Store current TokenKind on Parser

## Summary

This PR removes the `allow_trailing_comma` parameter from list parsing
because it can be inferred using the recovery context kind.

.gitattributes

@@ -2,6 +2,8 @@
 
 crates/ruff_linter/resources/test/fixtures/isort/line_ending_crlf.py text eol=crlf
 crates/ruff_linter/resources/test/fixtures/pycodestyle/W605_1.py text eol=crlf
+crates/ruff_linter/resources/test/fixtures/pycodestyle/W391_2.py text eol=crlf
+crates/ruff_linter/resources/test/fixtures/pycodestyle/W391_3.py text eol=crlf
 
 crates/ruff_python_formatter/resources/test/fixtures/ruff/docstring_code_examples_crlf.py text eol=crlf
 crates/ruff_python_formatter/tests/snapshots/format@docstring_code_examples_crlf.py.snap text eol=crlf

.github/ISSUE_TEMPLATE.md

@@ -3,6 +3,8 @@ Thank you for taking the time to report an issue! We're glad to have you involve
 
 If you're filing a bug report, please consider including the following information:
 
+* List of keywords you searched for before creating this issue. Write them down here so that others can find this issue more easily and help provide feedback.
+  e.g. "RUF001", "unused variable", "Jupyter notebook"
 * A minimal code snippet that reproduces the bug.
 * The command you invoked (e.g., `ruff /path/to/file.py --fix`), ideally including the `--isolated` flag.
 * The current Ruff settings (any relevant sections from your `pyproject.toml`).

.github/workflows/release.yaml

@@ -28,7 +28,6 @@ env:
   CARGO_NET_RETRY: 10
   CARGO_TERM_COLOR: always
   RUSTUP_MAX_RETRIES: 10
-  MATURIN_VERSION: "1.4.0"
 
 jobs:
   sdist:
@@ -45,7 +44,6 @@ jobs:
       - name: "Build sdist"
         uses: PyO3/maturin-action@v1
         with:
-          maturin-version: ${{ env.MATURIN_VERSION }}
           command: sdist
           args: --out dist
       - name: "Test sdist"
@@ -74,7 +72,6 @@ jobs:
       - name: "Build wheels - x86_64"
         uses: PyO3/maturin-action@v1
         with:
-          maturin-version: ${{ env.MATURIN_VERSION }}
           target: x86_64
           args: --release --locked --out dist
       - name: "Test wheel - x86_64"
@@ -115,7 +112,6 @@ jobs:
       - name: "Build wheels - universal2"
         uses: PyO3/maturin-action@v1
         with:
-          maturin-version: ${{ env.MATURIN_VERSION }}
           args: --release --locked --target universal2-apple-darwin --out dist
       - name: "Test wheel - universal2"
         run: |
@@ -164,7 +160,6 @@ jobs:
       - name: "Build wheels"
         uses: PyO3/maturin-action@v1
         with:
-          maturin-version: ${{ env.MATURIN_VERSION }}
           target: ${{ matrix.platform.target }}
           args: --release --locked --out dist
       - name: "Test wheel"
@@ -213,7 +208,6 @@ jobs:
       - name: "Build wheels"
         uses: PyO3/maturin-action@v1
         with:
-          maturin-version: ${{ env.MATURIN_VERSION }}
           target: ${{ matrix.target }}
           manylinux: auto
           args: --release --locked --out dist
@@ -276,7 +270,6 @@ jobs:
       - name: "Build wheels"
         uses: PyO3/maturin-action@v1
         with:
-          maturin-version: ${{ env.MATURIN_VERSION }}
           target: ${{ matrix.platform.target }}
           manylinux: auto
           docker-options: ${{ matrix.platform.maturin_docker_options }}
@@ -333,7 +326,6 @@ jobs:
       - name: "Build wheels"
         uses: PyO3/maturin-action@v1
         with:
-          maturin-version: ${{ env.MATURIN_VERSION }}
           target: ${{ matrix.target }}
           manylinux: musllinux_1_2
           args: --release --locked --out dist
@@ -389,7 +381,6 @@ jobs:
       - name: "Build wheels"
         uses: PyO3/maturin-action@v1
         with:
-          maturin-version: ${{ env.MATURIN_VERSION }}
           target: ${{ matrix.platform.target }}
           manylinux: musllinux_1_2
           args: --release --locked --out dist
@@ -526,7 +517,7 @@ jobs:
           path: binaries
           merge-multiple: true
       - name: "Publish to GitHub"
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           draft: true
           files: binaries/*

CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## 0.3.2
+
+### Preview features
+
+- Improve single-`with` item formatting for Python 3.8 or older ([#10276](https://github.com/astral-sh/ruff/pull/10276))
+
+### Rule changes
+
+- \[`pyupgrade`\] Allow fixes for f-string rule regardless of line length (`UP032`) ([#10263](https://github.com/astral-sh/ruff/pull/10263))
+- \[`pycodestyle`\] Include actual conditions in E712 diagnostics ([#10254](https://github.com/astral-sh/ruff/pull/10254))
+
+### Bug fixes
+
+- Fix trailing kwargs end of line comment after slash ([#10297](https://github.com/astral-sh/ruff/pull/10297))
+- Fix unstable `with` items formatting ([#10274](https://github.com/astral-sh/ruff/pull/10274))
+- Avoid repeating function calls in f-string conversions ([#10265](https://github.com/astral-sh/ruff/pull/10265))
+- Fix E203 false positive for slices in format strings ([#10280](https://github.com/astral-sh/ruff/pull/10280))
+- Fix incorrect `Parameter` range  for `*args` and `**kwargs`  ([#10283](https://github.com/astral-sh/ruff/pull/10283))
+- Treat `typing.Annotated` subscripts as type definitions ([#10285](https://github.com/astral-sh/ruff/pull/10285))
+
 ## 0.3.1
 
 ### Preview features

CONTRIBUTING.md

@@ -329,13 +329,13 @@ even patch releases may contain [non-backwards-compatible changes](https://semve
 
 ### Creating a new release
 
-We use an experimental in-house tool for managing releases.
-
-1. Install `rooster`: `pip install git+https://github.com/zanieb/rooster@main`
-1. Run `rooster release`; this command will:
+1. Install `uv`: `curl -LsSf https://astral.sh/uv/install.sh | sh`
+1. Run `./scripts/release/bump.sh`; this command will:
+    - Generate a temporary virtual environment with `rooster`
     - Generate a changelog entry in `CHANGELOG.md`
     - Update versions in `pyproject.toml` and `Cargo.toml`
     - Update references to versions in the `README.md` and documentation
+    - Display contributors for the release
 1. The changelog should then be editorialized for consistency
     - Often labels will be missing from pull requests they will need to be manually organized into the proper section
     - Changes should be edited to be user-facing descriptions, avoiding internal details
@@ -359,7 +359,7 @@ We use an experimental in-house tool for managing releases.
     1. Open the draft release in the GitHub release section
     1. Copy the changelog for the release into the GitHub release
         - See previous releases for formatting of section headers
-    1. Generate the contributor list with `rooster contributors` and add to the release notes
+    1. Append the contributors from the `bump.sh` script
 1. If needed, [update the schemastore](https://github.com/astral-sh/ruff/blob/main/scripts/update_schemastore.py).
     1. One can determine if an update is needed when
         `git diff old-version-tag new-version-tag -- ruff.schema.json` returns a non-empty diff.

Cargo.lock

@@ -270,9 +270,9 @@ dependencies = [
 
 [[package]]
 name = "chrono"
-version = "0.4.34"
+version = "0.4.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5bc015644b92d5890fab7489e49d21f879d5c990186827d42ec511919404f38b"
+checksum = "8eaf5903dcbc0a39312feb77df2ff4c76387d591b9fc7b04a238dcf8bb62639a"
 dependencies = [
  "android-tzdata",
  "iana-time-zone",
@@ -309,9 +309,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.1"
+version = "4.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c918d541ef2913577a0f9566e9ce27cb35b6df072075769e0b26cb5a554520da"
+checksum = "b230ab84b0ffdf890d5a10abdbc8b83ae1c4918275daea1ab8801f71536b2651"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -319,9 +319,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.1"
+version = "4.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f3e7391dad68afb0c2ede1bf619f579a3dc9c2ec67f089baa397123a2f3d1eb"
+checksum = "ae129e2e766ae0ec03484e609954119f123cc1fe650337e155d03b022f24f7b4"
 dependencies = [
  "anstream",
  "anstyle",
@@ -528,6 +528,19 @@ dependencies = [
  "itertools 0.10.5",
 ]
 
