Skip to content

Commit

Permalink
Rework GitPython dependency to be an extra for bandit-baseline
Browse files Browse the repository at this point in the history
The only piece of code that requires GitPython is bandit-baseline.
There tends to be an abundance of CVEs in the GitPython library
due to its dependency on Git. By making GitPython optional via
an extra, users who mostly use just the bandit command line and
not bandit-baseline can benefit.

However, this will require different install if a user wants to
use bandit-baseline. This is now noted in the Getting Started
doc, but you simply do:

pip install bandit[GitPython]

FYI, this option was suggested in PR #976.

#976

Signed-off-by: Eric Brown <[email protected]>
  • Loading branch information
ericwb committed Jan 20, 2024
1 parent 12e14f6 commit fe81ced
Show file tree
Hide file tree
Showing 6 changed files with 19 additions and 3 deletions.
10 changes: 9 additions & 1 deletion bandit/cli/baseline.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,10 @@
import sys
import tempfile

import git
try:
import git
except ImportError:
git = None

bandit_args = sys.argv[1:]
baseline_tmp_file = "_bandit_baseline_run.json_"
Expand Down Expand Up @@ -198,6 +201,11 @@ def initialize():
report_fname = f"{report_basename}.{output_format}"

# #################### Check Requirements #################################
if git is None:
LOG.error("Git not available, reinstall with baseline extra")
valid = False
return (None, None, None)

try:
repo = git.Repo(os.getcwd())

Expand Down
7 changes: 7 additions & 0 deletions doc/source/start.rst
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,13 @@ If you want to include TOML support, install it with the `toml` extras:
pip install bandit[toml]
If you want to use the bandit-baseline CLI, install it with the `baseline`
extras:

.. code-block:: console
pip install bandit[baseline]
Run Bandit:

.. code-block:: console
Expand Down
1 change: 0 additions & 1 deletion requirements.txt
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
# The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
GitPython>=3.1.30 # BSD License (3 clause)
PyYAML>=5.3.1 # MIT
stevedore>=1.20.0 # Apache-2.0
colorama>=0.3.9;platform_system=="Windows" # BSD License (3 clause)
Expand Down
2 changes: 2 additions & 0 deletions setup.cfg
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ yaml =
PyYAML
toml =
tomli>=1.1.0; python_version < "3.11"
baseline =
GitPython>=3.1.30

[entry_points]
console_scripts =
Expand Down
1 change: 0 additions & 1 deletion test-requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,5 @@ flake8>=4.0.0 # Apache-2.0
stestr>=2.5.0 # Apache-2.0
testscenarios>=0.5.0 # Apache-2.0/BSD
testtools>=2.3.0 # MIT
tomli>=1.1.0;python_version<"3.11" # MIT
beautifulsoup4>=4.8.0 # MIT
pylint==1.9.4 # GPLv2
1 change: 1 addition & 0 deletions tox.ini
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ setenv =
deps =
-r{toxinidir}/requirements.txt
-r{toxinidir}/test-requirements.txt
.[yaml,toml,baseline]
commands =
find bandit -type f -name "*.pyc" -delete
stestr run {posargs}
Expand Down

0 comments on commit fe81ced

Please sign in to comment.