[flake8-bandit] Support new PySNMP API paths (S508, S509)
#21374
+245
−8
Summary
Updated S508 (snmp-insecure-version) and S509 (snmp-weak-cryptography) rules to support both old and new PySNMP API module paths. Previously, these rules only detected the old API path pysnmp.hlapi.*, but now they correctly detect all PySNMP API variants including pysnmp.hlapi.asyncio.*, pysnmp.hlapi.v1arch.*, pysnmp.hlapi.v3arch.*, and pysnmp.hlapi.auth.*.

Fixes #21364
Problem Analysis
The S508 and S509 rules used exact pattern matching on qualified names:
- S509 only matched ["pysnmp", "hlapi", "UsmUserData"]
- S508 only matched ["pysnmp", "hlapi", "CommunityData"]
This meant that newer PySNMP API paths were not detected, such as:
- pysnmp.hlapi.asyncio.UsmUserData
- pysnmp.hlapi.v3arch.asyncio.UsmUserData
- pysnmp.hlapi.v3arch.asyncio.auth.UsmUserData
- pysnmp.hlapi.auth.UsmUserData
- CommunityData in S508
Additionally, the old API path pysnmp.hlapi.auth.* was also missing from both rules.
Approach
Instead of exact pattern matching, both rules now check if:
- ["pysnmp", "hlapi"]
- "UsmUserData" for S509, "CommunityData" for S508)
This flexible approach matches all PySNMP API paths without hardcoding each variant, making the rules more maintainable and future-proof.
Test Plan
Added comprehensive test cases to both S508.py and S509.py test files covering:
- pysnmp.hlapi.asyncio.*, pysnmp.hlapi.v1arch.*, pysnmp.hlapi.v3arch.*
- pysnmp.hlapi.auth.*
All existing tests pass, and new snapshot tests were added and accepted. Manual verification confirms both rules correctly detect all PySNMP API variants.
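Added example, not code from this PR or from Ruff (which is written in Rust): the exact match the description says was replaced, next to a prefix-plus-last-segment match, run over calls imported through the module paths listed above. The helper names, the import resolver and the sample source are assumptions made for illustration, and only the name matching is modelled, not the rules' checks on call arguments.

```python
import ast

TARGETS = {"CommunityData": "S508", "UsmUserData": "S509"}
PREFIX = ["pysnmp", "hlapi"]

# Constructed sample; the import paths are the ones named in the PR description.
SAMPLE = """\
from pysnmp.hlapi import CommunityData
from pysnmp.hlapi.asyncio import UsmUserData
from pysnmp.hlapi.v3arch.asyncio import auth
import pysnmp.hlapi.v1arch as v1
from other.hlapi import UsmUserData as Unrelated
CommunityData("public", mpModel=0)
UsmUserData("user")
auth.UsmUserData("user")
v1.CommunityData("public", mpModel=1)
Unrelated("user")
"""

def old_match(segs):
    """Exact three-segment match, the behaviour the PR replaces."""
    return TARGETS.get(segs[2]) if len(segs) == 3 and segs[:2] == PREFIX else None

def new_match(segs):
    """pysnmp.hlapi prefix plus the target class as the last segment."""
    return TARGETS.get(segs[-1]) if len(segs) >= 3 and segs[:2] == PREFIX else None

def resolve(func, aliases):
    """Expand a Name/Attribute chain into qualified-name segments ([] if not a name)."""
    attrs = []
    while isinstance(func, ast.Attribute):
        attrs.append(func.attr)
        func = func.value
    return aliases.get(func.id, [func.id]) + attrs[::-1] if isinstance(func, ast.Name) else []

def scan(source, matcher):
    """Return sorted (line, rule) pairs for calls whose resolved name matches."""
    tree, aliases, hits = ast.parse(source), {}, []
    for node in ast.walk(tree):  # pass 1: map local names to their import paths
        if isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = node.module.split(".") + [a.name]
        elif isinstance(node, ast.Import):
            aliases.update({a.asname: a.name.split(".") for a in node.names if a.asname})
    for node in ast.walk(tree):  # pass 2: resolve and test every call target
        if isinstance(node, ast.Call) and (rule := matcher(resolve(node.func, aliases))):
            hits.append((node.lineno, rule))
    return sorted(hits)
```

With the exact matcher only the call on line 6 of the sample is reported; the prefix matcher also reports lines 7 to 9 and still ignores the look-alike import from `other.hlapi`.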