Unable to act on bandit detected issues due to missing drop down menu

Hi, we are using bandit as an external rule scanner for our Python projects, but the issues that it detects cannot be acted upon because there is no drop-down menu on the “Open” button.
All regular security hotspot issues we can “detect” or “clear” normally; only the bandit-detected vulnerabilities we are unable to act on.

We set up bandit according to this howto: https://docs.sonarqube.org/display/PLUG/Import+Bandit+Issues+Reports

If it helps, we are also using pylint rules, and those are working just fine.

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube: 7.6.0.21501
    Bandit: 1.5.1

  • what are you trying to achieve
    Detect or clear issues detected by bandit

  • what have you tried so far to achieve this
    We configured the external scanner and are managing all other issues normally.
    Our configuration looks like this:
    bandit --format json --output bandit-report.json --exclude some-dirs --recursive some-folder/;

Any help would be very much appreciated!

This is an example of how it looks in the SonarQube interface; please note that the drop-down option is missing.

This is expected, as mentioned in Generic issue import format:

External issues suffer from two important limitations:

  • they cannot be managed within SonarQube; for instance, there is no ability to mark them False Positive.

  • the activation of the rules that raise these issues cannot be managed within SonarQube. In fact, external rules are not visible in the Rules page or reflected in any Quality Profile.


Hi! Yes, I understand that. However, bandit apparently is kind of officially supported (since there was an announcement that you could now import issues from bandit directly instead of configuring it as a generic external engine).
I just wanted to know if this is expected or if there is some extra configuration that I need to do.

Best

Hi,

Yes, even though we provide the import, these are still “external” rules and issues and must be managed externally.

Ann


Hi Ann,
It would be great to implement a parameter that lets us choose the way these issues are imported.
We’d like to scan source code with bandit, but manage them with SonarQube.
Right now we can only change the issue severity to pass quality gates.

Regards, Leonid Lee.
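Since Ann's answer says external issues have to be managed outside SonarQube, one way to do that triage is a small step in the pipeline between `bandit --format json` and the import. This is an added example, not code from the thread, from SonarSource or from bandit: the report shape follows bandit's JSON output (test_id, filename, line_number, issue_severity, issue_confidence, issue_text), while the sample report, the TRIAGE table and the output file names are constructed for the example.

```python
import json
from typing import Dict, List, Tuple

Key = Tuple[str, str, int]  # (test_id, filename, line_number)

# Constructed sample of a `bandit --format json` report, reduced to the fields used here.
SAMPLE_REPORT = json.dumps({
    "errors": [],
    "results": [
        {"test_id": "B608", "filename": "app/db.py", "line_number": 42,
         "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"test_id": "B101", "filename": "tests/test_db.py", "line_number": 7,
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected."},
        {"test_id": "B311", "filename": "app/util.py", "line_number": 3,
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Standard pseudo-random generators are not suitable for security/cryptographic purposes."},
    ],
})

# Constructed triage decisions, kept in version control next to the code. The key
# pins rule, file and line so a decision never hides a new hit of the same rule.
TRIAGE: Dict[Key, str] = {
    ("B311", "app/util.py", 3): "random used for retry jitter, not for a secret",
}

def apply_triage(report_json: str, triage: Dict[Key, str],
                 ignore_prefixes: Tuple[str, ...] = ("tests/",)) -> Tuple[dict, List[dict]]:
    """Return (filtered_report, triage_log): the report in bandit's own schema with accepted
    findings removed, ready for the SonarQube import, plus a log of what was dropped and why,
    which is the record SonarQube cannot keep for external issues."""
    report = json.loads(report_json)
    kept, log = [], []
    for r in report["results"]:
        key: Key = (r["test_id"], r["filename"], r["line_number"])
        if key in triage:
            log.append({**r, "triage_reason": triage[key]})
        elif r["filename"].startswith(ignore_prefixes):
            log.append({**r, "triage_reason": "path excluded from import"})
        else:
            kept.append(r)
    return {**report, "results": kept}, log

if __name__ == "__main__":
    filtered, log = apply_triage(SAMPLE_REPORT, TRIAGE)
    # Point the SonarQube bandit import at the filtered file instead of bandit's raw output.
    for name, data in (("bandit-report.filtered.json", filtered), ("bandit-triage-log.json", log)):
        with open(name, "w") as fh:
            json.dump(data, fh, indent=2)
```

The triage log is what a reviewer audits later; the filtered report is what the scanner sees, so an accepted finding disappears from SonarQube without anyone needing the missing drop-down.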