Replace bandit with ruff (#93200)

home-assistant · Jun 8, 2023 · ca936d0 · ca936d0
1 parent f7938c9
commit ca936d0
Show file tree

Hide file tree

Showing 16 changed files with 36 additions and 61 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -468,19 +468,6 @@ jobs:
         with:
           args: hadolint Dockerfile.dev
 
-      - name: Run bandit (fully)
-        if: needs.info.outputs.test_full_suite == 'true'
-        run: |
-          . venv/bin/activate
-          pre-commit run --hook-stage manual bandit --all-files --show-diff-on-failure
-      - name: Run bandit (partially)
-        if: needs.info.outputs.test_full_suite == 'false'
-        shell: bash
-        run: |
-          . venv/bin/activate
-          shopt -s globstar
-          pre-commit run --hook-stage manual bandit --files {homeassistant,tests}/components/${{ needs.info.outputs.integrations_glob }}/{*,**/*} --show-diff-on-failure
-
   base:
     name: Prepare dependencies
     runs-on: ubuntu-22.04

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -22,15 +22,6 @@ repos:
           - --quiet-level=2
         exclude_types: [csv, json]
         exclude: ^tests/fixtures/|homeassistant/generated/
-  - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.4
-    hooks:
-      - id: bandit
-        args:
-          - --quiet
-          - --format=custom
-          - --configfile=tests/bandit.yaml
-        files: ^(homeassistant|script|tests)/.+\.py$
   - repo: https://github.com/PyCQA/isort
     rev: 5.12.0
     hooks:

diff --git a/homeassistant/components/command_line/notify.py b/homeassistant/components/command_line/notify.py
@@ -72,7 +72,7 @@ def send_message(self, message: str = "", **kwargs: Any) -> None:
             universal_newlines=True,
             stdin=subprocess.PIPE,
             close_fds=False,  # required for posix_spawn
-            shell=True,  # nosec # shell by design
+            shell=True,  # noqa: S602 # shell by design
         ) as proc:
             try:
                 proc.communicate(input=message, timeout=self._timeout)

diff --git a/homeassistant/components/command_line/utils.py b/homeassistant/components/command_line/utils.py
@@ -19,7 +19,7 @@ def call_shell_with_timeout(
         _LOGGER.debug("Running command: %s", command)
         subprocess.check_output(
             command,
-            shell=True,  # nosec # shell by design
+            shell=True,  # noqa: S602 # shell by design
             timeout=timeout,
             close_fds=False,  # required for posix_spawn
         )
@@ -45,7 +45,7 @@ def check_output_or_log(command: str, timeout: int) -> str | None:
     try:
         return_value = subprocess.check_output(
             command,
-            shell=True,  # nosec # shell by design
+            shell=True,  # noqa: S602 # shell by design
             timeout=timeout,
             close_fds=False,  # required for posix_spawn
         )

diff --git a/homeassistant/components/gtfs/sensor.py b/homeassistant/components/gtfs/sensor.py
@@ -341,7 +341,7 @@ def get_next_departure(
                  {tomorrow_order}
                  origin_stop_time.departure_time
         LIMIT :limit
-        """
+        """  # noqa: S608
     result = schedule.engine.connect().execute(
         text(sql_query),
         {

diff --git a/homeassistant/components/influxdb/sensor.py b/homeassistant/components/influxdb/sensor.py
@@ -339,7 +339,7 @@ def update(self):
             return
 
         self.query = (
-            f"select {self.group}({self.field}) as {INFLUX_CONF_VALUE} from"
+            f"select {self.group}({self.field}) as {INFLUX_CONF_VALUE} from"  # noqa: S608
             f" {self.measurement} where {where_clause}"
         )
 

diff --git a/homeassistant/components/recorder/migration.py b/homeassistant/components/recorder/migration.py
@@ -1303,7 +1303,7 @@ def _migrate_statistics_columns_to_timestamp(
             with session_scope(session=session_maker()) as session:
                 session.connection().execute(
                     text(
-                        f"UPDATE {table} set start_ts=strftime('%s',start) + "
+                        f"UPDATE {table} set start_ts=strftime('%s',start) + "  # noqa: S608
                         "cast(substr(start,-7) AS FLOAT), "
                         f"created_ts=strftime('%s',created) + "
                         "cast(substr(created,-7) AS FLOAT), "
@@ -1321,7 +1321,7 @@ def _migrate_statistics_columns_to_timestamp(
                 with session_scope(session=session_maker()) as session:
                     result = session.connection().execute(
                         text(
-                            f"UPDATE {table} set start_ts="
+                            f"UPDATE {table} set start_ts="  # noqa: S608
                             "IF(start is NULL or UNIX_TIMESTAMP(start) is NULL,0,"
                             "UNIX_TIMESTAMP(start) "
                             "), "
@@ -1343,7 +1343,7 @@ def _migrate_statistics_columns_to_timestamp(
                 with session_scope(session=session_maker()) as session:
                     result = session.connection().execute(
                         text(
-                            f"UPDATE {table} set start_ts="  # nosec
+                            f"UPDATE {table} set start_ts="  # noqa: S608
                             "(case when start is NULL then 0 else EXTRACT(EPOCH FROM start::timestamptz) end), "
                             "created_ts=EXTRACT(EPOCH FROM created::timestamptz), "
                             "last_reset_ts=EXTRACT(EPOCH FROM last_reset::timestamptz) "

