Skip to content

[flake8-bandit] Implement S502 SslInsecureVersion rule#9390

Merged
charliermarsh merged 5 commits intoastral-sh:mainfrom
qdegraaf:rule/S402
Jan 5, 2024
Merged

[flake8-bandit] Implement S502 SslInsecureVersion rule#9390
charliermarsh merged 5 commits intoastral-sh:mainfrom
qdegraaf:rule/S402

Conversation

@qdegraaf
Copy link
Copy Markdown
Contributor

@qdegraaf qdegraaf commented Jan 4, 2024

Summary

Adds S502 rule for the flake8-bandit plugin port.

Checks for calls to any function with keywords arguments ssl_version or method or for kwargs method in calls to OpenSSL.SSL.Context and ssl_version in calls to ssl.wrap_socket which have an insecure ssl_version valu. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_bad_version

Test Plan

Fixture added

Issue Link

Refers: #1646

qdegraaf
qdegraaf commented Jan 4, 2024
View reviewed changes
Comment thread crates/ruff_linter/src/rules/flake8_bandit/rules/ssl_insecure_version.rs Outdated
Comment on lines +65 to +68
_ => vec!["ssl_version", "method"],
}
},
None => vec!["ssl_version", "method"]
Copy link
Copy Markdown
Contributor Author

@qdegraaf qdegraaf Jan 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Upstream implementations checks for all calls at MEDIUM severity and the the specific functions at HIGH severity. Unsure if we want to replicate this, as it might be a bit heavy performance wise and Ruff/flake8-bandit has no way of separating the severity levels right now. Just copied upstream implementation for now

Copy link
Copy Markdown
Member

@charliermarsh charliermarsh Jan 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I decided to reduce the rule scope for the same reason.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Jan 4, 2024
edited
Loading

ruff-ecosystem results

Linter (stable)

✅ ecosystem check detected no linter changes.

Linter (preview)

✅ ecosystem check detected no linter changes.

@charliermarsh charliermarsh added rule Implementing or modifying a lint rule preview Related to preview mode features labels Jan 4, 2024
@qdegraaf qdegraaf mentioned this pull request Jan 4, 2024
Merged
charliermarsh
charliermarsh approved these changes Jan 5, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@charliermarsh charliermarsh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thanks.

@charliermarsh charliermarsh enabled auto-merge (squash) January 5, 2024 01:20
@charliermarsh charliermarsh merged commit 6dfc1cc into astral-sh:main Jan 5, 2024
charliermarsh pushed a commit that referenced this pull request Jan 5, 2024
@qdegraaf
[flake8-bandit] Implement S503 SslWithBadDefaults rule (#9391)
c11f653 
## Summary

Adds S503 rule for the
[flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin
port.

Checks for function defs argument defaults which have an insecure
ssl_version value. See also
https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_bad_defaults

Some logic and the `const` can be shared with
#9390. When one of the two is
merged.

## Test Plan

Fixture added

## Issue Link

Refers: #1646
@Porkepix Porkepix mentioned this pull request Jan 12, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@charliermarsh charliermarsh charliermarsh approved these changes

Assignees

No one assigned

Labels

preview Related to preview mode features rule Implementing or modifying a lint rule

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@qdegraaf @charliermarsh