Merge branch 'main' into pathfinder_description_fix

rwgk · rwgk · commit 5175dc75466c · 2025-09-29T21:13:00.000-07:00
diff --git a/.bandit b/.bandit
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
@@ -19,10 +19,27 @@ jobs:
     permissions:
       security-events: write
     steps:
-      - name: Perform Bandit Analysis
-        # KEEP IN SYNC WITH bandit rev in .pre-commit-config.yaml
-        # Current runner uses Python 3.8, so the action installs bandit==1.7.10
-        # via `pip install bandit[sarif]`. If runner Python moves to >=3.9,
-        # the action will resolve to 1.8.x and you'll need to bump pre-commit.
-        # (Bandit >=1.8.0 dropped Python 3.8 via Requires-Python metadata.)
-        uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de  # v1.0.0
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4  # v6.7.0
+
+      - name: Get ignore codes
+        id: ignore-codes
+        # This are computed so that we can run only the `S` (bandit)
+        # checks. Passing --select to ruff overrides any config files
+        # (ruff.toml, pyproject.toml, etc), so to avoid having keep everything
+        # in sync we grab them from the TOML programmatically
+        run: |
+          set -euxo pipefail
+
+          echo "codes=$(uvx toml2json ./ruff.toml | jq -r '.lint.ignore | map(select(test("^S\\d+"))) | join(",")')" >> "$GITHUB_OUTPUT"
+      - name: Perform Bandit Analysis using Ruff
+        uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1  # v3.5.1
+        with:
+          args: "check --select S --ignore ${{ steps.ignore-codes.outputs.codes }} --output-format sarif --output-file results.sarif"
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -15,7 +15,7 @@ ci:
 # pre-commit autoupdate --freeze
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: 0b19ef1fd6ad680ed7752d6daba883ce1265a6de  # frozen: v0.12.2
+    rev: f298305809c552671cc47e0fec0ba43e96c146a2  # frozen: v0.13.2
     hooks:
       - id: ruff
         args: [--fix, --show-fixes]
@@ -40,7 +40,7 @@ repos:
 
   # Standard hooks
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: "v5.0.0"
+    rev: "3e8a8703264a2f4a69428a0aa4dcb512790b2c8c"  # frozen: v6.0.0
     hooks:
     - id: check-added-large-files
     - id: check-case-conflict
@@ -58,22 +58,14 @@ repos:
 
   # Checking for common mistakes
   - repo: https://github.com/pre-commit/pygrep-hooks
-    rev: "v1.10.0"
+    rev: "3a6eb0fadf60b3cccfd80bad9dbb6fae7e47b316"  # frozen: v1.10.0
     hooks:
     - id: rst-backticks
     - id: rst-directive-colons
     - id: rst-inline-touching-normal
 
-  - repo: https://github.com/PyCQA/bandit
-    rev: "36fd65054fc8864b4037d0918904f9331512feb5"  # frozen: 1.7.10 KEEP IN SYNC WITH .github/workflows/bandit.yml
-    hooks:
-      - id: bandit
-        args:
-          - --ini
-          - .bandit
-
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: 0f86793af5ef5f6dc63c8d04a3cabfa3ea8f9c6a  # frozen: v1.16.1
+    rev: 9f70dc58c23dfcca1b97af99eaeee3140a807c7e  # frozen: v1.18.2
     hooks:
       - id: mypy
         name: mypy-pathfinder
diff --git a/cuda_bindings/tests/test_cuda.py b/cuda_bindings/tests/test_cuda.py
@@ -653,7 +653,7 @@ def test_get_error_name_and_string():
 @pytest.mark.skipif(not callableBinary("nvidia-smi"), reason="Binary existance needed")
 def test_device_get_name():
     # TODO: Refactor this test once we have nvml bindings to avoid the use of subprocess
-    import subprocess  # nosec B404
+    import subprocess
 
