Moving from pylint+black+isort+bandit to Ruff Linter

mypy.ini

@@ -5,6 +5,8 @@ files =
     securesystemslib/storage.py,
     securesystemslib/_gpg/constants.py
 
+exclude = securesystemslib/_vendor
+
 # Supress error messages until enough modules
 # are type annotated
 follow_imports = silent

pyproject.toml

@@ -70,12 +70,35 @@ include = [
   "/.coveragerc",
 ]
 
-[tool.black]
-line-length=80
-extend-exclude="_vendor"
+# Ruff section
+[tool.ruff]
+lint.select = [
+    "I",      # isort: all
+    "PL",     # pylint: all
+    "S",      # flake8-bandit: all
+    "N",      # pep8-naming: all
+    "RUF100"  # ruff: find unused noqa
+]
+exclude = ["_vendor"]
+
+# Same as Black.
+line-length = 80
+indent-width = 4
+
+[tool.ruff.format]
+# Like Black, use double quotes for strings.
+quote-style = "double"
+
+# Like Black, indent with spaces, rather than tabs.
+indent-style = "space"
+
+# Like Black, respect magic trailing commas.
+skip-magic-trailing-comma = false
+
+# Like Black, automatically detect the appropriate line ending.
+line-ending = "auto"
 
-[tool.isort]
-profile="black"
-line_length=80
-known_first_party = ["securesystemslib"]
-extend_skip_glob=["*/_vendor/*"]
+[tool.ruff.lint.per-file-ignores]
+"tests/*" = [
+    "S",      # bandit: Not running bandit on tests
+]

requirements-lint.txt

@@ -3,3 +3,4 @@ black==24.4.2
 isort==5.13.2
 pylint==3.2.3
 bandit==1.7.9
+ruff==0.4.10

securesystemslib/_gpg/common.py

@@ -449,9 +449,9 @@ def _assign_certified_key_info(bundle):
                 sig_creation_time = tmp_sig_creation_time
 
     if validity_period is not None:
-        bundle[PACKET_TYPE_PRIMARY_KEY]["key"][
-            "validity_period"
-        ] = validity_period
+        bundle[PACKET_TYPE_PRIMARY_KEY]["key"]["validity_period"] = (
+            validity_period
+        )
 
     return bundle[PACKET_TYPE_PRIMARY_KEY]["key"]
 
@@ -654,6 +654,7 @@ def get_pubkey_bundle(data, keyid):
     return master_public_key
 
 
+# ruff: noqa: PLR0912, PLR0915
 def parse_signature_packet(  # pylint: disable=too-many-locals,too-many-branches,too-many-statements
     data,
     supported_signature_types=None,

securesystemslib/_gpg/constants.py

@@ -37,7 +37,7 @@ def is_available_gnupg(gnupg: str, timeout: Optional[int] = None) -> bool:
     gpg_version_cmd = shlex.split(f"{gnupg} --version")
     try:
         subprocess.run(  # nosec
-            gpg_version_cmd,
+            gpg_version_cmd,  # noqa: S603
             capture_output=True,
             timeout=timeout,
             check=True,

securesystemslib/_gpg/dsa.py

@@ -28,6 +28,7 @@
     CRYPTO = False
 
 # pylint: disable=wrong-import-position
+# ruff: noqa: E402
 from securesystemslib import exceptions
 from securesystemslib._gpg import util as gpg_util
 from securesystemslib._gpg.exceptions import PacketParsingError

securesystemslib/_gpg/functions.py

@@ -104,24 +104,20 @@ def create_signature(content, keyid=None, homedir=None, timeout=GPG_TIMEOUT):
 
     keyarg = ""
     if keyid:
-        keyarg = (
-            "--local-user {}".format(  # pylint: disable=consider-using-f-string
-                keyid
-            )
+        keyarg = "--local-user {}".format(  # pylint: disable=consider-using-f-string
+            keyid
         )
 
     homearg = ""
     if homedir:
-        homearg = (
-            "--homedir {}".format(  # pylint: disable=consider-using-f-string
-                homedir
-            ).replace("\\", "/")
-        )
+        homearg = "--homedir {}".format(  # pylint: disable=consider-using-f-string
+            homedir
+        ).replace("\\", "/")
 
     command = gpg_sign_command(keyarg=keyarg, homearg=homearg)
 
     gpg_process = subprocess.run(  # nosec
-        command,
+        command,  # noqa: S603
         input=content,
         check=False,
         capture_output=True,
@@ -283,17 +279,15 @@ def export_pubkey(keyid, homedir=None, timeout=GPG_TIMEOUT):
 
     homearg = ""
     if homedir:
-        homearg = (
-            "--homedir {}".format(  # pylint: disable=consider-using-f-string
-                homedir
-            ).replace("\\", "/")
-        )
+        homearg = "--homedir {}".format(  # pylint: disable=consider-using-f-string
+            homedir
+        ).replace("\\", "/")
 
