Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove lxml (B320 & B410) from blacklist #1212

Merged
merged 4 commits into from
Jan 7, 2025
Merged

Remove lxml (B320 & B410) from blacklist #1212

merged 4 commits into from
Jan 7, 2025
+15 −51

Conversation

djbrown
Copy link
Contributor

@djbrown djbrown commented Dec 19, 2024

removes B320 (xml_bad_etree) and B410 (import_lxml)

fixes #767

@djbrown djbrown marked this pull request as ready for review December 19, 2024 02:45
@djbrown djbrown mentioned this pull request Dec 19, 2024
Closed
sigmavirus24
sigmavirus24 reviewed Dec 19, 2024
View reviewed changes
Copy link
Member

@sigmavirus24 sigmavirus24 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my opinion:

  • We should do this
  • We should add very clear notes to our changelog
  • We should start pointing people away from defused XML as it's maintenance status means lxml is likely to be safer going forward

@djbrown
Copy link
Contributor Author

djbrown commented Dec 26, 2024

I couldn't find any changelog files. @ericwb do you know what Ian meant?

@sigmavirus24
Copy link
Member

My mistake. I thought we had one but I guess not

@djbrown djbrown changed the title remove lxml from blacklist Remove lxml (B320 & B410) from blacklist Dec 27, 2024
@djbrown
Copy link
Contributor Author

djbrown commented Dec 27, 2024

@sigmavirus24 thank you for your reply! :)
I saw this project actually does have a nice changelog via GitHub release descriptions generated from PRs:
https://github.com/PyCQA/bandit/releases
I updated this PRs title to be more suitable for the changelog.
And I guess this change would require a minor version bump (currently 1.8.0 -> 1.9.0)
@ericwb @lukehinds is there anything else I may help with to get this merged?

ericwb
ericwb requested changes Dec 27, 2024
View reviewed changes
Copy link
Member

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So when removing a rule, we should keep the documentation for historical reasons and denote that the plugin or test was removed. This is to prevent someone in the future accidentally reusing the same Bandit ID number, thus leading to a conflict.

As for the code for the test, we can disable is functionality but keep it in order to reserve the Bandit ID associated with it.

For example, see the following. Notice how we kept the docs and denoted that the plugin was removed in what version. Please follow this example.

https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b309-httpsconnection

https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b322-input

https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b322-input

@djbrown djbrown requested a review from ericwb December 28, 2024 02:28
@djbrown
Copy link
Contributor Author

djbrown commented Dec 28, 2024

thank you @ericwb for the review!
I made another commit, restoring the documentation and denoting the removal

djbrown and others added 2 commits December 28, 2024 16:30
@djbrown @sigmavirus24
fix missing newline
50ab30a 
Co-authored-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
@ericwb
Merge branch 'main' into lxml-guidance
ccded51
@ericwb
Copy link
Member

ericwb commented Jan 7, 2025

I couldn't find any changelog files. @ericwb do you know what Ian meant?

There is a changelog, but it is generated from pbr based on the git commits. So we don't update manually.

Also, with each release we generate a log of changes included as well.

@ericwb ericwb merged commit e4da0b3 into PyCQA:main Jan 7, 2025
16 checks passed
@djbrown djbrown deleted the lxml-guidance branch January 7, 2025 20:55
@ericwb ericwb mentioned this pull request Jan 11, 2025
Closed
apaniukov added a commit to apaniukov/openvino_tokenizers that referenced this pull request Jan 14, 2025
@apaniukov
Update Bandit Flags
5d658ae 
B320 was removed: PyCQA/bandit#1212
@apaniukov apaniukov mentioned this pull request Jan 14, 2025
Merged
apaniukov added a commit to apaniukov/openvino_tokenizers that referenced this pull request Jan 14, 2025
@apaniukov
Update Bandit Flags
2de83fa 
B320 and B410 were removed: PyCQA/bandit#1212
github-merge-queue bot pushed a commit to openvinotoolkit/openvino_tokenizers that referenced this pull request Jan 14, 2025
@apaniukov
Update Bandit Flags (#368)
a8b3c49 
* Update Bandit Flags

B320 was removed: PyCQA/bandit#1212

* Update Bandit Flags

B320 and B410 were removed: PyCQA/bandit#1212
openstack-mirroring pushed a commit to openstack/swift that referenced this pull request Jan 14, 2025
@tipabu
CI: Remove B320 and B410 bandit skips
f95315b 
They were removed upstream recently, so now Bandit is complaining about
the unknown test.

See PyCQA/bandit#1212

Change-Id: Ie668d49a56c0a6542d28128656cfd44f7c089ec4
openstack-mirroring pushed a commit to openstack/openstack that referenced this pull request Jan 14, 2025
@tipabu @openstack-gerrit
Update git submodules
bc03db4 
* Update swift from branch 'master'
  to f95315b7111746fc54e4ab17c96ee1c1909ee256
  - CI: Remove B320 and B410 bandit skips
    
    They were removed upstream recently, so now Bandit is complaining about
    the unknown test.
    
    See PyCQA/bandit#1212
    
    Change-Id: Ie668d49a56c0a6542d28128656cfd44f7c089ec4
ilya-lavrenov pushed a commit to openvinotoolkit/openvino_tokenizers that referenced this pull request Jan 14, 2025
@apaniukov
Update Bandit Flags (#368)
80fb404 
* Update Bandit Flags

B320 was removed: PyCQA/bandit#1212

* Update Bandit Flags

B320 and B410 were removed: PyCQA/bandit#1212
hubot pushed a commit to f-droid/fdroidserver that referenced this pull request Jan 15, 2025
@eighthave
bandit no longer includes B410 lxml check
f5a6aa2 
PyCQA/bandit#1212
ilya-lavrenov pushed a commit to ilya-lavrenov/openvino_tokenizers that referenced this pull request Jan 17, 2025
@apaniukov @ilya-lavrenov
Update Bandit Flags (openvinotoolkit#368)
c549e51 
* Update Bandit Flags

B320 was removed: PyCQA/bandit#1212

* Update Bandit Flags

B320 and B410 were removed: PyCQA/bandit#1212
mryzhov pushed a commit to openvinotoolkit/openvino_tokenizers that referenced this pull request Jan 17, 2025
@ilya-lavrenov @apaniukov
GHA: use official 2024.6.0 (#376)
d99420c 
* GHA: use official 2024.6.0

* Update Bandit Flags (#368)

* Update Bandit Flags

B320 was removed: PyCQA/bandit#1212

* Update Bandit Flags

B320 and B410 were removed: PyCQA/bandit#1212

---------

Co-authored-by: Artur Paniukov <artur.paniukov@intel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sigmavirus24 sigmavirus24 sigmavirus24 approved these changes

@ericwb ericwb ericwb approved these changes

@lukehinds lukehinds Awaiting requested review from lukehinds lukehinds is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

lxml guidance is not useful
3 participants
@djbrown @sigmavirus24 @ericwb