add C4 and perflint ruff rules (#989)

even-even · vyuroshchin · web-flow · commit 8773acdca06a · 2025-12-28T13:29:01.000-05:00
Co-authored-by: vyuroshchin &lt;vyuroshchin@sberautotech.ru&gt;
diff --git a/pip_audit/_audit.py b/pip_audit/_audit.py
@@ -93,4 +93,4 @@ def audit(
                     seen_aliases.update(v.aliases | {v.id})
                     unique_vulns.append(v)
 
-                yield (dep, unique_vulns)
+                yield dep, unique_vulns
diff --git a/pip_audit/_cli.py b/pip_audit/_cli.py
@@ -584,7 +584,7 @@ def audit() -> None:  # pragma: no cover
 
         # If the `--fix` flag has been applied, find a set of suitable fix versions and upgrade the
         # dependencies at the source
-        fixes = list()
+        fixes = []
         fixed_pkg_count = 0
         fixed_vuln_count = 0
         if args.fix:
diff --git a/pip_audit/_dependency_source/pip.py b/pip_audit/_dependency_source/pip.py
@@ -112,9 +112,9 @@ def collect(self) -> Iterator[Dependency]:
         # The `pip list` call that underlies `pip_api` could fail for myriad reasons.
         # We collect them all into a single well-defined error.
         try:
-            for _, dist in pip_api.installed_distributions(
+            for dist in pip_api.installed_distributions(
                 local=self._local, paths=list(self._paths)
-            ).items():
+            ).values():
                 dep: Dependency
                 if dist.editable and self._skip_editable:
                     dep = SkippedDependency(
diff --git a/pip_audit/_dependency_source/requirement.py b/pip_audit/_dependency_source/requirement.py
@@ -195,7 +195,7 @@ def fix(self, fix_version: ResolvedFixVersion) -> None:
             tmp_files: list[IO[str]] = [
                 stack.enter_context(NamedTemporaryFile(mode="r+")) for _ in self._filenames
             ]
-            for filename, tmp_file in zip(self._filenames, tmp_files):
+            for filename, tmp_file in zip(self._filenames, tmp_files, strict=True):
                 with filename.open("r") as f:
                     shutil.copyfileobj(f, tmp_file)
 
@@ -225,7 +225,7 @@ def _fix_file(self, filename: Path, fix_version: ResolvedFixVersion) -> None:
         # Check ahead of time for anything invalid in the requirements file since we don't want to
         # encounter this while writing out the file. Check for duplicate requirements and lines that
         # failed to parse.
-        req_specifiers: dict[str, SpecifierSet] = dict()
+        req_specifiers: dict[str, SpecifierSet] = {}
 
         for req in reqs:
             if (
@@ -281,12 +281,12 @@ def _fix_file(self, filename: Path, fix_version: ResolvedFixVersion) -> None:
                 print(f"{fix_version.dep.canonical_name}=={fix_version.version}", file=f)
 
     def _recover_files(self, tmp_files: list[IO[str]]) -> None:
-        for filename, tmp_file in zip(self._filenames, tmp_files):
+        for filename, tmp_file in zip(self._filenames, tmp_files, strict=True):
             try:
                 tmp_file.seek(0)
                 with filename.open("w") as f:
                     shutil.copyfileobj(tmp_file, f)
-            except Exception as e:
+            except Exception as e:  # noqa: PERF203
                 # Not much we can do at this point since we're already handling an exception. Just
                 # log the error and try to recover the rest of the files.
                 logger.warning(f"encountered an exception during file recovery: {e}")
@@ -298,7 +298,7 @@ def _collect_preresolved_deps(
         """
         Collect pre-resolved (pinned) dependencies.
         """
-        req_specifiers: dict[str, SpecifierSet] = dict()
+        req_specifiers: dict[str, SpecifierSet] = {}
         for req in reqs:
             if not req.hash_options and require_hashes:
                 raise RequirementSourceError(f"requirement {req.dumps()} does not contain a hash")
diff --git a/pip_audit/_format/columns.py b/pip_audit/_format/columns.py
@@ -74,13 +74,19 @@ def format(
         if self.output_desc:
             header.append("Description")
         vuln_data.append(header)
-        for dep, vulns in result.items():
-            if dep.is_skipped():
-                continue
-            dep = cast(service.ResolvedDependency, dep)
-            applied_fix = next((f for f in fixes if f.dep == dep), None)
-            for vuln in vulns:
-                vuln_data.append(self._format_vuln(dep, vuln, applied_fix))
+
+        vuln_rows = [
+            self._format_vuln(
+                cast(service.ResolvedDependency, dep),
+                vuln,
+                next((f for f in fixes if f.dep == dep), None),
+            )
+            for dep, vulns in result.items()
+            if not dep.is_skipped()
+            for vuln in vulns
+        ]
+
+        vuln_data.extend(vuln_rows)
 
         columns_string = ""
 
