Implement flak8-bandit shell injection rules #3924
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This includes rules S602 - S607.
robyoung
force-pushed
the
implement-bandit-shell-injection-rules
branch
from
1ef1d43
to
e6443de
Compare
PR Check ResultsEcosystemℹ️ ecosystem check detected changes. (+357, -0, 0 error(s)) airflow (+246, -0)
+ airflow/cli/commands/dag_command.py:248:31: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/dag_command.py:248:31: S607 Starting a process with a partial executable path
+ airflow/cli/commands/info_command.py:197:35: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/internal_api_command.py:184:38: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/internal_api_command.py:199:35: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/standalone_command.py:290:13: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/webserver_command.py:482:38: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/webserver_command.py:497:35: S603 `subprocess` call: check for execution of untrusted input
+ airflow/configuration.py:106:9: S603 `subprocess` call: check for execution of untrusted input
+ airflow/example_dags/example_kubernetes_executor.py:134:45: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+ airflow/example_dags/example_kubernetes_executor.py:134:45: S607 Starting a process with a partial executable path
+ airflow/example_dags/example_kubernetes_executor.py:96:37: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+ airflow/example_dags/example_kubernetes_executor.py:96:37: S607 Starting a process with a partial executable path
+ airflow/executors/celery_executor.py:154:33: S603 `subprocess` call: check for execution of untrusted input
+ airflow/executors/dask_executor.py:93:42: S603 `subprocess` call: check for execution of untrusted input
+ airflow/executors/local_executor.py:98:35: S603 `subprocess` call: check for execution of untrusted input
+ airflow/executors/sequential_executor.py:77:39: S603 `subprocess` call: check for execution of untrusted input
+ airflow/hooks/subprocess.py:78:17: S603 `subprocess` call: check for execution of untrusted input
+ airflow/operators/python.py:664:46: S603 `subprocess` call: check for execution of untrusted input
+ airflow/operators/python.py:679:35: S603 `subprocess` call: check for execution of untrusted input
+ airflow/operators/python.py:696:17: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/amazon/aws/operators/s3.py:585:21: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/apache/beam/hooks/beam.py:134:9: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/apache/beam/hooks/beam.py:266:21: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/apache/hive/hooks/hive.py:278:21: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/apache/pig/hooks/pig.py:88:21: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/apache/pinot/hooks/pinot.py:228:13: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/apache/spark/hooks/spark_sql.py:173:13: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/apache/spark/hooks/spark_submit.py:401:13: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/apache/spark/hooks/spark_submit.py:563:17: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/apache/spark/hooks/spark_submit.py:609:35: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/apache/spark/hooks/spark_submit.py:631:21: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/apache/sqoop/hooks/sqoop.py:107:31: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/google/cloud/example_dags/example_cloud_sql_query.py:197:53: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/google/cloud/example_dags/example_cloud_sql_query.py:197:53: S607 Starting a process with a partial executable path
+ airflow/providers/google/cloud/hooks/cloud_sql.py:575:44: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/google/cloud/hooks/cloud_sql.py:633:42: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/google/cloud/hooks/dataflow.py:1017:35: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/google/common/hooks/base_google.py:545:21: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/google/common/hooks/base_google.py:545:21: S607 Starting a process with a partial executable path
+ airflow/providers/google/common/hooks/base_google.py:558:34: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/google/common/hooks/base_google.py:558:34: S607 Starting a process with a partial executable path
+ airflow/providers/google/common/hooks/base_google.py:561:25: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/google/common/hooks/base_google.py:561:25: S607 Starting a process with a partial executable path
+ airflow/providers/google/common/hooks/base_google.py:565:25: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/google/common/hooks/base_google.py:565:25: S607 Starting a process with a partial executable path
+ airflow/providers/google/common/hooks/base_google.py:576:30: S603 `subprocess` call: check for execution of untrusted input
+ airflow/providers/google/common/hooks/base_google.py:576:30: S607 Starting a process with a partial executable path
+ airflow/security/kerberos.py:143:27: S603 `subprocess` call: check for execution of untrusted input
+ airflow/security/kerberos.py:92:9: S603 `subprocess` call: check for execution of untrusted input
+ airflow/sensors/bash.py:81:21: S603 `subprocess` call: check for execution of untrusted input
+ airflow/sensors/bash.py:81:21: S607 Starting a process with a partial executable path
+ airflow/task/task_runner/base_task_runner.py:136:21: S603 `subprocess` call: check for execution of untrusted input
+ airflow/task/task_runner/base_task_runner.py:145:21: S603 `subprocess` call: check for execution of untrusted input
+ airflow/task/task_runner/base_task_runner.py:184:33: S603 `subprocess` call: check for execution of untrusted input
+ airflow/task/task_runner/base_task_runner.py:184:33: S607 Starting a process with a partial executable path
+ airflow/task/task_runner/base_task_runner.py:77:35: S603 `subprocess` call: check for execution of untrusted input
+ airflow/task/task_runner/base_task_runner.py:77:35: S607 Starting a process with a partial executable path
+ airflow/utils/process_utils.py:107:47: S603 `subprocess` call: check for execution of untrusted input
+ airflow/utils/process_utils.py:107:47: S607 Starting a process with a partial executable path
+ airflow/utils/process_utils.py:183:9: S603 `subprocess` call: check for execution of untrusted input
+ airflow/utils/process_utils.py:214:13: S603 `subprocess` call: check for execution of untrusted input
+ airflow/utils/process_utils.py:93:21: S603 `subprocess` call: check for execution of untrusted input
+ dev/assign_cherry_picked_prs_with_milestone.py:225:9: S603 `subprocess` call: check for execution of untrusted input
+ dev/breeze/src/airflow_breeze/commands/ci_image_commands.py:485:17: S603 `subprocess` call: check for execution of untrusted input
+ dev/breeze/src/airflow_breeze/commands/main_command.py:123:50: S603 `subprocess` call: check for execution of untrusted input
+ dev/breeze/src/airflow_breeze/commands/main_command.py:123:50: S607 Starting a process with a partial executable path
+ dev/breeze/src/airflow_breeze/commands/main_command.py:170:13: S603 `subprocess` call: check for execution of untrusted input
