Chore/maintenance 251206 (#320)

* sec(install): bash and ensure ssl
* chore(deps): bump
* refactor(various): given issues identified by SonarQube
* chore(audit): allow Zope Public License for audit

Author: helmut-hoffer-von-ankershoffen

.github/workflows/_install_dev_tools.bash

@@ -6,6 +6,7 @@ set -o pipefail  # Return value of a pipeline is the value of the last command t
 # Log function for better debugging
 log() {
     echo "[$(date +'%Y-%m-%dT%H:%M:%S%z')] $*"
+    return 0
 }
 
 log "Starting installation of development tools..."
@@ -14,13 +15,16 @@ log "Starting installation of development tools..."
 sudo rm -f /var/lib/man-db/auto-update
 
 # Install APT packages
-wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+# Use signed-by to add GPG key securely (apt-key is deprecated)
+mkdir -p /etc/apt/keyrings
+wget --secure-protocol=TLSv1_2 --max-redirect=0 -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /etc/apt/keyrings/trivy.gpg > /dev/null
+echo "deb [signed-by=/etc/apt/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
 sudo apt-get update
 sudo apt-get install --no-install-recommends -y curl gnupg2 jq trivy xsltproc
 
 # Install further tools not project specific
-curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="2.57.0" sh
+# Download Sentry CLI securely: enforce HTTPS, disable redirects
+wget --secure-protocol=TLSv1_2 --max-redirect=0 -qO - https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="2.57.0" sh
 
 # Install project specific tools
 .github/workflows/_install_dev_tools_project.bash

.license-types-allowed

@@ -21,3 +21,4 @@ UNKNOWN
 Unlicense
 
 # Additions for aignostics
+Zope Public License

ATTRIBUTIONS.md

@@ -54,7 +54,7 @@ act audit bump dist docs lint lint_fix setup test update_from_template:
 
 ## Install development dependencies and pre-commit hooks
 install:
-	sh install.sh
+	bash install.bash
 	uv run pre-commit install
 
 ## Run default tests, i.e. unit, then integration, then e2e tests, no (very_)long_running tests, single Python version

Makefile

@@ -6,7 +6,7 @@ ENV="local"
 
 # Parse command line arguments
 i=0
-while [ $i -lt $# ]; do
+while [[ $i -lt $# ]]; do
     i=$((i + 1))
     arg="${!i}"
 
@@ -16,7 +16,7 @@ while [ $i -lt $# ]; do
             ;;
         --env)
             i=$((i + 1))
-            if [ $i -le $# ]; then
+            if [[ $i -le $# ]]; then
                 ENV="${!i}"
             fi
             ;;
@@ -76,14 +76,14 @@ should_install_in_env() {
     local environments=$1
 
     # If environments is empty, install in all environments
-    if [ -z "$environments" ]; then
+    if [[ -z "$environments" ]]; then
         return 0  # true
     fi
 
     # Check if the current environment is in the list
     IFS=',' read -ra ENV_LIST <<< "$environments"
     for e in "${ENV_LIST[@]}"; do
-        if [ "$e" = "$ENV" ]; then
+        if [[ "$e" = "$ENV" ]]; then
             return 0  # true
         fi
     done
@@ -172,13 +172,13 @@ fi
 # Install/update Homebrew itself
 if ! command -v brew &> /dev/null; then
     # Check if we should install Homebrew in this environment
-    if [ "$ENV" = "local" ]; then
+    if [[ "$ENV" = "local" ]]; then
         echo "Installing Homebrew... # https://brew.sh/"
-        /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+        /bin/bash -c "$(curl --proto "=https" -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
     else
         echo "Skipping Homebrew installation (not needed in $ENV environment)"
     fi
-elif [ "$ENV" = "local" ]; then
+elif [[ "$ENV" = "local" ]]; then
     echo "Homebrew already installed at $(command -v brew), updating..."
     brew update
 fi

install.sh install.bashinstall.sh renamed to install.bash

@@ -23,6 +23,7 @@
 CLI_MODULE = "cli"
 API_VERSIONS = ["v1"]
 UTF8 = "utf-8"
+LOG_STDERR_DISABLED = "AIGNOSTICS_LOG_STDERR_ENABLED=false"
 
