[flake8-bandit] Implement upstream updates for S311, S324 and S605
#10313
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Remove unnecessary empty lines, and use `OK`/`Errors` to be more consistent with other tests.
|
| code | total | + violation | - violation | + fix | - fix |
|---|---|---|---|---|---|
| S311 | 6 | 6 | 0 | 0 | 0 |
| S605 | 1 | 1 | 0 | 0 | 0 |
| S607 | 1 | 1 | 0 | 0 | 0 |
Linter (preview)
ℹ️ ecosystem check detected linter changes. (+8 -0 violations, +0 -0 fixes in 4 projects; 39 projects unchanged)
DisnakeDev/disnake (+2 -0 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview
+ disnake/backoff.py:45:16: S311 Standard pseudo-random generators are not suitable for cryptographic purposes + disnake/colour.py:135:44: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
apache/airflow (+2 -0 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL
+ airflow/dag_processing/manager.py:1156:13: S311 Standard pseudo-random generators are not suitable for cryptographic purposes + tests/dag_processing/test_job_runner.py:363:9: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
model-bakers/model_bakery (+1 -0 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview
+ model_bakery/random_gen.py:30:16: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
zulip/zulip (+3 -0 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL
+ analytics/lib/fixtures.py:39:11: S311 Standard pseudo-random generators are not suitable for cryptographic purposes + tools/lib/provision.py:280:60: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell` + tools/lib/provision.py:280:60: S607 Starting a process with a partial executable path
Changes by rule (3 rules affected)
| code | total | + violation | - violation | + fix | - fix |
|---|---|---|---|---|---|
| S311 | 6 | 6 | 0 | 0 | 0 |
| S605 | 1 | 1 | 0 | 0 | 0 |
| S607 | 1 | 1 | 0 | 0 | 0 |
Formatter (stable)
✅ ecosystem check detected no format changes.
Formatter (preview)
✅ ecosystem check detected no format changes.
|
Not sure why there is a new match for |
charliermarsh
approved these changes
Mar 11, 2024
I think it's because you added |
Oh yeah sorry, I did not know what S607 was exactly, and didn't see that this change would also apply to this rule. But it does seem legit to handle this new case for S607, as this is the core logic to detect shell invocations, so all good it seems! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Pick up updates made in latest releases of
bandit:S311: Addrandom.Randomto B311 checks PyCQA/bandit#940 and Add random.randbytes to blacklist calls PyCQA/bandit#1096S324: Adds check for crypt module usage as weak hash PyCQA/bandit#1018S605: [B605] Add functions that are vulnerable to shell injection. PyCQA/bandit#1116Test Plan
Snapshot tests