Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

flake8-bandit's S4 rules don't apply to stubs #15207

Open
Avasam opened this issue Dec 30, 2024 · 2 comments
Open

flake8-bandit's S4 rules don't apply to stubs #15207

Avasam opened this issue Dec 30, 2024 · 2 comments
Labels
accepted Ready for implementation help wanted Contributions especially welcome rule Implementing or modifying a lint rule

Comments

@Avasam
Copy link
Contributor

Avasam commented Dec 30, 2024
edited
Loading

When enabling the flake8-bandit (S) category (with preview mode), S4 rules will trigger on imports in stubs of a project. I believe these will always be false-positives and there's no need no need to warn about importing insecure and vulnerable libraries in stubs. Since those are not runtime files. Nothing gets executed.

Ruff: 0.8.4 (rules are currently in preview)

(this report is extracted from #14535 (comment) for ease of tracking and discussion)
@Avasam Avasam mentioned this issue Dec 30, 2024
Open
@dhruvmanila dhruvmanila added the rule Implementing or modifying a lint rule label Dec 31, 2024
@dhruvmanila
Copy link
Member

Thank you for the report!

Thinking from a user perspective, I think this might still be useful when removing the import from both the Python and the respective stub files. Without this rule highlighting the fact that the import exists in the stub file as well, the user might forget to remove them. Your point is correct that this wouldn't affect anyone as stub files aren't executed but it might still be useful.

I'd prefer to get opinions from @AlexWaygood, he's currently on vacation this week so not expecting any reply this week.

@Avasam Avasam mentioned this issue Dec 31, 2024
Closed
@AlexWaygood
Copy link
Member

Heh, interesting question! I think I'm inclined to side with @Avasam on this one, because of the fact that stubs are so often written by people who aren't the authors of the corresponding runtime package. In that scenario, it's out of the control of the stub author whether or not the runtime package uses the insecure API; the stub author's responsibility is just to copy what happens at runtime.

Without this rule highlighting the fact that the import exists in the stub file as well, the user might forget to remove them.

If you remove the problematic import from the file at runtime, it's true that you might forget to update the stub file at the same time. However, there are excellent tools such as stubtest that will error if there are significant discrepancies between the runtime module and the stub. There are also tools such as Ruff that will emit errors if you have unused imports in a stub file! So in practice, I don't think this is a major issue. Disabling this rule for stubs also feels like it follows the precedent we set when we disabled E741 for stubs.

@AlexWaygood AlexWaygood added help wanted Contributions especially welcome accepted Ready for implementation labels Jan 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
accepted Ready for implementation help wanted Contributions especially welcome rule Implementing or modifying a lint rule
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Avasam @AlexWaygood @dhruvmanila