@@ -90,37 +96,29 @@ def format(
 
             # Create and add a separator.
             if len(vuln_data) > 0:
-                vuln_strings.insert(1, " ".join(map(lambda x: "-" * x, sizes)))
+                vuln_strings.insert(1, " ".join("-" * x for x in sizes))
 
             for row in vuln_strings:
                 if columns_string:
                     columns_string += "\n"
                 columns_string += row
 
         # Now display the skipped dependencies
-        skip_data: list[list[Any]] = []
-        skip_header = ["Name", "Skip Reason"]
-
-        skip_data.append(skip_header)
-        for dep, _ in result.items():
-            if dep.is_skipped():
-                dep = cast(service.SkippedDependency, dep)
-                skip_data.append(self._format_skipped_dep(dep))
-
-        # If we only have the header, that means that we haven't skipped any dependencies
-        # In that case, don't bother printing the header
-        if len(skip_data) <= 1:
-            return columns_string
-
-        skip_strings, sizes = tabulate(skip_data)
+        skip_data = [
+            self._format_skipped_dep(cast(service.SkippedDependency, dep))
+            for dep in result.keys()
+            if dep.is_skipped()
+        ]
 
-        # Create separator for skipped dependencies columns
-        skip_strings.insert(1, " ".join(map(lambda x: "-" * x, sizes)))
+        if skip_data:
+            skip_data.insert(0, ["Name", "Skip Reason"])
+            skip_strings, sizes = tabulate(skip_data)
+            skip_strings.insert(1, " ".join("-" * x for x in sizes))
 
-        for row in skip_strings:
-            if columns_string:
-                columns_string += "\n"
-            columns_string += row
+            for row in skip_strings:
+                if columns_string:
+                    columns_string += "\n"
+                columns_string += row
 
         return columns_string
 
diff --git a/pip_audit/_format/cyclonedx.py b/pip_audit/_format/cyclonedx.py
@@ -35,17 +35,17 @@ def _pip_audit_result_to_bom(
         dep = cast(service.ResolvedDependency, dep)
 
         c = Component(name=dep.name, version=str(dep.version))
-        for vuln in vulns:
-            vulnerabilities.append(
-                Vulnerability(
-                    id=vuln.id,
-                    description=vuln.description,
-                    recommendation="Upgrade",
-                    # BomTarget expects str in type hints, but accepts BomRef at runtime
-                    affects=[BomTarget(ref=c.bom_ref)],  # type: ignore[arg-type]
-                )
+        vuln_list = [
+            Vulnerability(
+                id=vuln.id,
+                description=vuln.description,
+                recommendation="Upgrade",
+                # BomTarget expects str in type hints, but accepts BomRef at runtime
+                affects=[BomTarget(ref=c.bom_ref)],  # type: ignore[arg-type]
             )
-
+            for vuln in vulns
+        ]
+        vulnerabilities.extend(vuln_list)
         components.append(c)
 
     return Bom(components=components, vulnerabilities=vulnerabilities)
diff --git a/pip_audit/_format/json.py b/pip_audit/_format/json.py
@@ -50,15 +50,10 @@ def format(
 
         See `VulnerabilityFormat.format`.
         """
-        output_json = {}
-        dep_json = []
-        for dep, vulns in result.items():
-            dep_json.append(self._format_dep(dep, vulns))
-        output_json["dependencies"] = dep_json
-        fix_json = []
-        for f in fixes:
-            fix_json.append(self._format_fix(f))
-        output_json["fixes"] = fix_json
+        output_json = {
+            "dependencies": [self._format_dep(dep, vulns) for dep, vulns in result.items()],
+            "fixes": [self._format_fix(f) for f in fixes],
+        }
         return json.dumps(output_json)
 
     def _format_dep(
diff --git a/pip_audit/_format/markdown.py b/pip_audit/_format/markdown.py
@@ -77,14 +77,16 @@ def _format_vuln_results(
             header += " | Description"
             border += " | ---"
 