 
 def _read_python_version() -> str:
@@ -420,8 +421,8 @@ def _generate_openapi_schemas(session: nox.Session) -> None:
     Path("docs/source/_static").mkdir(parents=True, exist_ok=True)
 
     formats = {
-        "yaml": {"ext": "yaml", "args": ["--output-format=yaml", "--env", "AIGNOSTICS_LOG_STDERR_ENABLED=false"]},
-        "json": {"ext": "json", "args": ["--output-format=json", "--env", "AIGNOSTICS_LOG_STDERR_ENABLED=false"]},
+        "yaml": {"ext": "yaml", "args": ["--output-format=yaml", "--env", LOG_STDERR_DISABLED]},
+        "json": {"ext": "json", "args": ["--output-format=json", "--env", LOG_STDERR_DISABLED]},
     }
 
     for version in API_VERSIONS:
@@ -455,7 +456,7 @@ def _generate_sdk_metadata_schema(session: nox.Session, schema_type: str) -> Non
             f"{schema_type}-metadata-schema",
             "--no-pretty",
             "--env",
-            "AIGNOSTICS_LOG_STDERR_ENABLED=false",
+            LOG_STDERR_DISABLED,
             stdout=f,
             external=True,
         )

noxfile.py

@@ -74,26 +74,26 @@ requires-python = ">=3.11, <3.14"
 
