Sometimes bandit will notice a security risk when there is none. The example in the video demonstrates this nicely.
    import urllib.request

    if path.startswith(("https:", "http:")):
        with urllib.request.urlopen(path) as resp:
            ...
Bandit will try to detect usage of urlopen in order to warn the user that there is a security risk. In fact, it checks for a lot of function signatures. Bandit is worried that the path variable might contain a file:// URL, which would cause the code to read files from disk. It's good that bandit is critical, but in this case the code already takes care of this risk with the scheme check on the line above.
This is a great use-case for the nosec comment. Adding it to the flagged line tells bandit to go ahead and ignore that line.
    import urllib.request

    if path.startswith(("https:", "http:")):
        with urllib.request.urlopen(path) as resp:  # nosec
            ...
If you re-run the bandit command with the nosec comment in place, it will no longer complain about that line.