+ dev/breeze/src/airflow_breeze/commands/main_command.py:170:13: S607 Starting a process with a partial executable path
+ dev/breeze/src/airflow_breeze/commands/release_candidate_command.py:106:81: S604 Function call with `shell=True` parameter identified, security issue
+ dev/breeze/src/airflow_breeze/commands/release_candidate_command.py:148:96: S604 Function call with `shell=True` parameter identified, security issue
+ dev/breeze/src/airflow_breeze/commands/release_candidate_command.py:160:72: S604 Function call with `shell=True` parameter identified, security issue
+ dev/breeze/src/airflow_breeze/commands/setup_commands.py:148:35: S603 `subprocess` call: check for execution of untrusted input
+ dev/breeze/src/airflow_breeze/commands/setup_commands.py:148:35: S607 Starting a process with a partial executable path
+ dev/breeze/src/airflow_breeze/commands/setup_commands.py:150:41: S603 `subprocess` call: check for execution of untrusted input
+ dev/breeze/src/airflow_breeze/commands/setup_commands.py:150:41: S607 Starting a process with a partial executable path
+ dev/breeze/src/airflow_breeze/utils/reinstall.py:38:27: S603 `subprocess` call: check for execution of untrusted input
+ dev/breeze/src/airflow_breeze/utils/reinstall.py:38:27: S607 Starting a process with a partial executable path
+ dev/breeze/src/airflow_breeze/utils/reinstall.py:43:9: S606 Starting a process without a shell
+ dev/breeze/src/airflow_breeze/utils/run_utils.py:136:31: S603 `subprocess` call: check for execution of untrusted input
+ dev/breeze/src/airflow_breeze/utils/run_utils.py:152:35: S603 `subprocess` call: check for execution of untrusted input
+ dev/perf/scheduler_dag_execution_timing.py:291:9: S606 Starting a process without a shell
+ dev/prepare_release_issue.py:166:9: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:1024:13: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:1036:9: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:1365:33: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:1365:33: S607 Starting a process with a partial executable path
+ dev/provider_packages/prepare_provider_packages.py:1583:9: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:691:21: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:695:27: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:721:13: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:742:21: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:753:33: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:753:33: S607 Starting a process with a partial executable path
+ dev/provider_packages/prepare_provider_packages.py:767:31: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:952:9: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:960:13: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/prepare_provider_packages.py:974:25: S603 `subprocess` call: check for execution of untrusted input
+ dev/provider_packages/remove_old_releases.py:81:32: S603 `subprocess` call: check for execution of untrusted input
+ dev/retag_docker_images.py:65:17: S603 `subprocess` call: check for execution of untrusted input
+ dev/retag_docker_images.py:65:17: S607 Starting a process with a partial executable path
+ docker_tests/command_utils.py:27:44: S603 `subprocess` call: check for execution of untrusted input
+ docker_tests/command_utils.py:29:28: S603 `subprocess` call: check for execution of untrusted input
+ docker_tests/test_docker_compose_quick_start.py:137:37: S603 `subprocess` call: check for execution of untrusted input
+ docker_tests/test_docker_compose_quick_start.py:137:37: S607 Starting a process with a partial executable path
+ docker_tests/test_docker_compose_quick_start.py:54:33: S603 `subprocess` call: check for execution of untrusted input
+ docker_tests/test_docker_compose_quick_start.py:54:33: S607 Starting a process with a partial executable path
+ docker_tests/test_docker_compose_quick_start.py:63:37: S603 `subprocess` call: check for execution of untrusted input
+ docker_tests/test_docker_compose_quick_start.py:63:37: S607 Starting a process with a partial executable path
+ docker_tests/test_docker_compose_quick_start.py:70:21: S603 `subprocess` call: check for execution of untrusted input
+ docker_tests/test_docker_compose_quick_start.py:70:21: S607 Starting a process with a partial executable path
+ docs/exts/docs_build/docs_builder.py:167:17: S603 `subprocess` call: check for execution of untrusted input
+ docs/exts/docs_build/docs_builder.py:246:17: S603 `subprocess` call: check for execution of untrusted input
+ kubernetes_tests/test_base.py:104:32: S603 `subprocess` call: check for execution of untrusted input
+ kubernetes_tests/test_base.py:104:32: S607 Starting a process with a partial executable path
+ kubernetes_tests/test_base.py:112:32: S603 `subprocess` call: check for execution of untrusted input
+ kubernetes_tests/test_base.py:112:32: S607 Starting a process with a partial executable path
+ kubernetes_tests/test_base.py:116:24: S603 `subprocess` call: check for execution of untrusted input
+ kubernetes_tests/test_base.py:116:24: S607 Starting a process with a partial executable path
+ kubernetes_tests/test_base.py:163:32: S603 `subprocess` call: check for execution of untrusted input
+ kubernetes_tests/test_base.py:163:32: S607 Starting a process with a partial executable path
+ kubernetes_tests/test_base.py:178:28: S603 `subprocess` call: check for execution of untrusted input
+ kubernetes_tests/test_base.py:178:28: S607 Starting a process with a partial executable path
+ kubernetes_tests/test_base.py:201:24: S603 `subprocess` call: check for execution of untrusted input
+ kubernetes_tests/test_base.py:201:24: S607 Starting a process with a partial executable path
+ kubernetes_tests/test_base.py:80:17: S603 `subprocess` call: check for execution of untrusted input
+ kubernetes_tests/test_base.py:80:17: S607 Starting a process with a partial executable path
+ kubernetes_tests/test_base.py:88:17: S603 `subprocess` call: check for execution of untrusted input
+ kubernetes_tests/test_base.py:88:17: S607 Starting a process with a partial executable path
+ kubernetes_tests/test_base.py:96:17: S603 `subprocess` call: check for execution of untrusted input
+ kubernetes_tests/test_base.py:96:17: S607 Starting a process with a partial executable path
+ scripts/ci/pre_commit/pre_commit_boring_cyborg.py:36:41: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_boring_cyborg.py:36:41: S607 Starting a process with a partial executable path
+ scripts/ci/pre_commit/pre_commit_boring_cyborg.py:37:41: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_boring_cyborg.py:37:41: S607 Starting a process with a partial executable path
+ scripts/ci/pre_commit/pre_commit_breeze_cmd_line.py:68:9: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_check_license.py:53:5: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_compile_www_assets.py:47:27: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_compile_www_assets.py:47:27: S607 Starting a process with a partial executable path
+ scripts/ci/pre_commit/pre_commit_compile_www_assets.py:48:27: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_compile_www_assets.py:48:27: S607 Starting a process with a partial executable path
