python/bandit: Use .bandit configuration file

Bandit automatically [uses any .bandit file] within the directories on
which it is invoked.  Since ALE invokes bandit on stdin, it does not
load a .bandit file automatically.  Add support for automatically
finding a .bandit file and passing it to bandit via the --ini option
along with a variable to disable this behavior if desired.

Note: This is useful for the skips and tests configuration options, but
not exclude which would require invoking bandit using a file name, which
may or may not be a good trade-off.

[uses any .bandit file]: https://github.com/PyCQA/bandit/blob/1.5.1/bandit/cli/main.py#L70-L73

Signed-off-by: Kevin Locke <kevin@kevinlocke.name>

6 files changed, 42 insertions, 0 deletions

diff --git a/ale_linters/python/bandit.vim b/ale_linters/python/bandit.vim
index 819c83aa..5c9500a6 100644
--- a/ale_linters/python/bandit.vim
+++ b/ale_linters/python/bandit.vim
@@ -3,6 +3,7 @@
 
 call ale#Set('python_bandit_executable', 'bandit')
 call ale#Set('python_bandit_options', '')
+call ale#Set('python_bandit_use_config', 1)
 call ale#Set('python_bandit_use_global', get(g:, 'ale_use_global_executables', 0))
 call ale#Set('python_bandit_auto_pipenv', 0)
 
@@ -22,6 +23,14 @@ function! ale_linters#python#bandit#GetCommand(buffer) abort
     let l:flags = ' --format custom'
     \   . ' --msg-template "{line}:{test_id}:{severity}:{msg}" '
 
+    if ale#Var(a:buffer, 'python_bandit_use_config')
+        let l:config_path = ale#path#FindNearestFile(a:buffer, '.bandit')
+
+        if !empty(l:config_path)
+            let l:flags = ' --ini ' . ale#Escape(l:config_path) . l:flags
+        endif
+    endif
+
     let l:exec_args = l:executable =~? 'pipenv$'
     \   ? ' run bandit'
     \   : ''
diff --git a/doc/ale-python.txt b/doc/ale-python.txt
index f74e4e83..9326d6d5 100644
--- a/doc/ale-python.txt
+++ b/doc/ale-python.txt
@@ -88,6 +88,17 @@ g:ale_python_bandit_options                       *g:ale_python_bandit_options*
   bandit invocation.
 
 
+g:ale_python_bandit_use_config                 *g:ale_python_bandit_use_config*
+                                               *b:ale_python_bandit_use_config*
+  Type: |Number|
+  Default: `1`
+
+  If this variable is true and a `.bandit` file exists in the directory of the
+  file being checked or a parent directory, an `--ini` option is added to the
+  `bandit` command for the nearest `.bandit` file.  Set this variable false to
+  disable adding the `--ini` option automatically.
+
+
 g:ale_python_bandit_use_global                 *g:ale_python_bandit_use_global*
                                                *b:ale_python_bandit_use_global*
   Type: |Number|
diff --git a/test/command_callback/python_paths/with_bandit/.bandit b/test/command_callback/python_paths/with_bandit/.bandit
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/test/command_callback/python_paths/with_bandit/.bandit
diff --git a/test/command_callback/python_paths/with_bandit/namespace/foo/__init__.py b/test/command_callback/python_paths/with_bandit/namespace/foo/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/test/command_callback/python_paths/with_bandit/namespace/foo/__init__.py
diff --git a/test/command_callback/python_paths/with_bandit/namespace/foo/bar.py b/test/command_callback/python_paths/with_bandit/namespace/foo/bar.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/test/command_callback/python_paths/with_bandit/namespace/foo/bar.py
diff --git a/test/command_callback/test_bandit_command_callback.vader b/test/command_callback/test_bandit_command_callback.vader
index 5d1e6fd3..274ce901 100644
--- a/test/command_callback/test_bandit_command_callback.vader
+++ b/test/command_callback/test_bandit_command_callback.vader
@@ -47,3 +47,25 @@ Execute(Pipenv is detected when python_bandit_auto_pipenv is set):
   \ . ' run bandit'
   \ . b:bandit_flags
   \ . ' -'
+
+Execute(The bandit command callback should add .bandit by default):
+  silent execute 'file ' . fnameescape(g:dir . '/python_paths/with_bandit/namespace/foo/bar.py')
+
+  let b:config_path = ale#path#Simplify(
+  \ g:dir . '/python_paths/with_bandit/.bandit'
+  \)
+
+  AssertLinter 'bandit',
+  \ ale#Escape('bandit')
+  \ . ' --ini ' . ale#Escape(b:config_path)
+  \ . b:bandit_flags
+  \ . ' -'
+
+Execute(The bandit command callback should support not using .bandit):
+  silent execute 'file ' . fnameescape(g:dir . '/python_paths/with_bandit/subdir/foo/bar.py')
+  let g:ale_python_bandit_use_config = 0
+
+  AssertLinter 'bandit',
+  \ ale#Escape('bandit')
+  \ . b:bandit_flags
+  \ . ' -'