Tags: PyCQA/bandit
Tags
Check whether Constant value is str (#1333) This change fixes a case of a missed check on the value of a ast.Constant to be a str or not. PR #1323 fixed many of these as part of the Python 3.14 compatibility since ast.Str was removed. So when checking ast.Constant, the value can many types of literals, not just str. Fixes #1332 Signed-off-by: Eric Brown <[email protected]>
More Python version related fixes (#1327) * Put python versions in quotes for the publish build step. This is required, since the publish of 1.9.0 failed as 3.10 mapped to 3.1. * Also dropped Bandit versions over 2 years old from bug template Signed-off-by: Eric Brown <[email protected]>
[pre-commit.ci] pre-commit autoupdate (#1324) updates: - [github.com/psf/black-pre-commit-mirror: 25.9.0 → 25.11.0](psf/black-pre-commit-mirror@25.9.0...25.11.0) - [github.com/asottile/pyupgrade: v3.21.0 → v3.21.1](asottile/pyupgrade@v3.21.0...v3.21.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Eric Brown <[email protected]>
Huggingface revision pinning (#1281) * Huggingface revision pinning In much the same way as unpinned container images benefit from digest pinning, fixing a model, dataset or file to a revision digest uniquely and immutably fixes use to a paricular model snapshot (commit) * Add more example unsafe patterns * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Fix PEP8 * Reduce to 79 chars * Additional Changes to Huggingface Revision Checks - Add an entry for CWE 494 - Use string.hexdigits - Set to 18.6 release - Remove Copywright - Order after markupsafe * Sort CWE by Numbers * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
add github-actions documentation (#1172) * add github-actions documentation * made suggested changes to documentation * doc: make suggested change to the file * fix: added index.rst for ci-cd directory * fix: reference ci-cd in toctree * fix: completed all suggested fixes --------- Co-authored-by: Luke Hinds <[email protected]> Co-authored-by: Luke Hinds <[email protected]>
Pytorch fix (#1231) * Fix pytorch weights check * B614: Fix PyTorch plugin to handle weights_only parameter correctly The PyTorch plugin (B614) has been updated to properly handle the weights_only parameter in torch.load calls. When weights_only=True is specified, PyTorch will only deserialize known safe types, making the operation more secure. I also removed torch.save as there is no certain insecure element as such, saving any file or artifact requires consideration of what it is you are saving. Changes: - Update plugin to only check torch.load calls (not torch.save) - Fix weights_only check to handle both string and boolean True values - Remove map_location check as it doesn't affect security - Update example file to demonstrate both safe and unsafe cases - Update plugin documentation to mention weights_only as a safe alternative The plugin now correctly identifies unsafe torch.load calls while allowing safe usage with weights_only=True to pass without warning. Fixes: #1224 * Fix E501 line too long * Rename files to new test scope * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Update doc/source/plugins/b614_pytorch_load.rst Co-authored-by: Eric Brown <[email protected]> * Update pytorch_load.py --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Eric Brown <[email protected]>
Clarify "getting started" docs (#963) * Clarify "getting started" docs This makes it clearer that you don't need to use both virtualenv and venv at the same time * Update doc/source/start.rst --------- Co-authored-by: Luke Hinds <[email protected]> Co-authored-by: Eric Brown <[email protected]>
Remove more leftover OpenStack references (#1195) The tox.ini still had some test environments specifically for testing within OpenStack. This is no longer needed. Also no longer necessary is stestr configuration that used OpenStack variables. Signed-off-by: Eric Brown <[email protected]>
PreviousNext