+ scripts/ci/pre_commit/pre_commit_compile_www_assets_dev.py:50:13: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_compile_www_assets_dev.py:50:13: S607 Starting a process with a partial executable path
+ scripts/ci/pre_commit/pre_commit_compile_www_assets_dev.py:57:13: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_compile_www_assets_dev.py:57:13: S607 Starting a process with a partial executable path
+ scripts/ci/pre_commit/pre_commit_lint_dockerfile.py:47:5: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_update_common_sql_api_stubs.py:336:9: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_update_common_sql_api_stubs.py:336:9: S607 Starting a process with a partial executable path
+ scripts/ci/pre_commit/pre_commit_www_lint.py:31:27: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_www_lint.py:31:27: S607 Starting a process with a partial executable path
+ scripts/ci/pre_commit/pre_commit_www_lint.py:32:27: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_www_lint.py:32:27: S607 Starting a process with a partial executable path
+ scripts/ci/pre_commit/pre_commit_www_lint.py:33:27: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_www_lint.py:33:27: S607 Starting a process with a partial executable path
+ scripts/ci/pre_commit/pre_commit_www_lint.py:34:27: S603 `subprocess` call: check for execution of untrusted input
+ scripts/ci/pre_commit/pre_commit_www_lint.py:34:27: S607 Starting a process with a partial executable path
+ scripts/in_container/remove_arm_packages.py:47:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/in_container/verify_providers.py:816:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/in_container/verify_providers.py:816:20: S607 Starting a process with a partial executable path
+ scripts/in_container/verify_providers.py:818:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/in_container/verify_providers.py:818:20: S607 Starting a process with a partial executable path
+ scripts/in_container/verify_providers.py:820:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/in_container/verify_providers.py:820:20: S607 Starting a process with a partial executable path
+ scripts/in_container/verify_providers.py:822:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/in_container/verify_providers.py:822:20: S607 Starting a process with a partial executable path
+ scripts/in_container/verify_providers.py:824:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/in_container/verify_providers.py:824:20: S607 Starting a process with a partial executable path
+ scripts/in_container/verify_providers.py:826:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/in_container/verify_providers.py:826:20: S607 Starting a process with a partial executable path
+ scripts/in_container/verify_providers.py:828:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/in_container/verify_providers.py:828:20: S607 Starting a process with a partial executable path
+ scripts/in_container/verify_providers.py:830:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/in_container/verify_providers.py:830:20: S607 Starting a process with a partial executable path
+ scripts/tools/check_if_limited_dependencies.py:46:16: S603 `subprocess` call: check for execution of untrusted input
+ scripts/tools/check_if_limited_dependencies.py:46:16: S607 Starting a process with a partial executable path
+ scripts/tools/initialize_virtualenv.py:172:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/tools/initialize_virtualenv.py:172:20: S607 Starting a process with a partial executable path
+ scripts/tools/initialize_virtualenv.py:181:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/tools/initialize_virtualenv.py:181:20: S607 Starting a process with a partial executable path
+ scripts/tools/initialize_virtualenv.py:97:24: S603 `subprocess` call: check for execution of untrusted input
+ setup.py:139:31: S603 `subprocess` call: check for execution of untrusted input
+ setup.py:139:31: S607 Starting a process with a partial executable path
+ setup.py:140:31: S603 `subprocess` call: check for execution of untrusted input
+ setup.py:140:31: S607 Starting a process with a partial executable path
+ setup.py:870:41: S603 `subprocess` call: check for execution of untrusted input
+ setup.py:870:41: S607 Starting a process with a partial executable path
+ setup.py:878:35: S603 `subprocess` call: check for execution of untrusted input
+ setup.py:878:35: S607 Starting a process with a partial executable path
+ tests/charts/helm_template_generator.py:138:45: S603 `subprocess` call: check for execution of untrusted input
+ tests/cli/commands/test_internal_api_command.py:103:21: S603 `subprocess` call: check for execution of untrusted input
+ tests/cli/commands/test_internal_api_command.py:103:21: S607 Starting a process with a partial executable path
+ tests/cli/commands/test_webserver_command.py:257:21: S603 `subprocess` call: check for execution of untrusted input
+ tests/cli/commands/test_webserver_command.py:257:21: S607 Starting a process with a partial executable path
+ tests/conftest.py:273:35: S603 `subprocess` call: check for execution of untrusted input
+ tests/conftest.py:273:35: S607 Starting a process with a partial executable path
+ tests/core/test_impersonation_tests.py:64:88: S602 `subprocess` call with `shell=True` identified, security issue
+ tests/core/test_impersonation_tests.py:68:88: S602 `subprocess` call with `shell=True` identified, security issue
+ tests/core/test_impersonation_tests.py:76:13: S603 `subprocess` call: check for execution of untrusted input
+ tests/core/test_impersonation_tests.py:76:13: S607 Starting a process with a partial executable path
+ tests/core/test_impersonation_tests.py:88:27: S603 `subprocess` call: check for execution of untrusted input
+ tests/core/test_impersonation_tests.py:88:27: S607 Starting a process with a partial executable path
+ tests/dags/test_on_kill.py:41:23: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+ tests/dags/test_on_kill.py:41:23: S607 Starting a process with a partial executable path
+ tests/decorators/test_external_python.py:59:25: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/log/test_gcs_task_handler_system.py:77:42: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/log/test_gcs_task_handler_system.py:77:42: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/log/test_gcs_task_handler_system.py:78:42: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/log/test_gcs_task_handler_system.py:78:42: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/log/test_stackdriver_task_handler_system.py:67:42: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/log/test_stackdriver_task_handler_system.py:67:42: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/log/test_stackdriver_task_handler_system.py:68:42: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/log/test_stackdriver_task_handler_system.py:68:42: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/log/test_stackdriver_task_handler_system.py:83:42: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/log/test_stackdriver_task_handler_system.py:83:42: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/log/test_stackdriver_task_handler_system.py:84:42: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/log/test_stackdriver_task_handler_system.py:84:42: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:44:24: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:44:24: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:45:42: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:45:42: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:50:24: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:50:24: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:65:24: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:65:24: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:66:42: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:66:42: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:72:24: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/secrets/test_secret_manager_system.py:72:24: S607 Starting a process with a partial executable path
