Change in behavior in bandit 1.6.0
jim at jimrollenhagen.com
Fri May 10 13:07:30 UTC 2019
On Fri, May 10, 2019 at 5:48 AM Stephen Finucane <sfinucan at redhat.com>
> We've noticed a spate of recent test failures within the 'pep8' jobs in
> oslo recently. It seems these are because of the release of bandit
> 1.6.0. The root cause is that the '-x' (exclude) option seems to have
> changed behavior. Previously, to match a path like 'oslo_log/tests/*',
> you could state '-x test'. This option now expects glob patterns,
> such as '-x oslo_log/tests/*'. If you use bandit, you probably have to
> update your 'tox.ini' accordingly. See  for an example.
As a note, it looks like you have to catch every .py file in this glob,
so this won't work for more complex directory layouts. e.g. in Keystone,
`-x keystone/tests/*` still fails, as does `-x keystone/tests/**/*`, etc.
I've just blacklisted this version there.
> It's worth noting that bandit is one of the few packages we don't
> manage the version for, so if you're not already limiting yourself
> to a version, perhaps it would be a good idea to do so to avoid stable
> branches breaking periodically. Also, this is something that really
> shouldn't have happened in a minor version (backwards incompatible
> behavior change, yo) but it has so we'll live with it. I would ask
> though that the bandit maintainers, whoever ye be, be more careful
> about this kind of stuff in the future. Thanks :)
FWIW, looks like this was an unintentional regression that they're
working on fixing in 1.6.1.
>  https://review.opendev.org/#/c/658249/
>  https://github.com/openstack/requirements/blob/master/blacklist.txt
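For reference, here is what the 'tox.ini' change described above looks like in a bandit environment, written up here as an added example rather than taken from oslo or any other project. The package name 'oslo_log', the '[testenv:bandit]' name and the version pin are assumptions.

```ini
# Before: worked with bandit < 1.6.0, where '-x' matched a path fragment
# such as 'test' against 'oslo_log/tests/*'. No version pin, so a new
# bandit release changes the job's behaviour without any change here.
[testenv:bandit]
deps = bandit
commands = bandit -r oslo_log -x test

# After: bandit 1.6.0 treats '-x' as a glob pattern, so the exclude must
# name the test path explicitly. The pin (an assumed range) keeps a future
# release from silently changing option semantics on stable branches.
[testenv:bandit]
deps = bandit>=1.6.0,<1.7
commands = bandit -r oslo_log -x 'oslo_log/tests/*'
```

Check the job output after the change to confirm the test files are actually skipped; as noted above, a single glob may not cover a nested tests tree.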