[docs] Mention exclude_dirs option available in TOML and YAML
#876
Conversation
bittner
requested review from
ericwb,
lukehinds,
ghugo and
sigmavirus24
as code owners
|
Can we merge these changes, so developers can have it easier finding information about how to configure Bandit? |
|
This is what I am looking for and it is the missing part in the document. |
|
Please, review and merge! |
|
@gdalmau Thanks for your approval! I rebased the PR and resolved the conflict that had been introduced since I opened it. Can you approve again, please? And maybe merge? |
|
@bittner Sorry I'm not a member of PyCQA nor bandit. I just checked the changes and they looked good to me so I approved if that means anything to the members of this project :) I will recheck the changes and approve (or not) so hopefully we can see this PR merged. |
| If you want to include TOML support, install it with the `toml` extras: | ||
|
|
||
| .. code-block:: console | ||
|
|
||
| pip install bandit[toml] |
There was a problem hiding this comment.
I just noticed that tomli is required if you use a pyproject.toml. In my case our CI didn't break because it was installed via other packages, but a bare install makes it indeed not work.
Since the setup.cfg file seems to also have an extra for yaml files:
Lines 30 to 34 in caae4ee
Should we mention it as well in here? Or does a .bandit YAML file work with just installing pip install bandit?
There was a problem hiding this comment.
Hmm, I'm confused. 🤔 Installing the toml extra, that's what the pip install bandit[toml] does. Anything else needed from your point of view in addition to those instructions?
There was a problem hiding this comment.
What I mean is that in order to make bandit process a pyproject.toml file it needs to be installed via pip install bandit[toml]. Does it need to be installed via pip install bandit[yaml] for yaml files? If so, it should probably be in this docs as well.
There was a problem hiding this comment.
I understand! So, "If you want to include TOML support" is not clear enough?
There was a problem hiding this comment.
Argh, YAML! Now I understand. Let me verify this locally.
There was a problem hiding this comment.
I can confirm, the latest version of PyYAML (not the one in requirements.txt) is installed as a dependency when you install Bandit via pip install bandit.
I'm a bit puzzled: I absolutely can't see in the source code where the dependencies being installed are defined.
|
@ericwb @lukehinds @sigmavirus24 Could you approve and merge, please? |
There was a problem hiding this comment.
@bittner there's way more here than just mentioning that option. You've reformatted large swaths of text and many of these things we simply won't accept in what should be a relatively small patch.
Case-in-point: pre-commit formats the hooks in exactly the way we have them formatted. If you look at it's documentation, all hooks are written exactly as we wrote ours.
Please note that the PR has 2 separate commits, dedicated to changes with their own scope. With respect to the formatting, I attempt to modernize the reStructuredText syntax, with a uniform use of
Fair point. I didn't know. I'd have to adapt the pre-commit hook configuration with those changes, fair enough. That would certainly warrant a dedicated PR,—Let me revert those changes. I apologize. |
|
I reverted the changes to the displayed source code that apparently gets reformatted by the pre-commit hook, when installed. The PR description now mentions the reformatting of the documentation code (which affects the code portions modified in this PR and is hence difficult to contribute independently in parallel). I hope you see the value in the change. If there's anything you want adapted in addition, please let me know. @ericwb @lukehinds @sigmavirus24 Could you approve and merge now, please? |
bittner
requested review from
sigmavirus24 and
ericwb
and removed request for
ghugo
The project has a history of separating these out. A switch to code-blocks should be a fast merge but there are also formatting changes to the docs last I checked with line wrapping, etc. Non-inlined URLs are my preference and again standardizing s hour be easy to review. Finally, this change which is important should have been easy to merge but was allowed down by the additional noise making it harder to review with confidence something else wasn't missed. It's a matter of opinion but every comment you've left recently had been instructing people to merge it. That might have happened years ago if there had been less noise making the important change (documenting this option) easier to see and comment on with the shit tools available to the maintainers (because separate commits do not in fact improve the review experience on GitHub) |
|
Ian, thanks for taking the time to comment. I think the situation has now improved.
The documentation benefits from a nicer reading experience, and the documentation code has been modernized with related changes. While I second your concerns of the review experience, the benefits hopefully speak in favor of this larger-than-bare-minimum PR. |
|
Thanks for merging! 👍 |
Move the list of excluded files from --exclude in tox.ini to exclude_dirs in pyproject.toml to centralize configuration in pyproject.toml and make it accessible to tools and bandit invocations outside of tox. - Remove the comment that exclude is ignored by bandit 1.6.3+, which was fixed by PyCQA/bandit#722 in bandit 1.7.1. - Change exclude (which only works for INI files) to exclude_dirs (which only works for TOML and YAML files), as described in PyCQA/bandit#876 - Add /.git/ and /__pycache__/ to exclude_dirs to match --exclude. - Remove --exclude from invocation in tox.ini Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
As discovered in #488 (latest comments) and reported in #528.
Also attempts to improve the documentation code by aligning code block indenting replacing simple code blocks (
::) with source code markup code blocks in reStructuredText.Side Notes
exclude_dirsalso recognizes single files, not only directories.excludeandexclude_dirs.