 dependencies = [
     # From Template
-    "fastapi[all,standard]>=0.123.8",
+    "fastapi[all,standard]>=0.123.10",
     "humanize>=4.14.0,<5",
     "nicegui[native]>=3.1.0,<3.2.0", # Regression in 3.2.0
     "packaging>=25.0,<26",
-    "platformdirs>=4.5.0,<5",
+    "platformdirs>=4.5.1,<5",
     "psutil>=7.1.3,<8",
     "pydantic-settings>=2.12.0,<3",
     "pywin32>=310,<311 ; sys_platform == 'win32'",
     "pyyaml>=6.0.3,<7",
-    "sentry-sdk>=2.45.0,<3",
+    "sentry-sdk>=2.47.0,<3",
     "typer>=0.20.0,<1",
     "uptime>=3.0.1,<4",
     # Custom
     "boto3>=1.42.4,<2",
-    "certifi>=2025.11.12,<2026",
+    "certifi>=2025.11.12",
     "defusedxml>=0.7.1",
     "dicom-validator>=0.7.3,<1",
     "dicomweb-client[gcp]>=0.59.3,<1",
     "duckdb>=0.10.0,<=1.4.1",
-    "fastparquet>=2024.11.0,<2025",
+    "fastparquet>=2024.11.0",
     "google-cloud-storage>=3.6.0,<4",
     "google-crc32c>=1.7.1,<2",
     "highdicom>=0.26.1,<1",
@@ -103,11 +103,11 @@ dependencies = [
     "ijson>=3.4.0.post0,<4",
     "jsf>=0.11.2,<1",
     "jsonschema[format-nongpl]>=4.25.1,<5",
-    "loguru>=0.7.3",
-    "openslide-bin>=4.0.0.8,<5",
-    "openslide-python>=1.4.2,<2",
+    "loguru>=0.7.3,<1",
+    "openslide-bin>=4.0.0.10,<5",
+    "openslide-python>=1.4.3,<2",
     "pandas>=2.3.3,<3",
-    "platformdirs>=4.3.8,<5",
+    "platformdirs>=4.3.2,<5",
     "procrastinate>=3.5.3",
     "pyjwt[crypto]>=2.10.1,<3",
     "python-dateutil>=2.9.0.post0,<3",
@@ -129,8 +129,8 @@ pyinstaller = ["pyinstaller>=6.14.0,<7"]
 jupyter = ["jupyter>=1.1.1,<2"]
 marimo = [
     "cloudpathlib>=0.23.0,<1",
-    "ipython>=9.7.0,<10",
-    "marimo>=0.17.8,<1",
+    "ipython>=9.8.0,<10",
+    "marimo>=0.18.3,<1",
     "matplotlib>=3.10.7,<4",
     "shapely>=2.1.0,<3",
 ]
@@ -142,15 +142,15 @@ dev = [
     "cyclonedx-py>=1.0.1,<2",
     "detect-secrets>=1.5.0,<2",
     "enum-tools>=0.13.0,<1",
-    "furo>=2025.9.25,<2026",
+    "furo>=2025.9.25",
     "git-cliff>=2.10.1,<3",
-    "mypy>=1.18.2,<2",
-    "nox[uv]>=2025.11.12,<2026",
-    "pip-audit>=2.9.0,<3",
+    "mypy>=1.19.0,<2",
+    "nox[uv]>=2025.11.12",
+    "pip-audit>=2.10.0,<3",
     "pip-licenses @ git+https://github.com/neXenio/pip-licenses.git@master", # https://github.com/raimon49/pip-licenses/pull/224
-    "pre-commit>=4.4.0,<5",
+    "pre-commit>=4.5.0,<5",
     "pyright>=1.1.406,<1.1.407", # Regression in 1.1.407, see https://github.com/microsoft/pyright/issues/11060
-    "pytest>=8.4.2,<9",
+    "pytest>=9.0.1,<10",
     "pytest-asyncio>=1.3.0,<2",
     "pytest-cov>=7.0.0,<8",
     "pytest-docker>=3.2.5,<4",
@@ -164,19 +164,19 @@ dev = [
     "pytest-timeout>=2.4.0,<3",
     "pytest-watcher>=0.4.3,<1",
     "pytest-xdist[psutil]>=3.8.0,<4",
-    "ruff>=0.14.5,<1",
+    "ruff>=0.14.8,<1",
     "scalene>=1.5.55,<2",
     "sphinx>=8.2.3,<9",
     "sphinx-autobuild>=2025.8.25,<2026",
-    "sphinx-click>=6.1.0,<7",
+    "sphinx-click>=6.2.0,<7",
     "sphinx-copybutton>=0.5.2,<1",
     "sphinx-inline-tabs>=2023.4.21,<2024",
     "sphinx-mdinclude>=0.6.2,<1",
     "sphinx-rtd-theme>=3.0.2,<4",
     "sphinx_selective_exclude>=1.0.3,<2",
-    "sphinx-toolbox>=4.0.0,<5",
+    "sphinx-toolbox>=4.1.0,<5",
     "sphinxext.opengraph>=0.9.1,<1",
-    "swagger-plugin-for-sphinx>=6.0.0,<7",
+    "swagger-plugin-for-sphinx>=6.1.0,<7",
     "tomli>=2.3.0,<3",
     "types-pyyaml>=6.0.12.20250915,<7",
     "types-requests>=2.32.4.20250913,<3",
@@ -201,6 +201,7 @@ override-dependencies = [ # https://github.com/astral-sh/uv/issues/4422
     "fonttools>=4.60.2",                # CVE-2025-66034 (GHSA-768j-98cg-p3fv), dep of matplotlib
     "pyjpegls; sys_platform == 'never'", # Python 3.14
     "urllib3>=2.6.0",                   # CVE-2025-66471 (GHSA-2xpw-w6gg-jr37), dep of boto3, dicomweb-client and others
+    "pytest>=9.0.1",                    # pytest-md-report depends on pytest<9 unnecessarily
 ]
 
 [tool.uv.sources]

pyproject.toml

@@ -37,6 +37,7 @@
 )
 
 MESSAGE_NOT_YET_IMPLEMENTED = "NOT YET IMPLEMENTED"
+PROGRESS_TASK_DESCRIPTION = "[progress.description]{task.description}"
 