     (err,) = cuda.cuInit(0)
     assert err == cuda.CUresult.CUDA_SUCCESS
@@ -663,8 +663,10 @@ def test_device_get_name():
     assert err == cuda.CUresult.CUDA_SUCCESS
 
     p = subprocess.check_output(
-        ["nvidia-smi", "--query-gpu=name", "--format=csv,noheader"], shell=False, stderr=subprocess.PIPE
-    )  # nosec B603, B607
+        ["nvidia-smi", "--query-gpu=name", "--format=csv,noheader"],  # noqa: S607
+        shell=False,
+        stderr=subprocess.PIPE,
+    )
 
     delimiter = b"\r\n" if platform.system() == "Windows" else b"\n"
     expect = p.split(delimiter)
diff --git a/cuda_bindings/tests/test_nvvm.py b/cuda_bindings/tests/test_nvvm.py
@@ -4,21 +4,12 @@
 
 import binascii
 import re
-import textwrap
 from contextlib import contextmanager
 
 import pytest
 from cuda.bindings import nvvm
 
-MINIMAL_NVVMIR_FIXTURE_PARAMS = ["txt", "bitcode_static"]
-try:
-    import llvmlite.binding as llvmlite_binding  # Optional test dependency.
-except ImportError:
-    llvmlite_binding = None
-else:
-    MINIMAL_NVVMIR_FIXTURE_PARAMS.append("bitcode_dynamic")
-
-MINIMAL_NVVMIR_TXT = b"""\
+MINIMAL_NVVMIR_TXT_TEMPLATE = b"""\
 target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-i128:128:128-f32:32:32-f64:64:64-v16:16:16-v32:32:32-v64:64:64-v128:128:128-n16:32:64"
 
 target triple = "nvptx64-nvidia-cuda"
@@ -130,43 +121,24 @@
     "6e673e0000000000",
 }
 
-MINIMAL_NVVMIR_CACHE = {}
-
 
-@pytest.fixture(params=MINIMAL_NVVMIR_FIXTURE_PARAMS)
+@pytest.fixture(params=("txt", "bitcode_static"))
 def minimal_nvvmir(request):
-    for pass_counter in range(2):
-        nvvmir = MINIMAL_NVVMIR_CACHE.get(request.param, -1)
-        if nvvmir != -1:
-            if nvvmir is None:
-                pytest.skip(f"UNAVAILABLE: {request.param}")
-            return nvvmir
-        if pass_counter:
-            raise AssertionError("This code path is meant to be unreachable.")
-        # Build cache entries, then try again (above).
-        major, minor, debug_major, debug_minor = nvvm.ir_version()
-        txt = MINIMAL_NVVMIR_TXT % (major, debug_major)
-        if llvmlite_binding is None:
-            bitcode_dynamic = None
-        else:
-            bitcode_dynamic = llvmlite_binding.parse_assembly(txt.decode()).as_bitcode()
-        bitcode_static = MINIMAL_NVVMIR_BITCODE_STATIC.get((major, debug_major))
-        if bitcode_static is not None:
-            bitcode_static = binascii.unhexlify(bitcode_static)
-        MINIMAL_NVVMIR_CACHE["txt"] = txt
-        MINIMAL_NVVMIR_CACHE["bitcode_dynamic"] = bitcode_dynamic
-        MINIMAL_NVVMIR_CACHE["bitcode_static"] = bitcode_static
-        if bitcode_static is None:
-            if bitcode_dynamic is None:
-                raise RuntimeError("Please `pip install llvmlite` to generate `bitcode_static` (see PR #443)")
-            bitcode_hex = binascii.hexlify(bitcode_dynamic).decode("ascii")
-            print("\n\nMINIMAL_NVVMIR_BITCODE_STATIC = { # PLEASE ADD TO test_nvvm.py")
-            print(f"    ({major}, {debug_major}):  # (major, debug_major)")
-            lines = textwrap.wrap(bitcode_hex, width=80)
-            for line in lines[:-1]:
-                print(f'    "{line}"')
-            print(f'    "{lines[-1]}",')
-            print("}\n", flush=True)
+    major, minor, debug_major, debug_minor = nvvm.ir_version()
+
+    if request.param == "txt":
+        return MINIMAL_NVVMIR_TXT_TEMPLATE % (major, debug_major)
+
+    bitcode_static_binascii = MINIMAL_NVVMIR_BITCODE_STATIC.get((major, debug_major))
+    if bitcode_static_binascii:
+        return binascii.unhexlify(bitcode_static_binascii)
+    raise RuntimeError(
+        "Static bitcode for NVVM IR version "
+        f"{major}.{debug_major} is not available in this test.\n"
+        "Maintainers: Please run the helper script to generate it and add the "
+        "output to the MINIMAL_NVVMIR_BITCODE_STATIC dict:\n"
+        "  ../../toolshed/build_static_bitcode_input.py"
+    )
 
