From 06736c54a587171e9a3a66a545f7a6f265dd7248 Mon Sep 17 00:00:00 2001
From: Jacob Floyd
Date: Fri, 14 Oct 2022 18:05:18 -0500
Subject: [PATCH 1/6] use bandit via pantsbuild

---
 pants.toml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pants.toml b/pants.toml
index 18c350d14e..9e95c904c3 100644
--- a/pants.toml
+++ b/pants.toml
@@ -12,6 +12,7 @@ backend_packages = [
 "pants.backend.python",
 "pants.backend.experimental.python", # activates twine `publish` support
 "pants.backend.python.mixed_interpreter_constraints",
+ "pants.backend.python.lint.bandit",
 "pants.backend.python.lint.black",
 "pants.backend.python.lint.flake8",
@@ -83,6 +84,15 @@ root_patterns = [
 "/st2common/benchmarks/micro",
 ]
+[bandit]
+version = "bandit==1.7.0"
+args = [
+ "-lll", # only HIGH severity level
+ "--exclude",
+ "build,dist",
+ "--quiet", # only show output in the case of an error
+]
+
 [black]
 lockfile = "lockfiles/black.lock"
 version = "black==22.3.0"

From 5ad28dee1632a7c928a8791f0fcc0050b31a9a9b Mon Sep 17 00:00:00 2001
From: Jacob Floyd
Date: Fri, 14 Oct 2022 18:08:20 -0500
Subject: [PATCH 2/6] pants: add pex lockfile for bandit

---
 lockfiles/bandit | 481 +++++++++++++++++++++++++++++++++++++++++++++++
 pants.toml | 9 +-
 2 files changed, 489 insertions(+), 1 deletion(-)
 create mode 100644 lockfiles/bandit

diff --git a/lockfiles/bandit b/lockfiles/bandit
new file mode 100644
index 0000000000..b6599ba4e6
--- /dev/null
+++ b/lockfiles/bandit
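Review bot: The `-lll` entry in `[bandit] args` limits the lint run to HIGH-severity findings, so anything bandit rates MEDIUM or LOW is dropped without a trace; if I remember bandit's default ratings correctly that includes `yaml.load` (B506), `eval`/`exec` (B307/B102) and `pickle` (B301), which is a narrow net for a change the changelog describes as improving security posture. If the threshold is a deliberate starting point rather than the end state, record that next to the flag: `"-lll",  # only HIGH severity for now; lower to -ll once MEDIUM findings are triaged`. The `version = "bandit==1.7.0"` pin also carries no note on why that release was chosen (pants default, interpreter-constraint compatibility, or something else), and a one-line comment would spare the next upgrader a guess.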
@@ -0,0 +1,481 @@ +// This lockfile was autogenerated by Pants. To regenerate, run: +// +// ./pants generate-lockfiles --resolve=bandit +// +// --- BEGIN PANTS LOCKFILE METADATA: DO NOT EDIT OR REMOVE --- +// { +// "version": 3, +// "valid_for_interpreter_constraints": [ +// "CPython<4,>=3.7" +// ], +// "generated_with_requirements": [ +// "bandit==1.7.0", +// "importlib-metadata<5; python_version < \"3.8\"", +// "setuptools" +// ], +// "manylinux": "manylinux2014", +// "requirement_constraints": [], +// "only_binary": [], +// "no_binary": [] +// } +// --- END PANTS LOCKFILE METADATA --- + +{ + "allow_builds": true, + "allow_prereleases": false, + "allow_wheels": true, + "build_isolation": true, + "constraints": [], + "locked_resolves": [ + { + "locked_requirements": [ + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "216be4d044209fa06cf2a3e51b319769a51be8318140659719aa7a115c35ed07", + "url": "https://files.pythonhosted.org/packages/6e/68/dc39991eb6074cabeed2ee78f6e101054869f79ba806f8b6e4b1f4f7c3f6/bandit-1.7.0-py3-none-any.whl" + }, + { + "algorithm": "sha256", + "hash": "8a4c7415254d75df8ff3c3b15cfe9042ecee628a1e40b44c15a98890fbfc2608", + "url": "https://files.pythonhosted.org/packages/6c/a1/14b70b67ea9c69e863dd65386bbc948ae34a502512d6f36e2a5a9fd5513b/bandit-1.7.0.tar.gz" + } + ], + "project_name": "bandit", + "requires_dists": [ + "GitPython>=1.0.1", + "PyYAML>=5.3.1", + "colorama>=0.3.9; platform_system == \"Windows\"", + "six>=1.10.0", + "stevedore>=1.20.0" + ], + "requires_python": ">=3.5", + "version": "1.7" + }, + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "8033ad4e853066ba6ca92050b9df2f89301b8fc8bf7e9324d412a63f8bf1a8fd", + "url": "https://files.pythonhosted.org/packages/a3/7c/5d747655049bfbf75b5fcec57c8115896cb78d6fafa84f6d3ef4c0f13a98/gitdb-4.0.9-py3-none-any.whl" + }, + { + "algorithm": "sha256", + "hash": "bac2fd45c0a1c9cf619e63a90d62bdc63892ef92387424b855792a6cabe789aa", + "url": 
"https://files.pythonhosted.org/packages/fc/44/64e02ef96f20b347385f0e9c03098659cb5a1285d36c3d17c56e534d80cf/gitdb-4.0.9.tar.gz" + } + ], + "project_name": "gitdb", + "requires_dists": [ + "smmap<6,>=3.0.1" + ], + "requires_python": ">=3.6", + "version": "4.0.9" + }, + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "41eea0deec2deea139b459ac03656f0dd28fc4a3387240ec1d3c259a2c47850f", + "url": "https://files.pythonhosted.org/packages/1f/d3/020efb312a7d25fa00e144497a33378d415552e5581be080a99017af6d39/GitPython-3.1.29-py3-none-any.whl" + }, + { + "algorithm": "sha256", + "hash": "cc36bfc4a3f913e66805a28e84703e419d9c264c1077e537b54f0e1af85dbefd", + "url": "https://files.pythonhosted.org/packages/22/ab/3dd8b8a24399cee9c903d5f7600d20e8703d48904020f46f7fa5ac5474e9/GitPython-3.1.29.tar.gz" + } + ], + "project_name": "gitpython", + "requires_dists": [ + "gitdb<5,>=4.0.1", + "typing-extensions>=3.7.4.3; python_version < \"3.8\"" + ], + "requires_python": ">=3.7", + "version": "3.1.29" + }, + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "8a8a81bcf996e74fee46f0d16bd3eaa382a7eb20fd82445c3ad11f4090334116", + "url": "https://files.pythonhosted.org/packages/d0/98/c277899f5aa21f6e6946e1c83f2af650cbfee982763ffb91db07ff7d3a13/importlib_metadata-4.13.0-py3-none-any.whl" + }, + { + "algorithm": "sha256", + "hash": "dd0173e8f150d6815e098fd354f6414b0f079af4644ddfe90c71e2fc6174346d", + "url": "https://files.pythonhosted.org/packages/55/12/ab288357b884ebc807e3f4eff63ce5ba6b941ba61499071bf19f1bbc7f7f/importlib_metadata-4.13.0.tar.gz" + } + ], + "project_name": "importlib-metadata", + "requires_dists": [ + "flake8<5; extra == \"testing\"", + "flufl.flake8; extra == \"testing\"", + "furo; extra == \"docs\"", + "importlib-resources>=1.3; python_version < \"3.9\" and extra == \"testing\"", + "ipython; extra == \"perf\"", + "jaraco.packaging>=9; extra == \"docs\"", + "jaraco.tidelift>=1.4; extra == \"docs\"", + "packaging; extra == \"testing\"", + "pyfakefs; extra == 
\"testing\"", + "pytest-black>=0.3.7; platform_python_implementation != \"PyPy\" and extra == \"testing\"", + "pytest-checkdocs>=2.4; extra == \"testing\"", + "pytest-cov; extra == \"testing\"", + "pytest-enabler>=1.3; extra == \"testing\"", + "pytest-flake8; extra == \"testing\"", + "pytest-mypy>=0.9.1; platform_python_implementation != \"PyPy\" and extra == \"testing\"", + "pytest-perf>=0.9.2; extra == \"testing\"", + "pytest>=6; extra == \"testing\"", + "rst.linker>=1.9; extra == \"docs\"", + "sphinx>=3.5; extra == \"docs\"", + "typing-extensions>=3.6.4; python_version < \"3.8\"", + "zipp>=0.5" + ], + "requires_python": ">=3.7", + "version": "4.13" + }, + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "da3e18aac0a3c003e9eea1a81bd23e5a3a75d745670dcf736317b7d966887fdf", + "url": "https://files.pythonhosted.org/packages/88/fb/c7958b2d571c7b15091b8574a727ad14328e8de590644198e57de9b5ee57/pbr-5.10.0-py2.py3-none-any.whl" + }, + { + "algorithm": "sha256", + "hash": "cfcc4ff8e698256fc17ea3ff796478b050852585aa5bae79ecd05b2ab7b39b9a", + "url": "https://files.pythonhosted.org/packages/b4/40/4c5d3681b141a10c24c890c28345fac915dd67f34b8c910df7b81ac5c7b3/pbr-5.10.0.tar.gz" + } + ], + "project_name": "pbr", + "requires_dists": [], + "requires_python": ">=2.6", + "version": "5.10" + }, + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "40527857252b61eacd1d9af500c3337ba8deb8fc298940291486c465c8b46ec0", + "url": "https://files.pythonhosted.org/packages/12/fc/a4d5a7554e0067677823f7265cb3ae22aed8a238560b5133b58cda252dad/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl" + }, + { + "algorithm": "sha256", + "hash": "f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5", + "url": "https://files.pythonhosted.org/packages/02/25/6ba9f6bb50a3d4fbe22c1a02554dc670682a07c8701d1716d19ddea2c940/PyYAML-6.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl" + 
}, + { + "algorithm": "sha256", + "hash": "d67d839ede4ed1b28a4e8909735fc992a923cdb84e618544973d7dfc71540803", + "url": "https://files.pythonhosted.org/packages/21/67/b42191239c5650c9e419c4a08a7a022bbf1abf55b0391c380a72c3af5462/PyYAML-6.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + }, + { + "algorithm": "sha256", + "hash": "68fb519c14306fec9720a2a5b45bc9f0c8d1b9c72adf45c37baedfcd949c35a2", + "url": "https://files.pythonhosted.org/packages/36/2b/61d51a2c4f25ef062ae3f74576b01638bebad5e045f747ff12643df63844/PyYAML-6.0.tar.gz" + }, + { + "algorithm": "sha256", + "hash": "d4db7c7aef085872ef65a8fd7d6d09a14ae91f691dec3e87ee5ee0539d516f53", + "url": "https://files.pythonhosted.org/packages/44/e5/4fea13230bcebf24b28c0efd774a2dd65a0937a2d39e94a4503438b078ed/PyYAML-6.0-cp310-cp310-macosx_10_9_x86_64.whl" + }, + { + "algorithm": "sha256", + "hash": "432557aa2c09802be39460360ddffd48156e30721f5e8d917f01d31694216782", + "url": "https://files.pythonhosted.org/packages/56/8f/e8b49ad21d26111493dc2d5cae4d7efbd0e2e065440665f5023515f87f64/PyYAML-6.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + }, + { + "algorithm": "sha256", + "hash": "77f396e6ef4c73fdc33a9157446466f1cff553d979bd00ecb64385760c6babdc", + "url": "https://files.pythonhosted.org/packages/5e/f4/7b4bb01873be78fc9fde307f38f62e380b7111862c165372cf094ca2b093/PyYAML-6.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + }, + { + "algorithm": "sha256", + "hash": "9fa600030013c4de8165339db93d182b9431076eb98eb40ee068700c9c813e34", + "url": "https://files.pythonhosted.org/packages/63/6b/f5dc7942bac17192f4ef00b2d0cdd1ae45eea453d05c1944c0573debe945/PyYAML-6.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl" + }, + { + "algorithm": "sha256", + "hash": "e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174", + "url": "https://files.pythonhosted.org/packages/67/d4/b95266228a25ef5bd70984c08b4efce2c035a4baa5ccafa827b266e3dc36/PyYAML-6.0-cp39-cp39-macosx_11_0_arm64.whl" + }, + 
{ + "algorithm": "sha256", + "hash": "dbad0e9d368bb989f4515da330b88a057617d16b6a8245084f1b05400f24609f", + "url": "https://files.pythonhosted.org/packages/68/3f/c027422e49433239267c62323fbc6320d6ac8d7d50cf0cb2a376260dad5f/PyYAML-6.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl" + }, + { + "algorithm": "sha256", + "hash": "213c60cd50106436cc818accf5baa1aba61c0189ff610f64f4a3e8c6726218ba", + "url": "https://files.pythonhosted.org/packages/6c/3d/524c642f3db37e7e7ab8d13a3f8b0c72d04a619abc19100097d987378fc6/PyYAML-6.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + }, + { + "algorithm": "sha256", + "hash": "cba8c411ef271aa037d7357a2bc8f9ee8b58b9965831d9e51baf703280dc73d3", + "url": "https://files.pythonhosted.org/packages/77/da/e845437ffe0dffae4e7562faf23a4f264d886431c5d2a2816c853288dc8e/PyYAML-6.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl" + }, + { + "algorithm": "sha256", + "hash": "afa17f5bc4d1b10afd4466fd3a44dc0e245382deca5b3c353d8b757f9e3ecb8d", + "url": "https://files.pythonhosted.org/packages/7f/d9/6a0d14ac8d3b5605dc925d177c1d21ee9f0b7b39287799db1e50d197b2f4/PyYAML-6.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + }, + { + "algorithm": "sha256", + "hash": "0ce82d761c532fe4ec3f87fc45688bdd3a4c1dc5e0b4a19814b9009a29baefd4", + "url": "https://files.pythonhosted.org/packages/81/59/561f7e46916b78f3c4cab8d0c307c81656f11e32c846c0c97fda0019ed76/PyYAML-6.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl" + }, + { + "algorithm": "sha256", + "hash": "9df7ed3b3d2e0ecfe09e14741b857df43adb5a3ddadc919a2d94fbdf78fea53c", + "url": "https://files.pythonhosted.org/packages/91/49/d46d7b15cddfa98533e89f3832f391aedf7e31f37b4d4df3a7a7855a7073/PyYAML-6.0-cp310-cp310-macosx_11_0_arm64.whl" + }, + { + "algorithm": "sha256", + "hash": "819b3830a1543db06c4d4b865e70ded25be52a2e0631ccd2f6a47a2822f2fd7c", + "url": 
"https://files.pythonhosted.org/packages/9d/f6/7e91fbb58c9ee528759aea5892e062cccb426720c5830ddcce92eba00ff1/PyYAML-6.0-cp37-cp37m-macosx_10_9_x86_64.whl" + }, + { + "algorithm": "sha256", + "hash": "81957921f441d50af23654aa6c5e5eaf9b06aba7f0a19c18a538dc7ef291c5a1", + "url": "https://files.pythonhosted.org/packages/cb/5f/05dd91f5046e2256e35d885f3b8f0f280148568f08e1bf20421887523e9a/PyYAML-6.0-cp311-cp311-macosx_11_0_arm64.whl" + }, + { + "algorithm": "sha256", + "hash": "277a0ef2981ca40581a47093e9e2d13b3f1fbbeffae064c1d21bfceba2030287", + "url": "https://files.pythonhosted.org/packages/d7/42/7ad4b6d67a16229496d4f6e74201bdbebcf4bc1e87d5a70c9297d4961bd2/PyYAML-6.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl" + }, + { + "algorithm": "sha256", + "hash": "0b4624f379dab24d3725ffde76559cff63d9ec94e1736b556dacdfebe5ab6d4b", + "url": "https://files.pythonhosted.org/packages/db/4e/74bc723f2d22677387ab90cd9139e62874d14211be7172ed8c9f9a7c81a9/PyYAML-6.0-cp38-cp38-macosx_10_9_x86_64.whl" + }, + { + "algorithm": "sha256", + "hash": "473f9edb243cb1935ab5a084eb238d842fb8f404ed2193a915d1784b5a6b5fc0", + "url": "https://files.pythonhosted.org/packages/df/75/ee0565bbf65133e5b6ffa154db43544af96ea4c42439e6b58c1e0eb44b4e/PyYAML-6.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl" + }, + { + "algorithm": "sha256", + "hash": "231710d57adfd809ef5d34183b8ed1eeae3f76459c18fb4a0b373ad56bedcdd9", + "url": "https://files.pythonhosted.org/packages/eb/5f/6e6fe6904e1a9c67bc2ca5629a69e7a5a0b17f079da838bab98a1e548b25/PyYAML-6.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl" + }, + { + "algorithm": "sha256", + "hash": "a80a78046a72361de73f8f395f1f1e49f956c6be882eed58505a15f3e430962b", + "url": "https://files.pythonhosted.org/packages/ef/ad/b443cce94539e57e1a745a845f95c100ad7b97593d7e104051e43f730ecd/PyYAML-6.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl" + }, + { + 
"algorithm": "sha256", + "hash": "055d937d65826939cb044fc8c9b08889e8c743fdc6a32b33e2390f66013e449b", + "url": "https://files.pythonhosted.org/packages/f5/6f/b8b4515346af7c33d3b07cd8ca8ea0700ca72e8d7a750b2b87ac0268ca4e/PyYAML-6.0-cp39-cp39-macosx_10_9_x86_64.whl" + }, + { + "algorithm": "sha256", + "hash": "d4b0ba9512519522b118090257be113b9468d804b19d63c71dbcf4a48fa32358", + "url": "https://files.pythonhosted.org/packages/f8/54/799b059314b13e1063473f76e908f44106014d18f54b16c83a16edccd5ec/PyYAML-6.0-cp311-cp311-macosx_10_9_x86_64.whl" + } + ], + "project_name": "pyyaml", + "requires_dists": [], + "requires_python": ">=3.6", + "version": "6" + }, + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "f62ea9da9ed6289bfe868cd6845968a2c854d1427f8548d52cae02a42b4f0356", + "url": "https://files.pythonhosted.org/packages/41/82/7f54bbfe5c247a8c9f78d8d1d7c051847bcb78843c397b866dba335c1e88/setuptools-65.5.0-py3-none-any.whl" + }, + { + "algorithm": "sha256", + "hash": "512e5536220e38146176efb833d4a62aa726b7bbff82cfbc8ba9eaa3996e0b17", + "url": "https://files.pythonhosted.org/packages/c5/41/247814d8b7a044717164c74080725a6c8f3d2b5fc82b34bd825b617df663/setuptools-65.5.0.tar.gz" + } + ], + "project_name": "setuptools", + "requires_dists": [ + "build[virtualenv]; extra == \"testing\"", + "build[virtualenv]; extra == \"testing-integration\"", + "filelock>=3.4.0; extra == \"testing\"", + "filelock>=3.4.0; extra == \"testing-integration\"", + "flake8-2020; extra == \"testing\"", + "flake8<5; extra == \"testing\"", + "furo; extra == \"docs\"", + "ini2toml[lite]>=0.9; extra == \"testing\"", + "jaraco.envs>=2.2; extra == \"testing\"", + "jaraco.envs>=2.2; extra == \"testing-integration\"", + "jaraco.packaging>=9; extra == \"docs\"", + "jaraco.path>=3.2.0; extra == \"testing\"", + "jaraco.path>=3.2.0; extra == \"testing-integration\"", + "jaraco.tidelift>=1.4; extra == \"docs\"", + "mock; extra == \"testing\"", + "pip-run>=8.8; extra == \"testing\"", + "pip>=19.1; extra == 
\"testing\"", + "pygments-github-lexers==0.0.5; extra == \"docs\"", + "pytest-black>=0.3.7; platform_python_implementation != \"PyPy\" and extra == \"testing\"", + "pytest-checkdocs>=2.4; extra == \"testing\"", + "pytest-cov; platform_python_implementation != \"PyPy\" and extra == \"testing\"", + "pytest-enabler; extra == \"testing-integration\"", + "pytest-enabler>=1.3; extra == \"testing\"", + "pytest-flake8; extra == \"testing\"", + "pytest-mypy>=0.9.1; platform_python_implementation != \"PyPy\" and extra == \"testing\"", + "pytest-perf; extra == \"testing\"", + "pytest-xdist; extra == \"testing\"", + "pytest-xdist; extra == \"testing-integration\"", + "pytest; extra == \"testing-integration\"", + "pytest>=6; extra == \"testing\"", + "rst.linker>=1.9; extra == \"docs\"", + "sphinx-favicon; extra == \"docs\"", + "sphinx-hoverxref<2; extra == \"docs\"", + "sphinx-inline-tabs; extra == \"docs\"", + "sphinx-notfound-page==0.8.3; extra == \"docs\"", + "sphinx-reredirects; extra == \"docs\"", + "sphinx>=3.5; extra == \"docs\"", + "sphinxcontrib-towncrier; extra == \"docs\"", + "tomli-w>=1.0.0; extra == \"testing\"", + "tomli; extra == \"testing-integration\"", + "virtualenv>=13.0.0; extra == \"testing\"", + "virtualenv>=13.0.0; extra == \"testing-integration\"", + "wheel; extra == \"testing\"", + "wheel; extra == \"testing-integration\"" + ], + "requires_python": ">=3.7", + "version": "65.5" + }, + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254", + "url": "https://files.pythonhosted.org/packages/d9/5a/e7c31adbe875f2abbb91bd84cf2dc52d792b5a01506781dbcf25c91daf11/six-1.16.0-py2.py3-none-any.whl" + }, + { + "algorithm": "sha256", + "hash": "1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", + "url": "https://files.pythonhosted.org/packages/71/39/171f1c67cd00715f190ba0b100d606d440a28c93c7714febeca8b79af85e/six-1.16.0.tar.gz" + } + ], + "project_name": "six", + "requires_dists": 
[], + "requires_python": "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7", + "version": "1.16" + }, + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "2aba19d6a040e78d8b09de5c57e96207b09ed71d8e55ce0959eeee6c8e190d94", + "url": "https://files.pythonhosted.org/packages/6d/01/7caa71608bc29952ae09b0be63a539e50d2484bc37747797a66a60679856/smmap-5.0.0-py3-none-any.whl" + }, + { + "algorithm": "sha256", + "hash": "c840e62059cd3be204b0c9c9f74be2c09d5648eddd4580d9314c3ecde0b30936", + "url": "https://files.pythonhosted.org/packages/21/2d/39c6c57032f786f1965022563eec60623bb3e1409ade6ad834ff703724f3/smmap-5.0.0.tar.gz" + } + ], + "project_name": "smmap", + "requires_dists": [], + "requires_python": ">=3.6", + "version": "5" + }, + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "df36e6c003264de286d6e589994552d3254052e7fc6a117753d87c471f06de2a", + "url": "https://files.pythonhosted.org/packages/77/c9/9b0861a906b214932f83cee9d4ec4e06c9e8dcfc79606d96a993b01f6f0b/stevedore-3.5.1-py3-none-any.whl" + }, + { + "algorithm": "sha256", + "hash": "1fecadf3d7805b940227f10e6a0140b202c9a24ba5c60cb539159046dc11e8d7", + "url": "https://files.pythonhosted.org/packages/69/e0/1bd9530bee0b25a8d4f8c4c339dfbe369140be10a5a14afdc69bc65fecc1/stevedore-3.5.1.tar.gz" + } + ], + "project_name": "stevedore", + "requires_dists": [ + "importlib-metadata>=1.7.0; python_version < \"3.8\"", + "pbr!=2.1.0,>=2.0.0" + ], + "requires_python": ">=3.6", + "version": "3.5.1" + }, + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "16fa4864408f655d35ec496218b85f79b3437c829e93320c7c9215ccfd92489e", + "url": "https://files.pythonhosted.org/packages/0b/8e/f1a0a5a76cfef77e1eb6004cb49e5f8d72634da638420b9ea492ce8305e8/typing_extensions-4.4.0-py3-none-any.whl" + }, + { + "algorithm": "sha256", + "hash": "1511434bb92bf8dd198c12b1cc812e800d4181cfcb867674e0f8279cc93087aa", + "url": 
"https://files.pythonhosted.org/packages/e3/a7/8f4e456ef0adac43f452efc2d0e4b242ab831297f1bac60ac815d37eb9cf/typing_extensions-4.4.0.tar.gz" + } + ], + "project_name": "typing-extensions", + "requires_dists": [], + "requires_python": ">=3.7", + "version": "4.4" + }, + { + "artifacts": [ + { + "algorithm": "sha256", + "hash": "972cfa31bc2fedd3fa838a51e9bc7e64b7fb725a8c00e7431554311f180e9980", + "url": "https://files.pythonhosted.org/packages/09/85/302c153615db93e9197f13e02f448b3f95d7d786948f2fb3d6d5830a481b/zipp-3.9.0-py3-none-any.whl" + }, + { + "algorithm": "sha256", + "hash": "3a7af91c3db40ec72dd9d154ae18e008c69efe8ca88dde4f9a731bb82fe2f9eb", + "url": "https://files.pythonhosted.org/packages/41/2e/1341c5634c25e7254df01ec1f6cbd2bcdee3e647709e7c3647d1b362e3ac/zipp-3.9.0.tar.gz" + } + ], + "project_name": "zipp", + "requires_dists": [ + "flake8<5; extra == \"testing\"", + "func-timeout; extra == \"testing\"", + "furo; extra == \"docs\"", + "jaraco.functools; extra == \"testing\"", + "jaraco.itertools; extra == \"testing\"", + "jaraco.packaging>=9; extra == \"docs\"", + "jaraco.tidelift>=1.4; extra == \"docs\"", + "more-itertools; extra == \"testing\"", + "pytest-black>=0.3.7; platform_python_implementation != \"PyPy\" and extra == \"testing\"", + "pytest-checkdocs>=2.4; extra == \"testing\"", + "pytest-cov; extra == \"testing\"", + "pytest-enabler>=1.3; extra == \"testing\"", + "pytest-flake8; extra == \"testing\"", + "pytest-mypy>=0.9.1; platform_python_implementation != \"PyPy\" and extra == \"testing\"", + "pytest>=6; extra == \"testing\"", + "rst.linker>=1.9; extra == \"docs\"", + "sphinx>=3.5; extra == \"docs\"" + ], + "requires_python": ">=3.7", + "version": "3.9" + } + ], + "platform_tag": null + } + ], + "path_mappings": {}, + "pex_version": "2.1.108", + "pip_version": "20.3.4-patched", + "prefer_older_binary": false, + "requirements": [ + "bandit==1.7.0", + "importlib-metadata<5; python_version < \"3.8\"", + "setuptools" + ], + "requires_python": [ + 
"<4,>=3.7" + ], + "resolver_version": "pip-2020-resolver", + "style": "universal", + "target_systems": [ + "linux", + "mac" + ], + "transitive": true, + "use_pep517": null +}
diff --git a/pants.toml b/pants.toml
index 9e95c904c3..daa699a2fc 100644
--- a/pants.toml
+++ b/pants.toml
@@ -85,12 +85,19 @@ root_patterns = [
 ]
 [bandit]
+lockfile = "lockfiles/bandit"
 version = "bandit==1.7.0"
 args = [
 "-lll", # only HIGH severity level
 "--exclude",
 "build,dist",
- "--quiet", # only show output in the case of an error
+ "--quiet", # only show output in the case of an error
+]
+extra_requirements = [
+ "setuptools",
+ # bandit needs stevedore which needs importlib-metadata<5
+ # see: https://github.com/PyCQA/bandit/pull/952
+ "importlib-metadata<5;python_version<'3.8'",
 ]
 [black]

From 84b9a119500ea78f2d57977a0f50c9b044e80131 Mon Sep 17 00:00:00 2001
From: Jacob Floyd
Date: Fri, 14 Oct 2022 18:08:54 -0500
Subject: [PATCH 3/6] mention bandit in GHA lint workflow

---
 .github/workflows/lint.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 33e8ba5c97..609833deae 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -25,7 +25,7 @@ on:
 jobs:
 # Lint checks which don't depend on any service containes, etc. to be running.
 lint-checks:
- name: 'Lint Checks (pants runs: shellcheck, black, flake8)'
+ name: 'Lint Checks (pants runs: shellcheck, bandit, black, flake8)'
 runs-on: ubuntu-latest
 env:

From f2a7352df11fd065571c8e5821e63fb8c585b01c Mon Sep 17 00:00:00 2001
From: Jacob Floyd
Date: Fri, 14 Oct 2022 18:09:27 -0500
Subject: [PATCH 4/6] update changelog entry

---
 CHANGELOG.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index bd011605f5..6a792ea942 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
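Review bot: `"setuptools"` is added to `extra_requirements` with no explanation, while the `importlib-metadata` entry directly below gets two comment lines and a link, so a reader of pants.toml cannot tell whether setuptools is a hard requirement of bandit 1.7.0 or a resolver workaround. Presumably it is needed because bandit's plugin loading through stevedore still imports `pkg_resources`, but that is inferred rather than visible here; a comment such as `"setuptools",  # bandit/stevedore plugin loading imports pkg_resources -- confirm` would pin the reason. As far as I know, assigning a plain list to a pants list option replaces the tool's default `extra_requirements` rather than extending them (the `.add` form appends), so anything pants shipped by default for bandit is now gone unless re-listed here, which is worth confirming against the pants version in use. The `- "--quiet"` / `+ "--quiet"` pair reads identically after whitespace collapse, so that part of the hunk is presumably formatting only.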
@@ -53,7 +53,7 @@ Added
 * Begin introducing `pants `_ to improve DX (Developer Experience) working on StackStorm, improve our security posture, and improve CI reliability thanks in part
- to pants' use of PEX lockfiles. This is not a user-facing addition. #5713 #5724 #5726 #5725 #5732 #5733 #5737 #5738 #5758 #5751 #5774 #5776
+ to pants' use of PEX lockfiles. This is not a user-facing addition. #5713 #5724 #5726 #5725 #5732 #5733 #5737 #5738 #5758 #5751 #5774 #5776 #5777
 Contributed by @cognifloyd
 Changed

From d7832e68aca0b82f78070ecf37a7a0c3bdbca75b Mon Sep 17 00:00:00 2001
From: Jacob Floyd
Date: Mon, 17 Oct 2022 09:46:32 -0500
Subject: [PATCH 5/6] use a .lock extension on lockfiles

---
 lockfiles/{bandit => bandit.lock} | 0
 pants.toml | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename lockfiles/{bandit => bandit.lock} (100%)

diff --git a/lockfiles/bandit b/lockfiles/bandit.lock
similarity index 100%
rename from lockfiles/bandit
rename to lockfiles/bandit.lock
diff --git a/pants.toml b/pants.toml
index daa699a2fc..a3ef441e02 100644
--- a/pants.toml
+++ b/pants.toml
@@ -85,7 +85,7 @@ root_patterns = [
 ]
 [bandit]
-lockfile = "lockfiles/bandit"
+lockfile = "lockfiles/bandit.lock"
 version = "bandit==1.7.0"
 args = [
 "-lll", # only HIGH severity level

From f443f391a3a3f800a31babb0db44a7303bd2f52b Mon Sep 17 00:00:00 2001
From: Jacob Floyd
Date: Mon, 17 Oct 2022 12:50:43 -0500
Subject: [PATCH 6/6] add BUILD comments about skipping git submodule contents

We do not want to have pants or git complaining about changes in the git submodule as those changes would require a separate PR process.
---
 st2tests/st2tests/fixtures/packs/BUILD | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/st2tests/st2tests/fixtures/packs/BUILD b/st2tests/st2tests/fixtures/packs/BUILD
index 34bb7ae63e..407369573e 100644
--- a/st2tests/st2tests/fixtures/packs/BUILD
+++ b/st2tests/st2tests/fixtures/packs/BUILD
@@ -14,6 +14,7 @@ resources(
 shell_sources(
 name="test_content_version_shell",
+ # do not check across git submodule boundary
 skip_shellcheck=True,
 sources=[
 "test_content_version/**/*.sh",
@@ -22,6 +23,7 @@ shell_sources(
 python_sources(
 name="test_content_version",
+ # do not fmt across git submodule boundary
 skip_black=True,
 dependencies=[
 ":test_content_version_metadata",
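Review bot: The comment added above `skip_black=True` states that submodule content must not be touched across the boundary, yet the same rationale applies to the bandit backend this series enables, and this `python_sources` target shows no `skip_bandit=True`, so bandit will still scan the `test_content_version` sources unless a skip field outside the hunk already covers it (the target's remaining fields continue past the hunk). Adding `skip_bandit=True,` under the same comment would keep the commit's stated intent of not having pants complain about submodule files. The comment could also name what it gates, since `skip_black` affects `pants lint` as well as `pants fmt`: `# do not fmt/lint across git submodule boundary (black)`.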