Use .gitignore as part of the excluded file list

When using Bandit to scan projects based on Git source control,
it would be benefitual to ignore files based on the patterns
in the .gitignore file.

Today, Bandit has some default excludes that get overridden if
a user passes in other excludes. This is a bit confusing to the
end user. But it also serves a purpose similar to .gitignore in
that the paths excluded by default are typically included in a
.gitignore.

This change makes use of an existing dependency of GitPython to
process a .gitignore file. Note, it will only check for .gitignore
files in top-level directories specified on the Bandit command
line as targets. It does not recursive look for .gitignore files.
This is done for a couple reasons. Firstly as recursive searching for
.gitignore files and loading via GitPython would be complex to
add to Bandit existing file discovery. Secondly, the performance
of Bandit might suffer greatly if GitPython is used recursively.

The GitPython is a wrapper around calling various git commands.
So there is a dependency that the user has Git installed. There
are also limitations to argument sizes on operating systems
which this code has newly introduced to ensure the command doesn't
fail.

Signed-off-by: Eric Brown <[email protected]>

Author: ericwb

bandit/cli/main.py

@@ -340,7 +340,8 @@ def main():
         help="comma-separated list of paths (glob patterns "
         "supported) to exclude from scan "
         "(note that these are in addition to the excluded "
-        "paths provided in the config file) (default: "
+        "paths provided in the config file and any files "
+        "matching patterns defined in .gitignore) (default: "
         + ",".join(constants.EXCLUDE)
         + ")",
     )

bandit/core/manager.py

@@ -13,6 +13,7 @@
 import tokenize
 import traceback
 
+import git
 from rich import progress
 
 from bandit.core import constants as b_constants
@@ -197,6 +198,55 @@ def output_results(
                 f"'{output_format}' formatter: {str(e)}"
             )
 
+    def _arg_max_args(self, args):
+        """
+        Split up the list in `args` into a list of lists
+        where each list contains fewer than half ARG_MAX bytes.
+        """
+        ARG_MAX = os.sysconf("SC_ARG_MAX")
+        result = []
+        sublist = []
+        count = 0
+        for arg in args:
+            arg_len = len(arg)
+            if count + arg_len > ARG_MAX / 2:
+                result.append(sublist)
+                sublist = [arg]
+                count = arg_len
+            else:
+                sublist.append(arg)
+                count += arg_len
+        if sublist:
+            result.append(sublist)
+        return result
+
+    def _exclude_gitignore(self, repo, new_files, newly_excluded):
+        """
+        Exclude files matching patterns in .gitignore if found.
+        """
+        if repo is not None:
+            # Git will only compare absolute paths in the
+            # processing of a .gitignore file.
+            tmp_files = map(os.path.abspath, new_files)
+
+            # Split list into chunks if size is larger than the
+            # operating system's ARG_MAX
+            split_files = self._arg_max_args(tmp_files)
+
+            for files in split_files:
+                try:
+                    ignore_list = repo.ignored(*files)
+                    ignored_files = list(
+                        filter(
+                            lambda x: os.path.abspath(x) in ignore_list,
+                            new_files,
+                        )
+                    )
+                    new_files.difference_update(ignored_files)
+                    newly_excluded.update(ignored_files)
+                except git.exc.GitCommandError as e:
+                    LOG.warning(e)
+
     def discover_files(self, targets, recursive=False, excluded_paths=""):
         """Add tests directly and from a directory to the test set
 
@@ -224,12 +274,25 @@ def discover_files(self, targets, recursive=False, excluded_paths=""):
         for fname in targets:
             # if this is a directory and recursive is set, find all files
             if os.path.isdir(fname):
+                repo = None
+                try:
+                    repo = git.Repo(fname)
+                except git.exc.InvalidGitRepositoryError:
+                    LOG.debug("No Git repository found")
+                except git.exc.GitCommandNotFound:
+                    LOG.debug("Git command not found")
+                except git.exc.NoSuchPathError:
+                    LOG.debug("No such path to a git repo")
+
                 if recursive:
                     new_files, newly_excluded = _get_files_from_dir(
                         fname,
                         included_globs=included_globs,
                         excluded_path_strings=excluded_path_globs,
                     )
+
+                    self._exclude_gitignore(repo, new_files, newly_excluded)
+
                     files_list.update(new_files)
                     excluded_files.update(newly_excluded)
                 else:
@@ -238,7 +301,6 @@ def discover_files(self, targets, recursive=False, excluded_paths=""):
                         "scan contents",
                         fname,
                     )
-
             else:
                 # if the user explicitly mentions a file on command line,
                 # we'll scan it, regardless of whether it's in the included

doc/source/man/bandit.rst

@@ -62,7 +62,8 @@ OPTIONS
                         comma-separated list of paths (glob patterns
                         supported) to exclude from scan (note that these are
                         in addition to the excluded paths provided in the
-                        config file) (default:
+                        config file and any files matching patterns defined in
+                        .gitignore) (default:
                         .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
   -b BASELINE, --baseline BASELINE
                         path of a baseline report to compare against (only