Set up bandit

.pre-commit-config.yaml

@@ -3,6 +3,10 @@ repos:
   rev: 4.0.1
   hooks:
     - id: flake8
+- repo: https://github.com/pycqa/bandit
+  rev: 1.7.4
+  hooks:
+    - id: bandit
 - repo: https://github.com/ambv/black
   rev: 22.6.0
   hooks:

pyproject.toml

@@ -1,7 +1,7 @@
 [build-system]
 requires = [
-  "setuptools>=45",
-  "setuptools_scm[toml]>=7.0",
+    "setuptools>=45",
+    "setuptools_scm[toml]>=7.0",
 ]
 build-backend = "setuptools.build_meta"
 
@@ -11,9 +11,12 @@ build-backend = "setuptools.build_meta"
 addopts = "-ra -v"
 testpaths = "tests"
 filterwarnings = [
-  "error",
+    "error",
 ]
 
 [tool.mypy]
 mypy_path = "src"
 ignore_missing_imports = true
+
+[tool.bandit]
+exclude_dirs = ["docs/conf.py"]

requirements/base.txt

@@ -5,7 +5,7 @@
 #
 #    pip-compile-multi
 #
-bcrypt==4.0.0
+bcrypt==4.0.1
     # via paramiko
 certifi==2022.9.24
     # via requests
@@ -41,7 +41,7 @@ six==1.16.0
     # via
     #   paramiko
     #   pathlib2
-typing-extensions==4.3.0
+typing-extensions==4.4.0
     # via pydantic
 urllib3==1.26.12
     # via requests

requirements/dev.txt

@@ -12,18 +12,16 @@
 -r wheels.txt
 cfgv==3.3.1
     # via pre-commit
-identify==2.5.5
+identify==2.5.6
     # via pre-commit
 nodeenv==1.7.0
     # via pre-commit
 pip-compile-multi==2.4.6
     # via -r requirements/dev.in
-pip-tools==6.8.0
+pip-tools==6.9.0
     # via pip-compile-multi
 pre-commit==2.20.0
     # via -r requirements/dev.in
-toml==0.10.2
-    # via pre-commit
 toposort==1.7
     # via pip-compile-multi
 wheel==0.37.1

requirements/static.in

@@ -1,3 +1,4 @@
+bandit[toml]
 black
 flake8
 flake8-bugbear

requirements/static.txt

@@ -1,4 +1,4 @@
-# SHA1:d568d57e6eea49c34bc76377b594a0be25e0f125
+# SHA1:748339436f1ea4c854f8d7d55ca7812f6d998835
 #
 # This file is autogenerated by pip-compile-multi
 # To update, run:
@@ -7,7 +7,9 @@
 #
 attrs==22.1.0
     # via flake8-bugbear
-black==22.8.0
+bandit[toml]==1.7.4
+    # via -r requirements/static.in
+black==22.10.0
     # via -r requirements/static.in
 click==8.1.3
     # via black
@@ -17,17 +19,31 @@ flake8==5.0.4
     #   flake8-bugbear
 flake8-bugbear==22.9.23
     # via -r requirements/static.in
+gitdb==4.0.9
+    # via gitpython
+gitpython==3.1.29
+    # via bandit
 mccabe==0.7.0
     # via flake8
 mypy-extensions==0.4.3
     # via black
 pathspec==0.10.1
     # via black
+pbr==5.10.0
+    # via stevedore
 platformdirs==2.5.2
     # via black
 pycodestyle==2.9.1
     # via flake8
 pyflakes==2.5.0
     # via flake8
+pyyaml==6.0
+    # via bandit
+smmap==5.0.0
+    # via gitdb
+stevedore==4.0.0
+    # via bandit
+toml==0.10.2
+    # via bandit
 tomli==2.0.1
     # via black

requirements/test.txt

@@ -12,7 +12,7 @@ attrs==22.1.0
     #   pytest
 exceptiongroup==1.0.0rc9
     # via hypothesis
-hypothesis==6.56.0
+hypothesis==6.56.2
     # via -r requirements/test.in
 iniconfig==1.1.1
     # via pytest
@@ -22,7 +22,7 @@ pluggy==1.0.0
     # via pytest
 py==1.11.0
     # via pytest
-pyfakefs==4.7.0
+pyfakefs==5.0.0
     # via -r requirements/test.in
 pyparsing==3.0.9
     # via packaging

src/scitacean/file.py

@@ -197,9 +197,17 @@ def _creation_time_str(st: os.stat_result) -> str:
     )
 
 
+def _new_hash(algorithm: str):
+    try:
+        return hashlib.new(algorithm, usedforsecurity=False)
+    except TypeError:
+        # Fallback for Python < 3.9
+        return hashlib.new(algorithm)
+
+
 # size based on http://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=blob;f=src/ioblksize.h;h=ed2f4a9c4d77462f357353eb73ee4306c28b37f1;hb=HEAD#l23  # noqa
 def checksum_of_file(path: Union[str, Path], *, algorithm: str) -> str:
-    chk = hashlib.new(algorithm)
+    chk = _new_hash(algorithm)
     buffer = memoryview(bytearray(128 * 1024))
     with open(path, "rb", buffering=0) as file:
         for n in iter(lambda: file.readinto(buffer), 0):

tox.ini

@@ -24,3 +24,4 @@ skip_install = true
 deps = -r requirements/static.txt
 commands = black .
            flake8 .
+           bandit -c pyproject.toml -r src tools docs