Metadata-Version: 2.1
Name: bento-cli
Version: 0.9.1
Summary: Free program analysis focused on bugs that matter to you.
Home-page: http://bento.dev
License: Proprietary
Author: Return To Corporation
Author-email: bento@r2c.dev
Requires-Python: >=3.6,<4.0
Classifier: License :: Other/Proprietary License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Requires-Dist: PyYAML (>=5.1.2)
Requires-Dist: attrs (>=18.2.0,<=19.3.0)
Requires-Dist: click (>=7.0,<8.0)
Requires-Dist: docker (>=3.7,<4.0)
Requires-Dist: frozendict (>=1.2,<2.0)
Requires-Dist: gitpython (>=2.1,<3.0)
Requires-Dist: packaging (>=14.0)
Requires-Dist: pre-commit (>=1.0.0,<=1.18.3)
Requires-Dist: psutil (>=5.6.3,<5.7.0)
Requires-Dist: pymmh3 (>=0.0.5,<0.1.0)
Requires-Dist: r2c-lib (==0.0.18a0)
Requires-Dist: semantic-version (>=2.8.0,<2.9.0)
Requires-Dist: tqdm (>=4.36.1,<4.37.0)
Requires-Dist: validate-email (>=1.3,<2.0)
Description-Content-Type: text/markdown

<p align="center">
    <img src="https://raw.githubusercontent.com/returntocorp/bento/master/bento-logo.png" height="100" alt="Bento logo"/>
</p>
<h3 align="center">
  Find Python web-app bugs delightfully fast, without changing your workflow
</h3>

<p align="center">
  <a href="#installation">Installation</a>
  <span> · </span>
  <a href="#motivations">Motivations</a>
  <span> · </span>
  <a href="#code-checks">Code Checks</a>
  <span> · </span>
  <a href="#usage">Usage</a>
  <br/>
  <a href="#workflows">Workflows</a>
  <span> · </span>
  <a href="#running-in-cicd">Integrations</a>
  <span> · </span>
  <a href="#help-and-community">Help & Community</a>
</p>

<p align="center">
  <a href="https://pypi.org/project/bento-cli/">
    <img alt="PyPI" src="https://img.shields.io/pypi/v/bento-cli?style=flat-square&color=blue">
  </a>
  <a href="https://pypi.org/project/bento-cli/">
    <img alt="PyPI - Downloads" src="https://img.shields.io/pypi/dm/bento-cli?style=flat-square&color=green">
  </a>
  <a href="https://github.com/returntocorp/bento/issues/new/choose">
    <img src="https://img.shields.io/badge/issues-welcome-green?style=flat-square" alt="Issues welcome!" />
  </a>
  <a href="https://twitter.com/intent/follow?screen_name=r2cdev">
    <img src="https://img.shields.io/twitter/follow/r2cdev?label=Follow%20r2cdev&style=social&color=blue" alt="Follow @r2cdev" />
  </a>
</p>

Inspired by tools like the ESLint plugin for React, Bento was created for Flask and Django. With Bento you’ll:

- **Find bugs that matter.** Checks find security and reliability bugs in your code. They’re vetted across thousands of open source projects and never nit your style.
- **Upgrade your tooling.** You don’t have to fix existing bugs to adopt Bento. It’s diff-centric, finding new bugs introduced by your changes. And there’s zero config.
- **Go delightfully fast.** Run Bento automatically locally or in CI. Either way, it runs offline and never sends your code anywhere.

<p align="center">
    <img src="https://web-assets.r2c.dev/bento-demo.gif" width="100%" alt="Demonstrating Bento running in a terminal"/>
</p>

## Installation

Bento is free and requires [Python 3.6+](https://www.python.org/downloads/) and [Docker 19.03+](https://docs.docker.com/get-docker/). It runs on macOS and Linux.

In a Git project directory:

```bash
$ pip3 install bento-cli && bento init
```

Go forth and write great code!

## Motivations

> See our [Bento introductory blog post](https://bento.dev/blog/2019/our-quest-to-make-world-class-security-and-bugfinding-available-to-all-developers/) to learn the full story.

