fix(ports): silence bandit B104 false-positive on parser wildcard match

imanimanyara · imanimanyara · commit b43450c0f26e · 2026-05-14T21:33:39.000-04:00
`ss -tulnpH` reports wildcard-bind addresses as either "*" or
"0.0.0.0"; the parser checks for those strings and normalises them
to None so PortOwner.address stays informational-only. We're matching
parser output, not binding a socket — but bandit's B104 check fires
on the string literal and CI's `bandit -r src/shimkit -ll` is
fail-on-medium+. # nosec with a reason at the site.
diff --git a/src/shimkit/tools/ports/owners.py b/src/shimkit/tools/ports/owners.py
@@ -174,7 +174,9 @@ def _split_addr_port(local: str) -> tuple[str | None, int | None]:
     if idx < 0:
         return None, None
     addr = local[:idx] or None
-    if addr in ("*", "0.0.0.0"):
+    # Normalise wildcard-bind addresses from `ss` output to None so the
+    # PortOwner.address is informational only. We're parsing, not binding.
+    if addr in ("*", "0.0.0.0"):  # nosec B104 — string match on parser output, not a bind
         addr = None
     try:
         port = int(local[idx + 1 :])