 
 @pytest.fixture(params=[nvvm.compile_program, nvvm.verify_program])
diff --git a/cuda_bindings/tests/test_utils.py b/cuda_bindings/tests/test_utils.py
@@ -3,7 +3,7 @@
 
 import platform
 import random
-import subprocess  # nosec B404
+import subprocess
 import sys
 from pathlib import Path
 
@@ -72,7 +72,7 @@ def test_ptx_utils(kernel, actual_ptx_ver, min_cuda_ver):
     ),
 )
 def test_get_handle(target):
-    ptr = random.randint(1, 1024)
+    ptr = random.randint(1, 1024)  # noqa: S311
     obj = target(ptr)
     handle = get_cuda_native_handle(obj)
     assert handle == ptr
@@ -105,6 +105,6 @@ def test_get_handle_error(target):
     ],
 )
 def test_cyclical_imports(module):
-    subprocess.check_call(  # nosec B603
+    subprocess.check_call(  # noqa: S603
         [sys.executable, Path(__file__).parent / "utils" / "check_cyclical_import.py", f"cuda.bindings.{module}"],
     )
diff --git a/cuda_core/tests/example_tests/utils.py b/cuda_core/tests/example_tests/utils.py
@@ -29,7 +29,7 @@ def run_example(samples_path, filename, env=None):
         old_sys_path = sys.path.copy()
         sys.path.append(samples_path)
         # TODO: Refactor the examples to give them a common callable `main()` to avoid needing to use exec here?
-        exec(script, env if env else {})  # nosec B102
+        exec(script, env if env else {})  # noqa: S102
     except ImportError as e:
         # for samples requiring any of optional dependencies
         for m in ("cupy", "torch"):
diff --git a/cuda_core/tests/test_module.py b/cuda_core/tests/test_module.py
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 import ctypes
-import pickle  # nosec B403, B301
+import pickle
 import warnings
 
 import cuda.core.experimental
@@ -372,7 +372,7 @@ def test_occupancy_max_potential_cluster_size(get_saxpy_kernel):
 
 def test_module_serialization_roundtrip(get_saxpy_kernel):
     _, objcode = get_saxpy_kernel
-    result = pickle.loads(pickle.dumps(objcode))  # nosec B403, B301
+    result = pickle.loads(pickle.dumps(objcode))  # noqa: S403, S301
 
     assert isinstance(result, ObjectCode)
     assert objcode.code == result.code
diff --git a/cuda_pathfinder/cuda/pathfinder/_utils/platform_aware.py b/cuda_pathfinder/cuda/pathfinder/_utils/platform_aware.py
@@ -8,8 +8,8 @@
 
 def quote_for_shell(s: str) -> str:
     if IS_WINDOWS:
-        # This is a relatively heavy import; keep pathfinder if possible.
-        from subprocess import list2cmdline  # nosec B404
+        # This is a relatively heavy import; keep pathfinder lean if possible.
+        from subprocess import list2cmdline
 
         return list2cmdline([s])
     else:
diff --git a/cuda_pathfinder/pyproject.toml b/cuda_pathfinder/pyproject.toml
@@ -73,9 +73,16 @@ select = [
     "RUF",   # Ruff-specific rules
     "PT",    # flake8-pytest-style
     "DTZ",   # flake8-datetimez
+    "S",
 ]
 extend-select = ["B9"]
 