-        vuln_rows: list[str] = []
-        for dep, vulns in result.items():
-            if dep.is_skipped():
-                continue
-            dep = cast(service.ResolvedDependency, dep)
-            applied_fix = next((f for f in fixes if f.dep == dep), None)
-            for vuln in vulns:
-                vuln_rows.append(self._format_vuln(dep, vuln, applied_fix))
+        vuln_rows = [
+            self._format_vuln(
+                cast(service.ResolvedDependency, dep),
+                vuln,
+                next((f for f in fixes if f.dep == dep), None),
+            )
+            for dep, vulns in result.items()
+            if not dep.is_skipped()
+            for vuln in vulns
+        ]
 
         if not vuln_rows:
             return ""
@@ -137,7 +139,7 @@ def _format_skipped_deps(
         border = "--- | ---"
 
         skipped_dep_rows: list[str] = []
-        for dep, _ in result.items():
+        for dep in result.keys():
             if dep.is_skipped():
                 dep = cast(service.SkippedDependency, dep)
                 skipped_dep_rows.append(self._format_skipped_dep(dep))
diff --git a/pip_audit/_util.py b/pip_audit/_util.py
@@ -12,7 +12,7 @@ def assert_never(x: NoReturn) -> NoReturn:  # pragma: no cover
     """
     A hint to the typechecker that a branch can never occur.
     """
-    assert False, f"unhandled type: {type(x).__name__}"
+    raise AssertionError(f"unhandled type: {type(x).__name__}")
 
 
 def python_version() -> Version:
diff --git a/pyproject.toml b/pyproject.toml
@@ -109,6 +109,15 @@ reset = true
 line-length = 100
 
 [tool.ruff.lint]
+select = [
+    "E",        # pycodestyle (errors)
+    "W",        # pycodestyle (warnings)
+    "F",        # pyflakes
+    "I",        # isort (imports ordering)
+    "UP",       # pyupgrade
+    "C4",       # comprehensions
+    "PERF",     # perflint
+]
+
 # Never enforce `E501` (line length violations).
 ignore = ["E501"]
-select = ["E", "F", "I", "W", "UP"]
diff --git a/test/dependency_source/test_requirement.py b/test/dependency_source/test_requirement.py
@@ -170,7 +170,7 @@ def _check_fixes(
     fixes: list[ResolvedFixVersion],
 ) -> None:
     # Populate the requirements files
-    for input_req, req_path in zip(input_reqs, req_paths):
+    for input_req, req_path in zip(input_reqs, req_paths, strict=True):
         with open(req_path, "w") as f:
             print(input_req, file=f)
 
@@ -179,7 +179,7 @@ def _check_fixes(
         source.fix(fix)
 
     # Check the requirements files
-    for expected_req, req_path in zip(expected_reqs, req_paths):
+    for expected_req, req_path in zip(expected_reqs, req_paths, strict=True):
         with open(req_path) as f:
             # NOTE: We don't make any guarantees about non-semantic whitespace
             # preservation, hence the strip.
@@ -340,7 +340,7 @@ def test_requirement_source_fix_parse_failure(monkeypatch, req_file):
     req_paths = [req_file(), req_file()]
 
     # Populate the requirements files
-    for input_req, req_path in zip(input_reqs, req_paths):
+    for input_req, req_path in zip(input_reqs, req_paths, strict=True):
         with open(req_path, "w") as f:
             f.write(input_req)
 
@@ -356,7 +356,7 @@ def test_requirement_source_fix_parse_failure(monkeypatch, req_file):
 
     # Check that the requirements files remain unchanged
     # If we encounter a failure while applying a fix, the fix should be rolled back from all files
-    for expected_req, req_path in zip(input_reqs, req_paths):
+    for expected_req, req_path in zip(input_reqs, req_paths, strict=True):
         with open(req_path) as f:
             assert expected_req == f.read().strip()
 
@@ -371,7 +371,7 @@ def test_requirement_source_fix_rollback_failure(monkeypatch, req_file):
     req_paths = [req_file(), req_file()]
 
     # Populate the requirements files
-    for input_req, req_path in zip(input_reqs, req_paths):
+    for input_req, req_path in zip(input_reqs, req_paths, strict=True):
         with open(req_path, "w") as f:
             f.write(input_req)
 
@@ -398,7 +398,7 @@ def mock_seek(*_args, **_kwargs):
     # fix. The first requirements file contains the fix, while the second one doesn't since we were
     # in the process of writing it out and didn't flush.
     expected_reqs = ["flask==1.0", "flask==0.5\nrequests==2.0\nflask==0.3"]
-    for expected_req, req_path in zip(expected_reqs, req_paths):
+    for expected_req, req_path in zip(expected_reqs, req_paths, strict=True):
         with open(req_path) as f:
             assert expected_req == f.read().strip()
 
