From ca936d0b384632b1104bca4ee252791e1a470fbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ville=20Skytt=C3=A4?= Date: Thu, 8 Jun 2023 23:46:04 +0300 Subject: [PATCH] Replace bandit with ruff (#93200) --- .github/workflows/ci.yaml | 13 ------------ .pre-commit-config.yaml | 9 -------- .../components/command_line/notify.py | 2 +- .../components/command_line/utils.py | 4 ++-- homeassistant/components/gtfs/sensor.py | 2 +- homeassistant/components/influxdb/sensor.py | 2 +- .../components/recorder/migration.py | 6 +++--- .../components/recorder/statistics.py | 6 +++--- homeassistant/components/recorder/util.py | 6 ++++-- homeassistant/components/yi/camera.py | 2 +- pyproject.toml | 17 +++++++++++++++ requirements_test_pre_commit.txt | 1 - tests/bandit.yaml | 21 ------------------- tests/components/command_line/test_cover.py | 2 +- tests/components/command_line/test_sensor.py | 2 +- tests/util/test_process.py | 2 +- 16 files changed, 36 insertions(+), 61 deletions(-) delete mode 100644 tests/bandit.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index cb24a6a9d45dd7..8a99287b8697e8 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -468,19 +468,6 @@ jobs: with: args: hadolint Dockerfile.dev - - name: Run bandit (fully) - if: needs.info.outputs.test_full_suite == 'true' - run: | - . venv/bin/activate - pre-commit run --hook-stage manual bandit --all-files --show-diff-on-failure - - name: Run bandit (partially) - if: needs.info.outputs.test_full_suite == 'false' - shell: bash - run: | - . venv/bin/activate - shopt -s globstar - pre-commit run --hook-stage manual bandit --files {homeassistant,tests}/components/${{ needs.info.outputs.integrations_glob }}/{*,**/*} --show-diff-on-failure - base: name: Prepare dependencies runs-on: ubuntu-22.04 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 461543ba14115f..3fac4229f8cba3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -22,15 +22,6 @@ repos:
 - --quiet-level=2
 exclude_types: [csv, json]
 exclude: ^tests/fixtures/|homeassistant/generated/
- - repo: https://github.com/PyCQA/bandit
- rev: 1.7.4
- hooks:
- - id: bandit
- args:
- - --quiet
- - --format=custom
- - --configfile=tests/bandit.yaml
- files: ^(homeassistant|script|tests)/.+\.py$
 - repo: https://github.com/PyCQA/isort
 rev: 5.12.0
 hooks:
diff --git a/homeassistant/components/command_line/notify.py b/homeassistant/components/command_line/notify.py
index 2922b8caae3bdd..2f4f20045d7743 100644
--- a/homeassistant/components/command_line/notify.py
+++ b/homeassistant/components/command_line/notify.py
@@ -72,7 +72,7 @@ def send_message(self, message: str = "", **kwargs: Any) -> None:
 universal_newlines=True,
 stdin=subprocess.PIPE,
 close_fds=False, # required for posix_spawn
- shell=True, # nosec # shell by design
+ shell=True, # noqa: S602 # shell by design
 ) as proc:
 try:
 proc.communicate(input=message, timeout=self._timeout)
diff --git a/homeassistant/components/command_line/utils.py b/homeassistant/components/command_line/utils.py
index 2d42732190ef5f..66faa3a0bf828c 100644
--- a/homeassistant/components/command_line/utils.py
+++ b/homeassistant/components/command_line/utils.py
@@ -19,7 +19,7 @@ def call_shell_with_timeout(
 _LOGGER.debug("Running command: %s", command)
 subprocess.check_output(
 command,
- shell=True, # nosec # shell by design
+ shell=True, # noqa: S602 # shell by design
 timeout=timeout,
 close_fds=False, # required for posix_spawn
 )
@@ -45,7 +45,7 @@ def check_output_or_log(command: str, timeout: int) -> str | None:
 try:
 return_value = subprocess.check_output(
 command,
- shell=True, # nosec # shell by design
+ shell=True, # noqa: S602 # shell by design
 timeout=timeout,
 close_fds=False, # required for posix_spawn
 )
diff --git a/homeassistant/components/gtfs/sensor.py b/homeassistant/components/gtfs/sensor.py
index 9fac4d0192671e..b395c73ab3eb46 100644
--- a/homeassistant/components/gtfs/sensor.py
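Review bot: The `# noqa: S602 # shell by design` suppressions in the notify.py hunk and in both utils.py hunks name the rule but not why a shell is needed, which is exactly what the next reader of a silenced subprocess-with-shell finding wants to know. Presumably `command` is the configuration-supplied command line of the command_line integration, which users write as a complete shell line (pipes, redirects); if so, record that at the call site so the trust boundary is documented with the suppression, e.g. `shell=True,  # noqa: S602  # shell by design: command is a config-supplied shell line`. The enclosing functions `send_message`, `call_shell_with_timeout` and `check_output_or_log` all start outside their hunks.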
+++ b/homeassistant/components/gtfs/sensor.py @@ -341,7 +341,7 @@ def get_next_departure( {tomorrow_order} origin_stop_time.departure_time LIMIT :limit - """ + """ # noqa: S608 result = schedule.engine.connect().execute( text(sql_query), { diff --git a/homeassistant/components/influxdb/sensor.py b/homeassistant/components/influxdb/sensor.py index 67aaae225a8fe7..b4f643e876f18f 100644 --- a/homeassistant/components/influxdb/sensor.py +++ b/homeassistant/components/influxdb/sensor.py @@ -339,7 +339,7 @@ def update(self): return self.query = ( - f"select {self.group}({self.field}) as {INFLUX_CONF_VALUE} from" + f"select {self.group}({self.field}) as {INFLUX_CONF_VALUE} from" # noqa: S608 f" {self.measurement} where {where_clause}" ) diff --git a/homeassistant/components/recorder/migration.py b/homeassistant/components/recorder/migration.py index b8436da97d58c9..33d8c7b5e67bc7 100644 --- a/homeassistant/components/recorder/migration.py +++ b/homeassistant/components/recorder/migration.py @@ -1303,7 +1303,7 @@ def _migrate_statistics_columns_to_timestamp( with session_scope(session=session_maker()) as session: session.connection().execute( text( - f"UPDATE {table} set start_ts=strftime('%s',start) + " + f"UPDATE {table} set start_ts=strftime('%s',start) + " # noqa: S608 "cast(substr(start,-7) AS FLOAT), " f"created_ts=strftime('%s',created) + " "cast(substr(created,-7) AS FLOAT), " @@ -1321,7 +1321,7 @@ def _migrate_statistics_columns_to_timestamp( with session_scope(session=session_maker()) as session: result = session.connection().execute( text( - f"UPDATE {table} set start_ts=" + f"UPDATE {table} set start_ts=" # noqa: S608 "IF(start is NULL or UNIX_TIMESTAMP(start) is NULL,0," "UNIX_TIMESTAMP(start) " "), " 
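Review bot: The S608 suppressions added in gtfs/sensor.py and influxdb/sensor.py carry no justification, unlike the recorder/util.py hunk in this patch which keeps `# not injection`. In the gtfs hunk the statement runs through `text(sql_query)` with a parameter dict, so the only remaining interpolation appears to be the code-chosen `{tomorrow_order}` fragment; if that is the case, say so: `""" # noqa: S608  # only code-chosen clauses are interpolated; values are bound parameters`. In the influxdb hunk `self.group`, `self.field`, `self.measurement` and `where_clause` are formatted straight into the InfluxQL string with no binding at all, so the comment should state where those values come from (presumably only this sensor's own configuration), because the suppression removes the pattern from future linting. The same wording question applies to the `{table}` interpolations in the recorder/migration.py hunks on this line and the recorder/statistics.py hunks on the next, where the table name is presumably an internal constant. `get_next_departure` and `update` both start outside their hunks.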
@@ -1343,7 +1343,7 @@ def _migrate_statistics_columns_to_timestamp(
 with session_scope(session=session_maker()) as session:
 result = session.connection().execute(
 text(
- f"UPDATE {table} set start_ts=" # nosec
+ f"UPDATE {table} set start_ts=" # noqa: S608
 "(case when start is NULL then 0 else EXTRACT(EPOCH FROM start::timestamptz) end), "
 "created_ts=EXTRACT(EPOCH FROM created::timestamptz), "
 "last_reset_ts=EXTRACT(EPOCH FROM last_reset::timestamptz) "
diff --git a/homeassistant/components/recorder/statistics.py b/homeassistant/components/recorder/statistics.py
index ee9662a21570e2..9bbf35bb40ac2c 100644
--- a/homeassistant/components/recorder/statistics.py
+++ b/homeassistant/components/recorder/statistics.py
@@ -2400,7 +2400,7 @@ def cleanup_statistics_timestamp_migration(instance: Recorder) -> bool:
 with session_scope(session=instance.get_session()) as session:
 session.connection().execute(
 text(
- f"update {table} set start = NULL, created = NULL, last_reset = NULL;"
+ f"update {table} set start = NULL, created = NULL, last_reset = NULL;" # noqa: S608
 )
 )
 elif engine.dialect.name == SupportedDialect.MYSQL:
@@ -2410,7 +2410,7 @@ def cleanup_statistics_timestamp_migration(instance: Recorder) -> bool:
 session.connection()
 .execute(
 text(
- f"UPDATE {table} set start=NULL, created=NULL, last_reset=NULL where start is not NULL LIMIT 100000;"
+ f"UPDATE {table} set start=NULL, created=NULL, last_reset=NULL where start is not NULL LIMIT 100000;" # noqa: S608
 )
 )
 .rowcount
@@ -2425,7 +2425,7 @@ def cleanup_statistics_timestamp_migration(instance: Recorder) -> bool:
 session.connection()
 .execute(
 text(
- f"UPDATE {table} set start=NULL, created=NULL, last_reset=NULL " # nosec
+ f"UPDATE {table} set start=NULL, created=NULL, last_reset=NULL " # noqa: S608
 f"where id in (select id from {table} where start is not NULL LIMIT 100000)"
 )
 )
diff --git a/homeassistant/components/recorder/util.py b/homeassistant/components/recorder/util.py index 1c50fd0a77c26d..d963901f17be55 100644 --- a/homeassistant/components/recorder/util.py +++ b/homeassistant/components/recorder/util.py @@ -278,9 +278,11 @@ def basic_sanity_check(cursor: SQLiteCursor) -> bool: for table in TABLES_TO_CHECK: if table in (TABLE_RECORDER_RUNS, TABLE_SCHEMA_CHANGES): - cursor.execute(f"SELECT * FROM {table};") # nosec # not injection + cursor.execute(f"SELECT * FROM {table};") # noqa: S608 # not injection else: - cursor.execute(f"SELECT * FROM {table} LIMIT 1;") # nosec # not injection + cursor.execute( + f"SELECT * FROM {table} LIMIT 1;" # noqa: S608 # not injection + ) return True diff --git a/homeassistant/components/yi/camera.py b/homeassistant/components/yi/camera.py index 0537c268aa42d4..632260a899c5ef 100644 --- a/homeassistant/components/yi/camera.py +++ b/homeassistant/components/yi/camera.py @@ -29,7 +29,7 @@ DEFAULT_BRAND = "YI Home Camera" DEFAULT_PASSWORD = "" -DEFAULT_PATH = "/tmp/sd/record" # nosec +DEFAULT_PATH = "/tmp/sd/record" # noqa: S108 DEFAULT_PORT = 21 DEFAULT_USERNAME = "root" DEFAULT_ARGUMENTS = "-pred 1" diff --git a/pyproject.toml b/pyproject.toml index 032bc6e14a2a36..6fbd810626bcd4 100644 --- a/pyproject.toml +++ b/pyproject.toml 
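Review bot: `DEFAULT_PATH = "/tmp/sd/record" # noqa: S108` in the yi/camera.py hunk suppresses the hardcoded-temp-file rule without saying why it is a false positive; the neighbouring defaults (`DEFAULT_PORT = 21`, `DEFAULT_USERNAME = "root"`) suggest this is a path on the camera's own storage reached over FTP, not a local temporary directory. A reason on the line stops the next reviewer from re-opening it: `DEFAULT_PATH = "/tmp/sd/record"  # noqa: S108  # remote path on the camera, not a local temp file`. Confirm against the camera client code, which is not part of the hunk.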
@@ -251,6 +251,23 @@ select = [
 "ICN001", # import concentions; {name} should be imported as {asname}
 "PGH004", # Use specific rule codes when using noqa
 "PLC0414", # Useless import alias. Import alias does not rename original package.
+ "S103", # bad-file-permissions
+ "S108", # hardcoded-temp-file
+ "S306", # suspicious-mktemp-usage
+ "S307", # suspicious-eval-usage
+ "S313", # suspicious-xmlc-element-tree-usage
+ "S314", # suspicious-xml-element-tree-usage
+ "S315", # suspicious-xml-expat-reader-usage
+ "S316", # suspicious-xml-expat-builder-usage
+ "S317", # suspicious-xml-sax-usage
+ "S318", # suspicious-xml-mini-dom-usage
+ "S319", # suspicious-xml-pull-dom-usage
+ "S320", # suspicious-xmle-tree-usage
+ "S601", # paramiko-call
+ "S602", # subprocess-popen-with-shell-equals-true
+ "S604", # call-with-shell-equals-true
+ "S608", # hardcoded-sql-expression
+ "S609", # unix-command-wildcard-injection
 "SIM105", # Use contextlib.suppress({exception}) instead of try-except-pass
 "SIM117", # Merge with-statements that use the same scope
 "SIM118", # Use {key} in {dict} instead of {key} in {dict}.keys()
diff --git a/requirements_test_pre_commit.txt b/requirements_test_pre_commit.txt
index abe388df5534eb..cee1c684d8aa09 100644
--- a/requirements_test_pre_commit.txt
+++ b/requirements_test_pre_commit.txt
@@ -1,6 +1,5 @@
 # Automatically generated from .pre-commit-config.yaml by gen_requirements_all.py, do not edit
 
-bandit==1.7.4
 black==23.3.0
 codespell==2.2.2
 isort==5.12.0
diff --git a/tests/bandit.yaml b/tests/bandit.yaml
deleted file mode 100644
index 568f77d622ae25..00000000000000
--- a/tests/bandit.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# https://bandit.readthedocs.io/en/latest/config.html
-
-tests:
- - B103
- - B108
- - B306
- - B307
- - B313
- - B314
- - B315
- - B316
- - B317
- - B318
- - B319
- - B320
- - B325
- - B601
- - B602
- - B604
- - B608
- - B609
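Review bot: The seventeen `S` codes added to `select` mirror the deleted tests/bandit.yaml one-for-one except for B325 (os.tempnam/os.tmpnam), which has no ruff counterpart as far as I know and is moot on Python 3 where those functions no longer exist; that mapping and the one gap deserve a line so nobody later assumes coverage was lost or silently widened, e.g. a comment above the block: `# flake8-bandit (S): the set formerly enabled in tests/bandit.yaml; B325 has no ruff equivalent`. The trailing comments are the literal ruff rule names (`suspicious-xmle-tree-usage`), which is consistent with the rest of the list but harder to scan than the one-line descriptions used for the neighbouring `PGH004`/`SIM105` entries.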
diff --git a/tests/components/command_line/test_cover.py b/tests/components/command_line/test_cover.py
index d977c202b04904..d621d98c744933 100644
--- a/tests/components/command_line/test_cover.py
+++ b/tests/components/command_line/test_cover.py
@@ -145,7 +145,7 @@ async def test_poll_when_cover_has_command_state(
 await hass.async_block_till_done()
 check_output.assert_called_once_with(
 "echo state",
- shell=True, # nosec # shell by design
+ shell=True, # noqa: S604 # shell by design
 timeout=15,
 close_fds=False,
 )
diff --git a/tests/components/command_line/test_sensor.py b/tests/components/command_line/test_sensor.py
index 87360d0e251b4c..244a1b992ce91d 100644
--- a/tests/components/command_line/test_sensor.py
+++ b/tests/components/command_line/test_sensor.py
@@ -167,7 +167,7 @@ async def test_template_render_with_quote(hass: HomeAssistant) -> None:
 assert len(check_output.mock_calls) == 1
 check_output.assert_called_with(
 'echo "sensor_value" "3 4"',
- shell=True, # nosec # shell by design
+ shell=True, # noqa: S604 # shell by design
 timeout=15,
 close_fds=False,
 )
diff --git a/tests/util/test_process.py b/tests/util/test_process.py
index 243e9f53fca19f..ae28f5d82fc106 100644
--- a/tests/util/test_process.py
+++ b/tests/util/test_process.py
@@ -12,7 +12,7 @@ async def test_kill_process() -> None:
 """Test killing a process."""
 sleeper = subprocess.Popen(
 "sleep 1000",
- shell=True, # nosec # shell by design
+ shell=True, # noqa: S602 # shell by design
 stdout=subprocess.DEVNULL,
 stderr=subprocess.DEVNULL,
 )
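Review bot: In the tests/util/test_process.py hunk the new `# noqa: S602` silences a finding that could simply be resolved: `"sleep 1000"` needs no shell, so `sleeper = subprocess.Popen(["sleep", "1000"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)` drops both `shell=True` and the suppression, and presumably also makes the spawned pid the sleep process itself rather than an intermediate `sh`, which is closer to what a kill test wants to target. Keep the suppression only if spawning through a shell is deliberately part of what `test_kill_process` exercises; that function continues outside the hunk. The `S604` comments in test_cover.py and test_sensor.py sit on mock assertions rather than real calls, so the different rule code there is correct and those hunks are fine as written.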