     # TODO: Consider adopting command error handling from `create_signature`
     # above, e.g. in a common 'run gpg command' utility function
     command = gpg_export_pubkey_command(keyid=keyid, homearg=homearg)
     gpg_process = subprocess.run(  # nosec
-        command,
+        command,  # noqa: S603
         capture_output=True,
         timeout=timeout,
         check=True,

securesystemslib/_gpg/rsa.py

@@ -27,6 +27,7 @@
     CRYPTO = False
 
 # pylint: disable=wrong-import-position
+# ruff: noqa: E402
 from securesystemslib import exceptions
 from securesystemslib._gpg import util as gpg_util
 from securesystemslib._gpg.exceptions import PacketParsingError
@@ -185,10 +186,8 @@ def verify_signature(signature_object, pubkey_info, content, hash_algorithm_id):
     signature_length = len(signature_object["signature"])
     if pubkey_length != signature_length:  # pragma: no cover
         zero_pad = "0" * (pubkey_length - signature_length)
-        signature_object["signature"] = (
-            "{}{}".format(  # pylint: disable=consider-using-f-string
-                zero_pad, signature_object["signature"]
-            )
+        signature_object["signature"] = "{}{}".format(  # pylint: disable=consider-using-f-string
+            zero_pad, signature_object["signature"]
         )
 
     digest = gpg_util.hash_object(

securesystemslib/_gpg/util.py

@@ -15,6 +15,9 @@
   general-purpose utilities for binary data handling and pgp data parsing
 """
 
+# ruff: noqa: PLR2004
+# (disbales "Magic value used in comparison", like on line 150)
+
 import binascii
 import logging
 import struct
@@ -28,6 +31,7 @@
     CRYPTO = False
 
 # pylint: disable=wrong-import-position
+# ruff: noqa: E402
 from securesystemslib import exceptions
 from securesystemslib._gpg import constants
 from securesystemslib._gpg.exceptions import PacketParsingError
@@ -100,9 +104,7 @@ def hash_object(headers, algorithm, content):
     return hasher.finalize()
 
 
-def parse_packet_header(
-    data, expected_type=None
-):  # pylint: disable=too-many-branches
+def parse_packet_header(data, expected_type=None):  # pylint: disable=too-many-branches # noqa: PLR0912
     """
     <Purpose>
       Parse out packet type and header and body lengths from an RFC4880 packet.
@@ -235,7 +237,8 @@ def compute_keyid(pubkey_packet_data):
         raise exceptions.UnsupportedLibraryError(NO_CRYPTO_MSG)
 
     hasher = hashing.Hash(
-        hashing.SHA1(), backend=backends.default_backend()  # nosec
+        hashing.SHA1(),  # noqa: S303
+        backend=backends.default_backend(),  # nosec
     )
     hasher.update(b"\x99")
     hasher.update(struct.pack(">H", len(pubkey_packet_data)))

securesystemslib/dsse.py

@@ -1,5 +1,4 @@
-"""Dead Simple Signing Envelope
-"""
+"""Dead Simple Signing Envelope"""
 
 import logging
 from typing import Any, Dict, List
@@ -64,7 +63,7 @@ def from_dict(cls, data: dict) -> "Envelope":
         signatures = {}
         for signature in data["signatures"]:
             signature["sig"] = b64dec(signature["sig"]).hex()
-            signature = Signature.from_dict(signature)
+            signature = Signature.from_dict(signature)  # noqa: PLW2901
             if signature.keyid in signatures:
                 raise ValueError(
                     f"Multiple signatures found for keyid {signature.keyid}"

securesystemslib/formats.py

@@ -47,9 +47,7 @@ def _canonical_string_encoder(string):
     return string
 
 
-def _encode_canonical(
-    object, output_function
-):  # pylint: disable=missing-function-docstring,redefined-builtin
+def _encode_canonical(object, output_function):  # pylint: disable=missing-function-docstring,redefined-builtin
     # Helper for encode_canonical.  Older versions of json.encoder don't
     # even let us replace the separators.
 
@@ -90,7 +88,8 @@ def _encode_canonical(
 
 
 def encode_canonical(  # pylint: disable=inconsistent-return-statements
-    object, output_function=None  # pylint: disable=redefined-builtin
+    object,
+    output_function=None,  # pylint: disable=redefined-builtin
 ):
     """
     <Purpose>

securesystemslib/hash.py

@@ -49,9 +49,7 @@
 
     SUPPORTED_LIBRARIES.append("pyca_crypto")
 
-    class PycaDiggestWrapper(
-        object
-    ):  # pylint: disable=useless-object-inheritance
+    class PycaDiggestWrapper(object):  # pylint: disable=useless-object-inheritance
         """
         <Purpose>
           A wrapper around `cryptography.hazmat.primitives.hashes.Hash` which adds

securesystemslib/signer/__init__.py

@@ -5,6 +5,7 @@
 Some implementations are provided by default but more can be added by users.
 """
 
