I will acknowledge that bandit isn't listed as a tool, but I believe AnalysisModel uses violations-lib, which does list bandit as a supported tool if it uses the clang parser and a specific format line.

      I am not sure where the issue is, so I am putting this together and asking for some assistance. I've already reached out to the violations-lib folks and they confirmed it is not there. https://github.com/tomasbjerre/violations-lib/issues/175

      The bandit issue for this test is generated by simply saying print(eval('1+2')) for testing purposes only.


      jenkinsfile bandit call

      sh """
          . ./venv/bin/activate
          bandit -r rc_smtp_bridge/ -f custom --msg-template '{abspath}:{line}: {severity}: {test_id}: {msg}' | tee bandit.log || true
      """
      
      + bandit -r rc_smtp_bridge/ -f custom --msg-template {abspath}:{line}: {severity}: {test_id}: {msg}
      + tee bandit.log
      [main]  INFO    profile include tests: None
      [main]  INFO    profile exclude tests: None
      [main]  INFO    cli include tests: None
      [main]  INFO    cli exclude tests: None
      [main]  INFO    running on Python 3.11.2
      /jenkins/workspace/ure_RC_SMTP_Bridge_flake8-bandit@2/rc_smtp_bridge/rc_smtp_bridge.py:42: MEDIUM: B307: Use of possibly insecure function - consider using safer ast.literal_eval.
      

      recordIssues

      recordIssues aggregatingResults: true,
          qualityGates: [[threshold: 1, type: 'TOTAL', unstable: false]],
          enabledForFailure: true,
          tools: [clang(name: 'bandit', pattern: "bandit.log")]
      
      [bandit] Searching for all files in '/jenkins/workspace/ure_RC_SMTP_Bridge_flake8-bandit@2' that match the pattern 'bandit.log'
      [bandit] Traversing of symbolic links: enabled
      [bandit] -> found 1 file
      [bandit] Successfully parsed file /jenkins/workspace/ure_RC_SMTP_Bridge_flake8-bandit@2/bandit.log
      [bandit] -> found 0 issues (skipped 0 duplicates)
      [bandit] Successfully processed file 'bandit.log'
      [bandit] Skipping post processing
      [bandit] No filter has been set, publishing all 0 issues
      [bandit] Repository miner is not configured, skipping repository mining
      [bandit] Searching for all files in '/jenkins/workspace/ure_RC_SMTP_Bridge_flake8-bandit@2' that match the pattern 'bandit.log'
      [bandit] Traversing of symbolic links: enabled
      [bandit] -> found 1 file
      [bandit] Successfully parsed file /jenkins/workspace/ure_RC_SMTP_Bridge_flake8-bandit@2/bandit.log
      [bandit] -> found 0 issues (skipped 0 duplicates)
      [bandit] Successfully processed file 'bandit.log'
      [bandit] Skipping post processing
      [bandit] No filter has been set, publishing all 0 issues
      [bandit] Ignoring 'aggregatingResults' and ID 'null' since only a single tool is defined.
      [bandit] Searching for all files in '/jenkins/workspace/ure_RC_SMTP_Bridge_flake8-bandit@2' that match the pattern 'bandit.log'
      [bandit] Traversing of symbolic links: enabled
      [bandit] -> found 1 file
      [bandit] Successfully parsed file /jenkins/workspace/ure_RC_SMTP_Bridge_flake8-bandit@2/bandit.log
      [bandit] -> found 0 issues (skipped 0 duplicates)
      [bandit] Successfully processed file 'bandit.log'
      [bandit] Skipping post processing
      [bandit] No filter has been set, publishing all 0 issues
      [bandit] Repository miner is not configured, skipping repository mining
      [bandit] Reference build recorder is not configured
      [bandit] Obtaining reference build from same job (flake8-bandit)
      [bandit] Using reference build 'Infrastructure/RC SMTP Bridge/flake8-bandit #11' to compute new, fixed, and outstanding issues
      [bandit] Issues delta (vs. reference build): outstanding: 0, new: 0, fixed: 0
      [bandit] Evaluating quality gates
      [bandit] -> PASSED - Total (any severity): 0 - Quality Gate: 1
      [bandit] -> All quality gates have been passed
      [bandit] Health report is disabled - skipping
      [bandit] Created analysis result for 0 issues (found 0 new issues, fixed 0 issues)
      [bandit] Attaching ResultAction with ID 'clang' to build 'Infrastructure/RC SMTP Bridge/flake8-bandit #21'.
      [Checks API] No suitable checks publisher found. 
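      The B307 finding in the console output above recommends ast.literal_eval. As an added example (not code from the issue, from rc_smtp_bridge or from analysis-model), this shows how that replacement behaves on the same '1+2' input and on a few non-literal strings; parse_literal and its allowed-type check are my additions, not an API of any project on this page.

```python
from __future__ import annotations

import ast
from typing import Any

# Hypothetical helper: the literal types a caller is prepared to receive.
DEFAULT_ALLOWED: tuple[type, ...] = (int, float, str, list, dict, tuple, bool)


def parse_literal(text: str, allowed: tuple[type, ...] = DEFAULT_ALLOWED) -> Any:
    """Return the Python literal encoded in `text`, rejecting anything else.

    ast.literal_eval accepts only literal syntax (numbers, strings, bytes,
    tuples, lists, dicts, sets, booleans, None). The '1+2' expression bandit
    flagged above is not a literal, so it is rejected rather than evaluated,
    as is any name, call or attribute access. The result is also checked
    against `allowed`, so a caller expecting a list is never handed a set or
    None by surprise.
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # MemoryError/RecursionError cover pathologically nested input.
        raise ValueError(f"not a plain literal: {text!r}") from exc
    if not isinstance(value, allowed):
        raise ValueError(f"literal of unexpected type {type(value).__name__}: {text!r}")
    return value


if __name__ == "__main__":
    # Constructed inputs: the page's test expression plus a few non-literals.
    for sample in ("[1, 2]", "3", "1+2", "print('hi')", "a.b"):
        try:
            print(f"{sample!r:14} -> {parse_literal(sample)!r}")
        except ValueError as err:
            print(f"{sample!r:14} -> rejected ({err})")
```

      The eval call on the page returned 3 for '1+2'; parse_literal raises ValueError for it, which is the behaviour change B307 is pointing at.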

          [JENKINS-70824] Add Bandit format

          Ulli Hafner added a comment -

          The analysis model project has a custom parser for CLANG, so it does not use the one from the violations library. So there are basically two options:

          • Wrap the existing violations parser as BanditParser so that it can parse your files.
          • Look at the implementation of ClangParser why it can't parse Bandit files as well


          Ben added a comment -

          For my own knowledge, is `violations-lib` used for some parsers and not others?  Is there an easy way to tell when it is being used without digging through the code (https://github.com/jenkinsci/analysis-model/blob/master/SUPPORTED-FORMATS.md)?

          So looking at ClangParser in analysis-model, there is a transform added to allow for `HIGH`, `MEDIUM`, and `LOW` to be mapped to `error`, `warning`, and `info` in a case insensitive manner.  Is this a change that would be considered acceptable?  To me it makes sense as it allows the clang parser to support more tools when they can specify the format line.

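          An added illustration, not code from the analysis-model project or from anyone in this thread: a small Python parser for the `file:line: severity: id: message` shape that the --msg-template above produces. It shows why a clang-style matcher that only knows `error`/`warning`/`note` reports 0 issues for the bandit log, and what the case-insensitive HIGH/MEDIUM/LOW mapping Ben describes changes. The regex, the sample log lines, the B102 finding and the function names are constructed approximations, not ClangParser's implementation; the quality-gate helper mirrors the `threshold: 1, type: 'TOTAL'` setting from the recordIssues call.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log: two lines in the shape produced by the --msg-template
# from the Jenkinsfile, one bandit INFO line, and one ordinary clang diagnostic
# for comparison. Paths and the B102 finding are made up.
SAMPLE_LOG = """\
[main]  INFO    running on Python 3.11.2
/jenkins/workspace/example@2/rc_smtp_bridge/rc_smtp_bridge.py:42: MEDIUM: B307: Use of possibly insecure function - consider using safer ast.literal_eval.
/jenkins/workspace/example@2/rc_smtp_bridge/util.py:7: HIGH: B102: Use of exec detected.
src/foo.c:12:5: warning: unused variable 'x' [-Wunused-variable]
"""


@dataclass
class Issue:
    file: str
    line: int
    severity: str   # normalised to one of error / warning / info
    category: str   # bandit test id such as B307; empty for plain clang lines
    message: str


# Severity words a clang-style matcher understands. An approximation of the
# clang convention, not the regex used by analysis-model's ClangParser.
CLANG_SEVERITIES = {"error": "error", "fatal error": "error",
                    "warning": "warning", "note": "info"}

# The case-insensitive mapping discussed in the thread: bandit's
# HIGH/MEDIUM/LOW onto the three levels the clang convention already has.
BANDIT_SEVERITY_MAP = {"high": "error", "medium": "warning", "low": "info"}

# file:line[:column]: SEVERITY: [TEST_ID:] message
LINE_RE = re.compile(
    r"^(?P<file>[^:\n]+):(?P<line>\d+)(?::(?P<col>\d+))?:\s*"
    r"(?P<severity>[A-Za-z ]+?):\s*"
    r"(?:(?P<category>[A-Z]\d{3}):\s*)?"
    r"(?P<message>.*)$"
)


def parse(log: str, extra_severities: dict[str, str] | None = None) -> list[Issue]:
    """Parse diagnostics from `log`.

    Without `extra_severities` only the clang words are recognised, so bandit's
    HIGH/MEDIUM/LOW lines are dropped silently: that is the "found 0 issues"
    result in the console output. Passing BANDIT_SEVERITY_MAP normalises them.
    """
    known = dict(CLANG_SEVERITIES)
    if extra_severities:
        known.update(extra_severities)
    issues: list[Issue] = []
    for raw in log.splitlines():
        match = LINE_RE.match(raw)
        if not match:
            continue                      # INFO/progress lines never match
        severity = known.get(match.group("severity").strip().lower())
        if severity is None:
            continue                      # unknown severity word: not a diagnostic
        issues.append(Issue(
            file=match.group("file"),
            line=int(match.group("line")),
            severity=severity,
            category=match.group("category") or "",
            message=match.group("message").strip(),
        ))
    return issues


def quality_gate_passes(issues: list[Issue], threshold: int = 1) -> bool:
    """Mirror the recordIssues gate: a TOTAL count below `threshold` passes."""
    return len(issues) < threshold


if __name__ == "__main__":
    for label, extra in (("clang words only", None),
                         ("with bandit mapping", BANDIT_SEVERITY_MAP)):
        found = parse(SAMPLE_LOG, extra)
        print(f"{label}: {len(found)} issues, gate passes: {quality_gate_passes(found)}")
```

          Run stand-alone it prints 1 issue (the clang line) for the strict matcher and 3 with the mapping; the strict result is the silent drop the console output above shows, where the gate "passes" only because nothing was parsed.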

          Ulli Hafner added a comment -

          These are the parsers that are reused: https://github.com/jenkinsci/analysis-model/tree/master/src/main/java/edu/hm/hafner/analysis/parser/violations

          Abhinav added a comment -

          Hey, can I work on this issue? I am new to open source and would like to work on it.
          Also, can you please tell me some basic concepts I should learn before starting with this issue?


          Ulli Hafner added a comment -

          Yes, nobody has picked up that issue up to now.

          > Also, can you please tell me some basic concepts I should learn before starting with this issue?

          That depends on your experience.

          The implementation of the fix should:

          1. Create a test that fails
          2. Wrap the existing parser into a new Adapter class
          3. Improve the code until the test succeeds

          You should understand the basics of the analysis-model project (and the adapter design pattern).


          Abhinav added a comment -

          drulli
          > That depends on your experience
          I am a total newbie and have made some projects in the MERN stack. I have also learned the basics of docker and Kubernetes.

