Tags: PyCQA/bandit

1.8.6

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
Huggingface revision pinning (#1281)

* Huggingface revision pinning

In much the same way as unpinned container images benefit from
digest pinning, fixing a model, dataset or file to a revision digest
uniquely and immutably fixes use to a particular model snapshot (commit)

* Add more example unsafe patterns

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Fix PEP8

* Reduce to 79 chars

* Additional Changes to Huggingface Revision Checks

- Add an entry for CWE 494
- Use string.hexdigits
- Set to 18.6 release
- Remove Copyright
- Order after markupsafe

* Sort CWE by Numbers

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

1.8.5

Verified

Fix for publish to PyPI failure (#1273)

This change fixes the publishing step to PyPI and Test PyPI
by ensuring that tox is installed.

Fixes: #1272

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

1.8.4

Verified

add github-actions documentation (#1172)

* add github-actions documentation

* made suggested changes to documentation

* doc: make suggested change to the file

* fix: added index.rst for ci-cd directory

* fix: reference ci-cd in toctree

* fix: completed all suggested fixes

---------

Co-authored-by: Luke Hinds <luke@stacklok.com>
Co-authored-by: Luke Hinds <lukehinds@gmail.com>

1.8.3

Partially verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
We cannot verify signatures from co-authors, and some of the co-authors attributed to this commit require their commits to be signed.
Pytorch fix (#1231)

* Fix pytorch weights check

* B614: Fix PyTorch plugin to handle weights_only parameter correctly

The PyTorch plugin (B614) has been updated to properly handle the weights_only
parameter in torch.load calls. When weights_only=True is specified, PyTorch will
only deserialize known safe types, making the operation more secure.

I also removed torch.save as there is no certain insecure element as
such, saving any file or artifact requires consideration of what it is
you are saving.

Changes:
- Update plugin to only check torch.load calls (not torch.save)
- Fix weights_only check to handle both string and boolean True values
- Remove map_location check as it doesn't affect security
- Update example file to demonstrate both safe and unsafe cases
- Update plugin documentation to mention weights_only as a safe alternative

The plugin now correctly identifies unsafe torch.load calls while allowing safe
usage with weights_only=True to pass without warning.

Fixes: #1224

* Fix E501 line too long

* Rename files to new test scope

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Update doc/source/plugins/b614_pytorch_load.rst

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

* Update pytorch_load.py

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

1.8.2

Verified

Revert "Start testing with 3.14 alphas" (#1217)

Revert "Start testing with 3.14 alphas (#1189)"

This reverts commit 13d3406.

1.8.1

Partially verified

Clarify "getting started" docs (#963)

* Clarify "getting started" docs

This makes it clearer that you don't need to use both virtualenv and venv at the same time

* Update doc/source/start.rst

---------

Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

1.8.0

Verified

Remove more leftover OpenStack references (#1195)

The tox.ini still had some test environments specifically for
testing within OpenStack. This is no longer needed. Also no
longer necessary is stestr configuration that used OpenStack
variables.

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

1.7.10

Partially verified

Pytorch Load / Save Plugin (#1114)

* Pytorch Load / Save Plugin

This plugin checks for the use of `torch.load` and `torch.save`.
Using `torch.load` with untrusted data can lead to arbitrary code
execution, and improper use of `torch.save` might expose sensitive
data or lead to data corruption.

Signed-off-by: Luke Hinds <luke@stacklok.com>

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Add missing save check

Signed-off-by: Luke Hinds <luke@stacklok.com>

* Review fixes from 8b92a02

Signed-off-by: Luke Hinds <luke@stacklok.com>

* Fix tox issues

Signed-off-by: Luke Hinds <luke@stacklok.com>

* Review fixes

Signed-off-by: Luke Hinds <luke@stacklok.com>

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Update test_functional.py

* Update bandit/plugins/pytorch_load_save.py

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

* Update bandit/plugins/pytorch_load_save.py

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

* Update doc/source/plugins/b704_pytorch_load_save.rst

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

* Update bandit/plugins/pytorch_load_save.py

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

---------

Signed-off-by: Luke Hinds <luke@stacklok.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

1.7.9

Partially verified

Support `configfile` in `.bandit` file (#1052)

* Support `(--)config` in `.bandit` file

* Use `configfile` instead of `config`

---------

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

1.7.8

Verified

Add a SARIF output formatter (#1113)

This commit adds a formatter that outputs JSON in a specific
SARIF format according to the spec at [1].

This code is largely leveraged from an existing implementation
found here [2].

SARIF format is very useful for integration into ecosystems such
as GitHub's Actions.

[1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html
[2] https://github.com/microsoft/bandit-sarif-formatter

Closes #646

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>