Bento is part of a quest to make world-class security and bugfinding available to all developers, for free. We’ve learned that most developers have never heard of—let alone tried—tools that find deep flaws in code: like Codenomicon, which found [Heartbleed](http://heartbleed.com/), or Zoncolan at Facebook, which finds more [top-severity security issues](https://cacm.acm.org/magazines/2019/8/238344-scaling-static-analyses-at-facebook/fulltext) than any human effort. These tools find severe issues and also save tons of time, identifying [hundreds of thousands of issues](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43322.pdf) before humans can. Bento is a step towards universal access to tools like these.

We’re also big proponents of opinionated tools like [Black](https://github.com/psf/black) and [Prettier](https://github.com/prettier/prettier). This has two implications: Bento ignores style-related issues and the bikeshedding that comes with them, and it ships with a curated set of checks that we believe are high signal and bug-worthy. See [Three things your linter shouldn’t tell you](https://bento.dev/blog/2019/three-things-your-linter-shouldnt-tell-you/) for more about our decision making process.

## Code Checks

Bento’s check focus on security and reliability bugs in Flask and Django projects.

|                              |                                      |                                                      |
| ---------------------------- | ------------------------------------ | ---------------------------------------------------- |
| **Flask**                    | **Jinja**                            | **Django**                                           |
| missing JWT token            | href template variable               | _coming soon_                                        |
| secure set cookie            | missing noopener                     |                                                      |
| send file open               | missing noreferrer                   | **Docker**                                           |
| unescaped file extension     | missing csrf protection              | [Hadolint](https://github.com/hadolint/hadolint)     |
| use blueprint for modularity | missing doctype                      |                                                      |
| use jsonify                  | meta charset                         | **Shell**                                            |
| avoid hardcoded config       | meta content-type                    | [ShellCheck](https://github.com/koalaman/shellcheck) |
|                              | unquoted attribute template variable |
| **Requests**                 |                                      |
| no auth over http            | **SQLAlchemy**                       |                                                      |
| use scheme                   | _coming soon_                        |                                                      |
| use timeout                  |                                      |

See the full list of [Bento’s specialty checks](https://bento.dev/checks/).

## Usage

Out-of-the-box, Bento is configured for your personal use. See [Team Use](#team-use) to setup Bento for all contributors.

### Upgrading

```bash
$ pip3 install --upgrade bento-cli
```

### Command Line Options

```
$ bento --help
Usage: bento [OPTIONS] COMMAND [ARGS]...

Options:
  -h, --help    Show this message and exit.
  --version     Show the version and exit.
  --agree       Automatically agree to terms of service.
  --email TEXT  Email address to use while running this command without global
                configs e.g. in CI

Commands:
  archive  Suppress current findings.
  check    Checks for new findings.
  disable  Turn OFF a Bento feature for this project.
  enable   Turn ON a Bento feature for this project.
  init     Autodetects and installs tools.

  To get help for a specific command, run `bento COMMAND --help`
```

### Exit Codes

`bento check` may exit with the following exit codes:

- `0`: Bento ran successfully and found no errors
- `2`: Bento ran successfully and found issues in your code
- `3`: Bento or one of its underlying tools failed to run

## Workflows

### Individual Use

Bento understands the importance of getting out of the way so you can write your code. It runs at commit-time on your diffs and only affects you; it won’t change anything for other project contributors or modify Git state.

Initialization enables `autorun` behind the scenes. By default `autorun` blocks the commit if Bento returns findings. To make it non-blocking:

```bash
$ bento enable autorun --no-block
```

You can always manually run Bento on staged files or directories via:

```bash
$ bento check [PATHS]
```

This will show only new findings introduced by these files AND that are not in the archive (`.bento/archive.json`). Use `--all` to check all Git tracked files, not just those that are staged:

```bash
$ bento check --all [PATHS]
```

This feature makes use of Git hooks. If the Bento hook incorrectly blocks your commit, you can skip it by passing the `--no-verify` flag to Git at commit-time (please use this sparingly since all hooks will be skipped):

```bash
$ git commit --no-verify
```

### Team Use

#### Running Locally

To setup Bento for all project contributors, add Bento’s configuration to Git (it’s ignored by default):

```bash
$ cd <PROJECT DIRECTORY>
# Add Bento's cache to the project's .gitignore
$ echo ".bento/cache" >> .gitignore
# Commit Bento's config to your project
$ git add --force .bento .bentoignore
```

Contributors can run Bento for themselves using the project’s configuration via:

```bash
$ bento init
```

#### Running in CI/CD

Bento in CI analyzes your entire project, not just the latest commit. So that you don’t have to fix all existing issues before making Bento blocking, its `archive` feature allows historical issues to be tracked and ignored during CI.

