Unable to act on bandit detected issues due to missing drop down menu

(Tomas Riveros) #1

Hi, we are using bandit as an external rule scanner for our python projects, but the issues that it detects cannot be acted upon due to no drop down menu in the “Open” button.
All regular security hotspot issues we can “detect” or “clear” normally. Only bandit detected vulnerabilities we are unable to act on.

We setup bandit according to this howto: https://docs.sonarqube.org/display/PLUG/Import+Bandit+Issues+Reports

If it helps, we are also using pylint rules and those are working just fine.

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube: 7.6.0.21501
    Bandit: 1.5.1

  • what are you trying to achieve
    Detect or clear issues detected by bandit

  • what have you tried so far to achieve this
    We configured the external scanner and are managing all other issues normally
    our configuration looks like this:
    bandit --format json --output bandit-report.json --exclude some-dirs --recursive some-folder/;

Any help would be very appreciated!

This is an example of how it looks in the sonarqube interface, please note that the dropdown option is missing.
11

(Scott) #2

This is expected as mentioned in https://docs.sonarqube.org/latest/analysis/generic-issue/

External issues suffer from two important limitations:

  • they cannot be managed within SonarQube; for instance, there is no ability to mark them False Positive.

  • the activation of the rules that raise these issues cannot be managed within SonarQube. In fact, external rules are not visible in the Rules page or reflected in any Quality Profile

1 Like
(Tomas Riveros) #3

hi! yes, I understand that, however, apparently bandit is kind of officially supported (since there was an announcement that you could now import issues from bandit directly instead of configuring it as a generic external engine.
I just wanted to know if this is expected or there is some extra configuration that i need to do

Best

(G Ann Campbell) #4

Hi,

Yes, even though we provide the import, these are still “external” rules and issues and must be managed externally.

 
Ann

1 Like