+ tests/providers/google/cloud/utils/gcp_authenticator.py:206:17: S603 `subprocess` call: check for execution of untrusted input
+ tests/providers/google/cloud/utils/gcp_authenticator.py:206:17: S607 Starting a process with a partial executable path
+ tests/system/providers/amazon/aws/example_emr_eks.py:130:9: S602 `subprocess` call with `shell=True` identified, security issue
+ tests/system/providers/amazon/aws/example_emr_eks.py:86:9: S602 `subprocess` call with `shell=True` identified, security issue
+ tests/system/providers/amazon/aws/example_sagemaker.py:173:13: S602 `subprocess` call with `shell=True` identified, security issue
+ tests/system/providers/amazon/aws/example_sagemaker.py:473:9: S602 `subprocess` call with `shell=True` identified, security issue
+ tests/task/task_runner/test_standard_task_runner.py:290:19: S605 Starting a process with a shell, possible injection detected
+ tests/test_utils/perf/perf_kit/python.py:55:17: S606 Starting a process without a shell
+ tests/utils/test_process_utils.py:141:54: S603 `subprocess` call: check for execution of untrusted input
+ tests/utils/test_process_utils.py:141:54: S607 Starting a process with a partial executable path
+ tests/utils/test_process_utils.py:147:47: S603 `subprocess` call: check for execution of untrusted input
+ tests/utils/test_process_utils.py:147:47: S607 Starting a process with a partial executable path
+ tests/utils/test_process_utils.py:152:47: S603 `subprocess` call: check for execution of untrusted input
+ tests/utils/test_process_utils.py:152:47: S607 Starting a process with a partial executable path
+ tests/utils/test_process_utils.py:161:49: S603 `subprocess` call: check for execution of untrusted input
+ tests/utils/test_process_utils.py:161:49: S607 Starting a process with a partial executable path
+ tests/utils/test_process_utils.py:169:49: S603 `subprocess` call: check for execution of untrusted input
+ tests/utils/test_process_utils.py:169:49: S607 Starting a process with a partial executable pathbokeh (+51, -0)
+ examples/output/apis/server_document/flask_server.py:46:5: S603 `subprocess` call: check for execution of untrusted input
+ examples/output/apis/server_document/flask_server.py:46:5: S607 Starting a process with a partial executable path
+ release/system.py:43:34: S602 `subprocess` call with `shell=True` identified, security issue
+ scripts/hooks/install.py:5:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/hooks/protect_branches.py:10:26: S603 `subprocess` call: check for execution of untrusted input
+ scripts/hooks/protect_branches.py:10:26: S607 Starting a process with a partial executable path
+ scripts/hooks/uninstall.py:5:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/sri.py:18:16: S603 `subprocess` call: check for execution of untrusted input
+ scripts/sri.py:21:16: S603 `subprocess` call: check for execution of untrusted input
+ setup.py:125:40: S603 `subprocess` call: check for execution of untrusted input
+ setup.py:51:31: S603 `subprocess` call: check for execution of untrusted input
+ setup.py:51:31: S607 Starting a process with a partial executable path
+ src/bokeh/ext.py:117:18: S603 `subprocess` call: check for execution of untrusted input
+ src/bokeh/resources.py:663:16: S603 `subprocess` call: check for execution of untrusted input
+ src/bokeh/resources.py:666:16: S603 `subprocess` call: check for execution of untrusted input
+ src/bokeh/util/compiler.py:398:26: S603 `subprocess` call: check for execution of untrusted input
+ src/bokeh/util/compiler.py:440:18: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_code_quality.py:118:37: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_code_quality.py:118:37: S607 Starting a process with a partial executable path
+ tests/codebase/test_eslint.py:37:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_eslint.py:37:16: S607 Starting a process with a partial executable path
+ tests/codebase/test_isort.py:58:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_isort.py:58:16: S607 Starting a process with a partial executable path
+ tests/codebase/test_js_license_set.py:50:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_license.py:40:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_license.py:40:16: S607 Starting a process with a partial executable path
+ tests/codebase/test_no_client_server_common.py:48:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_no_client_server_common.py:57:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_no_ipython_common.py:51:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_no_pandas_common.py:53:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_no_request_host.py:50:26: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_no_request_host.py:50:26: S607 Starting a process with a partial executable path
+ tests/codebase/test_no_selenium_common.py:52:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_no_tornado_common.py:55:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_no_typing_extensions_common.py:49:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_python_execution_with_OO.py:45:18: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_ruff.py:33:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/codebase/test_ruff.py:33:16: S607 Starting a process with a partial executable path
+ tests/support/plugins/bokeh_server.py:66:33: S603 `subprocess` call: check for execution of untrusted input
+ tests/support/plugins/jupyter_notebook.py:125:33: S603 `subprocess` call: check for execution of untrusted input
+ tests/support/util/project.py:46:16: S603 `subprocess` call: check for execution of untrusted input
+ tests/support/util/project.py:46:16: S607 Starting a process with a partial executable path
+ tests/support/util/screenshot.py:101:33: S603 `subprocess` call: check for execution of untrusted input
+ tests/test_bokehjs.py:34:33: S603 `subprocess` call: check for execution of untrusted input
+ tests/test_bokehjs.py:34:33: S607 Starting a process with a partial executable path
+ tests/test_defaults.py:55:29: S603 `subprocess` call: check for execution of untrusted input
+ tests/test_defaults.py:55:29: S607 Starting a process with a partial executable path
+ tests/test_examples.py:293:9: S603 `subprocess` call: check for execution of untrusted input
+ tests/unit/bokeh/command/subcommands/test_serve.py:430:82: S603 `subprocess` call: check for execution of untrusted input
+ tests/unit/bokeh/command/subcommands/test_serve.py:477:33: S603 `subprocess` call: check for execution of untrusted input
