[flake8-bandit] Implement upstream updates for S311, S324 and S605

[mkniewallner]

Summary

Pick up updates made in latest releases of bandit:

• S311: Add random.Random to B311 checks PyCQA/bandit#940 and Add random.randbytes to blacklist calls PyCQA/bandit#1096
• S324: Adds check for crypt module usage as weak hash PyCQA/bandit#1018
• S605: [B605] Add functions that are vulnerable to shell injection. PyCQA/bandit#1116

Test Plan

Snapshot tests

[github-actions]

ruff-ecosystem results

Linter (stable)

ℹ️ ecosystem check detected linter changes. (+8 -0 violations, +0 -0 fixes in 4 projects; 39 projects unchanged)

DisnakeDev/disnake (+2 -0 violations, +0 -0 fixes)

+ disnake/backoff.py:45:16: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+ disnake/colour.py:135:44: S311 Standard pseudo-random generators are not suitable for cryptographic purposes

apache/airflow (+2 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --no-preview --select ALL

+ airflow/dag_processing/manager.py:1156:13: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+ tests/dag_processing/test_job_runner.py:363:9: S311 Standard pseudo-random generators are not suitable for cryptographic purposes

model-bakers/model_bakery (+1 -0 violations, +0 -0 fixes)

+ model_bakery/random_gen.py:30:16: S311 Standard pseudo-random generators are not suitable for cryptographic purposes

zulip/zulip (+3 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --no-preview --select ALL

+ analytics/lib/fixtures.py:39:11: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+ tools/lib/provision.py:280:60: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+ tools/lib/provision.py:280:60: S607 Starting a process with a partial executable path

Changes by rule (3 rules affected)

code	total	+ violation	- violation	+ fix	- fix
S311	6	6	0	0	0
S605	1	1	0	0	0
S607	1	1	0	0	0

Linter (preview)

ℹ️ ecosystem check detected linter changes. (+8 -0 violations, +0 -0 fixes in 4 projects; 39 projects unchanged)

DisnakeDev/disnake (+2 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview

+ disnake/backoff.py:45:16: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+ disnake/colour.py:135:44: S311 Standard pseudo-random generators are not suitable for cryptographic purposes

apache/airflow (+2 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL

+ airflow/dag_processing/manager.py:1156:13: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+ tests/dag_processing/test_job_runner.py:363:9: S311 Standard pseudo-random generators are not suitable for cryptographic purposes

model-bakers/model_bakery (+1 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview

+ model_bakery/random_gen.py:30:16: S311 Standard pseudo-random generators are not suitable for cryptographic purposes

zulip/zulip (+3 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL

+ analytics/lib/fixtures.py:39:11: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+ tools/lib/provision.py:280:60: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+ tools/lib/provision.py:280:60: S607 Starting a process with a partial executable path

Changes by rule (3 rules affected)

code	total	+ violation	- violation	+ fix	- fix
S311	6	6	0	0	0
S605	1	1	0	0	0
S607	1	1	0	0	0

Formatter (stable)

✅ ecosystem check detected no format changes.

Formatter (preview)

✅ ecosystem check detected no format changes.

[mkniewallner]

Not sure why there is a new match for S607 on zulip in the ecosystem check as it was not changed.

[charliermarsh]

Nice, this looks great -- thanks!

[charliermarsh]

Not sure why there is a new match for S607 on zulip in the ecosystem check as it was not changed.

I think it's because you added getstatusoutput to the list of shell-like calls.

[mkniewallner]

Not sure why there is a new match for S607 on zulip in the ecosystem check as it was not changed.

I think it's because you added getstatusoutput to the list of shell-like calls.

Oh yeah sorry, I did not know what S607 was exactly, and didn't see that this change would also apply to this rule. But it does seem legit to handle this new case for S607, as this is the core logic to detect shell invocations, so all good it seems!