Bandit not recognising Test Plugins?

[JPalm1]

I am using bandit (1.7.8) with an existing python project. I want to write my own custom Test Plugins. I am using Poetry to manage the package dependencies of my existing project. I have a bandit.yml file that specifiesin built bandit plugin configurations.

What is the best way to set my custom plugin so that Bandit recognises it automatically? My folder structure is:

- pyproject.toml
- poetry.lock
- bandit.yml 
- plugins/
    - __init__.py
    - my_custom_plugin.py
- examples/
    -  {example files that should fail}
- app/
    - {app code}

In this case, what is the best way to set up the project to automatically detect the plugin logic in my_custom_plugin.py?

I have tried:

• Defining entry point for the plugin in my pyproject.toml:

[tool.poetry.plugins."bandit.plugins"]
my_custom_plugin = "plugins.my_custom_plugin:my_custom_plugin"

• Defining setup.cfg/setup.py file(s) in plugins/ directory to treat plugins/ as a package and define the entry points, in conjunction with importing plugins/ as a package in my root pyproject.toml.

Neither of these approaches seemed to work.

Any insight would be much appreciated!

example code in my_custom_plugin I have used (error when httpx is called):

import bandit
from bandit.core import test_properties

import logging

logger = logging.getLogger(__name__)


@test_properties.checks("Call")
def httpx_timeout_set(context):
    qualname = context.call_function_name_qual.split(".")[0]

    # Check if the call is to an httpx function or method
    if qualname=="httpx":
        return bandit.Issue(
                severity=bandit.HIGH,
                confidence=bandit.HIGH, 
                text=f"Call to httpx",
            )

[ericwb]

Might help to point to some other examples. I don't know if it can be done with poetry as I have never tried. But take a look at these:

https://github.com/lyft/bandit-high-entropy-string
https://github.com/microsoft/bandit-sarif-formatter

[sowensupgrade]

So you are saying that in order to run custom bandit rules, you must package your custom rules as a module, and install that module everytime you want to run bandit with your custom rules?

Will there every be support for just referencing a new local bandit custom rule?

[sowensupgrade]

@JPalm1 I was able to get it to work with following pyproject.toml file

[project]
name = "bandit_upgrade_custom_rules"
version = "0.0.1"
authors = [
{ name="Example Author", email="[email protected]" },
]
description = "A small example package"
readme = "README.md"
requires-python = ">=3.6"
classifiers = [
"Programming Language :: Python :: 3",
"License :: OSI Approved :: MIT License",
"Operating System :: OS Independent",
]

[project.entry-points."bandit.plugins"]
check_insecure_cors = "bandit_upgrade_custom_rules.cors:check_insecure_cors"

Then i built my project

pip3 install -r bandit_upgrade_custom_rules/requirements.txt
python3 -m build
pip3 install -r requirements.txt

my requirements.txt just has "-e . " in it to install my custom bandit rule package

Now when i run bandit, it runs my rules automatically. You don't need to do anything else

[myteron]

Duplicate of #910 ?
created a repo with a test plugin template see
https://github.com/myteron/bandit_big_bad_wolf