To use the `archive` feature so Bento returns a non-zero exit code only for new issues, rather than all existing issues, first create the archive:

```bash
$ cd <PROJECT DIRECTORY>
$ bento archive .
```

Commit Bento’s configuration to the project:

```bash
# Add Bento's cache to the project's .gitignore
$ echo ".bento/cache" >> .gitignore
# Commit Bento's config to your project
$ git add --force .bento .bentoignore
```

You can then add Bento to your CI scripts:

```bash
$ pip3 install bento-cli && bento --version
$ bento --agree --email=<YOUR_EMAIL> check --all 2>&1 | cat
```

We pipe through `cat` to disable Bento's interactive tty features (e.g. progress bars, using a pager for many findings).

If you use CircleCI, the above commands become:

```yaml
version: 2.1

jobs:
  bentoCheck:
  executor: circleci/python:3.7.4-stretch-node
  steps:
    - checkout
    - run:
        name: "Install Bento"
        command: pip3 install bento-cli && bento --version
    - run:
        name: "Run Bento check"
        command: bento --agree --email=<YOUR_EMAIL> check --all 2>&1 | cat
```

`bento check` will exit with a non-zero exit code if it finds issues in your code (see [Exit Codes](#exit-codes)).

If you need help setting up Bento with another CI provider please [open an issue](https://github.com/returntocorp/bento/issues/new?template=feature_request.md). Documentation PRs welcome if you set up Bento with a CI provider that isn’t documented here!

## Help and Community

Need help or want to share feedback? We’d love to hear from you!

- Email us at [support@r2c.dev](mailto:support@r2c.dev)
- Join #bento in our [community Slack](https://join.slack.com/t/r2c-community/shared_invite/enQtNjU0NDYzMjAwODY4LWE3NTg1MGNhYTAwMzk5ZGRhMjQ2MzVhNGJiZjI1ZWQ0NjQ2YWI4ZGY3OGViMGJjNzA4ODQ3MjEzOWExNjZlNTA)
- [File an issue](https://github.com/returntocorp/bento/issues/new?assignees=&labels=bug&template=bug_report.md&title=) or [submit a feature request](https://github.com/returntocorp/bento/issues/new?assignees=&labels=feature-request&template=feature_request.md&title=) directly on GitHub &mdash; we welcome them all!

We’re constantly shipping new features and improvements.

- [Sign up for the Bento newsletter](http://eepurl.com/gDeFvL) &mdash; we promise not to spam and you can unsubscribe at any time
- See past announcements, releases, and issues [here](https://us18.campaign-archive.com/home/?u=ee2dc8f77e27d3739cf4df9ef&id=d13f5e938e)

We’re fortunate to benefit from the contributions of the open source community and great projects such as [Bandit](https://pypi.org/project/bandit/), [ESLint](https://eslint.org/), [Flake8](https://pypi.org/project/flake8/), and their plugins. 🙏

## License and Legal

Please refer to the [terms and privacy document](https://github.com/returntocorp/bento/blob/master/PRIVACY.md).

</br>
</br>
<p align="center">
    <img src="https://web-assets.r2c.dev/r2c-logo-silhouette.png?gh" height="24" alt="r2c logo"/>
</p>
<p align="center">
    Copyright (c) <a href="https://r2c.dev">r2c</a>.
</p>

# Changelog

This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [0.9.1](https://pypi.org/project/bento-cli/0.9.0/) - 2020-02-14

### Fixed
- ShellCheck detect shell files robustly

## [0.9.0](https://pypi.org/project/bento-cli/0.9.0/) - 2020-02-13

### Added

- Python tools now scan files that don't end in `.py` but have python shebang
- Added ReDoS check via Dlint. The check is off by default. Enable the Dlint tool to run this check: `bento enable tool dlint`.
- Jinja checks added and turned on by default

