chore(pre_commit): convert bandit into Ruff's S rule & add TODOs for security improvements (#2039)

Author: Borda

.pre-commit-config.yaml

@@ -1,4 +1,3 @@
-
 ci:
   autofix_prs: true
   autoupdate_schedule: weekly
@@ -24,13 +23,6 @@ repos:
       - id: end-of-file-fixer
       - id: mixed-line-ending
 
-  -   repo: https://github.com/PyCQA/bandit
-      rev: '1.9.2'
-      hooks:
-      -   id: bandit
-          args: ["-c", "pyproject.toml"]
-          additional_dependencies: ["bandit[toml]"]
-
   -   repo: https://github.com/astral-sh/ruff-pre-commit
       rev: v0.14.10
       hooks:

examples/time_in_zone/scripts/stream_from_file.py

@@ -77,7 +77,7 @@ def run_command_in_thread(command: list) -> Thread:
 
 
 def run_command(command: list) -> int:
-    process = subprocess.run(command)
+    process = subprocess.run(command)  # noqa: S603 # TODO: Validate command input to prevent execution of untrusted input
     return process.returncode
 
 

pyproject.toml

@@ -85,10 +85,6 @@ build = [
     "build>=0.10,<1.4"
 ]
 
-[tool.bandit]
-target = ["test", "supervision"]
-tests = ["B201", "B301", "B318", "B314", "B303", "B413", "B412"]
-
 [tool.autoflake]
 check = true
 imports = ["cv2", "supervision"]
@@ -129,7 +125,7 @@ indent-width = 4
 
 [tool.ruff.lint]
 # Enable pycodestyle (`E`) and Pyflakes (`F`) codes by default.
-select = ["E", "F", "I", "A", "Q", "W", "RUF", "UP"]
+select = ["E", "F", "I", "A", "Q", "W", "RUF", "UP", "S"]
 ignore = []
 # Allow autofix for all enabled rules (when `--fix`) is provided.
 fixable = [
@@ -193,6 +189,12 @@ convention = "google"
 
 [tool.ruff.lint.per-file-ignores]
 "__init__.py" = ["E402", "F401"]
+"test/**" = [
+    "S101"  # Use of `assert` detected
+]
+"supervision/**" = [
+    "S101"  # TODO: Replace asserts with proper error handling
+]
 
 [tool.ruff.lint.mccabe]
 # Flag errors (`C901`) whenever the complexity level exceeds 5.

supervision/assets/downloader.py

@@ -27,7 +27,7 @@ def is_md5_hash_matching(filename: str, original_md5_hash: str) -> bool:
 
     with open(filename, "rb") as file:
         file_contents = file.read()
-        computed_md5_hash = hash_new(name="MD5")
+        computed_md5_hash = hash_new(name="MD5")  # noqa: S324 # TODO: Replace MD5 with a secure hash function like SHA-256
         computed_md5_hash.update(file_contents)
 
     return computed_md5_hash.hexdigest() == original_md5_hash
@@ -57,7 +57,7 @@ def download_assets(asset_name: VideoAssets | str) -> str:
 
     if not Path(filename).exists() and filename in VIDEO_ASSETS:
         print(f"Downloading {filename} assets \n")
-        response = get(VIDEO_ASSETS[filename][0], stream=True, allow_redirects=True)
+        response = get(VIDEO_ASSETS[filename][0], stream=True, allow_redirects=True)  # noqa: S113 # TODO: Add timeout to requests call
         response.raise_for_status()
 
         file_size = int(response.headers.get("Content-Length", 0))

test/test_utils.py

@@ -84,11 +84,11 @@ def random_boxes(
     out = np.zeros((count, 4), dtype=np.float32)
 
     for i in range(count):
-        w = random.uniform(min_box_size, max_box_size)
-        h = random.uniform(min_box_size, max_box_size)
+        w = random.uniform(min_box_size, max_box_size)  # noqa: S311 # TODO: Use secrets module if cryptographic security is needed
+        h = random.uniform(min_box_size, max_box_size)  # noqa: S311 # TODO: Use secrets module if cryptographic security is needed
 
-        x_min = random.uniform(0, img_w - w)
-        y_min = random.uniform(0, img_h - h)
+        x_min = random.uniform(0, img_w - w)  # noqa: S311 # TODO: Use secrets module if cryptographic security is needed
+        y_min = random.uniform(0, img_h - h)  # noqa: S311 # TODO: Use secrets module if cryptographic security is needed
         x_max = x_min + w
         y_max = y_min + h