# nosec with bandit ID doesn't work properly sometimes about bandit HOT 4 OPEN

ok to close now @ericwb ?

from bandit.

ok to close now @ericwb ?

No, it's still an issue. The example I gave, still shows the warning in the logs.

from bandit.

I have the same issue. My code looks approximately like this:

205  parameter = {  # nosec B108
206          "certificate": "/tmp/certificates/tls.crt",
207          "privateKey": "/tmp/certificates/tls.key",
208          "trustedCertificates": "/tmp/certificates/ca.crt",
209          "alias": "alias",
210  }

Regardless of which of these lines I put the # nosec on (any of lines 205-210), or how many of them I have (used to have one each on lines 206-208), I get the following warnings:

[tester]	WARNING	nosec encountered (B108), but no failed test on line 206
[tester]	WARNING	nosec encountered (B108), but no failed test on line 207
[tester]	WARNING	nosec encountered (B108), but no failed test on line 208
[tester]	WARNING	nosec encountered (B108), but no failed test on line 209
[tester]	WARNING	nosec encountered (B108), but no failed test on line 209

Also note the double entry for line 209, which in fact doesn't even have the issue.

If I remove the # nosec, then Bandit fails with B108.

from bandit.

In the example I gave, it actually is functioning as you'd expect. The line:

        return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]}  # nosec: B108

The plugin hardcoded_tmp_directory will be called 4 times. One time for each str object as this plugin is designed to check string literals for a strings ["/tmp", "/var/tmp", "/dev/shm"] in them. However the first string encountered "tmp_dirs" is not found to have one of those and it is label with a nosec (for the entire line). So the warning is output to the logs as a result.

A more ideal solution would be do nosec processing by line, not by test result encounter since you can have multiple strings per line obviously.

from bandit.