feat: introduce the Ruff pre-commit hook to replace a bunch of other code formatters and linter hooks

.pre-commit-config.yaml

@@ -23,52 +23,14 @@ repos:
     name: Check conventional commit message
     stages: [commit-msg]
 
-# Sort imports.
-- repo: https://github.com/pycqa/isort
-  rev: 8.0.1
+# Ruff formats and lints code.
+- repo: https://github.com/astral-sh/ruff-pre-commit
+  rev: v0.15.17
   hooks:
-  - id: isort
-    name: Sort import statements
-    args: [--settings-path, pyproject.toml]
-    exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
-
-# Add Black code formatters.
-- repo: https://github.com/ambv/black
-  rev: 26.3.1
-  hooks:
-  - id: black
-    name: Format code
-    args: [--config, pyproject.toml, --target-version, py311]
-    exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
-- repo: https://github.com/asottile/blacken-docs
-  rev: 1.20.0
-  hooks:
-  - id: blacken-docs
-    name: Format code in docstrings
-    args: [--line-length, '120']
-    additional_dependencies: [black==26.3.1]
-
-# Upgrade and rewrite Python idioms.
-- repo: https://github.com/asottile/pyupgrade
-  rev: v3.21.2
-  hooks:
-  - id: pyupgrade
-    name: Upgrade code idioms
-    files: ^src/macaron/|^tests/
-    args: [--py311-plus]
-
-# Similar to pylint, with a few more/different checks. For more available
-# extensions: https://github.com/DmytroLitvinov/awesome-flake8-extensions
-- repo: https://github.com/pycqa/flake8
-  rev: 7.3.0
-  hooks:
-  - id: flake8
-    name: Check flake8 issues
-    files: ^src/macaron/|^tests/
-    types: [text, python]
-    additional_dependencies: [flake8-bugbear==25.11.29, flake8-builtins==3.1.0, flake8-comprehensions==3.17.0, flake8-docstrings==1.7.0, flake8-logging==1.8.0, flake8-mutable==1.2.0, flake8-noqa==1.5.0, flake8-print==5.0.0, flake8-pytest-style==2.2.0, flake8-rst-docstrings==0.4.0, pep8-naming==0.15.1]
-    exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
-    args: [--config, .flake8]
+  - id: ruff-format
+    args: [--config, pyproject.toml]
+  - id: ruff-check
+    args: [--config, pyproject.toml, --fix, --unsafe-fixes, --exit-non-zero-on-fix]
 
 # Check GitHub Actions workflow files.
 - repo: https://github.com/Mateusz-Grzelinski/actionlint-py
@@ -108,18 +70,6 @@ repos:
     exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
     args: [--show-traceback, --config-file, pyproject.toml]
 
-# Check for potential security issues.
-- repo: https://github.com/PyCQA/bandit
-  rev: 1.9.4
-  hooks:
-  - id: bandit
-    name: Check for security issues
-    args: [--configfile, pyproject.toml]
-    files: ^src/macaron/|^tests/
-    types: [text, python]
-    additional_dependencies: ['bandit[toml]']
-    exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
-
 # Enable a whole bunch of useful helper hooks, too.
 # See https://pre-commit.com/hooks.html for more hooks.
 - repo: https://github.com/pre-commit/pre-commit-hooks

Makefile

@@ -313,12 +313,10 @@ audit:
 	python -m pip_audit --skip-editable --desc on --fix --dry-run --ignore-vuln GHSA-vfmq-68hx-4jfw
 
 # Run some or all checks over the package code base.
-.PHONY: check check-code check-bandit check-flake8 check-lint check-mypy check-go check-actionlint
-check-code: check-bandit check-flake8 check-lint check-mypy check-go check-actionlint
-check-bandit:
-	pre-commit run bandit --all-files
-check-flake8:
-	pre-commit run flake8 --all-files
+.PHONY: check check-code check-ruff check-lint check-mypy check-go check-actionlint
+check-code: check-ruff check-lint check-mypy check-go check-actionlint
+check-ruff:
+	pre-commit run ruff-check --all-files
 check-lint:
 	pre-commit run pylint --all-files
 check-mypy:

pyproject.toml

@@ -122,20 +122,6 @@ Documentation = "https://oracle.github.io/macaron/index.html"
 Issues = "https://github.com/oracle/macaron/issues"
 
 
-# https://bandit.readthedocs.io/en/latest/config.html
-# Skip test B101 because of issue https://github.com/PyCQA/bandit/issues/457
-[tool.bandit]
-tests = []
-skips = ["B101"]
-exclude_dirs = ["tests/malware_analyzer/pypi/resources/sourcecode_samples"]
-
-
-# https://github.com/psf/black#configuration
-[tool.black]
-line-length = 120
-force-exclude = ["tests/malware_analyzer/pypi/resources/sourcecode_samples/"]
-
-
 # https://github.com/commitizen-tools/commitizen
 # https://commitizen-tools.github.io/commitizen/bump/
 [tool.commitizen]
@@ -181,15 +167,6 @@ exclude = [
 ]
 
