Ruff: add and fix PYI #10092

Closed
wants to merge 1 commit into from

Conversation

@kiblik (Contributor) commented May 2, 2024

@github-actions github-actions bot added the parser label May 2, 2024

dryrunsecurity bot commented May 2, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request primarily focus on refactoring the handling of various security-related data models and parsers used by the application. The key changes include:

  1. Replacing namedtuple with NamedTuple: The code updates the usage of the deprecated namedtuple from the collections module to the more modern and type-annotated NamedTuple from the typing module. This improves the readability and maintainability of the code.

  2. Enhancing the ORT Parser: The changes to the dojo/tools/ort/parser.py file improve the handling of rule violations and the extraction of project information from the Open Review Toolkit (ORT) output. This includes the ability to identify and represent unresolved rule violations, which is an important aspect of application security assessment.

  3. Mapping Rule Violations to Findings: The code introduces a RuleViolationModel and a function to map the rule violation data to a Finding object. This aligns with the application security engineering practices and allows for the integration of the ORT findings into the overall security assessment and reporting process.

Files Changed:

  1. ruff.toml: The changes update the Ruff linter configuration to include a new "PYI" rule, which is likely a new rule added to Ruff. While this does not directly impact application security, it can help improve the overall code quality and maintainability.

  2. dojo/tools/blackduck/model.py and dojo/tools/blackduck_binary_analysis/model.py: These changes refactor the use of namedtuple to NamedTuple, which is a more modern and type-safe approach to defining data structures in Python. This does not introduce any security concerns but can improve code readability and maintainability.

  3. dojo/tools/ort/parser.py: The changes to this file significantly improve the handling and representation of security-related information from the ORT tool, including the ability to identify and extract unresolved rule violations. This enhances the application security capabilities of the tool.

Overall, the code changes in this pull request do not introduce any immediate security concerns but rather focus on improving the handling and integration of security-related data within the application. As an application security engineer, I would recommend reviewing the changes to ensure that the new functionality is implemented securely and that the integration with the overall security assessment process is properly addressed.

Powered by DryRun Security
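The summary above describes two things: replacing `collections.namedtuple` with `typing.NamedTuple` in the finding models, and mapping an ORT rule violation onto a finding. The block below is an added example, not code from this pull request or from DefectDojo; the class names (`BlackduckFinding`, `RuleViolationModel`), the field names, the severity mapping and the sample records are all constructed for illustration, and the violation-to-finding mapping is a hypothetical one. It shows why the refactor is behaviour-preserving (same tuple contract, `_fields`, `_asdict`, `_replace`) while making field types visible to linters and type checkers.

```python
# Added example, not code from the DefectDojo pull request: the
# collections.namedtuple -> typing.NamedTuple refactor the bot summary
# describes, applied to a hypothetical finding model, plus a hypothetical
# rule-violation -> finding mapping. All class names, field names, the
# severity mapping and the sample rows are constructed for illustration.
from collections import namedtuple
from typing import NamedTuple, Optional

# "Before": factory-function style. Field types are not expressed anywhere,
# so a caller that swaps two string arguments is invisible to linters and
# type checkers.
LegacyFinding = namedtuple(
    "LegacyFinding",
    ["vuln_id", "severity", "component", "fix_version"],
    defaults=(None,),  # applies to the rightmost field, fix_version
)


# "After": class syntax with annotations. Still a tuple subclass with the
# same _fields/_asdict/_replace contract, but the field types are now part
# of the definition, which is what stub-style (PYI) rules and type checkers
# can check.
class BlackduckFinding(NamedTuple):
    vuln_id: str
    severity: str
    component: str
    fix_version: Optional[str] = None


class RuleViolationModel(NamedTuple):
    rule: str
    pkg: str
    severity: str
    message: str
    resolved: bool = False


# Hypothetical mapping from an ORT-style severity to a finding severity.
SEVERITY_MAP = {"ERROR": "High", "WARNING": "Medium", "HINT": "Low"}


def parse_rule_violation(row: dict) -> RuleViolationModel:
    """Build a typed model from one raw violation record (constructed shape)."""
    return RuleViolationModel(
        rule=row["rule"],
        pkg=row["pkg"],
        severity=row["severity"],
        message=row["message"],
        # A violation counts as resolved when the record carries resolutions.
        resolved=bool(row.get("resolutions")),
    )


def rule_violation_to_finding(rv: RuleViolationModel) -> dict:
    """Map a rule violation onto a minimal finding-like dict (hypothetical mapping)."""
    return {
        "title": f"{rv.rule}: {rv.pkg}",
        "severity": SEVERITY_MAP.get(rv.severity, "Info"),
        "description": rv.message,
        "active": not rv.resolved,
    }


def unresolved_findings(rows: list) -> list:
    """Keep only violations that still need attention, as finding dicts."""
    models = [parse_rule_violation(r) for r in rows]
    return [rule_violation_to_finding(m) for m in models if not m.resolved]


def models_are_equivalent() -> bool:
    """Show that the refactor preserves the tuple contract existing callers use."""
    old = LegacyFinding("CVE-PLACEHOLDER-0001", "High", "libfoo:1.0")
    new = BlackduckFinding("CVE-PLACEHOLDER-0001", "High", "libfoo:1.0")
    return (
        tuple(old) == tuple(new)
        and old._asdict() == new._asdict()
        and BlackduckFinding._fields == LegacyFinding._fields
        and new._replace(severity="Low").severity == "Low"
        and new.fix_version is None
    )


# Constructed sample records; not real ORT output.
SAMPLE_ROWS = [
    {"rule": "COPYLEFT_IN_SOURCE", "pkg": "Maven:org.example:lib:1.2.3",
     "severity": "ERROR", "message": "GPL-2.0-only license in source.",
     "resolutions": []},
    {"rule": "VULNERABILITY_IN_PACKAGE", "pkg": "NPM::left-pad:1.0.0",
     "severity": "WARNING", "message": "Known vulnerability reported.",
     "resolutions": [{"reason": "CANT_FIX_EXCEPTION"}]},
]

if __name__ == "__main__":
    assert models_are_equivalent()
    for f in unresolved_findings(SAMPLE_ROWS):
        print(f["severity"], f["title"])
```

The design point worth noting: because `NamedTuple` subclasses are still plain tuples, positional construction, unpacking and the `_`-prefixed helpers keep working, so the migration needs no caller changes; what changes is that a misordered argument now shows up in static analysis rather than as a malformed finding at runtime.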

@kiblik kiblik marked this pull request as draft May 2, 2024 11:30

This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.


github-actions bot commented Jul 2, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented Jul 4, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.


This pull request has conflicts, please resolve those before we can evaluate the pull request.


dryrunsecurity bot commented Aug 8, 2024

DryRun Security Summary

The provided code changes in this GitHub pull request focus on refactoring and updating the configuration and data models used by various security-related tools and libraries, which can have implications for the overall application security posture and should be reviewed accordingly.

Summary:

The provided code changes in this GitHub pull request are primarily focused on refactoring and updating the configuration and data models used by various security-related tools and libraries. While these changes do not directly introduce any security vulnerabilities, they do have implications for the overall application security posture and should be reviewed accordingly.

The key changes include:

  1. Updating the Ruff linter configuration to add a new linting rule, which can indirectly impact security by ensuring that the codebase adheres to certain security-related best practices.
  2. Refactoring the BlackduckBinaryAnalysisFinding and RuleViolationModel named tuples to use the NamedTuple class from the typing module instead of the namedtuple from the collections module.
  3. Updating the BlackduckFinding class to also use NamedTuple instead of namedtuple.

These changes, while seemingly minor, can have implications for the security and maintainability of the application. It's important to ensure that the overall implementation and usage of these security-related data models are secure, and that the underlying tools and processes are properly integrated and configured to effectively identify and address vulnerabilities.

Files Changed:

  1. ruff.toml: The changes in this file update the Ruff linter configuration by adding a new linting rule, "PYI", to the select list. While this does not directly introduce any security vulnerabilities, it's important to ensure that the Ruff linter is properly configured to enforce security best practices and catch common security issues.

  2. dojo/tools/blackduck_binary_analysis/model.py and dojo/tools/ort/parser.py: These files contain changes that update the use of namedtuple to NamedTuple for various data models used in the application. While these changes are primarily refactoring in nature, it's important to ensure that the overall implementation and usage of these data models are secure, and that the underlying tools and processes (e.g., Blackduck binary analysis, Open Review Toolkit) are properly integrated and configured to effectively identify and address vulnerabilities.

  3. dojo/tools/blackduck/model.py: This file also contains a similar change, updating the BlackduckFinding class to use NamedTuple instead of namedtuple. The BlackduckFinding class is used to represent the results of a Blackduck security scan, which is a crucial tool for identifying vulnerabilities in software components. It's important to ensure that the Blackduck integration is properly configured and that the results are being reviewed and addressed in a timely manner.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


github-actions bot commented Aug 8, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch

It looks like there has not been any activity here for a while. In order to keep the list of pull requests in a manageable state, we are closing this one for now. If we are making a mistake here, please reopen the pull request, and leave us a note 😄

@Maffooch Maffooch closed this Nov 15, 2024