+# ruff: noqa: F401
 from securesystemslib.signer._aws_signer import AWSSigner
 from securesystemslib.signer._azure_signer import AzureSigner
 from securesystemslib.signer._crypto_signer import CryptoSigner

securesystemslib/signer/_azure_signer.py

@@ -33,7 +33,7 @@
 logger = logging.getLogger(__name__)
 
 
-class UnsupportedKeyType(Exception):
+class UnsupportedKeyType(Exception):  # noqa: N818
     pass
 
 
@@ -132,7 +132,7 @@ def _get_signature_algorithm(public_key: Key) -> "SignatureAlgorithm":
             raise UnsupportedKeyType("Supplied key must be an EC key")
         # Format is "ecdsa-sha2-nistp256"
         comps = public_key.scheme.split("-")
-        if len(comps) != 3:
+        if len(comps) != 3:  # noqa: PLR2004
             raise UnsupportedKeyType("Invalid scheme found")
 
         if comps[2] == "nistp256":
@@ -149,7 +149,7 @@ def _get_hash_algorithm(public_key: "Key") -> str:
         """Return the hash algorithm used by the public key"""
         # Format is "ecdsa-sha2-nistp256"
         comps = public_key.scheme.split("-")
-        if len(comps) != 3:
+        if len(comps) != 3:  # noqa: PLR2004
             raise UnsupportedKeyType("Invalid scheme found")
 
         if comps[2] == "nistp256":

securesystemslib/signer/_crypto_signer.py

@@ -1,4 +1,4 @@
-"""Signer implementation for pyca/cryptography signing. """
+"""Signer implementation for pyca/cryptography signing."""
 
 import logging
 import os

securesystemslib/signer/_gpg_signer.py

@@ -1,4 +1,4 @@
-"""Signer implementation for OpenPGP """
+"""Signer implementation for OpenPGP"""
 
 import logging
 from typing import Any, Dict, Optional, Tuple

securesystemslib/signer/_hsm_signer.py

@@ -64,9 +64,9 @@
 _PYKCS11LIB = None
 
 
-def PYKCS11LIB():
+def PYKCS11LIB():  # noqa: N802
     """Pseudo-singleton to load shared library using PYKCS11LIB envvar only once."""
-    global _PYKCS11LIB  # pylint: disable=global-statement
+    global _PYKCS11LIB  # pylint: disable=global-statement # noqa: PLW0603
     if _PYKCS11LIB is None:
         _PYKCS11LIB = PyKCS11.PyKCS11Lib()
         _PYKCS11LIB.load()

securesystemslib/signer/_key.py

@@ -87,7 +87,7 @@ class Key(metaclass=ABCMeta):
         TypeError: Invalid type for an argument.
     """
 
-    def __init__(
+    def __init__(  # noqa: PLR0913
         self,
         keyid: str,
         keytype: str,
@@ -200,7 +200,7 @@ def verify_signature(self, signature: Signature, data: bytes) -> None:
 class SSlibKey(Key):
     """Key implementation for RSA, Ed25519, ECDSA keys"""
 
-    def __init__(
+    def __init__(  # noqa: PLR0913
         self,
         keyid: str,
         keytype: str,

securesystemslib/signer/_signer.py

@@ -1,4 +1,4 @@
-"""Signer interface """
+"""Signer interface"""
 
 import logging
 from abc import ABCMeta, abstractmethod

securesystemslib/signer/_sigstore_signer.py

@@ -1,5 +1,4 @@
-"""Signer implementation for project sigstore.
-"""
+"""Signer implementation for project sigstore."""
 
 import json
 import logging
@@ -35,7 +34,7 @@ class SigstoreKey(Key):
     DEFAULT_KEY_TYPE = "sigstore-oidc"
     DEFAULT_SCHEME = "Fulcio"
 
-    def __init__(
+    def __init__(  # noqa: PLR0913
         self,
         keyid: str,
         keytype: str,

securesystemslib/signer/_spx_signer.py

@@ -1,6 +1,4 @@
-"""Signer implementation for project SPHINCS+ post-quantum signature support.
-
-"""
+"""Signer implementation for project SPHINCS+ post-quantum signature support."""
 
 import logging
 import os

securesystemslib/signer/_utils.py

@@ -1,4 +1,4 @@
-"""Signer utils for internal use. """
+"""Signer utils for internal use."""
 
 from typing import Any, Dict
 

tests/check_aws_signer.py

@@ -1,6 +1,4 @@
-"""Test AWSSigner
-
-"""
+"""Test AWSSigner"""
 
 import unittest
 

tests/check_public_interfaces.py

@@ -52,9 +52,7 @@
 from securesystemslib.signer._sigstore_signer import SigstoreKey
 
 
-class TestPublicInterfaces(
-    unittest.TestCase
-):  # pylint: disable=missing-class-docstring
+class TestPublicInterfaces(unittest.TestCase):  # pylint: disable=missing-class-docstring
     @classmethod
     def setUpClass(cls):
         cls.temp_dir = tempfile.mkdtemp(dir=os.getcwd())