ruff

0d47334f - [`flake8-bandit`] Support new PySNMP API paths (`S508`, `S509`) (#21374)

[`flake8-bandit`] Support new PySNMP API paths (`S508`, `S509`) (#21374) ## Summary Updated `S508` (snmp-insecure-version) and `S509` (snmp-weak-cryptography) rules to support both old and new PySNMP API module paths. Previously, these rules only detected the old API path `pysnmp.hlapi.*`, but now they correctly detect all PySNMP API variants including `pysnmp.hlapi.asyncio.*`, `pysnmp.hlapi.v1arch.*`, `pysnmp.hlapi.v3arch.*`, and `pysnmp.hlapi.auth.*`. Fixes #21364 ## Problem Analysis The `S508` and `S509` rules used exact pattern matching on qualified names: - `S509` only matched `["pysnmp", "hlapi", "UsmUserData"]` - `S508` only matched `["pysnmp", "hlapi", "CommunityData"]` This meant that newer PySNMP API paths were not detected, such as: - `pysnmp.hlapi.asyncio.UsmUserData` - `pysnmp.hlapi.v3arch.asyncio.UsmUserData` - `pysnmp.hlapi.v3arch.asyncio.auth.UsmUserData` - `pysnmp.hlapi.auth.UsmUserData` - Similar variants for `CommunityData` in `S508` Additionally, the old API path `pysnmp.hlapi.auth.*` was also missing from both rules. ## Approach Instead of exact pattern matching, both rules now check if: 1. The qualified name starts with `["pysnmp", "hlapi"]` 2. The qualified name ends with the target class name (`"UsmUserData"` for `S509`, `"CommunityData"` for `S508`) This flexible approach matches all PySNMP API paths without hardcoding each variant, making the rules more maintainable and future-proof. ## Test Plan Added comprehensive test cases to both `S508.py` and `S509.py` test files covering: - New API paths: `pysnmp.hlapi.asyncio.*`, `pysnmp.hlapi.v1arch.*`, `pysnmp.hlapi.v3arch.*` - Old API path: `pysnmp.hlapi.auth.*` - Both insecure and secure usage patterns All existing tests pass, and new snapshot tests were added and accepted. Manual verification confirms both rules correctly detect all PySNMP API variants. --------- Co-authored-by: Brent Westbrook <brentrwestbrook@gmail.com>