Drop Python 2 Support

[lukehinds]

Python 2 is well beyond EOL now and will soon be removed from
github's workflows

This PR seeks to remove all calls / references and tests that
rely on Python 2.

• Remove six imports and six.Py2 conditionals
• Remove Py2 calls from github workflows
• Merged example files (e.g exec-py2.py|exec-py3.py > exec.py)
• Removed py2 env from setuptools
• Removed py2 env from tox

Resolves: #584

[lukehinds]

hi @ericwb / @sigmavirus24

A six.Py2 section I was not sure how to handle and wanted your input:

arg_name = name.id if six.PY2 else name.arg from bandit/plugins/django_xss.py

def evaluate_var(xss_var, parent, until, ignore_nodes=None):
   secure = False
   if isinstance(xss_var, ast.Name):
       if isinstance(parent, ast.FunctionDef):
           for name in parent.args.args:
               arg_name = name.id if six.PY2 else name.arg
               if arg_name == xss_var.id:
                   return False  # Params are not secure

I have never seen a conditional following a declaration like that, but figured it might be a six way of doing things.

Looks like we can just remove if six.PY2 else name.arg:

 for name in parent.args.args:
    arg_name = name.id

[sigmavirus24]

You return .id if it's python 2 otherwise use .arg so we should replace everything after the = up to, and including, the else.

This is a Python ternary, I agree they can be disorienting at times

[lukehinds]

How's this @sigmavirus24

5262e9b

[sigmavirus24]

See also https://book.pythontips.com/en/latest/ternary_operators.html#ternary-operators

[ericwb]

Thanks for working on this.

[ericwb]

Can you also add python_requires='>=3.5' to strict enforcing versions where it can be installed.

https://packaging.python.org/guides/dropping-older-python-versions/#specify-the-version-ranges-for-supported-python-distributions

[lukehinds]

Should I squash and merge @ericwb , do we need an ack from @sigmavirus24 ?

[ericwb]

@lukehinds Looks like there are still some things to fix up in the build.

[lukehinds]

@ericwb removed B322 inline with #596

Was not sure if I should leave B322 as a gap or I should count -1 on the other remain tests. So for example B323 becomes B322, B324 becomes B323 etc. I was thinking around folks who are cherry picking tests to run and if we increment down, they may end up having an incorrect mapping.

[ericwb]

Yes, we have to keep legacy numbers for historical reasons as to not break users including/excluding certain numbers. We have other examples where we leave the documentation for the ID, but indicate to the users that the test has been removed.

[lukehinds]

@sigmavirus24 / @ericwb

Seeing this failure a lot, any ideas, have you come across it before:

 Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):

      File "/home/runner/work/bandit/bandit/tests/functional/test_baseline.py", line 248, in test_new_candidates_include_nosec_only_nosecs
    self.assertIn(new_candidates_some_total_lines, return_value)

      File "/home/runner/work/bandit/bandit/.tox/py35/lib/python3.5/site-packages/testtools/testcase.py", line 421, in assertIn
    self.assertThat(haystack, Contains(needle), message)

      File "/home/runner/work/bandit/bandit/.tox/py35/lib/python3.5/site-packages/testtools/testcase.py", line 502, in assertThat
    raise mismatch_error

    testtools.matchers._impl.MismatchError: 'Total lines of code: 9' not in ''

[sigmavirus24]

I haven't come across it before but I'm unsurprised that checking the output seems to be causing us grief here.

I wonder if we can change our helper function to give us more detail here. I wonder if we could use check_output instead of subprocess.Popen.

[ericwb]

Rather than trying to drop all of Py2 references in one PR, might be better to do incremental changes starting with the dropping of build of 2.7 and installability of 2.7.

[ericwb]

@lukehinds I pushed a commit to do the bare minimum to remove Py2.7. Please rebase and resolve conflicts.

[lukehinds]

thanks @ericwb , I am still working through this, but its a huge list of stuff breaking - quite surprised at how much this has broken.

[ericwb]

Think this can be closed, as changes were made in various other PRs, namely: #674, #662, #615, etc