basilisp-lang · chrisrink10 · Nov 6, 2024 · Nov 6, 2024 · Nov 6, 2024 · Nov 6, 2024
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -19,21 +19,21 @@ jobs:
         version: ['3.9', '3.10', '3.11', '3.12', '3.13']
         include:
           - version: '3.9'
-            tox-env: py39,py39-mypy,py39-lint,safety
+            tox-env: py39,py39-mypy,py39-lint,bandit
           - version: '3.10'
-            tox-env: py310,py310-mypy,py310-lint,safety
+            tox-env: py310,py310-mypy,py310-lint,bandit
           - version: '3.11'
-            tox-env: py311,py311-mypy,py311-lint,safety
+            tox-env: py311,py311-mypy,py311-lint,bandit
           - version: '3.12'
-            tox-env: py312,py312-mypy,py312-lint,format,safety
+            tox-env: py312,py312-mypy,py312-lint,format,bandit
           - version: '3.13'
-            tox-env: py313,py313-mypy,py313-lint,safety
+            tox-env: py313,py313-mypy,py313-lint,bandit
           - os: windows-latest
             version: '3.13'
-            tox-env: py313,safety
+            tox-env: py313,bandit
           - os: macos-latest
             version: '3.13'
-            tox-env: py313,safety
+            tox-env: py313,bandit
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5

diff --git a/Makefile b/Makefile
@@ -23,7 +23,7 @@ format:
 .PHONY: check
 check:
 	@rm -f .coverage*
-	@TOX_SKIP_ENV='pypy3|safety|coverage' poetry run tox run-parallel -p auto
+	@TOX_SKIP_ENV='pypy3|bandit|coverage' poetry run tox run-parallel -p auto
 
 
 .PHONY: lint

diff --git a/pyproject.toml b/pyproject.toml
@@ -72,6 +72,9 @@ basilisp_test_runner = "basilisp.contrib.pytest.testrunner"
 requires = ["poetry-core>=1.0.0"]
 build-backend = "poetry.core.masonry.api"
 
+[tool.bandit]
+skips = ["B101"]
+
 [tool.black]
 line-length = 88
 target-version = ["py39"]

diff --git a/src/basilisp/cli.py b/src/basilisp/cli.py
@@ -784,7 +784,7 @@ def run_script():
     if rest := sys.argv[2:]:
         args.append("--")
         args.extend(rest)
-    os.execvp("basilisp", args)
+    os.execvp("basilisp", args)  # nosec B606, B607
 
 
 def invoke_cli(args: Optional[Sequence[str]] = None) -> None:

diff --git a/src/basilisp/importer.py b/src/basilisp/importer.py
@@ -85,7 +85,7 @@ def _get_basilisp_bytecode(
         logger.debug(message)
         raise ImportError(message, **exc_details)
 
-    return marshal.loads(cache_data[12:])
+    return marshal.loads(cache_data[12:])  # nosec 6302
 
 
 def _cache_from_source(path: str) -> str:

diff --git a/src/basilisp/lang/compiler/__init__.py b/src/basilisp/lang/compiler/__init__.py
@@ -186,7 +186,7 @@ def compile_and_exec_form(
         bytecode = compile(ast_module, ctx.filename, "exec")
         if collect_bytecode:
             collect_bytecode(bytecode)
-        exec(bytecode, ns.module.__dict__)  # pylint: disable=exec-used
+        exec(bytecode, ns.module.__dict__)  # pylint: disable=exec-used  # nosec 6102
         try:
             last = getattr(ns.module, final_wrapped_name)()
         finally:
@@ -222,7 +222,7 @@ def _incremental_compile_module(
     bytecode = compile(module, source_filename, "exec")
     if collect_bytecode:
         collect_bytecode(bytecode)
-    exec(bytecode, ns.module.__dict__)  # pylint: disable=exec-used
+    exec(bytecode, ns.module.__dict__)  # pylint: disable=exec-used  # nosec 6102
 
 
 def _bootstrap_module(
@@ -284,7 +284,7 @@ def compile_bytecode(
     and then proceeds to compile a collection of bytecodes into the module."""
     _bootstrap_module(gctx, optimizer, ns)
     for bytecode in code:
-        exec(bytecode, ns.module.__dict__)  # pylint: disable=exec-used
+        exec(bytecode, ns.module.__dict__)  # pylint: disable=exec-used  # nosec 6102
 
 
 _LOAD_SYM = sym.symbol("load", ns=runtime.CORE_NS)

diff --git a/src/basilisp/lang/compiler/generator.py b/src/basilisp/lang/compiler/generator.py
@@ -2291,7 +2291,7 @@ def _import_hash(s: str) -> str:
     the new session can find objects generated by the session which generated the
     cache file. Since we are not concerned with being able to round-trip this data,
     destructive modifications are not an issue."""
-    digest = hashlib.md5(s.encode()).digest()
+    digest = hashlib.md5(s.encode()).digest()  # nosec B324
     return base64.b64encode(digest).decode().translate(_IMPORT_HASH_TRANSLATE_TABLE)[:6]
 
 

diff --git a/tox.ini b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = py39,py310,py311,py312,py313,pypy3,coverage,py{39,310,311,312,313}-mypy,py{39,310,311,312,313}-lint,format,safety
+envlist = py39,py310,py311,py312,py313,pypy3,coverage,py{39,310,311,312,313}-mypy,py{39,310,311,312,313}-lint,format,bandit
 labels =
     test = py39,py310,py311,py312,py313
 
@@ -58,10 +58,8 @@ commands =
     pylint src/
     ruff check src/
 
-[testenv:safety]
+[testenv:bandit]
 deps =
-     safety
-     # work around 3.13 issue to avoid building an earlier version of pydantic-core on macos
-     pydantic-core>=2.25.0
+     bandit[toml]
 commands =
-    safety check -i 40291 -i 67599 -i 70612
+    bandit -c {toxinidir}/pyproject.toml -r {toxinidir}/src/basilisp