+ignore = [
+  "S101",   # asserts
+  "S311",   # allow use of the random.* even though many are not cryptographically secure
+  "S404",   # allow importing the subprocess module
+]
+
 [tool.ruff.lint.flake8-quotes]
 inline-quotes = "double"
 
diff --git a/cuda_pathfinder/tests/spawned_process_runner.py b/cuda_pathfinder/tests/spawned_process_runner.py
@@ -53,7 +53,7 @@ def __call__(self):
             sys.stderr = old_stderr
             try:  # noqa: SIM105
                 self.result_queue.put((returncode, stdout, stderr))
-            except Exception:  # nosec B110
+            except Exception:  # noqa: S110
                 # If the queue is broken (e.g., parent gone), best effort logging
                 pass
 
@@ -120,7 +120,7 @@ def run_in_spawned_child_process(
         try:
             result_queue.close()
             result_queue.join_thread()
-        except Exception:  # nosec B110
+        except Exception:  # noqa: S110
             pass
         if process.is_alive():
             process.kill()
diff --git a/ruff.toml b/ruff.toml
@@ -26,6 +26,8 @@ select = [
   "SIM",
   # isort
   "I",
+  # flake8 bandit
+  "S",
 ]
 
 ignore = [
@@ -35,6 +37,9 @@ ignore = [
   "UP035",  # UP006, UP007, UP035 complain about deprecated Typing.<type> use, but disregard backward compatibility of python version
   "UP006",  # leave old-style typing as-is, e.g., Dict is allowed instead of requiring dict
   "SIM108", # ternary if/else
+  "S101",   # asserts
+  "S311",   # allow use of the random.* even though many are not cryptographically secure
+  "S404",   # allow importing the subprocess module
 ]
 
 exclude = ["**/_version.py"]
diff --git a/toolshed/build_static_bitcode_input.py b/toolshed/build_static_bitcode_input.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES.
+# SPDX-License-Identifier: LicenseRef-NVIDIA-SOFTWARE-LICENSE
+
+"""
+Helper to produce static bitcode input for test_nvvm.py.
+
+Usage:
+    python toolshed/build_static_bitcode_input.py
+
+It will print a ready-to-paste MINIMAL_NVVMIR_BITCODE_STATIC entry for the
+current NVVM IR version detected at runtime.
+"""
+
+import binascii
+import os
+import sys
+import textwrap
+
+import llvmlite.binding  # HINT: pip install llvmlite
+from cuda.bindings import nvvm
+
+
+def get_minimal_nvvmir_txt_template():
+    cuda_bindings_tests_dir = os.path.normpath("cuda_bindings/tests")
+    assert os.path.isdir(cuda_bindings_tests_dir), (
+        "Please run this helper script from the cuda-python top-level directory."
+    )
+    sys.path.insert(0, os.path.abspath(cuda_bindings_tests_dir))
+    import test_nvvm
+
+    return test_nvvm.MINIMAL_NVVMIR_TXT_TEMPLATE
+
+
+def main():
+    major, _minor, debug_major, _debug_minor = nvvm.ir_version()
+    txt = get_minimal_nvvmir_txt_template() % (major, debug_major)
+    bitcode_dynamic = llvmlite.binding.parse_assembly(txt.decode()).as_bitcode()
+    bitcode_hex = binascii.hexlify(bitcode_dynamic).decode("ascii")
+    print("\n\nMINIMAL_NVVMIR_BITCODE_STATIC = { # PLEASE ADD TO test_nvvm.py")
+    print(f"    ({major}, {debug_major}):  # (major, debug_major)")
+    lines = textwrap.wrap(bitcode_hex, width=80)
+    for line in lines[:-1]:
+        print(f'    "{line}"')
+    print(f'    "{lines[-1]}",')
+    print("}\n", flush=True)
+    print()
+
+
+if __name__ == "__main__":
+    assert len(sys.argv) == 1, "This helper script does not take any arguments."
+    main()