diff --git a/homeassistant/components/recorder/statistics.py b/homeassistant/components/recorder/statistics.py
@@ -2400,7 +2400,7 @@ def cleanup_statistics_timestamp_migration(instance: Recorder) -> bool:
             with session_scope(session=instance.get_session()) as session:
                 session.connection().execute(
                     text(
-                        f"update {table} set start = NULL, created = NULL, last_reset = NULL;"
+                        f"update {table} set start = NULL, created = NULL, last_reset = NULL;"  # noqa: S608
                     )
                 )
     elif engine.dialect.name == SupportedDialect.MYSQL:
@@ -2410,7 +2410,7 @@ def cleanup_statistics_timestamp_migration(instance: Recorder) -> bool:
                     session.connection()
                     .execute(
                         text(
-                            f"UPDATE {table} set start=NULL, created=NULL, last_reset=NULL where start is not NULL LIMIT 100000;"
+                            f"UPDATE {table} set start=NULL, created=NULL, last_reset=NULL where start is not NULL LIMIT 100000;"  # noqa: S608
                         )
                     )
                     .rowcount
@@ -2425,7 +2425,7 @@ def cleanup_statistics_timestamp_migration(instance: Recorder) -> bool:
                     session.connection()
                     .execute(
                         text(
-                            f"UPDATE {table} set start=NULL, created=NULL, last_reset=NULL "  # nosec
+                            f"UPDATE {table} set start=NULL, created=NULL, last_reset=NULL "  # noqa: S608
                             f"where id in (select id from {table} where start is not NULL LIMIT 100000)"
                         )
                     )

diff --git a/homeassistant/components/recorder/util.py b/homeassistant/components/recorder/util.py
@@ -278,9 +278,11 @@ def basic_sanity_check(cursor: SQLiteCursor) -> bool:
 
     for table in TABLES_TO_CHECK:
         if table in (TABLE_RECORDER_RUNS, TABLE_SCHEMA_CHANGES):
-            cursor.execute(f"SELECT * FROM {table};")  # nosec # not injection
+            cursor.execute(f"SELECT * FROM {table};")  # noqa: S608 # not injection
         else:
-            cursor.execute(f"SELECT * FROM {table} LIMIT 1;")  # nosec # not injection
+            cursor.execute(
+                f"SELECT * FROM {table} LIMIT 1;"  # noqa: S608 # not injection
+            )
 
     return True
 

diff --git a/homeassistant/components/yi/camera.py b/homeassistant/components/yi/camera.py
@@ -29,7 +29,7 @@
 
 DEFAULT_BRAND = "YI Home Camera"
 DEFAULT_PASSWORD = ""
-DEFAULT_PATH = "/tmp/sd/record"  # nosec
+DEFAULT_PATH = "/tmp/sd/record"  # noqa: S108
 DEFAULT_PORT = 21
 DEFAULT_USERNAME = "root"
 DEFAULT_ARGUMENTS = "-pred 1"

diff --git a/pyproject.toml b/pyproject.toml
@@ -251,6 +251,23 @@ select = [
     "ICN001", # import concentions; {name} should be imported as {asname}
     "PGH004",  # Use specific rule codes when using noqa
     "PLC0414", # Useless import alias. Import alias does not rename original package.
+    "S103",  # bad-file-permissions
+    "S108",  # hardcoded-temp-file
+    "S306",  # suspicious-mktemp-usage
+    "S307",  # suspicious-eval-usage
+    "S313",  # suspicious-xmlc-element-tree-usage
+    "S314",  # suspicious-xml-element-tree-usage
+    "S315",  # suspicious-xml-expat-reader-usage
+    "S316",  # suspicious-xml-expat-builder-usage
+    "S317",  # suspicious-xml-sax-usage
+    "S318",  # suspicious-xml-mini-dom-usage
+    "S319",  # suspicious-xml-pull-dom-usage
+    "S320",  # suspicious-xmle-tree-usage
+    "S601",  # paramiko-call
+    "S602",  # subprocess-popen-with-shell-equals-true
+    "S604",  # call-with-shell-equals-true
+    "S608",  # hardcoded-sql-expression
+    "S609",  # unix-command-wildcard-injection
     "SIM105", # Use contextlib.suppress({exception}) instead of try-except-pass
     "SIM117", # Merge with-statements that use the same scope
     "SIM118", # Use {key} in {dict} instead of {key} in {dict}.keys()

diff --git a/requirements_test_pre_commit.txt b/requirements_test_pre_commit.txt
@@ -1,6 +1,5 @@
 # Automatically generated from .pre-commit-config.yaml by gen_requirements_all.py, do not edit
 
-bandit==1.7.4
 black==23.3.0
 codespell==2.2.2
 isort==5.12.0

diff --git a/tests/bandit.yaml b/tests/bandit.yaml
diff --git a/tests/components/command_line/test_cover.py b/tests/components/command_line/test_cover.py
@@ -145,7 +145,7 @@ async def test_poll_when_cover_has_command_state(
         await hass.async_block_till_done()
         check_output.assert_called_once_with(
             "echo state",
-            shell=True,  # nosec # shell by design
+            shell=True,  # noqa: S604 # shell by design
             timeout=15,
             close_fds=False,
         )

diff --git a/tests/components/command_line/test_sensor.py b/tests/components/command_line/test_sensor.py
@@ -167,7 +167,7 @@ async def test_template_render_with_quote(hass: HomeAssistant) -> None:
         assert len(check_output.mock_calls) == 1
         check_output.assert_called_with(
             'echo "sensor_value" "3 4"',
-            shell=True,  # nosec # shell by design
+            shell=True,  # noqa: S604 # shell by design
             timeout=15,
             close_fds=False,
         )

diff --git a/tests/util/test_process.py b/tests/util/test_process.py
@@ -12,7 +12,7 @@ async def test_kill_process() -> None:
     """Test killing a process."""
     sleeper = subprocess.Popen(
         "sleep 1000",
-        shell=True,  # nosec # shell by design
+        shell=True,  # noqa: S602 # shell by design
         stdout=subprocess.DEVNULL,
         stderr=subprocess.DEVNULL,
     )