Add support for nosec comments for bandit rules #12743
Labels: needs-decision (Awaiting a decision from a maintainer), suppression (Related to suppression of violations e.g. noqa)
I already brought this up a while back in the issue for the flake8-bandit rules, which has recently been completed.

I personally think it would be a good idea to support them, because they provide better visibility for potential security flaws in the code than their equivalent `noqa` comment, which I find easy to gloss over by comparison. It also means improved interoperability between bandit and ruff without the need for flake8-bandit as a compatibility shim.

There was some pushback against the idea last time, but I wanted to try again, since ruff has undergone some big changes in relevant portions like the parser in the meantime. From what I can tell, ruff already recognizes `nosec` as a pragma, so the cost of adding support should be overall a bit lower now.

I'd be happy to give the implementation a try myself, if there is no significant pushback against the idea.

The most difficult thing to support will probably be a bare `nosec` without a code, since that should only silence bandit rules and so can't be equivalent to a bare `noqa`. For the rest of the rules it should be possible to treat it as an alias to an equivalent `noqa` rule.

Although there's also a broader question of the interaction with flake8-noqa. Should `nosec` comments be able to trigger `NQA10X` rules? Or do we add some ruff specific rules to tidy up `nosec` rules? bandit itself does emit warnings for `nosec` comments where the supplied rule doesn't apply (although there are some false positives).
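A small model of the suppression semantics the issue describes, added here as an illustration and not code from ruff or bandit: a bare `# nosec` silences only the bandit-derived `S` rules, `# nosec B101` is treated as an alias for `# noqa: S101`, and codes named in a `# nosec` that suppressed nothing are reported, the way bandit's own warning does. The function names, the `B`-to-`S` prefix mapping and the accepted comment forms (`# nosec B101`, `# nosec: B101`) are assumptions.

```python
import re

# Added illustration of the semantics discussed in the issue; not ruff's or
# bandit's own code. Assumptions: bandit codes (B101) map to ruff's
# flake8-bandit codes by swapping the prefix (S101), and `# nosec` may carry
# its codes with or without a colon (`# nosec B101`, `# nosec: B101`).
_NOQA = re.compile(r"#\s*noqa(?::\s*(?P<codes>[A-Z]+\d+(?:\s*,\s*[A-Z]+\d+)*))?", re.I)
_NOSEC = re.compile(r"#\s*nosec\b(?::?\s*(?P<codes>B\d+(?:\s*,\s*B\d+)*))?", re.I)


def bandit_to_ruff(code: str) -> str:
    """bandit's B101 corresponds to ruff's S101 (assumed prefix mapping)."""
    code = code.strip().upper()
    return "S" + code[1:] if code.startswith("B") else code


def suppressions(line: str) -> tuple[bool, set[str], bool]:
    """Return (silences_everything, explicit_ruff_codes, bare_nosec) for a line."""
    everything, codes, bare_nosec = False, set(), False
    m = _NOQA.search(line)
    if m:
        if m.group("codes"):
            codes |= {c.strip().upper() for c in m.group("codes").split(",")}
        else:
            everything = True  # bare `# noqa` silences every rule
    m = _NOSEC.search(line)
    if m:
        if m.group("codes"):
            codes |= {bandit_to_ruff(c) for c in m.group("codes").split(",")}
        else:
            bare_nosec = True  # bare `# nosec` is narrower than bare `# noqa`
    return everything, codes, bare_nosec


def is_suppressed(line: str, rule: str) -> bool:
    """Would `rule` (a ruff code such as S101 or E501) be silenced on this line?"""
    everything, codes, bare_nosec = suppressions(line)
    if everything or rule in codes:
        return True
    # A bare `# nosec` silences only the bandit-derived S rules, never e.g. E501.
    return bare_nosec and rule.startswith("S")


def unused_nosec_codes(line: str, fired: set[str]) -> set[str]:
    """Codes named in `# nosec` that suppressed nothing (bandit warns on these)."""
    m = _NOSEC.search(line)
    if not m or not m.group("codes"):
        return set()
    return {bandit_to_ruff(c) for c in m.group("codes").split(",")} - fired
```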