Replace bandit with ruff #6961
Merged
Replace bandit with ruff #6961
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I'm very much in favor of (a) this specific change and (b) in general standardizing these tools, to avoid surprises like freedomofpress/securedrop-client#1668. But you knew that already. :-) |
cfm
added a commit
that referenced
this pull request
Oct 2, 2023
GitPython is a development-only dependency of Bandit, which will be obsoleted by #6961. In the meantime: - CVE-2023-40590 (Safety 60789) affects Windows, which we don't support. - CVE-2023-41040 (Safety 60841) is not exploitable for our use of GitPython via Bandit.
1 task
rocodes
previously approved these changes
Oct 3, 2023
There was a problem hiding this comment.
LGTM pending the il8n stuff mentioned in the PR - yay ruff, thanks @legoktm :)
ruff has reimplemented the bandit rules[1], so we can use that as a better-integrated tool with the rest of our stack. We enable all the bandit rules and selectively disable some across the codebase and some in just tests where they don't make sense (e.g. flagging use of `assert` or using insecure crypto). For bonus points we can get rid of the GitPython dependency, which has a history of (non-exploitable in our context) security issues. [1] Per astral-sh/ruff#1646 they've implemented nearly all of them, and the remaining ones aren't that important IMO.
|
This should be ready to go now! |
zenmonkeykstop
approved these changes
Oct 12, 2023
eloquence
added a commit
to freedomofpress/securedrop-builder
that referenced
this pull request
Jan 9, 2024
With heavy inspiration from freedomofpress/securedrop#6961
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Status
Ready for review,
depends on #6954 (I did not fix the bandit issues in i18n_tool.py)Description of Changes
ruff has reimplemented the bandit rules[1], so we can use that as a better-integrated tool with the rest of our stack. We enable all the bandit rules and selectively disable some across the codebase and some in just tests where they don't make sense (e.g. flagging use of
assertor using insecure crypto).For bonus points we can get rid of the GitPython dependency, which has a history of (non-exploitable in our context) security issues.
[1] Per astral-sh/ruff#1646 they've implemented nearly all of them, and the remaining ones aren't that important IMO.
Testing
How should the reviewer test this PR?
make check-ruffpasses locallyDeployment
Any special considerations for deployment? No
Checklist
make lint) and tests (make test) pass in the development container