 
-# https://pycqa.github.io/isort/
-[tool.isort]
-profile = "black"
-multi_line_output = 3
-line_length = 120
-skip_gitignore = true
-filter_files = true
-
-
 # https://mypy.readthedocs.io/en/stable/config_file.html#using-a-pyproject-toml
 [tool.mypy]
 show_error_codes = true
@@ -304,3 +281,56 @@ filterwarnings = [
     "ignore::DeprecationWarning:cyclonedx.model.tool",
     "error::DeprecationWarning:pkg_resources",
 ]
+
+
+# https://docs.astral.sh/ruff/formatter/
+# https://docs.astral.sh/ruff/linter/
+[tool.ruff]
+line-length = 120
+
+[tool.ruff.format]
+exclude = [
+    "tests/malware_analyzer/pypi/resources/sourcecode_samples/**/*.py",
+]
+docstring-code-format = true
+docstring-code-line-length = 88
+
+# https://docs.astral.sh/ruff/configuration/
+# https://docs.astral.sh/ruff/rules/
+[tool.ruff.lint]
+exclude = ["docs/*"]
+select = [
+    "A",  # flake8-builtins
+    "B",  # flake8-bugbear
+    "C4",  # flake8-comprehensions
+    "E",  # pycodestyle
+    "F",  # pyflakes
+    "I",  # isort
+    "LOG",  # flake8-logging
+    "N",  # pep8-naming
+    "PT",  # flake8-pytest-style
+    "PYI",  # flake8-pyi
+    "S",  # flake8-bandit
+    "T20",  # flake8-print
+    "UP",  # pyupgrade
+]
+ignore = [
+    "E203",  # E203: whitespace before ‘,’, ‘;’, or ‘:’ (not Black compliant)
+    "E501",  # E501: line too long (managed better by Bugbear's B950)
+]
+
+[tool.ruff.lint.flake8-pytest-style]
+fixture-parentheses = true
+
+[tool.ruff.lint.per-file-ignores]
+"tests/*" = [
+    "S101",  # S101 Use of `assert` detected
+    "T201",  # T201 `print` found
+]
+"tests/malware_analyzer/pypi/resources/sourcecode_samples/**/*" = [
+    "A",  # flake8-builtins
+    "E",  # pycodestyle
+    "F",  # pyflakes
+    "N",  # pep8-naming
+    "S",  # flake8-bandit
+]

scripts/actions/write_job_summary.py

@@ -90,7 +90,7 @@ def _write_header(
         vsa_path = _env("VSA_PATH", f"{output_dir}/vsa.intoto.jsonl")
         policy_succeeded = bool(vsa_path) and Path(vsa_path).is_file()
 
-    _append_line(summary_path, "<h2 id=\"macaron-analysis-summary\">Macaron Analysis Results</h2>")
+    _append_line(summary_path, '<h2 id="macaron-analysis-summary">Macaron Analysis Results</h2>')
     _append_line(summary_path)
     if upload_reports:
         _append_line(summary_path, "Download reports from this artifact link:")
@@ -157,7 +157,7 @@ def _query_selected_columns(
     if not selected:
         return [], []
 
-    sql = f"SELECT {', '.join(selected)} FROM {table_name}"
+    sql = f"SELECT {', '.join(selected)} FROM {table_name}"  # noqa: S608
     if where_clause:
         sql = f"{sql} WHERE {where_clause}"
     sql = f"{sql} ORDER BY 1"
@@ -373,7 +373,7 @@ def write_compact_gha_vuln_diagnostics(summary_path: Path, columns: list[str], r
     _append_line(summary_path)
     _append_line(
         summary_path,
-        "<h2 id=\"macaron-full-findings-remediation-details\">Full Findings and Remediation Details</h2>",
+        '<h2 id="macaron-full-findings-remediation-details">Full Findings and Remediation Details</h2>',
     )
     _append_line(summary_path)
     _append_line(summary_path, "<details>")
@@ -498,7 +498,7 @@ def _write_existing_policy_failure_diagnostics(
             cols, rows = _query_sql(conn, sql_query)
         if cols and rows:
             _append_line(summary_path)
-            _append_line(summary_path, f"#### Results")
+            _append_line(summary_path, "#### Results")
             if policy_name == "check-github-actions":
                 rendered = write_compact_gha_vuln_diagnostics(summary_path, cols, rows)
             else:

src/macaron/build_spec_generator/build_spec_generator.py

@@ -1,12 +1,12 @@
-# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2025 - 2026, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the functions used for generating build specs from the Macaron database."""
 
 import json
 import logging
 import os
-from enum import Enum
+from enum import StrEnum
 
 from packageurl import PackageURL
 from sqlalchemy import create_engine
@@ -23,7 +23,7 @@
 logger: logging.Logger = logging.getLogger(__name__)
 
 
-class BuildSpecFormat(str, Enum):
+class BuildSpecFormat(StrEnum):
     """The build spec formats that we support."""
 