+ tests/unit/bokeh/test_resources.py:324:35: S603 `subprocess` call: check for execution of untrusted inputdisnake (+9, -0)
+ disnake/player.py:164:37: S603 `subprocess` call: check for execution of untrusted input
+ disnake/player.py:577:42: S603 `subprocess` call: check for execution of untrusted input
+ disnake/player.py:596:13: S603 `subprocess` call: check for execution of untrusted input
+ docs/conf.py:119:36: S603 `subprocess` call: check for execution of untrusted input
+ docs/conf.py:119:36: S607 Starting a process with a partial executable path
+ setup.py:20:13: S603 `subprocess` call: check for execution of untrusted input
+ setup.py:20:13: S607 Starting a process with a partial executable path
+ setup.py:26:13: S603 `subprocess` call: check for execution of untrusted input
+ setup.py:26:13: S607 Starting a process with a partial executable pathzulip (+51, -0)
+ scripts/lib/check_rabbitmq_queue.py:136:9: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/check_rabbitmq_queue.py:153:9: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/hash_reqs.py:38:36: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/puppet_cache.py:27:9: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/puppet_cache.py:27:9: S607 Starting a process with a partial executable path
+ scripts/lib/setup_venv.py:177:55: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/setup_venv.py:278:38: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/sharding.py:52:13: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/zulip_tools.py:114:13: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/zulip_tools.py:239:31: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/zulip_tools.py:597:27: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/zulip_tools.py:597:27: S607 Starting a process with a partial executable path
+ scripts/lib/zulip_tools.py:679:13: S603 `subprocess` call: check for execution of untrusted input
+ tools/lib/pretty_print.py:183:24: S603 `subprocess` call: check for execution of untrusted input
+ tools/lib/pretty_print.py:183:24: S607 Starting a process with a partial executable path
+ tools/lib/provision.py:317:24: S603 `subprocess` call: check for execution of untrusted input
+ tools/lib/provision.py:317:24: S607 Starting a process with a partial executable path
+ tools/lib/provision.py:456:5: S606 Starting a process without a shell
+ tools/lib/test_script.py:125:27: S603 `subprocess` call: check for execution of untrusted input
+ tools/lib/test_script.py:125:27: S607 Starting a process with a partial executable path
+ tools/lib/test_server.py:78:35: S603 `subprocess` call: check for execution of untrusted input
+ tools/oneclickapps/prepare_digital_ocean_one_click_app_release.py:120:9: S603 `subprocess` call: check for execution of untrusted input
+ tools/oneclickapps/prepare_digital_ocean_one_click_app_release.py:120:9: S607 Starting a process with a partial executable path
+ tools/oneclickapps/prepare_digital_ocean_one_click_app_release.py:22:9: S603 `subprocess` call: check for execution of untrusted input
+ tools/oneclickapps/prepare_digital_ocean_one_click_app_release.py:22:9: S607 Starting a process with a partial executable path
+ zerver/data_import/mattermost.py:436:43: S603 `subprocess` call: check for execution of untrusted input
+ zerver/data_import/mattermost.py:436:43: S607 Starting a process with a partial executable path
+ zerver/lib/email_notifications.py:867:9: S603 `subprocess` call: check for execution of untrusted input
+ zerver/lib/export.py:1912:9: S603 `subprocess` call: check for execution of untrusted input
+ zerver/lib/export.py:1912:9: S607 Starting a process with a partial executable path
+ zerver/lib/export.py:1971:36: S603 `subprocess` call: check for execution of untrusted input
+ zerver/lib/mdiff.py:18:36: S603 `subprocess` call: check for execution of untrusted input
+ zerver/lib/test_fixtures.py:372:9: S603 `subprocess` call: check for execution of untrusted input
+ zerver/lib/test_fixtures.py:372:9: S607 Starting a process with a partial executable path
+ zerver/lib/tex.py:37:42: S603 `subprocess` call: check for execution of untrusted input
+ zerver/logging_handlers.py:24:13: S603 `subprocess` call: check for execution of untrusted input
+ zerver/logging_handlers.py:24:13: S607 Starting a process with a partial executable path
+ zerver/management/commands/compilemessages.py:73:31: S603 `subprocess` call: check for execution of untrusted input
+ zerver/management/commands/compilemessages.py:73:31: S607 Starting a process with a partial executable path
+ zerver/management/commands/export_single_user.py:50:13: S603 `subprocess` call: check for execution of untrusted input
+ zerver/management/commands/export_single_user.py:50:13: S607 Starting a process with a partial executable path
+ zerver/management/commands/import.py:57:31: S603 `subprocess` call: check for execution of untrusted input
+ zerver/management/commands/makemessages.py:203:13: S603 `subprocess` call: check for execution of untrusted input
+ zerver/management/commands/makemessages.py:203:13: S607 Starting a process with a partial executable path
+ zerver/management/commands/register_server.py:98:21: S603 `subprocess` call: check for execution of untrusted input
+ zerver/management/commands/register_server.py:98:21: S607 Starting a process with a partial executable path
+ zerver/openapi/test_curl_examples.py:100:61: S603 `subprocess` call: check for execution of untrusted input
+ zerver/tests/test_email_mirror.py:1474:13: S603 `subprocess` call: check for execution of untrusted input
+ zerver/tests/test_email_mirror.py:1489:13: S603 `subprocess` call: check for execution of untrusted input
+ zerver/views/zephyr.py:74:31: S603 `subprocess` call: check for execution of untrusted input
+ zerver/views/zephyr.py:74:31: S607 Starting a process with a partial executable pathBenchmarkLinuxWindows |
MichaReiser
approved these changes
Apr 11, 2023
|
|
||
| fn get_call_kind(checker: &mut Checker, func: &Expr) -> Option<CallKind> { | ||
| checker.ctx.resolve_call_path(func).and_then(|call_path| { | ||
| if CONFIG |
There was a problem hiding this comment.
Scanning the list of all subprocess even if the module isn't subprocess is a lot of unnecessary work. I think we can optimize this a bit by:
- Only checking if the
call_pathhas a length of two. - First match by the module name
- Then by the submodule
- Avoid allocating vectors
checker
.ctx
.resolve_call_path(func)
.and_then(|call_path| match call_path.as_slice() {
&[module, submodule] => match module {
"os" => match submodule {
"execl" | "execle" | "execlp" | "execlpe" | "execv" | "execve" | "execvp"
| "execvpe" | "spawnl" => Some(CallKind::NoShell),
"system" | "popen" | "popen2" | "popen3" | "popen4" => Some(CallKind::Shell),
_ => None,
},
"subprocess" => match submodule {
"Popen" | "call" | "check_call" | "check_output" | "run" => {
Some(CallKind::Subprocess)
}
_ => None,
},
"popen2" => match submodule {
"popen2" | "popen3" | "popen4" | "Popen3" | "Popen4" => Some(CallKind::Shell),
_ => None,
},
"commands" => match submodule {
"getoutput" | "getstatusoutput" => Some(CallKind::Shell),
_ => None,
},
_ => None,
},
_ => None,
})(I didn't write out all submodules)
if call_path.len() != 2 {
return None;
}
let [module, submodule, ..rest] = call_path.as_slice();
if !
