Commit 1f7acc7

style: strip free-text rationales from bandit # nosec comments

bandit's nosec parser tokenizes every word after `# nosec BXXX` and tries to match it against its test-id catalog, emitting a "Test in comment: WORD is not a test name or id, ignoring" warning for each one. Seven plugins carried rationales inline with the nosec, which produced 30 noisy warnings across the linter sweep:

- dhcp-relayed (2x B104)
- kemp-services (1x B405)
- keycloak-memory-usage, keycloak-stats, keycloak-version (3x B105)
- matomo-reporting (1x B105)
- openstack-nova-list (1x B105)

Move each rationale into a plain comment on the line above the suppressed statement (except kemp-services where the import block does not tolerate a gap; its context is already obvious from the plugin name) and keep the `# nosec BXXX` alone on the suppressed line.

Functionally unchanged; the linter sweep now runs without the spurious "Test in comment" warnings.

1 parent 6e42a70 commit 1f7acc7
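
A regression guard for the convention this commit message describes, as an added example that is not part of the commit or the project: it reports `# nosec` comments that carry anything other than test ids. `nosec_free_text` and `SAMPLE` are hypothetical names, the sample lines are constructed, and the check assumes suppressions use ids only, never test names.

```python
import io
import re
import tokenize

# Assumption for this sketch: suppressions use bandit test ids (B104, B105, ...)
# only, never test names, so any other word after "nosec" counts as free text.
NOSEC = re.compile(r"#\s*nosec\b(.*)", re.IGNORECASE)
TEST_ID = re.compile(r"^B\d{3}$")


def nosec_free_text(source):
    """Return [(lineno, [stray words])] for nosec comments carrying prose."""
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue  # a string literal containing "# nosec" is not a comment
        match = NOSEC.search(tok.string)
        if not match:
            continue
        # Split on anything that is not a word character: spaces, commas, dashes.
        words = re.split(r"[^A-Za-z0-9_]+", match.group(1).strip())
        stray = [w for w in words if w and not TEST_ID.match(w)]
        if stray:
            findings.append((tok.start[0], stray))
    return findings


# Constructed sample modelled on the before/after lines of this commit.
SAMPLE = '''\
DEFAULT_BIND_ADDRESS = '0.0.0.0'  # nosec B104 - DHCP must listen on all interfaces
# Keycloak's install-time default password, not a real secret.
DEFAULT_PASSWORD = 'admin'  # nosec B105
NOTE = "# nosec B105 - inside a string, not a comment"
import xml.etree.ElementTree as ET  # nosec B405, B314
'''

if __name__ == "__main__":
    for lineno, stray in nosec_free_text(SAMPLE):
        print(f"line {lineno}: free text after nosec: {' '.join(stray)}")
```

Using the tokenizer rather than a per-line regex keeps the check from firing on `# nosec` text that sits inside a string literal.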

7 files changed

Lines changed: 17 additions & 8 deletions

check-plugins/dhcp-relayed/dhcp-relayed

Lines changed: 6 additions & 2 deletions
@@ -32,7 +32,9 @@ with both local and relayed DHCP servers, and can target a specific subnet.
3232
Alerts if the server does not respond or the response is invalid.
3333
Requires root or sudo."""
3434

35-
DEFAULT_BIND_ADDRESS = '0.0.0.0' # nosec B104 - DHCP must listen on all interfaces
35+
# DHCP relay must listen on all interfaces to receive broadcast DISCOVER
36+
# packets from any client-facing subnet.
37+
DEFAULT_BIND_ADDRESS = '0.0.0.0' # nosec B104
3638
DEFAULT_TIMEOUT = 7 # seconds
3739

3840

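
Review bot: The new comment above `DEFAULT_BIND_ADDRESS` says more than the rationale it replaces, and what it says does not obviously match the docstring context at the top of this hunk. The removed line only claimed "DHCP must listen on all interfaces"; the added comment describes a relay receiving broadcast DISCOVER packets from client-facing subnets, while the docstring describes a check that alerts when the server does not respond or the response is invalid. If the socket is bound to 0.0.0.0 in order to receive the server's replies, the comment should say that, so the B104 justification describes what this plugin does with the bind.
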
@@ -362,7 +364,9 @@ def main():
362364

363365
# analyze data
364366
state = STATE_OK
365-
if yiaddr == '0.0.0.0': # nosec B104 - string comparison, not a bind
367+
# String comparison against the DHCP wire-format "not assigned" sentinel,
368+
# not a bind address.
369+
if yiaddr == '0.0.0.0': # nosec B104
366370
state = STATE_WARN
367371

368372
# build the message

check-plugins/kemp-services/kemp-services

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@
1313
import argparse
1414
import base64
1515
import sys
16-
import xml.etree.ElementTree as ET # nosec B405 - XML comes from admin-configured Kemp LB API
16+
import xml.etree.ElementTree as ET # nosec B405
1717

1818
import lib.args
1919
import lib.base
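
Review bot: On the `import xml.etree.ElementTree as ET` line the B405 rationale is dropped rather than moved, so the trust assumption that justified the suppression ("XML comes from admin-configured Kemp LB API") no longer appears anywhere in this hunk. The plugin name does not tell a later auditor that the parsed XML is treated as trusted input, which is the one fact needed to judge whether the suppression still holds. If a comment cannot sit inside the import block, put that sentence where the API response is parsed, or in the module docstring.
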

check-plugins/keycloak-memory-usage/keycloak-memory-usage

Lines changed: 2 additions & 1 deletion
@@ -30,7 +30,8 @@ DEFAULT_CLIENT_ID = 'admin-cli'
3030
DEFAULT_CRIT = 90
3131
DEFAULT_INSECURE = False
3232
DEFAULT_NO_PROXY = False
33-
DEFAULT_PASSWORD = 'admin' # nosec B105 - Keycloak install default, not a real secret
33+
# Keycloak's install-time default password, not a real secret.
34+
DEFAULT_PASSWORD = 'admin' # nosec B105
3435
DEFAULT_REALM = 'master'
3536
DEFAULT_TIMEOUT = 8
3637
DEFAULT_URL = 'http://127.0.0.1:8080'
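
Review bot: "not a real secret" in the comment above `DEFAULT_PASSWORD` understates the value: by the comment's own wording, 'admin' is a working credential wherever the install-time default was kept. Suggest wording the justification around how the constant is used (for instance, if it is only the fallback when no password is supplied, say so), and change the identical comment in keycloak-stats and keycloak-version with it. Since the three plugins now carry the same constant, comment and suppression, a shared definition would leave one B105 suppression to audit instead of three.
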

check-plugins/keycloak-stats/keycloak-stats

Lines changed: 2 additions & 1 deletion
@@ -28,7 +28,8 @@ client count, user count, and active sessions. Tested with Keycloak 18 and later
2828
DEFAULT_CLIENT_ID = 'admin-cli'
2929
DEFAULT_INSECURE = False
3030
DEFAULT_NO_PROXY = False
31-
DEFAULT_PASSWORD = 'admin' # nosec B105 - Keycloak install default, not a real secret
31+
# Keycloak's install-time default password, not a real secret.
32+
DEFAULT_PASSWORD = 'admin' # nosec B105
3233
DEFAULT_REALM = 'master'
3334
DEFAULT_TIMEOUT = 8
3435
DEFAULT_URL = 'http://127.0.0.1:8080'

check-plugins/keycloak-version/keycloak-version

Lines changed: 2 additions & 1 deletion
@@ -35,7 +35,8 @@ DEFAULT_CLIENT_ID = 'admin-cli'
3535
DEFAULT_INSECURE = False
3636
DEFAULT_NO_PROXY = False
3737
DEFAULT_OFFSET_EOL = -30 # days
38-
DEFAULT_PASSWORD = 'admin' # nosec B105 - Keycloak install default, not a real secret
38+
# Keycloak's install-time default password, not a real secret.
39+
DEFAULT_PASSWORD = 'admin' # nosec B105
3940
DEFAULT_PATH = '/opt/keycloak'
4041
DEFAULT_REALM = 'master'
4142
DEFAULT_TIMEOUT = 8

check-plugins/matomo-reporting/matomo-reporting

Lines changed: 2 additions & 1 deletion
@@ -30,7 +30,8 @@ DEFAULT_URL = 'https://demo.matomo.org'
3030
DEFAULT_IDSITE = 1
3131
DEFAULT_PERIOD = 'day'
3232
DEFAULT_DATE = 'today'
33-
DEFAULT_PASSWORD = 'anonymous' # nosec B105 - Matomo anonymous API default, not a real secret
33+
# Matomo's "anonymous" API default user password, not a real secret.
34+
DEFAULT_PASSWORD = 'anonymous' # nosec B105
3435

3536
DEFAULT_METRIC = []
3637

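
Review bot: The comment added above `DEFAULT_PASSWORD` is hard to parse: in `Matomo's "anonymous" API default user password` it is unclear whether "anonymous" names the user, the API or the password. Something like "Default credential of Matomo's anonymous API user, not a real secret." says the same thing and stays close to the removed rationale ("Matomo anonymous API default, not a real secret").
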
check-plugins/openstack-nova-list/openstack-nova-list

Lines changed: 2 additions & 1 deletion
@@ -225,7 +225,8 @@ def main():
225225
'ERROR': 0,
226226
'HARD_REBOOT': 0,
227227
'MIGRATING': 0,
228-
'PASSWORD': 0, # nosec B105 - OpenStack VM state name, not a secret
228+
# 'PASSWORD' is an OpenStack VM state name, not a secret
229+
'PASSWORD': 0, # nosec B105
229230
'PAUSED': 0,
230231
'REBOOT': 0,
231232
'REBUILD': 0,
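
Review bot: Style nit on the comment added above the `'PASSWORD': 0,` entry: it is the only rationale comment in this commit without a trailing period. Add one so the seven moved rationales read consistently.
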
