chore(dev-tools): port bandit config to ruff

[cpcloud]

Port our bandit config over to using ruff.

[copy-pr-bot]

Auto-sync is disabled for ready for review pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[rwgk]

Would it make sense to replace these in this PR?

rwgk-win11.localdomain:~/forked/cuda-python $ git grep nosec
cuda_bindings/tests/test_cuda.py:    import subprocess  # nosec B404
cuda_bindings/tests/test_cuda.py:    )  # nosec B603, B607
cuda_bindings/tests/test_utils.py:import subprocess  # nosec B404
cuda_bindings/tests/test_utils.py:    subprocess.check_call(  # nosec B603
cuda_core/tests/example_tests/utils.py:        exec(script, env if env else {})  # nosec B102
cuda_core/tests/test_module.py:import pickle  # nosec B403, B301
cuda_core/tests/test_module.py:    result = pickle.loads(pickle.dumps(objcode))  # nosec B403, B301
cuda_pathfinder/cuda/pathfinder/_utils/platform_aware.py:        from subprocess import list2cmdline  # nosec B404
cuda_pathfinder/tests/spawned_process_runner.py:            except Exception:  # nosec B110
cuda_pathfinder/tests/spawned_process_runner.py:        except Exception:  # nosec B110

[rwgk]

Is there any reasonable way we could consolidate the --ignore list here and the list in ruff.toml?

If not, could you please add 1-line comments in both places, to keep the lists in sync?

[cpcloud]

We really need to avoid having so many "make sure to sync" comments littered everywhere. IME these basically never have the intended effect.

[cpcloud]

I added a programmatic plucking of the desired ignore codes.

[rwgk]

Hooray!

[rwgk]

Oh, sorry, you're replacing already! I overlooked change vs additions. Please disregard my other comment.

[rwgk]

There are still some nosec left:

rwgk-win11.localdomain:~/forked/cuda-python $ git sw ruff-bandit
branch 'ruff-bandit' set up to track 'cpcloud/ruff-bandit'.
Switched to a new branch 'ruff-bandit'
rwgk-win11.localdomain:~/forked/cuda-python $ git grep nosec
cuda_bindings/tests/test_cuda.py:    import subprocess  # nosec B404
cuda_bindings/tests/test_utils.py:import subprocess  # nosec B404
cuda_core/tests/test_module.py:import pickle  # nosec B403, B301
cuda_pathfinder/cuda/pathfinder/_utils/platform_aware.py:        from subprocess import list2cmdline  # nosec B404

[cpcloud]

Interesting, I'm not sure how those are not being picked up by ruff. Let me poke a bit.

[cpcloud]

/ok to test

[rwgk]

Wow, cool!

[cpcloud]

/ok to test

[cpcloud]

/ok to test

[cpcloud]

/ok to test

[cpcloud]

/ok to test

[rwgk]

Awesome, thanks!

[github-actions]

Doc Preview CI
Preview removed because the pull request was closed or merged.

[leofang]

While I complained about this change being a bit disruptive to open PRs, I do find the new linter runs a lot faster than the raw Bandit, so thanks a lot @cpcloud 🙂