On Sat, Jul 04, 2026 at 05:06:04PM +0200, Landry Breuil wrote: > Le Fri, Jun 26, 2026 at 09:20:22PM +0200, Caspar Schutijser a écrit : > > Hey, > > > > On Fri, Jun 26, 2026 at 03:45:13PM +0200, [email protected] wrote: > > > here's a quick ('n'dirty?) port for > > > https://bandit.readthedocs.io/en/latest/ and its dependency > > > https://opendev.org/openstack/stevedore, i've used it on some python > > > codebases and it nicely flags potential security issues in the code. > > > > > > oks/tests/improvements ? > > > > I tweaked devel/py-stevedore/pkg/DESCR a little bit (remove a stray '_', > > add an empty line between the two paragraphs and run it through fmt). > > The new file is attached, feel free to use it if you want. > > > > The indenting of RUN_DEPENDS and TEST_DEPENDS in the bandit Makefile > > looks a bit funny, can you fix that? > > > > make test works fine for the stevedore port, even though there's the > > "# missing stestr ?" comment in the Makefile. > > https://pypi.org/project/stestr/ suggests that stestr is a tool that can > > be used to execute the tests, but apparently the tests also run without? > > In that case I guess the comment can be removed. > > > > In the case of bandit, 3 tests fail because of some missing Python > > modules (git, bs4 and sarif_om). Installing py3-beautifulsoup4 solves > > the middle one, I'm not sure how to fix the other two. > > > > Besides that it looks good to me and it works well. > > thanks for the feedback, i've added the two missing TDEPs we have in > ports, now there's only 1 failing test left. I think i've also fixed the > other nits, does this look good to import ?
Yes, it does! OK caspar@ for import. Thanks :) > thoughts on importing it as security/bandit or security/py-bandit ? I get the impression that Python libraries are usually prefixed with py- but ports that contain programs to be run by a user usually do not, but I did not do a very exhaustive search. I grepped the ports tree for "MODPY_DIST" and I found a couple of ports that contain "binaries", such as ansible, beets and cplay. So I'd say: security/bandit. Caspar