There was a problem hiding this comment.
This looks like a great idea, if these will never change. In bandit these are configurable as you can see here in the bandit docs. I think flake8-bandit will make use of this configuration. If we want to support these being configurable in future it would be harder with this approach.
To address the performance concern I could flip the data structure to something like HashMap<&str, CallKind> and use the dotted module form as the key (eg "os.system"). I've implemented it a separate branch over here and it looks ok. Are there tools to help comparing the performance between the two approaches?
There was a problem hiding this comment.
My two cents: I think we should run with the match approach since it's super simple and satisfies our needs for now (and it lets us unblock + get this merged). If we want to extend these to be configurable, we can def continue exploring and benchmarking in a follow-up PR.
Looking at the Bandit docs, I think that configuration is mostly used to turn rules on and off on a per-file or per-line basis, rather than to make (e.g.) the list of matching functions here configurable -- so it may not be needed anyway? But I could be misreading.
There was a problem hiding this comment.
Looking back at the docs, maybe it is configurable? So I might be wrong on that. But we can still revisit if we opt to respect and implement that configuration.
https://github.com/PyCQA/bandit/blob/main/bandit/plugins/injection_shell.py#L137
There was a problem hiding this comment.
|
Thank you for taking the time to work on this rule. This is looking great. |
Co-authored-by: Micha Reiser <micha@reiser.io>
Co-authored-by: Micha Reiser <micha@reiser.io>
As suggested I have refactored find_shell_keyword to return a struct that includes the has_shell and keyword fields. After applying this refactor I realised that the name of as_shell function no longer really makes sense as it was just determining whether the value for a given keyword was truthy so I've refactored that as well.
| #[test_case(Rule::StartProcessWithNoShell, Path::new("S606.py"); "S606")] | ||
| #[test_case(Rule::StartProcessWithPartialPath, Path::new("S607.py"); "S607")] | ||
| #[test_case(Rule::SubprocessPopenWithShellEqualsTrue, Path::new("S602.py"); "S602")] | ||
| #[test_case(Rule::SubprocessWithoutShellEqualsTrue, Path::new("S603.py"); "S603")] |
There was a problem hiding this comment.
Heads up: I added these here so that they get picked up in the fixture tests (i.e., when running cargo test).
|
Great PR, really grateful to have you involved in the project :) |
renovate bot
added a commit
to ixm-one/pytest-cmake-presets
that referenced
this pull request
Apr 20, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ruff](https://togithub.com/charliermarsh/ruff) | `^0.0.261` -> `^0.0.262` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>charliermarsh/ruff</summary> ### [`v0.0.262`](https://togithub.com/charliermarsh/ruff/releases/tag/v0.0.262) [Compare Source](https://togithub.com/charliermarsh/ruff/compare/v0.0.261...v0.0.262) <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed ##### Configuration - Allow users to extend the set of included files via `include` by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3914 - Implement isort custom sections and ordering ([#​2419](https://togithub.com/charliermarsh/ruff/issues/2419)) by [@​hackedd](https://togithub.com/hackedd) in [astral-sh/ruff#3900 ##### Rules - \[`flake8-simplify`] Add autofix for `contextlib.suppress` (`SIM105`) by [@​leiserfg](https://togithub.com/leiserfg) in [astral-sh/ruff#3915 - \[`flake8-bandit`] Ignore assert errors (S101) in `TYPE_CHECKING` blocks by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3960 - \[`flake8-comprehensions`] Implement `unnecessary-literal-within-dict-call` (`C418`) by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3969 - \[`ruff`] Add checks for mutable defaults `dataclass`es by [@​mosauter](https://togithub.com/mosauter) in [astral-sh/ruff#3877 - \[`flake8-import-conventions`] Add a rule for `BannedImportAlias` by [@​stancld](https://togithub.com/stancld) in [astral-sh/ruff#3926 - \[`flake8-pyi`] Implement duplicate types in unions (`PYI016`) by [@​USER-5](https://togithub.com/USER-5) in [astral-sh/ruff#3922 - \[`flake8-bandit`] Implement flake8-bandit shell injection rules by [@​robyoung](https://togithub.com/robyoung) in [astral-sh/ruff#3924 - \[`flake8-comprehensions`] Redirect `PIE802` to `C419` by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3971 ##### Bug Fixes - Fix unicode handling in PLE2515 by [@​konstin](https://togithub.com/konstin) in [astral-sh/ruff#3898 - Avoid adding required imports to stub files by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3940 - Add 'or if cond' to `E712` message by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3962 - Ignore argument assignments when enforcing `RET504` by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4004 - Fix (doc-)line-too-long start location by [@​MichaReiser](https://togithub.com/MichaReiser) in [astral-sh/ruff#4006 - Ignore stub file assignments to value-requiring targets by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4030 - Allow legacy C and T selectors in JSON schema by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3889 - Ignore `PLW2901` when using typing cast by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3891 - Visit comprehension to detect group name usage/overrides by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3887 - Ensure that tab characters aren't in multi-line strings before throwing a violation by [@​evanrittenhouse](https://togithub.com/evanrittenhouse) in [astral-sh/ruff#3837 - Avoid N802 violations for `@override` methods by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3912 - Check for arguments in inner/outer call for `C414` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3916 - Do not skip analysis if `*args` present for `F523` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3923 - Extend SIM105 to match also 'Ellipsis only' bodies in exception handlers by [@​leiserfg](https://togithub.com/leiserfg) in [astral-sh/ruff#3925 - Support `pyright: ignore` comments by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3941 - Tidy up some `pygrep-hooks` rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3942 - Use identifier range for pytest rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3948 - Allow `typing_extensions.TypeVar` assignments in `.pyi` files by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3951 - Raise percent-format upgrade rule (`UP031`) for hanging modulos by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3953 - Check for parenthesis in implicit str concat in `PT006` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3955 - Do not consider nested comment as part of code by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3984 - Preserve type annotations when fixing `E731` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3983 - Remove autofix behavior for uncapitalized-environment-variables (`SIM112`) by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3988 - Respect typing-modules when evaluating no-return functions by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4001 - Avoid short-circuiting when detecting RET rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4002 - Set non-empty range for indentation diagnostics by [@​MichaReiser](https://togithub.com/MichaReiser) in [astral-sh/ruff#4005 - Ignore relative imports in `banned-api` rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4024 - Support relative imports in `banned-api` enforcement by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4025 - Treat non-future function annotations as required-at-runtime by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4028 - Ignore certain flake8-pyi errors within function bodies by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4029 #### New Contributors - [@​tjkuson](https://togithub.com/tjkuson) made their first contribution in [astral-sh/ruff#3886 - [@​mosauter](https://togithub.com/mosauter) made their first contribution in [astral-sh/ruff#3877 - [@​stancld](https://togithub.com/stancld) made their first contribution in [astral-sh/ruff#3926 - [@​USER-5](https://togithub.com/USER-5) made their first contribution in [astral-sh/ruff#3922 - [@​robyoung](https://togithub.com/robyoung) made their first contribution in [astral-sh/ruff#3924 - [@​hackedd](https://togithub.com/hackedd) made their first contribution in [astral-sh/ruff#3900 - [@​justinchuby](https://togithub.com/justinchuby) made their first contribution in [astral-sh/ruff#3982 - [@​mirecl](https://togithub.com/mirecl) made their first contribution in [astral-sh/ruff#4008 - [@​Xemnas0](https://togithub.com/Xemnas0) made their first contribution in [astral-sh/ruff#4026 **Full Changelog**: astral-sh/ruff@v0.0.261...v0.0.262 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/ixm-one/pytest-cmake-presets). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS40OS4wIiwidXBkYXRlZEluVmVyIjoiMzUuNDkuMCJ9--> Signed-off-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot
added a commit
to allenporter/flux-local
that referenced
this pull request
Apr 21, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ruff](https://togithub.com/charliermarsh/ruff) | `==0.0.261` -> `==0.0.262` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>charliermarsh/ruff</summary> ### [`v0.0.262`](https://togithub.com/charliermarsh/ruff/releases/tag/v0.0.262) [Compare Source](https://togithub.com/charliermarsh/ruff/compare/v0.0.261...v0.0.262) <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed ##### Configuration - Allow users to extend the set of included files via `include` by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3914 - Implement isort custom sections and ordering ([#​2419](https://togithub.com/charliermarsh/ruff/issues/2419)) by [@​hackedd](https://togithub.com/hackedd) in [astral-sh/ruff#3900 ##### Rules - \[`flake8-simplify`] Add autofix for `contextlib.suppress` (`SIM105`) by [@​leiserfg](https://togithub.com/leiserfg) in [astral-sh/ruff#3915 - \[`flake8-bandit`] Ignore assert errors (S101) in `TYPE_CHECKING` blocks by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3960 - \[`flake8-comprehensions`] Implement `unnecessary-literal-within-dict-call` (`C418`) by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3969 - \[`ruff`] Add checks for mutable defaults `dataclass`es by [@​mosauter](https://togithub.com/mosauter) in [astral-sh/ruff#3877 - \[`flake8-import-conventions`] Add a rule for `BannedImportAlias` by [@​stancld](https://togithub.com/stancld) in [astral-sh/ruff#3926 - \[`flake8-pyi`] Implement duplicate types in unions (`PYI016`) by [@​USER-5](https://togithub.com/USER-5) in [astral-sh/ruff#3922 - \[`flake8-bandit`] Implement flake8-bandit shell injection rules by [@​robyoung](https://togithub.com/robyoung) in [astral-sh/ruff#3924 - \[`flake8-comprehensions`] Redirect `PIE802` to `C419` by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3971 ##### Bug Fixes - Fix unicode handling in PLE2515 by [@​konstin](https://togithub.com/konstin) in [astral-sh/ruff#3898 - Avoid adding required imports to stub files by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3940 - Add 'or if cond' to `E712` message by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3962 - Ignore argument assignments when enforcing `RET504` by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4004 - Fix (doc-)line-too-long start location by [@​MichaReiser](https://togithub.com/MichaReiser) in [astral-sh/ruff#4006 - Ignore stub file assignments to value-requiring targets by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4030 - Allow legacy C and T selectors in JSON schema by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3889 - Ignore `PLW2901` when using typing cast by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3891 - Visit comprehension to detect group name usage/overrides by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3887 - Ensure that tab characters aren't in multi-line strings before throwing a violation by [@​evanrittenhouse](https://togithub.com/evanrittenhouse) in [astral-sh/ruff#3837 - Avoid N802 violations for `@override` methods by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3912 - Check for arguments in inner/outer call for `C414` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3916 - Do not skip analysis if `*args` present for `F523` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3923 - Extend SIM105 to match also 'Ellipsis only' bodies in exception handlers by [@​leiserfg](https://togithub.com/leiserfg) in [astral-sh/ruff#3925 - Support `pyright: ignore` comments by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3941 - Tidy up some `pygrep-hooks` rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3942 - Use identifier range for pytest rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3948 - Allow `typing_extensions.TypeVar` assignments in `.pyi` files by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3951 - Raise percent-format upgrade rule (`UP031`) for hanging modulos by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3953 - Check for parenthesis in implicit str concat in `PT006` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3955 - Do not consider nested comment as part of code by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3984 - Preserve type annotations when fixing `E731` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3983 - Remove autofix behavior for uncapitalized-environment-variables (`SIM112`) by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3988 - Respect typing-modules when evaluating no-return functions by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4001 - Avoid short-circuiting when detecting RET rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4002 - Set non-empty range for indentation diagnostics by [@​MichaReiser](https://togithub.com/MichaReiser) in [astral-sh/ruff#4005 - Ignore relative imports in `banned-api` rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4024 - Support relative imports in `banned-api` enforcement by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4025 - Treat non-future function annotations as required-at-runtime by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4028 - Ignore certain flake8-pyi errors within function bodies by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4029 #### New Contributors - [@​tjkuson](https://togithub.com/tjkuson) made their first contribution in [astral-sh/ruff#3886 - [@​mosauter](https://togithub.com/mosauter) made their first contribution in [astral-sh/ruff#3877 - [@​stancld](https://togithub.com/stancld) made their first contribution in [astral-sh/ruff#3926 - [@​USER-5](https://togithub.com/USER-5) made their first contribution in [astral-sh/ruff#3922 - [@​robyoung](https://togithub.com/robyoung) made their first contribution in [astral-sh/ruff#3924 - [@​hackedd](https://togithub.com/hackedd) made their first contribution in [astral-sh/ruff#3900 - [@​justinchuby](https://togithub.com/justinchuby) made their first contribution in [astral-sh/ruff#3982 - [@​mirecl](https://togithub.com/mirecl) made their first contribution in [astral-sh/ruff#4008 - [@​Xemnas0](https://togithub.com/Xemnas0) made their first contribution in [astral-sh/ruff#4026 **Full Changelog**: astral-sh/ruff@v0.0.261...v0.0.262 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/allenporter/flux-local). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS41NC4wIiwidXBkYXRlZEluVmVyIjoiMzUuNTQuMCJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot
