Metadata-Version: 2.1
Name: bento-cli
Version: 0.6.2
Summary: Free program analysis focused on bugs that matter to you.
Home-page: https://bento.dev
Author: Return To Corporation
Author-email: bento@r2c.dev
License: Proprietary
Platform: UNKNOWN
Classifier: Programming Language :: Python :: 3
Classifier: License :: Other/Proprietary License
Classifier: Operating System :: OS Independent
Requires-Python: >=3.6
Description-Content-Type: text/markdown
Requires-Dist: attrs (<=19.3.0,>=18.2.0)
Requires-Dist: click (~=7.0)
Requires-Dist: docker (~=3.7)
Requires-Dist: frozendict (~=1.2)
Requires-Dist: gitpython (~=2.1)
Requires-Dist: packaging (>=14.0)
Requires-Dist: pre-commit (<=1.18.3,>=1.0.0)
Requires-Dist: psutil (~=5.6.3)
Requires-Dist: pymmh3 (~=0.0.5)
Requires-Dist: pyyaml (>=5.1.2)
Requires-Dist: r2c-lib (==0.0.18a0)
Requires-Dist: semantic-version (~=2.8.0)
Requires-Dist: tqdm (~=4.36.1)
Requires-Dist: validate-email (~=1.3)

<p align="center">
    <img src="https://raw.githubusercontent.com/returntocorp/bento/master/bento-logo.png" height="100" alt="Bento logo"/>
</p>

<br/>
<h3 align="center">
    Free program analysis focused on bugs that matter to you.
</h3>
<p align="center">
Install, configure, and adopt Bento in seconds. Runs 100% locally.
</p>

<p align="center">
  <a href="https://pypi.org/project/bento-cli/">
    <img alt="PyPI" src="https://img.shields.io/pypi/v/bento-cli?style=flat-square&color=blue">
  </a>
  <a href="https://pypi.org/project/bento-cli/">
    <img alt="PyPI - Downloads" src="https://img.shields.io/pypi/dm/bento-cli?style=flat-square&color=green">
  </a>
  <a href="https://github.com/returntocorp/bento/issues/new/choose">
    <img src="https://img.shields.io/badge/issues-welcome-green?style=flat-square" alt="Issues welcome!" />
  </a>
  <a href="https://twitter.com/intent/follow?screen_name=r2cdev">
    <img src="https://img.shields.io/twitter/follow/r2cdev?label=Follow%20r2cdev&style=social&color=blue" alt="Follow @r2cdev" />
  </a>
</p>

<h3 align="center">
  <a href="#installation">Installation</a>
  <span> · </span>
  <a href="#motivations">Motivations</a>
  <span> · </span>
  <a href="#usage">Usage</a>
  <span> · </span>
  <a href="#integrations">Integrations</a>
  <span> · </span>
  <a href="#help-and-community">Help & Community</a>
</h3>

Bento is a free and opinionated toolkit for gradually adopting linters[¹](https://en.wikipedia.org/wiki/Lint_(software)) and program analysis[²](https://en.wikipedia.org/wiki/Program_analysis) in your codebase. Be the bug-squashing advocate your team needs but (maybe) doesn’t deserve.

- **Find bugs that matter.** Bento automatically enables and configures relevant analysis based on your dependencies and frameworks, and it will [never report style-related issues](https://blog.r2c.dev/posts/three-things-your-linter-shouldnt-tell-you/). You won’t painstakingly configure your tooling.
- **Get started immediately.** Bento doesn’t force you to fix all your preexisting issues today. Instead, you can archive them and address them incrementally when it makes sense for your project.
- **Go fast.** Bento installs in 5 seconds and self-configures in less than 30. Its tools check your code in parallel, not sequentially.

Bento includes checks written by [r2c](https://r2c.dev/) and curated from [Bandit](https://pypi.org/project/bandit/), [ESLint](https://eslint.org/), [Flake8](https://pypi.org/project/flake8/), and their plugins. It runs on your local machine and never sends your code anywhere or to anyone.

<p align="center">
    <img src="https://web-assets.r2c.dev/bento-demo.gif" width="100%" alt="Demonstrating Bento running in a terminal"/>
</p>

## Installation
```bash
$ pip3 install bento-cli
```

Bento is for JavaScript, TypeScript, and Python 3 projects. It requires Python 3.6+ and works on macOS Mojave (10.14) and Ubuntu 18.04+.

## Motivations
> See our [Bento introductory blog post](https://medium.com/@ievans/our-quest-to-make-world-class-security-and-bugfinding-available-to-all-developers-for-free-dce9eb7b06d0) to learn the full story.

r2c is on a quest to make world-class security and bugfinding available to all developers, for free. We’ve learned that most developers have never heard of—let alone tried—tools that find deep flaws in code: like Codenomicon, which found [Heartbleed](http://heartbleed.com/), or Zoncolan at Facebook, which finds more [top-severity security issues](https://cacm.acm.org/magazines/2019/8/238344-scaling-static-analyses-at-facebook/fulltext) than any human effort. These tools find severe issues and also save tons of time, identifying [hundreds of thousands of issues](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43322.pdf) before humans can. Bento is a step towards universal access to tools like these.

We’re also big proponents of opinionated tools like Black and Prettier. This has two implications: Bento ignores style-related issues and the bikeshedding that comes with them, and it ships with a curated set of checks that we believe are high signal and bug-worthy. See [Three things your linter shouldn’t tell you](https://blog.r2c.dev/posts/three-things-your-linter-shouldnt-tell-you/) for more details on our decision making process.

## Usage
To get started right away with sensible defaults:

```bash
$ bento init && bento check
```

To set aside preexisting results so you only see issues in new code:

```bash
$ bento archive
```

Bento is at its best when run automatically. See [Integrations](#integrations) for details.

### Command Line Options
```
$ bento --help

Usage: bento [OPTIONS] COMMAND [ARGS]...

Options:
  -h, --help             Show this message and exit.
  --version              Show current version bento.
  --base-path DIRECTORY  Path to the directory containing the code, as well as
                         the .bento.yml file.
  --agree                Automatically agree to terms of service.
  --email TEXT           Email address to use while running this command
                         without global configs e.g. in CI

Commands:
  archive       Adds all current findings to the whitelist.
  check         Checks for new findings.
  disable       Turn OFF a tool or check.
  enable        Turn ON a tool or check.
  init          Autodetects and installs tools.
  install-hook  Installs Bento as a git pre-commit hook.

  To get help for a specific command, run `bento COMMAND --help`
```

### Exit Codes
`bento check` may exit with the following exit codes: 
- `0`: Bento ran successfully and found no errors
- `2`: Bento ran successfully and found issues in your code
- `3`: Bento or one of its underlying tools failed to run

## Integrations

### Running Bento in CI
If you use CircleCI, add the following job:

```yaml
version: 2.1

jobs:
  bentoCheck:
    docker:
      # Python 3.7 image that also ships Node, so both the Python and the JS/TS tools can run
      - image: circleci/python:3.7.4-stretch-node
    steps:
      - checkout
      - run:
          name: "Install Bento"
          command: pip3 install bento-cli && bento --version
      - run:
          name: "Run Bento check"
          command: bento --agree --email <YOUR_EMAIL> check

# A job only runs when a workflow references it
workflows:
  bento:
    jobs:
      - bentoCheck
```

Otherwise, you can simply install and run Bento in CI with the following commands:

```bash
$ pip3 install bento-cli && bento --version
$ bento --agree --email <YOUR_EMAIL> check
```

`bento check` will exit with a non-zero exit code if it finds issues in your code (see [Exit Codes](#exit-codes)). To keep a CI step from failing on findings, you can chain the command with `|| true`:

```bash
$ bento --agree --email <YOUR_EMAIL> check || true
```

Otherwise, address the issues or archive them with `bento archive`.
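A blanket `|| true` also hides exit code `3`, i.e. Bento or one of its tools failing to run, so a CI job can silently stop checking code. The following gate is an added example, not part of the Bento project: it maps the documented exit codes (`0`, `2`, `3`) to a pass/fail decision and only ever masks findings, never tool failures. The `fake_bento` stand-in is constructed so the script runs without Bento installed.

```sh
#!/bin/sh
# Added example (not Bento's own code): interpret `bento check` exit codes in CI
# instead of masking everything with `|| true`.
#
# Exit codes documented for `bento check`:
#   0 = ran successfully, no findings
#   2 = ran successfully, findings present
#   3 = Bento or one of its tools failed to run
#
# run_bento_gate MODE CMD [ARGS...]
#   MODE=enforce  : findings (2) fail the build
#   MODE=advisory : findings (2) are reported but do not fail the build
#   In both modes a tool failure (3) or an unknown code fails the build,
#   so a broken analysis run is never mistaken for a clean one.
run_bento_gate() {
    mode=$1
    shift
    # `if` keeps `set -e` from aborting before we can inspect the code
    if "$@"; then rc=0; else rc=$?; fi
    case $rc in
        0)
            echo "bento: no findings"
            return 0 ;;
        2)
            echo "bento: findings reported (mode=$mode)"
            if [ "$mode" = advisory ]; then return 0; else return 2; fi ;;
        3)
            echo "bento: tool failed to run; refusing to mask this" >&2
            return 3 ;;
        *)
            echo "bento: unexpected exit code $rc" >&2
            return 1 ;;
    esac
}

# Constructed stand-in for `bento check`: exits with the code it is given.
# Replace with the real command in CI, e.g.:
#   run_bento_gate enforce bento --agree --email <YOUR_EMAIL> check
fake_bento() {
    return "$1"
}
```

In a pipeline the `advisory` mode gives the same "don't block on findings" behaviour as `|| true` while still surfacing a broken tool run as a failed step.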

If you need help setting up Bento with another CI provider please [open an issue](https://github.com/returntocorp/bento/issues/new?template=feature_request.md). Documentation PRs welcome if you set up Bento with a CI provider that isn't documented here!

### Running Bento as a Git Hook
Bento can automatically analyze your staged files when `git commit` is run. Configured as a Git pre-commit hook, Bento ensures every commit to your project is vetted and that no new issues have been introduced to the codebase.

To install Bento as a Git hook:

```bash
$ bento install-hook
```

If Git hooks ever incorrectly block your commit, you can skip them by passing the `--no-verify` flag at commit-time (use this sparingly):

```bash
$ git commit --no-verify
```

Bento’s Git hook can save the round-trip time involved with fixing a failed build if you’re using [Bento in CI](#running-bento-in-ci). 

## Help and Community
Need help or want to share feedback? We’d love to hear from you!

- Email us at [support@r2c.dev](mailto:support@r2c.dev)
- Join #bento in our [community Slack](https://join.slack.com/t/r2c-community/shared_invite/enQtNjU0NDYzMjAwODY4LWE3NTg1MGNhYTAwMzk5ZGRhMjQ2MzVhNGJiZjI1ZWQ0NjQ2YWI4ZGY3OGViMGJjNzA4ODQ3MjEzOWExNjZlNTA)
- [File an issue](https://github.com/returntocorp/bento/issues/new?assignees=&labels=bug&template=bug_report.md&title=) or [submit a feature request](https://github.com/returntocorp/bento/issues/new?assignees=&labels=feature-request&template=feature_request.md&title=) directly on GitHub &mdash; we welcome them all!

We’re constantly shipping new features and improvements. 

- [Sign up for the Bento newsletter](http://eepurl.com/gDeFvL) &mdash; we promise not to spam and you can unsubscribe at any time
- See past announcements, releases, and issues [here](https://us18.campaign-archive.com/home/?u=ee2dc8f77e27d3739cf4df9ef&id=d13f5e938e)

We’re fortunate to benefit from the contributions of the open source community and great projects such as [Bandit](https://pypi.org/project/bandit/), [ESLint](https://eslint.org/), [Flake8](https://pypi.org/project/flake8/), and their plugins. 🙏

## License and Legal
Please refer to the [terms and privacy document](https://github.com/returntocorp/bento/blob/master/PRIVACY.md).

<br/>
<br/>
<p align="center">
    <img src="https://web-assets.r2c.dev/r2c-logo-silhouette.png?pp" height="24" alt="r2c logo"/>
</p>
<p align="center">
    Copyright (c) <a href="https://r2c.dev">r2c</a>.
</p>

---
# Changelog

This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [0.6.2](https://pypi.org/project/bento-cli/0.6.2/) - 2019-12-05

### Fixed

- Fixed an issue where upgrade notifications were not shown to users.
- Fixed an issue where certain `.gitignore` patterns would cause an error or be skipped by Bento.
- Properly render multi-line context in the Clippy formatter.

## [0.6.1](https://pypi.org/project/bento-cli/0.6.1/) - 2019-11-26

### Fixed

- Bento no longer completes initialization if it can't identify a project; this prevents
  confusing errors when subsequently running `bento check`.
- Pinned versions of all 3rd-party Python tools, so that remote package upgrades do not break
  Bento.
- Bento no longer crashes if a project path contains a space.

### Changed

- Results of `bento check` are now printed
  using the Clippy and histogram formatters (see "Added" section below) by default.
- The APIs to enable and disable a check are now `bento enable check [check]` and
  `bento disable check [check]`.
- The `r2c.flask` tool is now enabled by default. It finds best-practice and security bugs in
  code using the Python [Flask](https://www.palletsprojects.com/p/flask/) framework.
- Multiple formatters can now be used to display results from `bento check`. For example,
  `bento check -f stylish -f histo` will display results using the Stylish formatter,
  followed by display using a histogram formatter.
- Progress bars are no longer emitted to stderr when it is not a TTY; this prevents progress-bar output from
  littering CI logs.
- Updated progress bar glyphs for readability on a wider range of terminal themes.
- Disabled `r2c.flake8` check `B001` by default, in favor of the (also included) `E722` check.

### Added

- Added `r2c.requests`, which finds best-practice and security bugs in code using the Python
  [Requests](https://2.python-requests.org/en/master/) framework. It is enabled by default.
- Added `r2c.sgrep`, a syntactically aware code search tool. It is _not_ enabled by default.
  To use it on a project, run `bento enable tool r2c.sgrep`. Note that Docker is required in
  order to use `r2c.sgrep`.
- All findings, including those previously archived, can now be viewed using
  `bento check --show-all`.
- Tools can now be enabled using `bento enable tool [tool_id]`. Available
  tools can be listed by running `bento enable tool --help` or using shell autocompletion.
  Tools can be disabled using `bento disable tool [tool_id]`.

## 0.6.0

Version 0.6.0 was not released.

## [0.5.0](https://pypi.org/project/bento-cli/0.5.0/) - 2019-11-18

### Fixed

- `r2c.eslint` now properly detects TypeScript imports.
- `r2c.eslint` now detects global node environments (e.g., `jest`),
  and properly resolves their global variables.

### Changed

- To better protect users' data, error messages are no longer reported to our backend.
- `.bentoignore` can now be configured to include patterns from other files; by default
  the contents of the project's `.gitignore` are included. For more information, please see the comments at
  the top of the generated `.bentoignore` file.
- Tab completion times reduced by approximately half.
- Disabled a number of `r2c.eslint` checks by default:
  - `arrow-parens`, as it conflicts with Prettier's default behavior.
  - TypeScript semicolon checking, which is stylistic.
  - `import/no-cycle` which takes 50% of tool runtime on moderately large code bases.
- Disabled `r2c.flake8` check `E306` by default, as it is stylistic in nature.
- Runtime of `r2c.eslint` has been reduced by up to 30% for some projects.

### Added

- Added `r2c.shellcheck` tool for shell scripts. To enable, add `r2c.shellcheck` to the
  tools section of your `.bento.yml`. Note that this tool requires `docker` as a dependency.
- Added `r2c.hadolint` tool for Docker files. To enable, add `r2c.hadolint` to the
  tools section of your `.bento.yml`. Note that this tool requires `docker` to be installed in order to run.

## [0.4.1](https://pypi.org/project/bento-cli/0.4.1/) - 2019-11-14

### Fixed

- Fixed a performance regression due to changes in metrics collection.

## [0.4.0](https://pypi.org/project/bento-cli/0.4.0/) - 2019-11-11

### Changed

- We updated our [privacy policy](https://github.com/returntocorp/bento/commits/master/PRIVACY.md).
  - Notably, we collect email addresses to understand usage and communicate with users through product announcements, technical notices, updates, security alerts, and support messages.

### Added

- Added additional `r2c.click` tool for [Click](http://click.palletsprojects.com/) framework:

  - [flake8-click](https://pypi.org/project/flake8-click/) will be disabled by default.

- Added additional `r2c.flask` tool for [Flask](https://flask.palletsprojects.com/) framework:

  - [flake8-flask](https://pypi.org/project/flake8-flask/) will be disabled by default.

## [0.3.1](https://pypi.org/project/bento-cli/0.3.1/) - 2019-11-08

### Fixed

- Fixed an issue where the tool would fail to install if a macOS user
  had installed `gcc` and then upgraded their OS.
- Fixed a compatibility issue for users with a pre-existing version
  of GitPython with version between 2.1.1 and 2.1.13.

## [0.3.0](https://pypi.org/project/bento-cli/0.3.0/) - 2019-11-01

### Changed

- Bento can now be run from any subdirectory within a project.
- Updated the privacy and terms-of-service statement.

### Added

- File ignores are configurable via [git-style ignore patterns](https://git-scm.com/docs/gitignore) (include patterns
  are not supported). Patterns should be added to `.bentoignore`.

- Added additional checks to the `r2c.flake8` tool:

  - All checks from [flake8-bugbear](https://github.com/PyCQA/flake8-bugbear) (except for B009 and B010,
    which are stylistic in nature).
  - All checks from [flake8-builtins](https://github.com/gforcada/flake8-builtins).
  - All checks from [flake8-debugger](https://github.com/jbkahn/flake8-debugger).
  - All checks from [flake8-executable](https://github.com/xuhdev/flake8-executable).

- Clippy output formatting is now supported.
  - To enable, run: `bento check --formatter clippy`
  - Example output:

```
error: r2c.flake8.E113
   --> foo.py:6:5
    |
  6 |   return x
    |
    = note: unexpected indentation
```

- Autocompletion is now supported from both `bash` and `zsh`. To use:
  - In `bash`, run `echo -e '\neval "$(_BENTO_COMPLETE=source bento)"' >> ~/.bashrc`.
  - In `zsh`, run `echo -e '\neval "$(_BENTO_COMPLETE=source_zsh bento)"' >> ~/.zshrc`.

## [0.2.1](https://pypi.org/project/bento-cli/0.2.1/) - 2019-10-29

### Fixed

- Quoted emails in git configuration do not break user registration.
- Removed files properly invalidate results cache.
- Python tools do not crawl `node_modules`.

## [0.2.0](https://pypi.org/project/bento-cli/0.2.0/) - 2019-10-23

### Changed

- Results are cached between runs. This means that an immediate rerun of
  `bento` will be much faster.
- Broadened library compatibility, especially for common packages:
  - attrs from 18.2.0
  - packaging from 14.0
  - pre-commit from 1.0.0
- `r2c.eslint` ignores `.min.js` files. Bento should only report issues in code, not built artifacts.
- Telemetry endpoint uses `bento.r2c.dev`.

### Added

- Bento check will optionally run only on passed paths, using `bento check [path] ...`.
- Add `r2c.pyre` as a configurable tool. To enable, it must be manually configured in `.bento.yml`.
- Formatters can be specified with short names, and these appear in the help text. For example, `bento check --formatter json`.
- `bento` version is passed to telemetry backend.

### Fixed

- Tool does not crash if a git user does not have an email configured.
- Fixed a regression that caused progress bars to hang after first tool completed.
- Made fully compatible with Python 3.6.
- Tool does not mangle `.gitignore` when that file lacks a trailing newline.
