Tags: PyCQA/bandit
Fix B106 reporting wrong line number on multiline function calls (#1360)

B106 (hardcoded_password_funcarg) reported the line of the function call node rather than the line of the keyword argument containing the hardcoded password. This made it difficult to locate the actual issue in multiline calls, and caused `# nosec` placed on the correct line to be ineffective. Pass the keyword value's lineno to the Issue so the reported location points to the actual hardcoded string, not the call.

Fixes #1328

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Limit B614 to torch.load deserializers (#1348)

* Limit B614 to torch.load deserializers

  Avoids false positives for torch.*.load helpers such as torch.utils.cpp_extension.load while preserving checks for torch.load and torch.serialization.load. Updated docstrings and example to reflect expected behavior.

  Resolves: #1343
* Update examples/pytorch_load.py

---------

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Check whether Constant value is str (#1333)

This change fixes a case of a missed check on the value of an ast.Constant to be a str or not. PR #1323 fixed many of these as part of the Python 3.14 compatibility since ast.Str was removed. So when checking ast.Constant, the value can be many types of literals, not just str.

Fixes #1332

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
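The two commits above (#1360 and #1333) both concern how a keyword-argument password check locates and filters its candidates. The following is an added example, not bandit's own plugin code, of a minimal B106-style check that applies both fixes: it reports the keyword value's line rather than the Call node's line, and it only treats an `ast.Constant` as a candidate when its value is a `str`. The `PASSWORD_KEYWORDS` pattern and the `SAMPLE` source are constructed for this example and are not bandit's real pattern or test data.

```python
"""Added example, not bandit's own plugin code: a minimal B106-style check
for hard-coded passwords passed as keyword arguments, illustrating two
fixes: report the keyword value's line, and only treat an ast.Constant as
a candidate when its value is a str.

Constructed for this example: the PASSWORD_KEYWORDS pattern and SAMPLE.
"""
import ast
import re

# Constructed: keyword names treated as password-like. Bandit's real
# pattern differs; this is an assumption for the example.
PASSWORD_KEYWORDS = re.compile(r"pass|pwd|passwd|secret|token", re.IGNORECASE)


def find_hardcoded_password_kwargs(source: str):
    """Return (keyword_lineno, call_lineno, keyword_name) for every keyword
    argument whose name looks password-like and whose value is a non-empty
    string literal. keyword_lineno is the line that should be reported."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            # kw.arg is None for a **mapping expansion
            if kw.arg is None or not PASSWORD_KEYWORDS.search(kw.arg):
                continue
            value = kw.value
            # ast.Constant also carries ints, bytes, bools and None; only a
            # str literal is a hard-coded password candidate.
            if not isinstance(value, ast.Constant) or not isinstance(value.value, str):
                continue
            if value.value == "":
                continue  # an empty default is not a secret
            # Report the line of the string itself, not of the Call node: in
            # a multiline call they differ, and a `# nosec` comment is only
            # honoured on the reported line.
            findings.append((value.lineno, node.lineno, kw.arg))
    return findings


# Constructed sample: the call starts on line 2 but the hard-coded
# password sits on line 5; the second call passes None, which is an
# ast.Constant but not a str and must not be reported.
SAMPLE = """\
import requests
resp = requests.post(
    "https://example.invalid/login",
    auth=("user", "x"),
    password="hunter2",  # a nosec marker must sit on this line
    timeout=5,
)
db = connect(
    host="db",
    port=5432,
    password=None,
)
"""

if __name__ == "__main__":
    for kw_line, call_line, name in find_hardcoded_password_kwargs(SAMPLE):
        print(f"line {kw_line} (call starts on {call_line}): hard-coded {name!r}")
```

Run as a script it prints one finding for `SAMPLE`, attributed to line 5, where the string literal is, rather than line 2, where the call begins.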
More Python version related fixes (#1327)

* Put python versions in quotes for the publish build step. This is required, since the publish of 1.9.0 failed as 3.10 mapped to 3.1.
* Also dropped Bandit versions over 2 years old from bug template

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
[pre-commit.ci] pre-commit autoupdate (#1324)

updates:
- [github.com/psf/black-pre-commit-mirror: 25.9.0 → 25.11.0](psf/black-pre-commit-mirror@25.9.0...25.11.0)
- [github.com/asottile/pyupgrade: v3.21.0 → v3.21.1](asottile/pyupgrade@v3.21.0...v3.21.1)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Huggingface revision pinning (#1281)

* Huggingface revision pinning

  In much the same way as unpinned container images benefit from digest pinning, fixing a model, dataset or file to a revision digest uniquely and immutably fixes use to a particular model snapshot (commit)
* Add more example unsafe patterns
* [pre-commit.ci] auto fixes from pre-commit.com hooks

  for more information, see https://pre-commit.ci
* Fix PEP8
* Reduce to 79 chars
* Additional Changes to Huggingface Revision Checks
  - Add an entry for CWE 494
  - Use string.hexdigits
  - Set to 18.6 release
  - Remove Copyright
  - Order after markupsafe
* Sort CWE by Numbers
* [pre-commit.ci] auto fixes from pre-commit.com hooks

  for more information, see https://pre-commit.ci

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
add github-actions documentation (#1172)

* add github-actions documentation
* made suggested changes to documentation
* doc: make suggested change to the file
* fix: added index.rst for ci-cd directory
* fix: reference ci-cd in toctree
* fix: completed all suggested fixes

---------

Co-authored-by: Luke Hinds <luke@stacklok.com>
Co-authored-by: Luke Hinds <lukehinds@gmail.com>
Pytorch fix (#1231)

* Fix pytorch weights check
* B614: Fix PyTorch plugin to handle weights_only parameter correctly

  The PyTorch plugin (B614) has been updated to properly handle the weights_only parameter in torch.load calls. When weights_only=True is specified, PyTorch will only deserialize known safe types, making the operation more secure.

  I also removed torch.save as there is no certain insecure element as such; saving any file or artifact requires consideration of what it is you are saving.

  Changes:
  - Update plugin to only check torch.load calls (not torch.save)
  - Fix weights_only check to handle both string and boolean True values
  - Remove map_location check as it doesn't affect security
  - Update example file to demonstrate both safe and unsafe cases
  - Update plugin documentation to mention weights_only as a safe alternative

  The plugin now correctly identifies unsafe torch.load calls while allowing safe usage with weights_only=True to pass without warning.

  Fixes: #1224
* Fix E501 line too long
* Rename files to new test scope
* [pre-commit.ci] auto fixes from pre-commit.com hooks

  for more information, see https://pre-commit.ci
* Update doc/source/plugins/b614_pytorch_load.rst

  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Update pytorch_load.py

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
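The B614 commits (#1231 and #1348) and the Huggingface revision-pinning commit (#1281) all describe the same shape of check: resolve the dotted name of a call target, then decide whether a keyword argument makes it safe. The following is an added example, not bandit's own plugin code, that implements both rules the way those messages describe them: `torch.load` and `torch.serialization.load` are flagged unless `weights_only` is `True` or `"True"`, other `torch.*.load` helpers such as `torch.utils.cpp_extension.load` are left alone, `map_location` is ignored, and a Hugging Face download is accepted only when `revision` is a full hex commit digest. Assumptions made here that the page does not state: the helper names, the `HF_DOWNLOADERS` set, the `hf_revision` finding label, the 40-character digest length, the fact that only literal dotted names are matched (bandit additionally resolves imports; this example does not), and the constructed `SAMPLE`.

```python
"""Added example, not bandit's own code: AST checks modelled on the B614
torch.load rule and the Hugging Face revision-pinning rule described in
the commit messages above.

Assumptions for this example (not from the page): helper names, the
HF_DOWNLOADERS set, the "hf_revision" label, the 40-hex-char digest
length, literal dotted-name matching only, and the SAMPLE source.
"""
import ast
import string

# Deserializers B614 should flag. torch.utils.cpp_extension.load is
# deliberately absent so other torch.*.load helpers are not reported.
TORCH_LOADERS = {"torch.load", "torch.serialization.load"}

# Constructed: Hugging Face entry points assumed to accept revision=
HF_DOWNLOADERS = {
    "huggingface_hub.hf_hub_download",
    "huggingface_hub.snapshot_download",
}


def qualname(node):
    """Resolve a Name/Attribute chain such as torch.serialization.load to
    a dotted string; return None for anything else (lambdas, subscripts)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def _keyword(call, name):
    """Return the AST value of keyword `name`, or None if absent."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def _is_true(node):
    """weights_only=True and weights_only="True" both count as safe, as the
    #1231 message describes; 1 or other truthy values do not."""
    return isinstance(node, ast.Constant) and (node.value is True or node.value == "True")


def _is_revision_digest(node):
    """A pinned revision is a full 40-hex-character git commit SHA (assumed
    length). Branch names and tags such as "main" are mutable and pin nothing."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and len(node.value) == 40
            and all(c in string.hexdigits for c in node.value))


def check_source(source):
    """Return sorted (lineno, label, message) findings for `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = qualname(node.func)
        if name in TORCH_LOADERS and not _is_true(_keyword(node, "weights_only")):
            # map_location is intentionally not consulted: it does not
            # affect what gets deserialized.
            findings.append((node.lineno, "B614", f"{name} without weights_only=True"))
        elif name in HF_DOWNLOADERS and not _is_revision_digest(_keyword(node, "revision")):
            findings.append((node.lineno, "hf_revision", f"{name} without a pinned revision digest"))
    return sorted(findings)


# Constructed sample: lines 5 and 9 should be reported, nothing else.
SAMPLE = """\
import torch
import torch.utils.cpp_extension
import huggingface_hub

m1 = torch.load("model.pt", map_location="cpu")
m2 = torch.load("model.pt", weights_only=True)
m3 = torch.serialization.load("model.pt", weights_only="True")
ext = torch.utils.cpp_extension.load(name="op", sources=["op.cpp"])
f1 = huggingface_hub.hf_hub_download("org/model", "config.json", revision="main")
f2 = huggingface_hub.hf_hub_download("org/model", "config.json",
                                     revision="0123456789abcdef0123456789abcdef01234567")
"""

if __name__ == "__main__":
    for lineno, label, message in check_source(SAMPLE):
        print(f"line {lineno}: [{label}] {message}")
```

Run as a script it reports line 5 (the `torch.load` with only `map_location`) and line 9 (the download pinned to the mutable `main` ref); the `cpp_extension.load` call and the digest-pinned download pass.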