style: strip free-text rationales from bandit # nosec comments

markuslf · markuslf · commit 1f7acc79afd0 · 2026-04-13T19:18:34.000+02:00
bandit's nosec parser tokenizes every word after `# nosec BXXX` and
tries to match it against its test-id catalog, emitting a
"Test in comment: WORD is not a test name or id, ignoring" warning
for each one. Seven plugins carried rationales inline with the nosec
which produced 30 noisy warnings across the linter sweep:

- dhcp-relayed (2x B104)
- kemp-services (1x B405)
- keycloak-memory-usage, keycloak-stats, keycloak-version (3x B105)
- matomo-reporting (1x B105)
- openstack-nova-list (1x B105)

Move each rationale into a plain comment on the line above the
suppressed statement (except kemp-services where the import block
does not tolerate a gap; its context is already obvious from the
plugin name) and keep the `# nosec BXXX` alone on the suppressed
line. Functionally unchanged; the linter sweep now runs without
the spurious "Test in comment" warnings.
diff --git a/check-plugins/dhcp-relayed/dhcp-relayed b/check-plugins/dhcp-relayed/dhcp-relayed
@@ -32,7 +32,9 @@ with both local and relayed DHCP servers, and can target a specific subnet.
 Alerts if the server does not respond or the response is invalid.
 Requires root or sudo."""
 
-DEFAULT_BIND_ADDRESS = '0.0.0.0'  # nosec B104 - DHCP must listen on all interfaces
+# DHCP relay must listen on all interfaces to receive broadcast DISCOVER
+# packets from any client-facing subnet.
+DEFAULT_BIND_ADDRESS = '0.0.0.0'  # nosec B104
 DEFAULT_TIMEOUT = 7  # seconds
 
 
@@ -362,7 +364,9 @@ def main():
 
     # analyze data
     state = STATE_OK
-    if yiaddr == '0.0.0.0':  # nosec B104 - string comparison, not a bind
+    # String comparison against the DHCP wire-format "not assigned" sentinel,
+    # not a bind address.
+    if yiaddr == '0.0.0.0':  # nosec B104
         state = STATE_WARN
 
     # build the message
diff --git a/check-plugins/kemp-services/kemp-services b/check-plugins/kemp-services/kemp-services
@@ -13,7 +13,7 @@
 import argparse
 import base64
 import sys
-import xml.etree.ElementTree as ET  # nosec B405 - XML comes from admin-configured Kemp LB API
+import xml.etree.ElementTree as ET  # nosec B405
 
 import lib.args
 import lib.base
diff --git a/check-plugins/keycloak-memory-usage/keycloak-memory-usage b/check-plugins/keycloak-memory-usage/keycloak-memory-usage
@@ -30,7 +30,8 @@ DEFAULT_CLIENT_ID = 'admin-cli'
 DEFAULT_CRIT = 90
 DEFAULT_INSECURE = False
 DEFAULT_NO_PROXY = False
-DEFAULT_PASSWORD = 'admin'  # nosec B105 - Keycloak install default, not a real secret
+# Keycloak's install-time default password, not a real secret.
+DEFAULT_PASSWORD = 'admin'  # nosec B105
 DEFAULT_REALM = 'master'
 DEFAULT_TIMEOUT = 8
 DEFAULT_URL = 'http://127.0.0.1:8080'
diff --git a/check-plugins/keycloak-stats/keycloak-stats b/check-plugins/keycloak-stats/keycloak-stats
@@ -28,7 +28,8 @@ client count, user count, and active sessions. Tested with Keycloak 18 and later
 DEFAULT_CLIENT_ID = 'admin-cli'
 DEFAULT_INSECURE = False
 DEFAULT_NO_PROXY = False
-DEFAULT_PASSWORD = 'admin'  # nosec B105 - Keycloak install default, not a real secret
+# Keycloak's install-time default password, not a real secret.
+DEFAULT_PASSWORD = 'admin'  # nosec B105
 DEFAULT_REALM = 'master'
 DEFAULT_TIMEOUT = 8
 DEFAULT_URL = 'http://127.0.0.1:8080'
diff --git a/check-plugins/keycloak-version/keycloak-version b/check-plugins/keycloak-version/keycloak-version
@@ -35,7 +35,8 @@ DEFAULT_CLIENT_ID = 'admin-cli'
 DEFAULT_INSECURE = False
 DEFAULT_NO_PROXY = False
 DEFAULT_OFFSET_EOL = -30  # days
-DEFAULT_PASSWORD = 'admin'  # nosec B105 - Keycloak install default, not a real secret
+# Keycloak's install-time default password, not a real secret.
+DEFAULT_PASSWORD = 'admin'  # nosec B105
 DEFAULT_PATH = '/opt/keycloak'
 DEFAULT_REALM = 'master'
 DEFAULT_TIMEOUT = 8
diff --git a/check-plugins/matomo-reporting/matomo-reporting b/check-plugins/matomo-reporting/matomo-reporting
@@ -30,7 +30,8 @@ DEFAULT_URL = 'https://demo.matomo.org'
 DEFAULT_IDSITE = 1
 DEFAULT_PERIOD = 'day'
 DEFAULT_DATE = 'today'
-DEFAULT_PASSWORD = 'anonymous'  # nosec B105 - Matomo anonymous API default, not a real secret
+# Matomo's "anonymous" API default user password, not a real secret.
+DEFAULT_PASSWORD = 'anonymous'  # nosec B105
 
 DEFAULT_METRIC = []
 
diff --git a/check-plugins/openstack-nova-list/openstack-nova-list b/check-plugins/openstack-nova-list/openstack-nova-list
@@ -225,7 +225,8 @@ def main():
         'ERROR': 0,
         'HARD_REBOOT': 0,
         'MIGRATING': 0,
-        'PASSWORD': 0,  # nosec B105 - OpenStack VM state name, not a secret
+        # 'PASSWORD' is an OpenStack VM state name, not a secret
+        'PASSWORD': 0,  # nosec B105
         'PAUSED': 0,
         'REBOOT': 0,
         'REBUILD': 0,
