ruff: Enable S checks

This lets us remove the bandit pre-commit hook.

We also bump the version of all remaining hooks while here.

Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Change-Id: If86f80abf1805b14139864abbdcf1c3b2e928e4a

.pre-commit-config.yaml

@@ -1,13 +1,13 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: trailing-whitespace
       - id: mixed-line-ending
         args: ['--fix', 'lf']
         exclude: '.*\.(svg)$'
-      - id: check-byte-order-marker
+      - id: fix-byte-order-marker
       - id: check-executables-have-shebangs
       - id: check-merge-conflict
       - id: debug-statements
@@ -15,20 +15,13 @@ repos:
         files: .*\.(yaml|yml)$
         exclude: '^zuul.d/.*$'
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.11.8
+    rev: v0.14.8
     hooks:
-      - id: ruff
+      - id: ruff-check
         args: ['--fix', '--unsafe-fixes']
       - id: ruff-format
-  - repo: https://github.com/PyCQA/bandit
-    rev: 1.8.3
-    hooks:
-      - id: bandit
-        # We ignore the following:
-        #   B110: except: pass
-        args: ['-x', 'tests', '-s', 'B110']
   - repo: https://opendev.org/openstack/hacking
-    rev: 7.0.0
+    rev: 8.0.0
     hooks:
       - id: hacking
         additional_dependencies:

keystoneauth1/discover.py

@@ -533,7 +533,8 @@ def _version_from_url(url: str | None) -> _PARSED_VERSION_T | None:
             if part[0] != 'v':
                 continue
             return normalize_version_number(part)
-        except Exception:
+        except Exception:  # noqa: S110
+            # we just return None instead
             pass
     return None
 

keystoneauth1/identity/v3/oidc.py

@@ -180,7 +180,8 @@ class _OidcBase(federation.FederationBaseAuth, metaclass=abc.ABCMeta):
 
             try:
                 self._discovery_document = resp.json()
-            except Exception:
+            except Exception:  # noqa: S110
+                # we handle this below
                 pass
 
             if not self._discovery_document:
@@ -382,7 +383,7 @@ class OidcPassword(_OidcBase):
         protocol: str,
         client_id: str,
         client_secret: str,
-        access_token_type: str = 'access_token',  # nosec B107
+        access_token_type: str = 'access_token',  # noqa: S107
         scope: str = 'openid profile',
         access_token_endpoint: str | None = None,
         discovery_endpoint: str | None = None,
@@ -501,7 +502,7 @@ class OidcClientCredentials(_OidcBase):
         protocol: str,
         client_id: str,
         client_secret: str,
-        access_token_type: str = 'access_token',  # nosec B107
+        access_token_type: str = 'access_token',  # noqa: S107
         scope: str = 'openid profile',
         access_token_endpoint: str | None = None,
         discovery_endpoint: str | None = None,
@@ -574,7 +575,7 @@ class OidcAuthorizationCode(_OidcBase):
         protocol: str,
         client_id: str,
         client_secret: str,
-        access_token_type: str = 'access_token',  # nosec B107
+        access_token_type: str = 'access_token',  # noqa: S107
         scope: str = 'openid profile',
         access_token_endpoint: str | None = None,
         discovery_endpoint: str | None = None,
@@ -651,7 +652,7 @@ class OidcAccessToken(_OidcBase):
         protocol: str,
         # client_id and client_id intentionally omitted since they don't make
         # sense with an access token
-        access_token_type: str = 'access_token',  # nosec B107
+        access_token_type: str = 'access_token',  # noqa: S107
         scope: str = 'openid profile',
         access_token_endpoint: str | None = None,
         discovery_endpoint: str | None = None,
@@ -754,7 +755,7 @@ class OidcDeviceAuthorization(_OidcBase):
         protocol: str,
         client_id: str,
         client_secret: str | None = None,
-        access_token_type: str = "access_token",  # nosec B107
+        access_token_type: str = "access_token",  # noqa: S107
         scope: str = 'openid profile',
         access_token_endpoint: str | None = None,
         discovery_endpoint: str | None = None,

keystoneauth1/session.py

@@ -428,7 +428,7 @@ class Session:
             # If we created a requests.Session, try to close it out correctly
             try:
                 self._session.close()
-            except Exception:
+            except Exception:  # noqa: S110
                 pass
             finally:
                 self._session = None
@@ -466,8 +466,7 @@ class Session:
             if 'serviceCatalog' in data['access']:
                 data['access']['serviceCatalog'] = '<removed>'
                 return self._json.encode(data)
-
-        except Exception:
+        except Exception:  # noqa: S110
             # Don't fail trying to clean up the request body.
             pass
         return body

pyproject.toml

@@ -126,16 +126,15 @@ disallow_untyped_calls = false
 
 [tool.ruff]
 line-length = 79
-target-version = "py310"
 
 [tool.ruff.lint]
-# enable the following rule classes:
-#
-# C4: https://docs.astral.sh/ruff/rules/#flake8-comprehensions-c4
-# E:  https://docs.astral.sh/ruff/rules/#pycodestyle-e-w
-# F:  https://docs.astral.sh/ruff/rules/#pyflakes-f
-# UP: https://docs.astral.sh/ruff/rules/#pyupgrade-up
-select = ["C4", "E4", "E5", "E7", "E9", "F", "UP"]
+select = ["C4", "E4", "E5", "E7", "E9", "F", "S", "UP"]
+ignore = [
+    "S101",  # asserts are only used for type narrowing
+]
+
+[tool.ruff.lint.per-file-ignores]
+"keystoneauth1/tests/*" = ["S"]
 
 [tool.ruff.format]
 quote-style = "preserve"

tox.ini

@@ -25,17 +25,6 @@ deps =
 commands =
     pre-commit run --all-files --show-diff-on-failure
 
-# NOTE(browne): This is required for the integration test job of the bandit
-# project. Please do not remove.
-[testenv:bandit]
-description =
-    Run bandit security checks.
-skip_install = true
-deps =
-    pre-commit
-commands =
-    pre-commit run --all-files --show-diff-on-failure bandit
-
 [testenv:venv]
 commands = {posargs}