     REPRODUCIBLE_CENTRAL = "rc-buildspec"

src/macaron/build_spec_generator/cli_command_parser/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2025 - 2026, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contain the base classes cli command parsers related."""
@@ -7,7 +7,7 @@
 from abc import abstractmethod
 from collections.abc import Mapping
 from dataclasses import dataclass
-from enum import Enum
+from enum import StrEnum
 from typing import Any, Generic, Protocol, TypeGuard, TypeVar
 
 
@@ -93,7 +93,7 @@ def get_patch_type_str(self) -> str:
         raise NotImplementedError()
 
 
-class PatchCommandBuildTool(str, Enum):
+class PatchCommandBuildTool(StrEnum):
     """Build tool supported for CLICommand patching."""
 
     MAVEN = "maven"

src/macaron/build_spec_generator/common_spec/core.py

@@ -7,7 +7,7 @@
 import pprint
 import shlex
 from collections.abc import Sequence
-from enum import Enum
+from enum import Enum, StrEnum
 from importlib import metadata as importlib_metadata
 
 import sqlalchemy.orm
@@ -47,7 +47,7 @@ class LANGUAGES(Enum):
     PYPI = "python"
 
 
-class MacaronBuildToolName(str, Enum):
+class MacaronBuildToolName(StrEnum):
     """Represent the name of a build tool that Macaron stores in the database.
 
     This doesn't cover all build tools that Macaron supports, and ONLY includes the ones that we

src/macaron/build_spec_generator/common_spec/jdk_finder.py

@@ -8,7 +8,7 @@
 import tempfile
 import urllib.parse
 import zipfile
-from enum import Enum
+from enum import Enum, StrEnum
 
 import requests
 
@@ -19,7 +19,7 @@
 logger: logging.Logger = logging.getLogger(__name__)
 
 
-class JavaArtifactExt(str, Enum):
+class JavaArtifactExt(StrEnum):
     """The extensions for Java artifacts."""
 
     JAR = ".jar"
@@ -87,10 +87,14 @@ def join_remote_maven_repo_url(
     Examples
     --------
     >>> remote_maven_repo = "https://repo1.maven.org/maven2"
-    >>> artifact_path = "io/liftwizard/liftwizard-checkstyle/2.1.22/liftwizard-checkstyle-2.1.22.jar"
+    >>> artifact_path = (
+    ...     "io/liftwizard/liftwizard-checkstyle/2.1.22/liftwizard-checkstyle-2.1.22.jar"
+    ... )
     >>> join_remote_maven_repo_url(remote_maven_repo, artifact_path)
     'https://repo1.maven.org/maven2/io/liftwizard/liftwizard-checkstyle/2.1.22/liftwizard-checkstyle-2.1.22.jar'
-    >>> join_remote_maven_repo_url(remote_maven_repo, "io/liftwizard/liftwizard-checkstyle/2.1.22/")
+    >>> join_remote_maven_repo_url(
+    ...     remote_maven_repo, "io/liftwizard/liftwizard-checkstyle/2.1.22/"
+    ... )
     'https://repo1.maven.org/maven2/io/liftwizard/liftwizard-checkstyle/2.1.22/'
     >>> join_remote_maven_repo_url(f"{remote_maven_repo}/", artifact_path)
     'https://repo1.maven.org/maven2/io/liftwizard/liftwizard-checkstyle/2.1.22/liftwizard-checkstyle-2.1.22.jar'

src/macaron/build_spec_generator/common_spec/pypi_spec.py

@@ -106,7 +106,6 @@ def resolve_fields(self, purl: PackageURL) -> None:
 
         if pypi_package_json is not None:
             if pypi_package_json.package_json or pypi_package_json.download(dest=""):
-
                 # Get the Python constraints from the PyPI JSON response.
                 json_releases = pypi_package_json.get_releases()
                 if json_releases:

src/macaron/build_spec_generator/dockerfile/pypi_dockerfile_output.py

@@ -124,9 +124,9 @@ def gen_dockerfile(buildspec: BaseBuildSpecDict) -> str:
     EOF
 
     # Run the build
-    RUN source /deps/bin/activate && /deps/bin/pip install wheel && {modern_build_command
-                                                                     if version in SpecifierSet(">=3.6")
-                                                                     else legacy_build_command}
+    RUN source /deps/bin/activate && /deps/bin/pip install wheel && {
+        modern_build_command if version in SpecifierSet(">=3.6") else legacy_build_command
+    }
 
     # Validate script
     RUN cat <<'EOF' >/validate

src/macaron/build_spec_generator/reproducible_central/reproducible_central.py

@@ -4,7 +4,7 @@
 """This module contains the logic to generate a build spec in the Reproducible Central format."""
 
 import logging
-from enum import Enum
+from enum import StrEnum
 
 import importlib_metadata
 
@@ -46,7 +46,7 @@
 """
 
 
-class ReproducibleCentralBuildTool(str, Enum):
+class ReproducibleCentralBuildTool(StrEnum):
     """Represent the name of the build tool used in the Reproducible Central's Buildspec.
 
     https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/doc/BUILDSPEC.md