[openstack-dev] [oslo][bandit] Handling bandit configuration files in Oslo.

Cyril Roelandt cyril at redhat.com
Tue Nov 3 15:31:05 UTC 2015


On 11/03/2015 10:50 AM, Victor Stinner wrote:
> Hi,
>
> I don't like very long command lines, it's hard to document them or
> comment them. I prefer configuration files. But bandit.yaml, the
> "template", is already a configuration file!?
>

Yes, the config file provided by bandit is some kind of "enable all 
checkers" configuration. Basically, it seems to me that people just 
re-use that with minor tweaks.

> As Brant wrote, we should enhance Bandit to use a simpler configuration
> file. Or maybe we should have our own configuration file which only
> contains "differences" between the YAML template and the expected YAML
> output configuration file. Basically, the "differences" is what you
> wrote on the command line.
>

I think we do not want bandit to start supporting N different 
configuration formats. I like that "bandit" reads "bandit.yaml", in its 
current state. It is *simple*.

Now, writing a working "bandit.yaml" could be less of a burden. To 
achieve this, bandit could provide a tool that allows developers to say 
"well, I want everything but this particular checker" or "well, I need 
this tweak to the configuration of that checker".

The right "architecture" would be:
- bandit-conf-generator (possibly included in the bandit git repo) reads 
a 'bandit-conf' config file and generates 'bandit.yaml';
- 'bandit' reads 'bandit.yaml' and does its job.

The configuration file for bandit-conf-generator could look something like:

[general]
project_name = oslo.messaging
path_to_src = oslo_messaging
disabled_tests = try_except_pass,assert_used

And then some code to configure the checkers that require additional 
configuration. It might be harder to think of something easy to write, 
though :)

> Anyway, it would be better to add this new bandit-conf-generator tool
> (or making config simpler) directly in Bandit. What do you think Cyril?
>

Yes. I should write a blueprint :)

Cyril.
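
A sketch of the bandit-conf-generator idea discussed in this message, as an added example that is not part of the original e-mail and not code from the bandit project: it reads the 'bandit-conf' file shown above, drops the disabled tests from a template list, and rejects unknown test names. The template list is a constructed subset, and the function names and the profiles/include layout of the generated YAML are assumptions.

```python
import configparser

# Constructed stand-in for the test list of the "enable all checkers" template.
TEMPLATE_TESTS = [
    "assert_used", "exec_used", "hardcoded_bind_all_interfaces",
    "subprocess_popen_with_shell_equals_true", "try_except_pass",
]

# The 'bandit-conf' example from the message above.
SAMPLE_CONF = """\
[general]
project_name = oslo.messaging
path_to_src = oslo_messaging
disabled_tests = try_except_pass,assert_used
"""


def parse_conf(text):
    """Return (project_name, path_to_src, disabled_tests) from bandit-conf text."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    general = parser["general"]
    raw = general.get("disabled_tests", "")
    disabled = [name.strip() for name in raw.split(",") if name.strip()]
    return general["project_name"], general["path_to_src"], disabled


def enabled_tests(disabled, template=TEMPLATE_TESTS):
    """Template tests minus the disabled ones; unknown names are an error."""
    unknown = sorted(set(disabled) - set(template))
    if unknown:
        # Fail loudly: a misspelled name would otherwise be silently ignored.
        raise ValueError("unknown tests in disabled_tests: " + ", ".join(unknown))
    return [name for name in template if name not in disabled]


def generate(conf_text):
    """Render the YAML for one profile (layout assumed, not bandit's spec)."""
    project, src, disabled = parse_conf(conf_text)
    lines = ["# generated from bandit-conf, source tree: %s" % src,
             "profiles:", "    %s:" % project, "        include:"]
    lines += ["            - %s" % name for name in enabled_tests(disabled)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(generate(SAMPLE_CONF), end="")
```

Rejecting unknown names in disabled_tests means a typo stops the run instead of producing a bandit.yaml that differs from what the developer intended.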



