Enable flake8-bandit rules and comply with them (#658)

nathanjmcdougall · web-flow · commit 86e907b5e3cc · 2025-05-20T12:56:37.000+12:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -108,12 +108,13 @@ lint.select = [
   "PLR",
   "PT",
   "RUF",
+  "S",
   "SIM",
   "TC",
   "UP",
 ]
-lint.ignore = [ "PLR2004", "SIM108" ]
-lint.per-file-ignores."tests/**/*.py" = [ "D", "INP", "S101" ]
+lint.ignore = [ "PLR2004", "S101", "SIM108" ]
+lint.per-file-ignores."tests/**/*.py" = [ "D", "INP", "S603" ]
 lint.flake8-type-checking.runtime-evaluated-base-classes = [ "pydantic.BaseModel" ]
 lint.pydocstyle.convention = "google"
 
diff --git a/src/usethis/_subprocess.py b/src/usethis/_subprocess.py
@@ -9,7 +9,7 @@ class SubprocessFailedError(Exception):
 
 def call_subprocess(args: list[str]) -> str:
     try:
-        process = subprocess.run(
+        process = subprocess.run(  # noqa: S603
             args,
             check=True,
             capture_output=True,
diff --git a/src/usethis/_tool/impl/pytest.py b/src/usethis/_tool/impl/pytest.py
@@ -151,7 +151,9 @@ def get_rule_config(self) -> RuleConfig:
     def get_active_config_file_managers(self) -> set[KeyValueFileManager]:
         # This is a variant of the "first" method
         config_spec = self.get_config_spec()
-        assert config_spec.resolution == "bespoke"
+        if config_spec.resolution != "bespoke":
+            # Something has gone badly wrong, perhaps in a subclass of PytestTool.
+            raise NotImplementedError
         # As per https://docs.pytest.org/en/stable/reference/customize.html#finding-the-rootdir
         # Files will only be matched for configuration if:
         # - pytest.ini: will always match and take precedence, even if empty.
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -114,3 +114,25 @@ def _vary_network_conn(_online_status: NetworkConn) -> Generator[None, None, Non
 @pytest.fixture
 def usethis_dev_dir() -> Path:
     return Path(__file__).parent.parent
+
+
+@pytest.fixture
+def git_path() -> Path:
+    """Fixture to get the path to the git executable."""
+    git_path = shutil.which("git")
+
+    if not git_path:
+        pytest.skip("Git executable not found")
+
+    return Path(git_path)
+
+
+@pytest.fixture
+def uv_path() -> Path:
+    """Fixture to get the path to the uv executable."""
+    uv_path = shutil.which("uv")
+
+    if not uv_path:
+        pytest.skip("uv executable not found")
+
+    return Path(uv_path)
diff --git a/tests/usethis/_core/test_core_tool.py b/tests/usethis/_core/test_core_tool.py
@@ -548,7 +548,7 @@ def test_stdout_unfrozen(
             )
 
         @pytest.mark.usefixtures("_vary_network_conn")
-        def test_run_deptry_fail(self, uv_init_dir: Path):
+        def test_run_deptry_fail(self, uv_init_dir: Path, uv_path: Path):
             # Arrange
             f = uv_init_dir / "bad.py"
             f.write_text("import broken_dependency")
@@ -560,7 +560,9 @@ def test_run_deptry_fail(self, uv_init_dir: Path):
             # Assert
             with pytest.raises(subprocess.CalledProcessError):
                 subprocess.run(
-                    ["uv", "run", "deptry", "."], cwd=uv_init_dir, check=True
+                    [uv_path.as_posix(), "run", "deptry", "."],
+                    cwd=uv_init_dir,
+                    check=True,
                 )
 
         @pytest.mark.usefixtures("_vary_network_conn")
@@ -1467,7 +1469,7 @@ def test_config_file_already_exists(self, uv_init_repo_dir: Path):
             )
 
         @pytest.mark.usefixtures("_vary_network_conn")
-        def test_bad_commit(self, uv_env_dir: Path):
+        def test_bad_commit(self, uv_env_dir: Path, git_path: Path):
             # This needs a venv so that we can actually run pre-commit via git
 
             # Arrange
@@ -1476,9 +1478,11 @@ def test_bad_commit(self, uv_env_dir: Path):
             # Act
             with change_cwd(uv_env_dir), files_manager():
                 use_pre_commit()
-            subprocess.run(["git", "add", "."], cwd=uv_env_dir, check=True)
+            subprocess.run(
+                [git_path.as_posix(), "add", "."], cwd=uv_env_dir, check=True
+            )
             result = subprocess.run(
-                ["git", "commit", "-m", "Good commit"], cwd=uv_env_dir
+                [git_path.as_posix(), "commit", "-m", "Good commit"], cwd=uv_env_dir
             )
             assert not result.stderr
             assert result.returncode == 0, (
@@ -1487,9 +1491,11 @@ def test_bad_commit(self, uv_env_dir: Path):
 
             # Assert
             (uv_env_dir / ".pre-commit-config.yaml").write_text("[")
-            subprocess.run(["git", "add", "."], cwd=uv_env_dir, check=True)
+            subprocess.run(
+                [git_path.as_posix(), "add", "."], cwd=uv_env_dir, check=True
+            )
             result = subprocess.run(
-                ["git", "commit", "-m", "Bad commit"],
+                [git_path.as_posix(), "commit", "-m", "Bad commit"],
                 cwd=uv_env_dir,
                 capture_output=True,
             )
diff --git a/tests/usethis/_integrations/ci/bitbucket/test_bitbucket_schema.py b/tests/usethis/_integrations/ci/bitbucket/test_bitbucket_schema.py
@@ -25,7 +25,7 @@ def test_matches_schema_store(self):
         local_schema_json = (Path(__file__).parent / "schema.json").read_text()
         try:
             online_schema_json = requests.get(
-                "https://api.bitbucket.org/schemas/pipelines-configuration"
+                "https://api.bitbucket.org/schemas/pipelines-configuration", timeout=5
             ).text
         except requests.exceptions.ConnectionError as err:
             if os.getenv("CI"):
diff --git a/tests/usethis/_integrations/pre_commit/test_pre_commit_schema.py b/tests/usethis/_integrations/pre_commit/test_pre_commit_schema.py
@@ -27,7 +27,7 @@ def test_matches_schema_store(self):
         local_schema_json = (Path(__file__).parent / "schema.json").read_text()
         try:
             online_schema_json = requests.get(
-                "https://json.schemastore.org/pre-commit-config.json"
+                "https://json.schemastore.org/pre-commit-config.json", timeout=5
             ).text
         except requests.exceptions.ConnectionError as err:
             if os.getenv("CI"):
diff --git a/tests/usethis/_tool/impl/test_pyproject_toml.py b/tests/usethis/_tool/impl/test_pyproject_toml.py
@@ -67,7 +67,7 @@ def test_link_isnt_dead(self):
 
             if not usethis_config.offline:
                 # Act
-                result = requests.head(url)
+                result = requests.head(url, timeout=5)
 
                 # Assert
                 assert result.status_code == 200
