Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package python-bandit for openSUSE:Factory checked in at 2026-03-05 17:14:59

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-bandit (Old)
 and      /work/SRC/openSUSE:Factory/.python-bandit.new.561 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-bandit" Thu Mar 5 17:14:59 2026 rev:21 rq:1336596 version:1.9.4 Changes: -------- --- /work/SRC/openSUSE:Factory/python-bandit/python-bandit.changes 2026-02-10 21:13:58.815479333 +0100 +++ /work/SRC/openSUSE:Factory/.python-bandit.new.561/python-bandit.changes 2026-03-05 17:18:18.882516505 +0100 @@ -1,0 +2,16 @@ +Wed Mar 4 21:40:34 UTC 2026 - Dirk Müller <[email protected]> + +- update to 1.9.4: + * Fix B106 reporting wrong line number on multiline function + calls (#1360) + * Lower version guard in check\_ast\_node to Python 3.12 + (#1355) + * Fix B615 false positive when revision is set via variable + (#1358) + * Include filename in nosec 'no failed test' warning (#1363) + * Fix B613 crash when reading from stdin (#1361) + * Bump docker/build-push-action from 6.18.0 to 6.19.2 (#1357) + * Bump docker/login-action from 3.6.0 to 3.7.0 (#1353) + * chore: fixed some typos in comments (#1351) + +------------------------------------------------------------------- Old: ---- bandit-1.9.3.tar.gz New: ---- bandit-1.9.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-bandit.spec ++++++ --- /var/tmp/diff_new_pack.UMlTqG/_old 2026-03-05 17:18:19.698550277 +0100 +++ /var/tmp/diff_new_pack.UMlTqG/_new 2026-03-05 17:18:19.702550442 +0100 
@@ -34,7 +34,7 @@ %bcond_without builddocs %{?sle15_python_module_pythons} Name: python-bandit -Version: 1.9.3 +Version: 1.9.4 Release: 0 Summary: Security oriented static analyser for Python code License: Apache-2.0 ++++++ bandit-1.9.3.tar.gz -> bandit-1.9.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/.github/workflows/build-publish-image.yml new/bandit-1.9.4/.github/workflows/build-publish-image.yml --- old/bandit-1.9.3/.github/workflows/build-publish-image.yml 2026-01-19 05:04:48.000000000 +0100 +++ new/bandit-1.9.4/.github/workflows/build-publish-image.yml 2026-02-25 07:43:39.000000000 +0100 @@ -34,7 +34,7 @@ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Log in to GitHub Container Registry - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} @@ -51,7 +51,7 @@ - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . file: ./docker/Dockerfile diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/AUTHORS new/bandit-1.9.4/AUTHORS --- old/bandit-1.9.3/AUTHORS 2026-01-19 05:05:09.000000000 +0100 +++ new/bandit-1.9.4/AUTHORS 2026-02-25 07:44:02.000000000 +0100 @@ -31,6 +31,7 @@ Chris DiBussolo <[email protected]> Christopher Goes <[email protected]> Christopher J Schaefer <[email protected]> +Claude Opus 4.6 <[email protected]> Costa Paraskevopoulos <[email protected]> Cyril Roelandt <[email protected]> Dani Alcala <[email protected]> 
@@ -55,6 +56,7 @@ Etienne Schalk <[email protected]> Flavio Percoco <[email protected]> Frank Niessink <[email protected]> +Fridayai700 <[email protected]> Gage Hugo <[email protected]> Giblin <[email protected]> Gram <[email protected]> @@ -66,6 +68,8 @@ Ian Cordasco <[email protected]> Ian Cordasco <[email protected]> Ian Stapleton Cordasco <[email protected]> +Jakob Guldberg Aaes <[email protected]> +Jakob Stender Gulberg <[email protected]> James E. Blair <[email protected]> Jamie Finnigan <[email protected]> Jamie Finnigan <[email protected]> @@ -134,6 +138,7 @@ Rhein <[email protected]> Rob Fletcher <[email protected]> Robbe Sneyders <[email protected]> +Robert C. Gray <[email protected]> Robert Clark <[email protected]> Rodrigo Fernandes <[email protected]> Roman Vlasenko <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/ChangeLog new/bandit-1.9.4/ChangeLog --- old/bandit-1.9.3/ChangeLog 2026-01-19 05:05:09.000000000 +0100 +++ new/bandit-1.9.4/ChangeLog 2026-02-25 07:44:02.000000000 +0100 @@ -1,6 +1,18 @@ CHANGES ======= +1.9.4 +----- + +* Fix B106 reporting wrong line number on multiline function calls (#1360) +* Lower version guard in check\_ast\_node to Python 3.12 (#1355) +* Fix B615 false positive when revision is set via variable (#1358) +* Include filename in nosec 'no failed test' warning (#1363) +* Fix B613 crash when reading from stdin (#1361) +* Bump docker/build-push-action from 6.18.0 to 6.19.2 (#1357) +* Bump docker/login-action from 3.6.0 to 3.7.0 (#1353) +* chore: fixed some typos in comments (#1351) + 1.9.3 ----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/PKG-INFO new/bandit-1.9.4/PKG-INFO --- old/bandit-1.9.3/PKG-INFO 2026-01-19 05:05:10.336733600 +0100 +++ new/bandit-1.9.4/PKG-INFO 2026-02-25 07:44:03.181910500 +0100 
@@ -1,6 +1,6 @@ Metadata-Version: 2.4 Name: bandit -Version: 1.9.3 +Version: 1.9.4 Summary: Security oriented static analyser for python code. Home-page: https://bandit.readthedocs.io/ Author: PyCQA diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/bandit/cli/main.py new/bandit-1.9.4/bandit/cli/main.py --- old/bandit-1.9.3/bandit/cli/main.py 2026-01-19 05:04:48.000000000 +0100 +++ new/bandit-1.9.4/bandit/cli/main.py 2026-02-25 07:43:39.000000000 +0100 @@ -93,10 +93,10 @@ return ini_val else: return None - # No value passed to commad line and default value is used + # No value passed to command line and default value is used elif default_val == arg_val: return ini_val if ini_val else arg_val - # Certainly a value is passed to commad line + # Certainly a value is passed to command line else: return arg_val diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/bandit/core/manager.py new/bandit-1.9.4/bandit/core/manager.py --- old/bandit-1.9.3/bandit/core/manager.py 2026-01-19 05:04:48.000000000 +0100 +++ new/bandit-1.9.4/bandit/core/manager.py 2026-02-25 07:43:39.000000000 +0100 @@ -204,7 +204,7 @@ :param recursive: True/False - whether to add all files from dirs :return: """ - # We'll mantain a list of files which are added, and ones which have + # We'll maintain a list of files which are added, and ones which have # been explicitly excluded files_list = set() excluded_files = set() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/bandit/core/tester.py new/bandit-1.9.4/bandit/core/tester.py --- old/bandit-1.9.3/bandit/core/tester.py 2026-01-19 05:04:48.000000000 +0100 +++ new/bandit-1.9.4/bandit/core/tester.py 2026-02-25 07:43:39.000000000 +0100 
@@ -112,7 +112,9 @@ ): LOG.warning( f"nosec encountered ({test._test_id}), but no " - f"failed test on line {temp_context['lineno']}" + f"failed test on file " + f"{temp_context['filename']}:" + f"{temp_context['lineno']}" ) except Exception as e: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/bandit/core/utils.py new/bandit-1.9.4/bandit/core/utils.py --- old/bandit-1.9.3/bandit/core/utils.py 2026-01-19 05:04:48.000000000 +0100 +++ new/bandit-1.9.4/bandit/core/utils.py 2026-02-25 07:43:39.000000000 +0100 @@ -370,9 +370,9 @@ def check_ast_node(name): "Check if the given name is that of a valid AST node." try: - # These ast Node types don't exist in Python 3.14, but plugins may - # still check on them. - if sys.version_info >= (3, 14) and name in ( + # These ast Node types were deprecated in Python 3.12 and removed + # in Python 3.14, but plugins may still check on them. + if sys.version_info >= (3, 12) and name in ( "Num", "Str", "Ellipsis", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/bandit/plugins/general_hardcoded_password.py new/bandit-1.9.4/bandit/plugins/general_hardcoded_password.py --- old/bandit-1.9.3/bandit/plugins/general_hardcoded_password.py 2026-01-19 05:04:48.000000000 +0100 +++ new/bandit-1.9.4/bandit/plugins/general_hardcoded_password.py 2026-02-25 07:43:39.000000000 +0100 @@ -15,12 +15,13 @@ ) -def _report(value): +def _report(value, lineno=None): return bandit.Issue( severity=bandit.LOW, confidence=bandit.MEDIUM, cwe=issue.Cwe.HARD_CODED_PASSWORD, text=f"Possible hardcoded password: '{value}'", + lineno=lineno, ) 
@@ -201,7 +202,7 @@ and isinstance(kw.value.value, str) and RE_CANDIDATES.search(kw.arg) ): - return _report(kw.value.value) + return _report(kw.value.value, lineno=kw.value.lineno) @test.checks("FunctionDef") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/bandit/plugins/huggingface_unsafe_download.py new/bandit-1.9.4/bandit/plugins/huggingface_unsafe_download.py --- old/bandit-1.9.3/bandit/plugins/huggingface_unsafe_download.py 2026-01-19 05:04:48.000000000 +0100 +++ new/bandit-1.9.4/bandit/plugins/huggingface_unsafe_download.py 2026-02-25 07:43:39.000000000 +0100 @@ -59,6 +59,7 @@ .. versionadded:: 1.8.6 """ +import ast import string import bandit @@ -113,7 +114,19 @@ if not any(module in qualname_parts for module in required_modules): return - # Check for revision parameter (the key security control) + # Check for revision parameter (the key security control). + # First, check the raw AST to see if a revision/commit_id keyword was + # passed as a non-literal expression (variable, attribute, subscript, + # function call, etc.). In those cases we cannot statically determine + # the value, so we give the user the benefit of the doubt. + call_node = context._context.get("call") + if call_node is not None: + for kw in getattr(call_node, "keywords", []): + if kw.arg in ("revision", "commit_id") and not isinstance( + kw.value, ast.Constant + ): + return + revision_value = context.get_call_arg_value("revision") commit_id_value = context.get_call_arg_value("commit_id") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/bandit/plugins/injection_shell.py new/bandit-1.9.4/bandit/plugins/injection_shell.py --- old/bandit-1.9.3/bandit/plugins/injection_shell.py 2026-01-19 05:04:48.000000000 +0100 +++ new/bandit-1.9.4/bandit/plugins/injection_shell.py 2026-02-25 07:43:39.000000000 +0100 
@@ -10,7 +10,7 @@ from bandit.core import test_properties as test # yuck, regex: starts with a windows drive letter (eg C:) -# or one of our path delimeter characters (/, \, .) +# or one of our path delimiter characters (/, \, .) full_path_match = re.compile(r"^(?:[A-Za-z](?=\:)|[\\\/\.])") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/bandit/plugins/trojansource.py new/bandit-1.9.4/bandit/plugins/trojansource.py --- old/bandit-1.9.3/bandit/plugins/trojansource.py 2026-01-19 05:04:48.000000000 +0100 +++ new/bandit-1.9.4/bandit/plugins/trojansource.py 2026-02-25 07:43:39.000000000 +0100 
@@ -54,26 +54,29 @@ @test.test_id("B613") @test.checks("File") def trojansource(context): - with open(context.filename, "rb") as src_file: - encoding, _ = detect_encoding(src_file.readline) - with open(context.filename, encoding=encoding) as src_file: - for lineno, line in enumerate(src_file.readlines(), start=1): - for char in BIDI_CHARACTERS: - try: - col_offset = line.index(char) + 1 - except ValueError: - continue - text = ( - "A Python source file contains bidirectional" - " control characters (%r)." % char - ) - b_issue = bandit.Issue( - severity=bandit.HIGH, - confidence=bandit.MEDIUM, - cwe=issue.Cwe.INAPPROPRIATE_ENCODING_FOR_OUTPUT_CONTEXT, - text=text, - lineno=lineno, - col_offset=col_offset, - ) - b_issue.linerange = [lineno] - return b_issue + src_data = context.file_data + src_data.seek(0) + encoding, _ = detect_encoding(src_data.readline) + src_data.seek(0) + for lineno, line in enumerate( + src_data.read().decode(encoding).splitlines(), start=1 + ): + for char in BIDI_CHARACTERS: + try: + col_offset = line.index(char) + 1 + except ValueError: + continue + text = ( + "A Python source file contains bidirectional" + " control characters (%r)." % char + ) + b_issue = bandit.Issue( + severity=bandit.HIGH, + confidence=bandit.MEDIUM, + cwe=issue.Cwe.INAPPROPRIATE_ENCODING_FOR_OUTPUT_CONTEXT, + text=text, + lineno=lineno, + col_offset=col_offset, + ) + b_issue.linerange = [lineno] + return b_issue diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/bandit.egg-info/PKG-INFO new/bandit-1.9.4/bandit.egg-info/PKG-INFO --- old/bandit-1.9.3/bandit.egg-info/PKG-INFO 2026-01-19 05:05:10.000000000 +0100 +++ new/bandit-1.9.4/bandit.egg-info/PKG-INFO 2026-02-25 07:44:02.000000000 +0100 
@@ -1,6 +1,6 @@ Metadata-Version: 2.4 Name: bandit -Version: 1.9.3 +Version: 1.9.4 Summary: Security oriented static analyser for python code. Home-page: https://bandit.readthedocs.io/ Author: PyCQA diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/bandit.egg-info/pbr.json new/bandit-1.9.4/bandit.egg-info/pbr.json --- old/bandit-1.9.3/bandit.egg-info/pbr.json 2026-01-19 05:05:10.000000000 +0100 +++ new/bandit-1.9.4/bandit.egg-info/pbr.json 2026-02-25 07:44:02.000000000 +0100 @@ -1 +1 @@ -{"git_version": "765f00d", "is_release": false} \ No newline at end of file +{"git_version": "92ae8b8", "is_release": false} \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/doc/build/man/bandit.1 new/bandit-1.9.4/doc/build/man/bandit.1 --- old/bandit-1.9.3/doc/build/man/bandit.1 2026-01-19 05:05:08.000000000 +0100 +++ new/bandit-1.9.4/doc/build/man/bandit.1 2026-02-25 07:44:01.000000000 +0100 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "BANDIT" "1" "Jan 19, 2026" "" "Bandit" +.TH "BANDIT" "1" "Feb 25, 2026" "" "Bandit" .SH NAME bandit \- Python source code security analyzer .SH SYNOPSIS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bandit-1.9.3/examples/huggingface_unsafe_download.py new/bandit-1.9.4/examples/huggingface_unsafe_download.py --- old/bandit-1.9.3/examples/huggingface_unsafe_download.py 2026-01-19 05:04:48.000000000 +0100 +++ new/bandit-1.9.4/examples/huggingface_unsafe_download.py 2026-02-25 07:43:39.000000000 +0100 
@@ -147,3 +147,18 @@ repo_id="org/model_name", revision="5d0f2e8a7f1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d" ) + + +# Example #24: Revision passed as a variable (can't be statically checked) +MODEL_REVISION = "548fc3543a" +safe_model_variable = AutoModel.from_pretrained( + "org/model_name", + revision=MODEL_REVISION +) + +# Example #25: Revision from a dict/subscript access +config = {"revision": "abc1234567"} +safe_model_subscript = AutoModel.from_pretrained( + "org/model_name", + revision=config["revision"] +)
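Review bot: in the two .github/workflows/build-publish-image.yml hunks the trailing `# v3` and `# v6` comments beside the new commit SHAs for docker/login-action and docker/build-push-action still name only the major version, while the ChangeLog describes these as bumps to 3.7.0 and 6.19.2. Put the exact tag in the comment (for example `# v3.7.0`) so a reviewer can check that the pinned SHA is the commit that tag resolves to without leaving the diff; pinning by SHA rather than by tag is the right practice and should stay.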
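Review bot: in the bandit/core/tester.py hunk the new warning indexes `temp_context['filename']` directly, so if the context ever lacks a filename (the B613 stdin crash fixed in this same release suggests stdin input is a path worth checking) the warning call itself raises a KeyError and lands in the generic `except Exception as e:` visible just below instead of being logged. Consider `temp_context.get('filename', '<stdin>')`, and the word "file" in "no failed test on file path:lineno" can go, since `path:lineno` already reads as a location.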
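Review bot: in the bandit/core/utils.py hunk the rewritten comment says these node types were "deprecated in Python 3.12"; more precisely, ast.Num, ast.Str and ast.Ellipsis have been documented as deprecated since Python 3.8, 3.12 is the release that started emitting a DeprecationWarning when they are accessed, and 3.14 removed them. Saying that in the comment makes the reason for lowering the guard to `(3, 12)` explicit: on 3.12 and 3.13 the attributes still exist, so the guard is avoiding the runtime warning, not a missing attribute.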
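Review bot: in the bandit/plugins/general_hardcoded_password.py hunks `_report` gains an optional `lineno`, but only the keyword-argument call site in the `@@ -201,7 +202,7 @@` hunk passes one, so the other `_report` callers in this plugin keep `lineno=None` and the previous behaviour; if any of those paths can also span several lines they have the same B106 symptom the changelog entry describes. Using `kw.value.lineno` rather than `kw.lineno` is the right choice, since `ast.keyword` nodes only gained position attributes in Python 3.9; a one-line comment saying so would stop someone "simplifying" it later.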
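Review bot: in the bandit/plugins/huggingface_unsafe_download.py hunk the early return reads `context._context.get("call")`, a private attribute of the context object, from plugin code; if there is no public accessor for the raw call node, adding one to the context class keeps plugins decoupled from its internals. The plugin docstring should also state the new trade-off: any non-`ast.Constant` expression for `revision` or `commit_id` now silences B615, including a variable that merely holds `"main"` or a call that returns the latest revision, so the finding is suppressed exactly in the cases the check cannot evaluate, which users of the rule should know when reading a clean report.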
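Review bot: in the bandit/plugins/trojansource.py hunk the plugin now consumes the shared `context.file_data` stream and leaves it positioned at EOF after `read()`, so anything that reads `file_data` after this plugin runs sees an empty stream unless it seeks itself; save the position with `tell()` before the scan and restore it in a `finally`, or at least `seek(0)` before returning. Separately, `str.splitlines()` breaks on more separators than the previous text-mode `readlines()` did (`\x0c`, `\x1c`, `\x85`, `\u2028`, `\u2029` among them), so a source file containing one of those characters can be reported with a `lineno` that no longer matches the compiler's or an editor's line numbering; splitting the raw bytes with `bytes.splitlines()` (which breaks only at `\n`, `\r` and `\r\n`) and decoding each line, or a comment noting the difference, would avoid that surprise.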