See [https://bento.dev/checks](https://bento.dev/checks) for more information on new checks

### Fixed

- Bento iterates over files in batches if number of files to check exceeds OS argmax limit

## [0.8.2](https://pypi.org/project/bento-cli/0.8.2/) - 2020-02-05

### Fixed

- `bento check` works with repos with no previous commits
- Verify a path is a file before checking if it contains a shell shebang (shellcheck tool)
- Correctly install autorun even if git-hooks subdirectory is non-existent

## [0.8.1](https://pypi.org/project/bento-cli/0.8.1/) - 2020-01-30

### Fixed

- Perfomance improvements when running in large projects
- Additional human readable check_ids for bandit

## [0.8.0](https://pypi.org/project/bento-cli/0.8.0/) - 2020-01-24

This release represents a major shift in Bento's default behavior: It emphasizes an incremental
and personal, rather than team-wide, workflow that makes Bento a smaller commitment to use:

1. Other project contributors won’t see Bento files or have their workflows changed.
2. You no longer need to manually run Bento. After initialization Bento will automatically
   check for issues in your code as you commit, analyzing only the files that have changed.
3. You won’t see a project’s old issues (tech debt) during initialization. To view them,
   run

   ```bash
   bento check --all
   ```

### Migration

Project configurations have changed in version 0.8. In order to migrate a project from
version 0.7 or earlier:

- Ensure Bento has been upgraded using `pip3 install --upgrade bento-cli`. Run `bento --version`
  to validate Bento’s version.
- `rm -r .bento*` (Use `git rm` if you have previously added Bento files to source control).
- Run `bento init` in the project root.

### New requirements

- Docker must be installed, and the docker client running, to use Bento.

### Changed

How you use Bento has changed significantly in 0.8.

#### Usage changes

- `bento check` will now only check staged changes.
  - Use `bento check --all` to check the entire project.
- `bento archive` will archive findings due to staged diff:

  - Use `bento archive --all` to archive all findings in a project.

#### Other changes

- `hadolint` and `shellcheck` are now enabled by default.
- Messages for findings are no longer truncated.
- `bento init` will now install an empty configuration on a project it can not identify;
  tools may then be manually enabled using `bento enable tool TOOL`. Use `bento enable tool --help`
  to list tools.
- Virtual environments for Python tools are now installed in your home directory, instead of in your
  project directories.
- `eslint` is now installed in your project’s `.bento` directory, and will not modify your project’s
  `package.json`.
- Tool and check names have been modified to improve readability.
- `eslint` is disabled by default. To enable it run `bento enable tool eslint`.

### Added

- On init, Bento will prompt you to ask if you want to add ignore patterns to your global Git ignore file.
  If you agree, Bento will alter this file to ignore Bento configuration files in your git projects.
- `bento enable autorun` and `bento disable autorun` will cause Bento to either begin or stop analyzing
  code on every commit.
- Tab completion can now be installed by Bento. To install for your shell, run `bento enable autocomplete`.
  To remove tab completion, run `bento disable autocomplete`.

### Removed

- `bento check --show-all` has been removed. Use `bento check --all` instead. Archived findings can be found at `~/.bento/archive.json`.
- `bento install-hook` has been removed. Use `bento enable autorun` to run Bento on every commit.
- The histogram formatter is no longer used by default. To show findings with a histogram, run
  `bento check -f histo`.

## [0.7.0](https://pypi.org/project/bento-cli/0.7.0/) - 2019-12-11

### Fixed

- Fixed `r2c.hadolint` issue where it failed to detect files with `.dockerfile` suffixes.
- Fixed `r2c.sgrep` to respect file path when running on specific files with `bento check /path/to/file`

### Changed

- Redesigned `bento init`
  - It now runs `bento check` and `bento archive` itself; these were almost always run manually by users immediately after `bento init`
  - Displays histogram of results
- `bento check` supports running a single tool with the `-t` flag: `bento check -t r2c.flask`
- Reworked user registration flow
- Removed [flake8-builtins](https://github.com/gforcada/flake8-builtins) plugin from `r2c.flask` based on user feedback: codebases with SQLAlchemy models (common in Flask apps) regularly shadow the `id` builtin, causing false positives.
- Added eslint arrow-body-style as a default ignore because it is a style issue.
- Added unused variable/import related checks (eslint no-unused-vars and no-var, flake8 F401 and F841)to default ignore. While useful they are very noisy and are often non-issues.

