On Sat, Jul 04, 2026 at 05:06:04PM +0200, Landry Breuil wrote:
> Le Fri, Jun 26, 2026 at 09:20:22PM +0200, Caspar Schutijser a écrit :
> > Hey,
> > 
> > On Fri, Jun 26, 2026 at 03:45:13PM +0200, [email protected] wrote:
> > > here's a quick ('n'dirty?) port for
> > > https://bandit.readthedocs.io/en/latest/ and its dependency
> > > https://opendev.org/openstack/stevedore, i've used it on some python
> > > codebases and it nicely flags potential security issues in the code.
> > > 
> > > oks/tests/improvements ?
> > 
> > I tweaked devel/py-stevedore/pkg/DESCR a little bit (remove a stray '_',
> > add an empty line between the two paragraphs and run it through fmt).
> > The new file is attached, feel free to use it if you want.
> > 
> > The indenting of RUN_DEPENDS and TEST_DEPENDS in the bandit Makefile
> > looks a bit funny, can you fix that?
> > 
> > make test works fine for the stevedore port, even though there's the
> > "# missing stestr ?" comment in the Makefile.
> > https://pypi.org/project/stestr/ suggests that stestr is a tool that can
> > be used to execute the tests, but apparently the tests also run without?
> > In that case I guess the comment can be removed.
> > 
> > In the case of bandit, 3 tests fail because of some missing Python
> > modules (git, bs4 and sarif_om). Installing py3-beautifulsoup4 solves
> > the middle one, I'm not sure how to fix the other two.
> > 
> > Besides that it looks good to me and it works well.
> 
> thanks for the feedback, i've added the two missing TDEPs we have in
> ports, now there's only 1 failing test left. I think i've also fixed the
> other nits, does this look good to import ?

Yes, it does! OK caspar@ for import.

Thanks :)

> thoughts on importing it as security/bandit or security/py-bandit ?

I get the impression that Python libraries are usually prefixed with py-
but ports that contain programs to be run by a user usually do not,
but I did not do a very exhaustive search. I grepped the ports tree
for "MODPY_DIST" and I found a couple of ports that contain
"binaries", such as ansible, beets and cplay.

So I'd say: security/bandit.

Caspar

Reply via email to