Description
I've got a PR set up to run bandit on everything in `cve_bin_tool/` (#1523) to help us get some basic security checks into our automated workflow. Currently, I explicitly skip the `test/` directory because bandit will flag every assert, but they're fine for use in test code (you can't use asserts in production Python because they get optimized out, so bandit is correct in warning you about that).
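To show concretely why bandit treats `assert` as a problem outside tests, here is an added, self-contained demonstration (not code from cve-bin-tool or from this PR): the same range check written with `assert` and with an explicit `raise`, compiled at optimize level 0 (normal) and 1 (what `python -O` does). The `parse_port` function and the value 70000 are constructed for the illustration.

```python
"""Why bandit's B101 flags `assert` in non-test code: at optimize level 1
(`python -O`) the compiler drops assert statements entirely, so an input
check written as `assert` silently disappears in production.
Added demonstration, not cve-bin-tool code."""

# Two constructed versions of the same input check.
ASSERT_CHECK = """
def parse_port(value):
    assert 0 < value < 65536, "port out of range"
    return value
"""

EXPLICIT_CHECK = """
def parse_port(value):
    if not 0 < value < 65536:
        raise ValueError("port out of range")
    return value
"""


def run_check(source, optimize):
    """Compile `source` at the given optimize level (0 = normal, 1 = `-O`),
    call parse_port(70000) and report whether the bad value was rejected."""
    namespace = {}
    code = compile(source, "<constructed>", "exec", optimize=optimize)
    exec(code, namespace)
    try:
        namespace["parse_port"](70000)
    except (AssertionError, ValueError):
        return True   # out-of-range port rejected
    return False      # out-of-range port silently accepted


def compare_checks():
    """Return {style: (rejected_normal, rejected_optimized)} for both styles."""
    return {
        "assert": (run_check(ASSERT_CHECK, 0), run_check(ASSERT_CHECK, 1)),
        "explicit": (run_check(EXPLICIT_CHECK, 0), run_check(EXPLICIT_CHECK, 1)),
    }


if __name__ == "__main__":
    for style, (normal, optimized) in compare_checks().items():
        print(f"{style:8s} rejects bad input: normal={normal} optimized={optimized}")
```

The `assert` version only rejects the bad input at level 0; the explicit check rejects it at both levels, which is the behaviour production code needs and test code does not.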
BUT just because I'm skipping the `test/` directory in this first enabling in CI doesn't mean we have to skip it forever! So I'm opening this issue in case someone wants to make it possible in the future.
- You'd need to make sure the assert rule doesn't run on the tests. (There are ways to do this built in to bandit.)
- You'd need to go through all the other warnings generated by bandit when run on `test/*`:
  a. some may need fixing
  b. some other rules may need to be disabled on that directory and only that directory
  c. some sections may need code review and then to be marked as `# nosec` with appropriate notes in comments nearby.
If you want to start working on this, be warned that our current bandit.conf explicitly skips the test directory, so you'll need to change your local copy of bandit.conf or run bandit without a config file to see the current warnings:

```
bandit -r test/*
```