### Added

- Added `r2c.boto3` tool for [Boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html) framework. To use it on a project, run `bento enable tool r2c.boto3`
- Added additional checks for `r2c.flake8`
  - [unescaped-file-extension](https://checks.bento.dev/en/latest/flake8-flask/unescaped-file-extension)
  - [use-jsonify](https://checks.bento.dev/en/latest/flake8-flask/use-jsonify/)

## [0.6.2](https://pypi.org/project/bento-cli/0.6.2/) - 2019-12-05

### Fixed

- Fixed an issue where upgrade notifications were not shown to users.
- Fix an issue where certain `.gitignore` patterns would cause an error or be skipped by Bento
- Properly render multi-line context in the Clippy formatter.

## [0.6.1](https://pypi.org/project/bento-cli/0.6.1/) - 2019-11-26

### Fixed

- Bento no longer completes initialization if it can't identify a project; this prevents
  confusing errors when subsequently running `bento check`.
- Pinned versions of all 3rd-party Python tools, so that remote package upgrades do not break
  Bento.
- Bento no longer crashes if a project path contains a space.

### Changed

- Results of `bento check` are now printed
  using the Clippy and histogram formatters (see "Added" section below) by default.
- The APIs to enable and disable a check are now `bento enable check [check]` and
  `bento disable check [check]`.
- The `r2c.flask` tool is now enabled by default. It finds best-practice and security bugs in
  code using the Python [Flask](https://www.palletsprojects.com/p/flask/) framework.
- Multiple formatters can now be used to display results from `bento check`. For example,
  `bento check -f stylish -f histo` will display results using the Stylish formatter,
  followed by display using a histogram formatter.
- Progress bars are not emitted to stderr if not a tty; this prevents progress-bar output from
  littering CI logs.
- Updated progress bar glyphs for readability on a wider range of terminal themes.
- Disabled `r2c.flake8` check `B001` by default, in favor of the (also included) `E722` check.

### Added

- Added `r2c.requests`, which finds best-practice and security bugs in code using the Python
  [Requests](https://2.python-requests.org/en/master/) framework. It is enabled by default.
- Added `r2c.sgrep`, a syntactically aware code search tool. It is _not_ enabled by default.
  To use it on a project, run `bento enable tool r2c.sgrep`. Note that Docker is required in
  order to use `r2c.sgrep`.
- All findings, including those previously archived, can now be viewed using
  `bento check --show-all`.
- Tools can now be enabled using `bento enable tool [tool_id]`. Available
  tools can be listed by running `bento enable tool --help` or using shell autocompletion.
  Tools can be disabled using `bento disable tool [tool_id]`.

## 0.6.0

Version 0.6.0 was not released.

## [0.5.0](https://pypi.org/project/bento-cli/0.5.0/) - 2019-11-18

### Fixed

- `r2c.eslint` now properly detects TypeScript imports.
- `r2c.eslint` now detects global node environments (e.g., `jest`),
  and properly resolves their global variables.

### Changed

- To better protect users' data, error messages are no longer reported to our backend.
- `.bentoignore` can now be configured to include patterns from other files; by default
  the contents of the project's `.gitignore` are included. For more information, please see the comments at
  the top of the generated `.bentoignore` file.
- Tab completion times reduced by approximately half.
- Disabled a number of `r2c.eslint` checks by default:
  - `arrow-parens`, as it conflicts with Prettier's default behavior.
  - TypeScript semicolon checking, which is stylistic.
  - `import/no-cycle` which takes 50% of tool runtime on moderately large code bases.
- `r2c.flake8 E306` disabled by default, as it is stylistic in nature.
- Runtime of `r2c.eslint` has been reduced by up to 30% for some projects.

### Added

- Added `r2c.shellcheck` tool for shell scripts. To enable, add `r2c.shellcheck` to the
  tools section of your `.bento.yml`. Note that this tool requires `docker` as a dependency.
- Added `r2c.hadolint` tool for Docker files. To enable, add `r2c.hadolint` to the
  tools section of your `.bento.yml`. Note that this tool requires `docker` to be installed in order to run.

