
Bandit CI checks are failing

Open · correctmost opened this issue 6 months ago · 1 comment

Description

The Bandit CI checks have been silently failing for a while: https://github.com/archlinux/archinstall/actions/runs/15349689646/job/43194498787

These checks could possibly be handled by ruff, which has support for many Bandit rules. Some rules would have to be excluded, though, because Bandit checks are prone to false positives:

$ ruff check --select=S --statistics
44	S101	assert
 8	S110	try-except-pass
 7	S108	hardcoded-temp-file
 7	S310	suspicious-url-open-usage
 7	S607	start-process-with-partial-path
 6	S106	hardcoded-password-func-arg
 6	S605	start-process-with-a-shell
 2	S603	subprocess-without-shell-equals-true
 1	S311	suspicious-non-cryptographic-random-usage
 1	S324	hashlib-insecure-hash-function
 1	S602	subprocess-popen-with-shell-equals-true
 1	S606	start-process-with-no-shell
 1	S608	hardcoded-sql-expression
Found 92 errors.

correctmost · May 30 '25 17:05
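One way to express the proposal above in ruff's configuration, as an added example that is not archinstall's own config: it enables the flake8-bandit (S) rule family and carves out the exclusions. Which codes to exclude is an assumption here (the issue does not say which), as is the `tests/` path used for the per-file ignore.

```toml
# Added example, not archinstall's own pyproject.toml.
[tool.ruff.lint]
# Enable the flake8-bandit (S) rules that ruff ports from Bandit.
extend-select = ["S"]
# Assumed exclusions: rules that the statistics above show firing often
# and that tend to be false positives in code that legitimately runs
# external commands. Everything else in the S family stays enforced.
ignore = [
    "S603",  # subprocess without shell=True: an argv list, the safer form
    "S607",  # partial executable path: relying on PATH lookup is intended
]

[tool.ruff.lint.per-file-ignores]
# assert is the normal idiom in tests; keep S101 enforced outside them.
"tests/**" = ["S101"]
```

With this in place, `ruff check` fails the CI job on any remaining S finding instead of the Bandit step failing silently.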

I'd be in favor of using ruff; I like having one tool instead of multiple ones.

svartkanin · Jun 02 '25 08:06