added a commit
to allenporter/pyrainbird
that referenced
this pull request
Apr 21, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ruff](https://togithub.com/charliermarsh/ruff) | `==0.0.261` -> `==0.0.262` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>charliermarsh/ruff</summary> ### [`v0.0.262`](https://togithub.com/charliermarsh/ruff/releases/tag/v0.0.262) [Compare Source](https://togithub.com/charliermarsh/ruff/compare/v0.0.261...v0.0.262) <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed ##### Configuration - Allow users to extend the set of included files via `include` by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3914 - Implement isort custom sections and ordering ([#​2419](https://togithub.com/charliermarsh/ruff/issues/2419)) by [@​hackedd](https://togithub.com/hackedd) in [astral-sh/ruff#3900 ##### Rules - \[`flake8-simplify`] Add autofix for `contextlib.suppress` (`SIM105`) by [@​leiserfg](https://togithub.com/leiserfg) in [astral-sh/ruff#3915 - \[`flake8-bandit`] Ignore assert errors (S101) in `TYPE_CHECKING` blocks by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3960 - \[`flake8-comprehensions`] Implement `unnecessary-literal-within-dict-call` (`C418`) by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3969 - \[`ruff`] Add checks for mutable defaults `dataclass`es by [@​mosauter](https://togithub.com/mosauter) in [astral-sh/ruff#3877 - \[`flake8-import-conventions`] Add a rule for `BannedImportAlias` by [@​stancld](https://togithub.com/stancld) in [astral-sh/ruff#3926 - \[`flake8-pyi`] Implement duplicate types in unions (`PYI016`) by [@​USER-5](https://togithub.com/USER-5) in [astral-sh/ruff#3922 - \[`flake8-bandit`] Implement flake8-bandit shell injection rules by [@​robyoung](https://togithub.com/robyoung) in [astral-sh/ruff#3924 - \[`flake8-comprehensions`] Redirect `PIE802` to `C419` by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3971 ##### Bug Fixes - Fix unicode handling in PLE2515 by [@​konstin](https://togithub.com/konstin) in [astral-sh/ruff#3898 - Avoid adding required imports to stub files by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3940 - Add 'or if cond' to `E712` message by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3962 - Ignore argument assignments when enforcing `RET504` by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4004 - Fix (doc-)line-too-long start location by [@​MichaReiser](https://togithub.com/MichaReiser) in [astral-sh/ruff#4006 - Ignore stub file assignments to value-requiring targets by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4030 - Allow legacy C and T selectors in JSON schema by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3889 - Ignore `PLW2901` when using typing cast by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3891 - Visit comprehension to detect group name usage/overrides by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3887 - Ensure that tab characters aren't in multi-line strings before throwing a violation by [@​evanrittenhouse](https://togithub.com/evanrittenhouse) in [astral-sh/ruff#3837 - Avoid N802 violations for `@override` methods by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3912 - Check for arguments in inner/outer call for `C414` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3916 - Do not skip analysis if `*args` present for `F523` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3923 - Extend SIM105 to match also 'Ellipsis only' bodies in exception handlers by [@​leiserfg](https://togithub.com/leiserfg) in [astral-sh/ruff#3925 - Support `pyright: ignore` comments by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3941 - Tidy up some `pygrep-hooks` rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3942 - Use identifier range for pytest rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3948 - Allow `typing_extensions.TypeVar` assignments in `.pyi` files by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3951 - Raise percent-format upgrade rule (`UP031`) for hanging modulos by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3953 - Check for parenthesis in implicit str concat in `PT006` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3955 - Do not consider nested comment as part of code by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3984 - Preserve type annotations when fixing `E731` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#3983 - Remove autofix behavior for uncapitalized-environment-variables (`SIM112`) by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#3988 - Respect typing-modules when evaluating no-return functions by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4001 - Avoid short-circuiting when detecting RET rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4002 - Set non-empty range for indentation diagnostics by [@​MichaReiser](https://togithub.com/MichaReiser) in [astral-sh/ruff#4005 - Ignore relative imports in `banned-api` rules by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4024 - Support relative imports in `banned-api` enforcement by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4025 - Treat non-future function annotations as required-at-runtime by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4028 - Ignore certain flake8-pyi errors within function bodies by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#4029 #### New Contributors - [@​tjkuson](https://togithub.com/tjkuson) made their first contribution in [astral-sh/ruff#3886 - [@​mosauter](https://togithub.com/mosauter) made their first contribution in [astral-sh/ruff#3877 - [@​stancld](https://togithub.com/stancld) made their first contribution in [astral-sh/ruff#3926 - [@​USER-5](https://togithub.com/USER-5) made their first contribution in [astral-sh/ruff#3922 - [@​robyoung](https://togithub.com/robyoung) made their first contribution in [astral-sh/ruff#3924 - [@​hackedd](https://togithub.com/hackedd) made their first contribution in [astral-sh/ruff#3900 - [@​justinchuby](https://togithub.com/justinchuby) made their first contribution in [astral-sh/ruff#3982 - [@​mirecl](https://togithub.com/mirecl) made their first contribution in [astral-sh/ruff#4008 - [@​Xemnas0](https://togithub.com/Xemnas0) made their first contribution in [astral-sh/ruff#4026 **Full Changelog**: astral-sh/ruff@v0.0.261...v0.0.262 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/allenporter/pyrainbird). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS41NC4wIiwidXBkYXRlZEluVmVyIjoiMzUuNTQuMCJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This includes rules S602 - S607. Partially addresses #1646.
This is my first PR on this project so I apologise if I have missed some things.