diff --git a/test/format/test_columns.py b/test/format/test_columns.py
@@ -16,7 +16,7 @@ def test_columns(vuln_data):
 foo  1.0     VULN-0 1.1,1.4      CVE-0000-00000 The first vulnerability
 foo  1.0     VULN-1 1.0          CVE-0000-00001 The second vulnerability
 bar  0.1     VULN-2              CVE-0000-00002 The third vulnerability"""
-    assert columns_format.format(vuln_data, list()) == expected_columns
+    assert columns_format.format(vuln_data, []) == expected_columns
 
 
 def test_columns_no_desc(vuln_data):
@@ -26,7 +26,7 @@ def test_columns_no_desc(vuln_data):
 foo  1.0     VULN-0 1.1,1.4      CVE-0000-00000
 foo  1.0     VULN-1 1.0          CVE-0000-00001
 bar  0.1     VULN-2              CVE-0000-00002"""
-    assert columns_format.format(vuln_data, list()) == expected_columns
+    assert columns_format.format(vuln_data, []) == expected_columns
 
 
 def test_columns_no_desc_no_aliases(vuln_data):
@@ -36,7 +36,7 @@ def test_columns_no_desc_no_aliases(vuln_data):
 foo  1.0     VULN-0 1.1,1.4
 foo  1.0     VULN-1 1.0
 bar  0.1     VULN-2"""
-    assert columns_format.format(vuln_data, list()) == expected_columns
+    assert columns_format.format(vuln_data, []) == expected_columns
 
 
 def test_columns_skipped_dep(vuln_data_skipped_dep):
@@ -47,21 +47,21 @@ def test_columns_skipped_dep(vuln_data_skipped_dep):
 Name Skip Reason
 ---- -----------
 bar  skip-reason"""
-    assert columns_format.format(vuln_data_skipped_dep, list()) == expected_columns
+    assert columns_format.format(vuln_data_skipped_dep, []) == expected_columns
 
 
 def test_columns_no_vuln_data(no_vuln_data):
     columns_format = format.ColumnsFormat(False, True)
     expected_columns = ""
-    assert columns_format.format(no_vuln_data, list()) == expected_columns
+    assert columns_format.format(no_vuln_data, []) == expected_columns
 
 
 def test_column_no_vuln_data_skipped_dep(no_vuln_data_skipped_dep):
     columns_format = format.ColumnsFormat(False, True)
     expected_columns = """Name Skip Reason
 ---- -----------
 bar  skip-reason"""
-    assert columns_format.format(no_vuln_data_skipped_dep, list()) == expected_columns
+    assert columns_format.format(no_vuln_data_skipped_dep, []) == expected_columns
 
 
 def test_columns_fix(vuln_data, fix_data):
diff --git a/test/format/test_cyclonedx.py b/test/format/test_cyclonedx.py
@@ -20,22 +20,22 @@ def test_cyclonedx_inner_json(vuln_data):
 
     # We don't test CycloneDX's formatting/layout decisions, only that
     # the formatter emits correct JSON when initialized in JSON mode.
-    assert json.loads(formatter.format(vuln_data, list())) is not None
+    assert json.loads(formatter.format(vuln_data, [])) is not None
 
 
 def test_cyclonedx_inner_xml(vuln_data):
     formatter = CycloneDxFormat(inner_format=CycloneDxFormat.InnerFormat.Xml)
 
     # We don't test CycloneDX's formatting/layout decisions, only that
     # the formatter emits correct XML when initialized in XML mode.
-    assert ET.fromstring(formatter.format(vuln_data, list())) is not None
+    assert ET.fromstring(formatter.format(vuln_data, [])) is not None
 
 
 def test_cyclonedx_skipped_dep(vuln_data_skipped_dep):
     formatter = CycloneDxFormat(inner_format=CycloneDxFormat.InnerFormat.Json)
 
     # Just test that a skipped dependency doesn't cause the formatter to blow up
-    assert json.loads(formatter.format(vuln_data_skipped_dep, list())) is not None
+    assert json.loads(formatter.format(vuln_data_skipped_dep, [])) is not None
 
 
 def test_cyclonedx_fix(monkeypatch, vuln_data, fix_data):
@@ -61,7 +61,7 @@ def test_cyclonedx_vulnerabilities_linked_to_components(vuln_data):
     warning of breaking changes.
     """
     formatter = CycloneDxFormat(inner_format=CycloneDxFormat.InnerFormat.Json)
-    output = formatter.format(vuln_data, list())
+    output = formatter.format(vuln_data, [])
     data = json.loads(output)
 
     # Build a mapping of component names to their bom-refs
diff --git a/test/format/test_json.py b/test/format/test_json.py
diff --git a/test/format/test_markdown.py b/test/format/test_markdown.py
diff --git a/test/test_fix.py b/test/test_fix.py
diff --git a/test/test_virtual_env.py b/test/test_virtual_env.py