## [0.4.1](https://pypi.org/project/bento-cli/0.4.1/) - 2019-11-14

### Fixed

- Fixes a performance regression due to changes in metrics collection.

## [0.4.0](https://pypi.org/project/bento-cli/0.4.0/) - 2019-11-11

### Changed

- We updated our [privacy policy](https://github.com/returntocorp/bento/commits/master/PRIVACY.md).
  - Notably, we collect email addresses to understand usage and communicate with users through product announcements, technical notices, updates, security alerts, and support messages.

### Added

- Added additional `r2c.click` tool for [Click](http://click.palletsprojects.com/) framework:

  - [flake8-click](https://pypi.org/project/flake8-click/) will be disabled by default.

- Added additional `r2c.flask` tool for [Flask](https://flask.palletsprojects.com/) framework:

  - [flake8-flask](https://pypi.org/project/flake8-flask/) will be disabled by default.

## [0.3.1](https://pypi.org/project/bento-cli/0.3.1/) - 2019-11-08

### Fixed

- Fixed an issue where the tool would fail to install if a macOS user
  had installed `gcc` and then upgraded their OS.
- Fixed a compatibility issue for users with a pre-existing version
  of GitPython with version between 2.1.1 and 2.1.13.

## [0.3.0](https://pypi.org/project/bento-cli/0.3.0/) - 2019-11-01

### Changed

- Bento can now be run from any subdirectory within a project.
- Updated the privacy and terms-of-service statement.

### Added

- File ignores are configurable via [git-style ignore patterns](https://git-scm.com/docs/gitignore) (include patterns
  are not supported). Patterns should be added to `.bentoignore`.

- Added additional checks to the `r2c.flake8` tool:

  - All checks from [flake8-bugbear](https://github.com/PyCQA/flake8-bugbear) (except for B009 and B010,
    which are stylistic in nature).
  - All checks from [flake8-builtins](https://github.com/gforcada/flake8-builtins).
  - All checks from [flake8-debugger](https://github.com/jbkahn/flake8-debugger).
  - All checks from [flake8-executable](https://github.com/xuhdev/flake8-executable).

- Clippy output formatting is now supported.
  - To enable, run: `bento check --formatter clippy`
  - Example output:

```
error: r2c.flake8.E113
   --> foo.py:6:5
    |
  6 |   return x
    |
    = note: unexpected indentation
```

- Autocompletion is now supported from both `bash` and `zsh`. To use:
  - In `bash`, run `echo -e '\neval "$(_BENTO_COMPLETE=source bento)"' >> ~/.bashrc`.
  - In `zsh`, run `echo -e '\neval "$(_BENTO_COMPLETE=source_zsh bento)"' >> ~/.zshrc`.

## [0.2.1](https://pypi.org/project/bento-cli/0.2.1/) - 2019-10-29

### Fixed

- Quoted emails in git configuration do not break user registration.
- Removed files properly invalidate results cache.
- Python tools do not crawl `node_modules`.

## [0.2.0](https://pypi.org/project/bento-cli/0.2.0/) - 2019-10-23

### Changed

- Results are cached between runs. This means that an immediate rerun of
  `bento` will be much faster.
- Broadened library compatibility, especially for common packages:
  - attrs from 18.2.0
  - packaging from 14.0
  - pre-commit from 1.0.0
- `r2c.eslint` ignores `.min.js` files. Bento should only report issues in code, not built artifacts.
- Telemetry endpoint uses `bento.r2c.dev`.

### Added

- Bento check will optionally run only on passed paths, using `bento check [path] ...`.
- Add `r2c.pyre` as a configurable tool. To enable, it must be manually configured in `.bento.yml`.
- Formatters can be specified with short names, and these appear in the help text. For example, `bento check --formatter json`.
- `bento` version is passed to telemetry backend.

### Fixed

- Tool does not crash if a git user does not have an email configured.
- Fixed a regression that caused progress bars to hang after first tool completed.
- Made fully compatible with Python 3.6.
- Tool does not mangle `.gitignore` when that file lacks a trailing newline.

