From 9f92296417bf9813d0e8b40b3e02400efa5c450b Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Wed, 10 Dec 2025 17:10:32 +0000 Subject: [PATCH] ruff: Enable S checks This lets us remove the bandit pre-commit hook. We also bump the version of all remaining hooks while here. Signed-off-by: Stephen Finucane Change-Id: If86f80abf1805b14139864abbdcf1c3b2e928e4a --- .pre-commit-config.yaml | 17 +++++------------ keystoneauth1/discover.py | 3 ++- keystoneauth1/identity/v3/oidc.py | 13 +++++++------ keystoneauth1/session.py | 5 ++--- pyproject.toml | 15 +++++++-------- tox.ini | 11 ----------- 6 files changed, 23 insertions(+), 41 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5984f614..557024c8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,13 +1,13 @@ --- repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 + rev: v6.0.0 hooks: - id: trailing-whitespace - id: mixed-line-ending args: ['--fix', 'lf'] exclude: '.*\.(svg)$' - - id: check-byte-order-marker + - id: fix-byte-order-marker - id: check-executables-have-shebangs - id: check-merge-conflict - id: debug-statements @@ -15,20 +15,13 @@ repos: files: .*\.(yaml|yml)$ exclude: '^zuul.d/.*$' - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.11.8 + rev: v0.14.8 hooks: - - id: ruff + - id: ruff-check args: ['--fix', '--unsafe-fixes'] - id: ruff-format - - repo: https://github.com/PyCQA/bandit - rev: 1.8.3 - hooks: - - id: bandit - # We ignore the following: - # B110: except: pass - args: ['-x', 'tests', '-s', 'B110'] - repo: https://opendev.org/openstack/hacking - rev: 7.0.0 + rev: 8.0.0 hooks: - id: hacking additional_dependencies: diff --git a/keystoneauth1/discover.py b/keystoneauth1/discover.py index 87e43a23..048e36cf 100644 --- a/keystoneauth1/discover.py +++ b/keystoneauth1/discover.py 
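Review bot: Removing the bandit hook from `.pre-commit-config.yaml` goes together with deleting `[testenv:bandit]` in `tox.ini`, whose removed comment says the environment is required by the bandit project's integration test job and asks that it not be removed; the commit message does not mention that job. It is worth confirming the job no longer depends on this environment before merging. Ruff's `S` rules are a reimplementation of bandit's plugins and may not cover every check bandit ran here, so a one-off comparison of both tools' output on the tree would show whether any finding class is lost.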
@@ -533,7 +533,8 @@ def _version_from_url(url: str | None) -> _PARSED_VERSION_T | None: if part[0] != 'v': continue return normalize_version_number(part) - except Exception: + except Exception: # noqa: S110 + # we just return None instead pass return None diff --git a/keystoneauth1/identity/v3/oidc.py b/keystoneauth1/identity/v3/oidc.py index 05fc4f36..fdd3e6fb 100644 --- a/keystoneauth1/identity/v3/oidc.py +++ b/keystoneauth1/identity/v3/oidc.py @@ -180,7 +180,8 @@ class _OidcBase(federation.FederationBaseAuth, metaclass=abc.ABCMeta): try: self._discovery_document = resp.json() - except Exception: + except Exception: # noqa: S110 + # we handle this below pass if not self._discovery_document: @@ -382,7 +383,7 @@ class OidcPassword(_OidcBase): protocol: str, client_id: str, client_secret: str, - access_token_type: str = 'access_token', # nosec B107 + access_token_type: str = 'access_token', # noqa: S107 scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, @@ -501,7 +502,7 @@ class OidcClientCredentials(_OidcBase): protocol: str, client_id: str, client_secret: str, - access_token_type: str = 'access_token', # nosec B107 + access_token_type: str = 'access_token', # noqa: S107 scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, @@ -574,7 +575,7 @@ class OidcAuthorizationCode(_OidcBase): protocol: str, client_id: str, client_secret: str, - access_token_type: str = 'access_token', # nosec B107 + access_token_type: str = 'access_token', # noqa: S107 scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, 
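Review bot: The handler around `resp.json()` in the `@@ -180` hunk of `oidc.py` still catches every `Exception` and is now silenced with `# noqa: S110`, although the failure the following `if not self._discovery_document:` check appears meant to cover is an undecodable response body. If `resp` is a requests response, a decode failure is a `ValueError` subclass, so `except ValueError:` would let unrelated errors surface. With ruff's default S110 settings, which do not flag typed handlers, it would also need no suppression. The discovery document comes from a remote endpoint, so a debug-level log of the failure would help when diagnosing a bad provider response. The enclosing method starts and ends outside the hunk.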
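Review bot: The `# noqa: S107` on `access_token_type` in the `OidcPassword` signature (`@@ -382` hunk) replaces `# nosec B107` without recording why the finding is a false positive; the same applies to the `@@ -501`, `@@ -574`, `@@ -651` and `@@ -754` hunks. The default looks like the name of a token type rather than a credential, so a one-line comment above the parameter such as `# S107 false positive: this is a token type name, not a credential` would stop later readers from having to re-derive that. The signatures continue outside each hunk.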
@@ -651,7 +652,7 @@ class OidcAccessToken(_OidcBase): protocol: str, # client_id and client_id intentionally omitted since they don't make # sense with an access token - access_token_type: str = 'access_token', # nosec B107 + access_token_type: str = 'access_token', # noqa: S107 scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, @@ -754,7 +755,7 @@ class OidcDeviceAuthorization(_OidcBase): protocol: str, client_id: str, client_secret: str | None = None, - access_token_type: str = "access_token", # nosec B107 + access_token_type: str = "access_token", # noqa: S107 scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, diff --git a/keystoneauth1/session.py b/keystoneauth1/session.py index 56d158a5..c351845d 100644 --- a/keystoneauth1/session.py +++ b/keystoneauth1/session.py @@ -428,7 +428,7 @@ class Session: # If we created a requests.Session, try to close it out correctly try: self._session.close() - except Exception: + except Exception: # noqa: S110 pass finally: self._session = None @@ -466,8 +466,7 @@ class Session: if 'serviceCatalog' in data['access']: data['access']['serviceCatalog'] = '' return self._json.encode(data) - - except Exception: + except Exception: # noqa: S110 # Don't fail trying to clean up the request body. pass return body diff --git a/pyproject.toml b/pyproject.toml index cabbbf4d..35e7c280 100644 --- a/pyproject.toml +++ b/pyproject.toml 
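Review bot: The `# noqa: S110` added to the `self._session.close()` handler in the `@@ -428` hunk of `session.py` is the only S110 suppression in this commit with no reason next to it. The `finally` clause resets `self._session` to `None` either way, so a comment such as `# best-effort close; the reference is dropped in finally regardless` would record why swallowing the error is acceptable here. The enclosing method begins outside the hunk.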
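Review bot: In the `@@ -466` hunk of `session.py` the suppressed `except Exception: pass` falls through to `return body`, so whenever the clean-up fails the caller gets the original, unmodified body back. If this helper exists to blank the service catalog before the body is logged (the call site is not in the hunk), that is a fail-open path, and the new `# noqa: S110` silences the rule that was pointing at it. Bodies that are not JSON presumably rely on this fallthrough, so narrowing the handler to the decode error and the lookup errors (`KeyError`, `TypeError`) would keep that behaviour while letting anything unexpected surface. The enclosing method starts outside the hunk.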
@@ -126,16 +126,15 @@ disallow_untyped_calls = false [tool.ruff] line-length = 79 -target-version = "py310" [tool.ruff.lint] -# enable the following rule classes: -# -# C4: https://docs.astral.sh/ruff/rules/#flake8-comprehensions-c4 -# E: https://docs.astral.sh/ruff/rules/#pycodestyle-e-w -# F: https://docs.astral.sh/ruff/rules/#pyflakes-f -# UP: https://docs.astral.sh/ruff/rules/#pyupgrade-up -select = ["C4", "E4", "E5", "E7", "E9", "F", "UP"] +select = ["C4", "E4", "E5", "E7", "E9", "F", "S", "UP"] +ignore = [ + "S101", # asserts are only used for type narrowing +] + +[tool.ruff.lint.per-file-ignores] +"keystoneauth1/tests/*" = ["S"] [tool.ruff.format] quote-style = "preserve" diff --git a/tox.ini b/tox.ini index c09f38b9..fc152969 100644 --- a/tox.ini +++ b/tox.ini @@ -25,17 +25,6 @@ deps = commands = pre-commit run --all-files --show-diff-on-failure -# NOTE(browne): This is required for the integration test job of the bandit -# project. Please do not remove. -[testenv:bandit] -description = - Run bandit security checks. -skip_install = true -deps = - pre-commit -commands = - pre-commit run --all-files --show-diff-on-failure bandit - [testenv:venv] commands = {posargs}
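Review bot: The global `S101` ignore in `[tool.ruff.lint]` rests on the claim that asserts are only used for type narrowing, which nothing in this configuration enforces; because asserts are stripped under `python -O`, an assert guarding a runtime condition in non-test code would now pass lint unnoticed. Making the comment prescriptive would at least state the rule, for example `"S101",  # asserts must only narrow types, never guard runtime conditions`. The hunk also drops the comment block that documented each selected rule class without adding an entry for the new one; a line such as `# S: https://docs.astral.sh/ruff/rules/#flake8-bandit-s` would keep that reference. With `target-version` removed, ruff falls back to the project's `requires-python`, which is not visible in this hunk, so it is worth confirming that it is set.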