feat(rules): implement flake8-bandit S507 (ssh_no_host_key_verification)
#7528
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PR Check ResultsEcosystem✅ ecosystem check detected no changes. |
charliermarsh
approved these changes
Sep 20, 2023
renovate bot
added a commit
to allenporter/flux-local
that referenced
this pull request
Sep 24, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ruff](https://docs.astral.sh/ruff) ([source](https://togithub.com/astral-sh/ruff), [changelog](https://togithub.com/astral-sh/ruff/releases)) | `==0.0.290` -> `==0.0.291` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>astral-sh/ruff (ruff)</summary> ### [`v0.0.291`](https://togithub.com/astral-sh/ruff/releases/tag/v0.0.291) [Compare Source](https://togithub.com/astral-sh/ruff/compare/v0.0.290...v0.0.291) <!-- Release notes generated using configuration in .github/release.yml at v0.0.291 --> #### What's Changed ##### Deprecations **The `format` command-line argument and configuration option has been renamed to `output-format`.** While Ruff will continue to respect `format` when passed as a command-line argument or configuration option, this backwards-compatible support will be dropped in a future release. See: [astral-sh/ruff#7514. ##### Rules - \[`flake8-bandit`] Implement `S201`: `flask-debug-true` by [@​mkniewallner](https://togithub.com/mkniewallner) in [astral-sh/ruff#7503 - \[`flake8-bandit`] Implement `S507`: `ssh_no_host_key_verification` by [@​mkniewallner](https://togithub.com/mkniewallner) in [astral-sh/ruff#7528 - \[`flake8-logging`] Implement `LOG002`: `invalid-get-logger-argument` by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#7399 - \[`flake8-logging`] Implement `LOG007`: `exception-without-exc-info` by [@​qdegraaf](https://togithub.com/qdegraaf) in [astral-sh/ruff#7410 - \[`refurb`] Implement `FURB140`: `reimplemented-starmap` by [@​SavchenkoValeriy](https://togithub.com/SavchenkoValeriy) in [astral-sh/ruff#7253 - \[`refurb`] Implement `FURB148`: `unnecessary-enumerate` by [@​tjkuson](https://togithub.com/tjkuson) in [astral-sh/ruff#7454 - \[`ruff`] Detect `asyncio.get_running_loop` calls in RUF006 by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7562 ##### Settings - Show `--no-X` variants in CLI help by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7504 - Rename `format` option to `output-format` by [@​MichaReiser](https://togithub.com/MichaReiser) in [astral-sh/ruff#7514 - Enable tab completion for `ruff rule` by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7560 ##### Bug Fixes - Add padding to prevent some autofix errors by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7461 - Remove parentheses when rewriting assert calls to statements by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7464 - Avoid flagging starred elements in C402 by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7466 - Extend `bad-dunder-method-name` to permit `attrs` dunders by [@​tjkuson](https://togithub.com/tjkuson) in [astral-sh/ruff#7472 - Avoid N802 violations for [@​overload](https://togithub.com/overload) methods by [@​JonathanPlasse](https://togithub.com/JonathanPlasse) in [astral-sh/ruff#7498 - Avoid flagging starred expressions in UP007 by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7505 - Ensure that LOG007 only triggers on `.exception()` calls by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7524 - Use strict sorted and union for NoQA mapping insertion by [@​dhruvmanila](https://togithub.com/dhruvmanila) in [astral-sh/ruff#7531 - Avoid inserting imports directly after continuation by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7553 - Add padding in `PERF102` fixes by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7554 - Avoid invalid fix for parenthesized values in F601 by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7559 - Treat `os.error` as an `OSError` alias by [@​charliermarsh](https://togithub.com/charliermarsh) in [astral-sh/ruff#7582 - Extend `bad-dunder-method-name` to permit `__html__` by [@​jaap3](https://togithub.com/jaap3) in [astral-sh/ruff#7492 - Fix stylist indentation with a formfeed by [@​konstin](https://togithub.com/konstin) in [astral-sh/ruff#7489 #### New Contributors - [@​MicaelJarniac](https://togithub.com/MicaelJarniac) made their first contribution in [astral-sh/ruff#5498 - [@​maheshsaripalli9](https://togithub.com/maheshsaripalli9) made their first contribution in [astral-sh/ruff#7552 - [@​T-256](https://togithub.com/T-256) made their first contribution in [astral-sh/ruff#7585 **Full Changelog**: astral-sh/ruff@v0.0.290...v0.0.291 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/allenporter/flux-local). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi45Ny4xIiwidXBkYXRlZEluVmVyIjoiMzYuOTcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
charliermarsh
pushed a commit
that referenced
this pull request
Sep 28, 2023
## Summary Follow-up on #7528 that improves detections of mis-usages of policy in `paramiko`. First commit applies the same fix as in `bandit` (PyCQA/bandit#1064), as `paramiko` supports passing both a class and a class instance for the policy in `set_missing_host_key_policy` (https://github.com/paramiko/paramiko/blob/8e389c77660c5cdae3069b478665427d23012853/paramiko/client.py#L171-L191). Second commit improve the detection of `paramiko` import paths that trigger a violation, as `AutoAddPolicy`, `WarningPolicy` and `SSHClient` are not only exposed in `paramiko.client`, but also in `paramiko` (https://github.com/paramiko/paramiko/blob/66117732de6de03914308f9a21b05b50a781d13c/paramiko/__init__.py#L121-L164). ## Test Plan Snapshot tests.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Part of #1646.
Summary
Implement
S507(ssh_no_host_key_verification) rule frombandit.Test Plan
Snapshot test from https://github.com/PyCQA/bandit/blob/1.7.5/examples/no_host_key_verification.py, with several additions to test for more cases (most notably passing the parameter as a named argument).