 
 ApplicationVersionOption = Annotated[
@@ -219,7 +220,7 @@ def application_dump_schemata(  # noqa: C901
             resolve_path=True,
             show_default="<current-working-directory>",
         ),
-    ] = Path().cwd(),  # noqa: B008,
+    ] = Path().cwd(),  # noqa: B008
     zip: Annotated[  # noqa: A002
         bool,
         typer.Option(
@@ -236,7 +237,7 @@ def application_dump_schemata(  # noqa: C901
         logger.warning(message)
         console.print(f"[warning]Warning:[/warning] {message}")
         sys.exit(2)
-    except (Exception, RuntimeError) as e:
+    except Exception as e:
         message = f"Failed to load application version with ID '{id}': {e!s}."
         logger.exception(message)
         console.print(f"[warning]Error:[/warning] {message}")
@@ -670,7 +671,7 @@ def run_upload(
         FileSizeColumn(),
         TotalFileSizeColumn(),
         TransferSpeedColumn(),
-        TextColumn("[progress.description]{task.description}"),
+        TextColumn(PROGRESS_TASK_DESCRIPTION),
     ) as progress:
         task = progress.add_task(f"Uploading to {upload_prefix}/...", total=total_bytes)
 
@@ -761,7 +762,7 @@ def run_submit(  # noqa: PLR0913, PLR0917
             f"(version: {application_version})': {e}"
         )
         sys.exit(2)
-    except (Exception, RuntimeError) as e:
+    except Exception as e:
         message = (
             f"Failed to load application version '{application_version}' for application '{application_id}': {e!s}."
         )
@@ -1308,15 +1309,15 @@ def result_download(  # noqa: C901, PLR0913, PLR0915, PLR0917
         main_download_progress_ui = Progress(
             BarColumn(),
             TaskProgressColumn(),
-            TextColumn("[progress.description]{task.description}"),
+            TextColumn(PROGRESS_TASK_DESCRIPTION),
             TimeElapsedColumn(),
             TimeRemainingColumn(),
             TextColumn("{task.fields[extra_description]}"),
         )
         artifact_download_progress_ui = Progress(
             BarColumn(),
             TaskProgressColumn(),
-            TextColumn("[progress.description]{task.description}"),
+            TextColumn(PROGRESS_TASK_DESCRIPTION),
             TimeElapsedColumn(),
             TimeRemainingColumn(),
             FileSizeColumn(),

setup.sh

@@ -39,6 +39,7 @@
 CLASS_SUBSECTION_HEADER = "text-h6 mb-0 pb-0"
 CLASS_WIDTH_ONE_THIRD = "w-1/3"
 CLASS_WIDTH_ONE_HALF = "w-1/2"
+DATETIME_MASK = "YYYY-MM-DD HH:mm"
 
 
 @binding.bindable_dataclass
@@ -645,13 +646,13 @@ class ThumbnailRenderer {
                 with ui.row().classes("full-width"):
                     ui.label("")
                     due_date_date_picker = (
-                        ui.date(mask="YYYY-MM-DD HH:mm")
+                        ui.date(mask=DATETIME_MASK)
                         .bind_value(submit_form, "due_date")
                         .props(f":options=\"(date) => date >= '{today}'\"")
                         .mark("DATE_DUE_DATE")
                     )
                     due_date_time_picker = (
-                        ui.time(mask="YYYY-MM-DD HH:mm")
+                        ui.time(mask=DATETIME_MASK)
                         .bind_value(submit_form, "due_date")
                         .props("format24h now-btn")
                         .mark("TIME_DUE_DATE")
@@ -695,12 +696,12 @@ class ThumbnailRenderer {
                     "text-sm mt-0 pt-0"
                 )
                 with ui.row().classes("full-width"):
-                    ui.date(mask="YYYY-MM-DD HH:mm").bind_value(submit_form, "deadline").props(
+                    ui.date(mask=DATETIME_MASK).bind_value(submit_form, "deadline").props(
                         f":options=\"(date) => date >= '{today}'\""
                     ).mark("DATE_DEADLINE")
-                    ui.time(mask="YYYY-MM-DD HH:mm").bind_value(submit_form, "deadline").props(
-                        "format24h now-btn"
-                    ).mark("TIME_DEADLINE")
+                    ui.time(mask=DATETIME_MASK).bind_value(submit_form, "deadline").props("format24h now-btn").mark(
+                        "TIME_DEADLINE"
+                    )
 
             def _scheduling_next() -> None:
                 if submit_form.upload_and_submit_button is None: