Description
Describe the bug
There is an error in the line-calculation logic of the SARIF formatter: in bandit.formatters.sarif.add_region_and_context_region, snippet_lines contains fewer entries than line_range spans, so indexing it with line_range[0] - first_line_number raises IndexError. Yet the line that "physicalLocation" needs is always present — it is the second line of the code snippet.
Traceback:
bandit -r -f sarif tests/conftest.py
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.13.7
Traceback (most recent call last):
File "/Users/jerrdasur/dev/open/damn-vulnerable-MCP-server/.venv/lib/python3.13/site-packages/bandit/core/manager.py", line 186, in output_results
report_func(
~~~~~~~~~~~^
self,
^^^^^
...<3 lines>...
lines=lines,
^^^^^^^^^^^^
)
^
File "/Users/jerrdasur/dev/open/damn-vulnerable-MCP-server/.venv/lib/python3.13/site-packages/bandit/formatters/sarif.py", line 188, in report
add_results(issues, run)
~~~~~~~~~~~^^^^^^^^^^^^^
File "/Users/jerrdasur/dev/open/damn-vulnerable-MCP-server/.venv/lib/python3.13/site-packages/bandit/formatters/sarif.py", line 233, in add_results
result = create_result(issue, rules, rule_indices)
File "/Users/jerrdasur/dev/open/damn-vulnerable-MCP-server/.venv/lib/python3.13/site-packages/bandit/formatters/sarif.py", line 251, in create_result
add_region_and_context_region(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
physical_location,
^^^^^^^^^^^^^^^^^^
...<3 lines>...
issue_dict["code"],
^^^^^^^^^^^^^^^^^^^
)
^
File "/Users/jerrdasur/dev/open/damn-vulnerable-MCP-server/.venv/lib/python3.13/site-packages/bandit/formatters/sarif.py", line 288, in add_region_and_context_region
snippet_line = snippet_lines[line_range[0] - first_line_number]
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
IndexError: list index out of range
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Users/jerrdasur/dev/open/damn-vulnerable-MCP-server/.venv/bin/bandit", line 7, in <module>
sys.exit(main())
~~~~^^
File "/Users/jerrdasur/dev/open/damn-vulnerable-MCP-server/.venv/lib/python3.13/site-packages/bandit/cli/main.py", line 678, in main
b_mgr.output_results(
~~~~~~~~~~~~~~~~~~~~^
args.context_lines,
^^^^^^^^^^^^^^^^^^^
...<4 lines>...
args.msg_template,
^^^^^^^^^^^^^^^^^^
)
^
File "/Users/jerrdasur/dev/open/damn-vulnerable-MCP-server/.venv/lib/python3.13/site-packages/bandit/core/manager.py", line 195, in output_results
raise RuntimeError(
...<2 lines>...
)
RuntimeError: Unable to output report using 'sarif' formatter: list index out of range
Reproduction steps
1. ensure python >=3.13.7 is installed
2. git clone git@github.com:harishsg993010/damn-vulnerable-MCP-server.git
3. cd damn-vulnerable-MCP-server
4. python3 -m venv ./.venv/
5. source .venv/bin/activate
6. pip3 install bandit 'bandit[sarif]'
7. bandit -r -f sarif tests/conftest.py
Expected behavior
Results in default bandit format:
bandit -r tests/conftest.py
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.13.7
Run started:2025-10-06 21:58:05.243854
Test results:
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b108_hardcoded_tmp_directory.html
Location: ./tests/conftest.py:170:34
169 "autorestart": True,
170 "stdout_logfile": "/tmp/test_stdout.log",
171 "stderr_logfile": "/tmp/test_stderr.log",
172 }
173 ]
174 }
--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b108_hardcoded_tmp_directory.html
Location: ./tests/conftest.py:171:34
170 "stdout_logfile": "/tmp/test_stdout.log",
171 "stderr_logfile": "/tmp/test_stderr.log",
172 }
173 ]
174 }
--------------------------------------------------
Code scanned:
Total lines of code: 140
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 0
Medium: 2
High: 0
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 2
High: 0
Files skipped (0):
SARIF:
{
"runs": [
{
"tool": {
"driver": {
"name": "Bandit",
"organization": "PyCQA",
"rules": [
{
"id": "B108",
"name": "hardcoded_tmp_directory",
"properties": {
"tags": [
"security",
"external/cwe/cwe-377"
],
"precision": "medium"
},
"helpUri": "https://bandit.readthedocs.io/en/1.8.6/plugins/b108_hardcoded_tmp_directory.html"
}
],
"version": "1.8.6",
"semanticVersion": "1.8.6"
}
},
"invocations": [
{
"executionSuccessful": true,
"endTimeUtc": "2025-10-06T22:38:29Z"
}
],
"properties": {
"metrics": {
"_totals": {
"loc": 140,
"nosec": 0,
"skipped_tests": 0,
"SEVERITY.UNDEFINED": 0,
"CONFIDENCE.UNDEFINED": 0,
"SEVERITY.LOW": 0,
"CONFIDENCE.LOW": 0,
"SEVERITY.MEDIUM": 2,
"CONFIDENCE.MEDIUM": 2,
"SEVERITY.HIGH": 0,
"CONFIDENCE.HIGH": 0
},
"./tests/conftest.py": {
"loc": 140,
"nosec": 0,
"skipped_tests": 0,
"SEVERITY.UNDEFINED": 0,
"SEVERITY.LOW": 0,
"SEVERITY.MEDIUM": 2,
"SEVERITY.HIGH": 0,
"CONFIDENCE.UNDEFINED": 0,
"CONFIDENCE.LOW": 0,
"CONFIDENCE.MEDIUM": 2,
"CONFIDENCE.HIGH": 0
}
}
},
"results": [
{
"message": {
"text": "Probable insecure usage of temp file/directory."
},
"locations": [
{
"physicalLocation": {
"region": {
"snippet": {
"text": " \"stdout_logfile\": \"/tmp/test_stdout.log\",\n"
},
"endColumn": 57,
"endLine": 165,
"startColumn": 35,
"startLine": 164
},
"artifactLocation": {
"uri": "tests/conftest.py"
},
"contextRegion": {
"snippet": {
"text": " \"autorestart\": True,\n \"stdout_logfile\": \"/tmp/test_stdout.log\",\n \"stderr_logfile\": \"/tmp/test_stderr.log\",\n }\n ]\n }\n"
},
"endLine": 174,
"startLine": 169
}
}
}
],
"properties": {
"issue_confidence": "MEDIUM",
"issue_severity": "MEDIUM"
},
"ruleId": "B108",
"ruleIndex": 0
},
{
"message": {
"text": "Probable insecure usage of temp file/directory."
},
"locations": [
{
"physicalLocation": {
"region": {
"snippet": {
"text": " \"stderr_logfile\": \"/tmp/test_stderr.log\",\n"
},
"endColumn": 57,
"endLine": 165,
"startColumn": 35,
"startLine": 164
},
"artifactLocation": {
"uri": "tests/conftest.py"
},
"contextRegion": {
"snippet": {
"text": " \"stdout_logfile\": \"/tmp/test_stdout.log\",\n \"stderr_logfile\": \"/tmp/test_stderr.log\",\n }\n ]\n }\n"
},
"endLine": 174,
"startLine": 170
}
}
}
],
"properties": {
"issue_confidence": "MEDIUM",
"issue_severity": "MEDIUM"
},
"ruleId": "B108",
"ruleIndex": 0
}
]
}
],
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json"
}%
Bandit version
1.8.3 (Default)
Python version
3.13 (Default)
Additional context
No response
kablov