+[[package]]
+name = "crossbeam"
+version = "0.8.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1137cd7e7fc0fb5d3c5a8678be38ec56e819125d8d7907411fe24ccb943faca8"
+dependencies = [
+ "crossbeam-channel",
+ "crossbeam-deque",
+ "crossbeam-epoch",
+ "crossbeam-queue",
+ "crossbeam-utils",
+]
+
 [[package]]
 name = "crossbeam-channel"
 version = "0.5.12"
@@ -556,6 +569,15 @@ dependencies = [
  "crossbeam-utils",
 ]
 
+[[package]]
+name = "crossbeam-queue"
+version = "0.3.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df0346b5d5e76ac2fe4e327c5fd1118d6be7c51dfb18f9b7922923f287471e35"
+dependencies = [
+ "crossbeam-utils",
+]
+
 [[package]]
 name = "crossbeam-utils"
 version = "0.8.19"
@@ -1156,10 +1178,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c"
 
 [[package]]
-name = "js-sys"
-version = "0.3.68"
+name = "jod-thread"
+version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "406cda4b368d531c842222cf9d2600a9a4acce8d29423695379c6868a143a9ee"
+checksum = "8b23360e99b8717f20aaa4598f5a6541efbe30630039fbc7706cf954a87947ae"
+
+[[package]]
+name = "js-sys"
+version = "0.3.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29c15563dc2726973df627357ce0c9ddddbea194836909d655df6a75d2cf296d"
 dependencies = [
  "wasm-bindgen",
 ]
@@ -1327,6 +1355,31 @@ version = "0.4.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "90ed8c1e510134f979dbc4f070f87d4313098b704861a105fe34231c70a3901c"
 
+[[package]]
+name = "lsp-server"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "248f65b78f6db5d8e1b1604b4098a28b43d21a8eb1deeca22b1c421b276c7095"
+dependencies = [
+ "crossbeam-channel",
+ "log",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "lsp-types"
+version = "0.95.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "158c1911354ef73e8fe42da6b10c0484cb65c7f1007f28022e847706c1ab6984"
+dependencies = [
+ "bitflags 1.3.2",
+ "serde",
+ "serde_json",
+ "serde_repr",
+ "url",
+]
+
 [[package]]
 name = "matchers"
 version = "0.1.0"
@@ -1950,7 +2003,7 @@ dependencies = [
 
 [[package]]
 name = "ruff"
-version = "0.3.1"
+version = "0.3.2"
 dependencies = [
  "anyhow",
  "argfile",
@@ -1982,6 +2035,7 @@ dependencies = [
  "ruff_notebook",
  "ruff_python_ast",
  "ruff_python_formatter",
+ "ruff_server",
  "ruff_source_file",
  "ruff_text_size",
  "ruff_workspace",
@@ -1996,6 +2050,8 @@ dependencies = [
  "tikv-jemallocator",
  "toml",
  "tracing",
+ "tracing-subscriber",
+ "tracing-tree",
  "walkdir",
  "wild",
 ]
@@ -2111,7 +2167,7 @@ dependencies = [
 
 [[package]]
 name = "ruff_linter"
-version = "0.3.1"
+version = "0.3.2"
 dependencies = [
  "aho-corasick",
  "annotate-snippets 0.9.2",
@@ -2289,6 +2345,7 @@ dependencies = [
  "itertools 0.12.1",
  "lexical-parse-float",
  "rand",
+ "ruff_python_ast",
  "unic-ucd-category",
 ]
 
@@ -2296,9 +2353,11 @@ dependencies = [
 name = "ruff_python_parser"
 version = "0.0.0"
 dependencies = [
+ "annotate-snippets 0.9.2",
  "anyhow",
  "bitflags 2.4.2",
  "bstr",
+ "drop_bomb",
  "insta",
  "is-macro",
  "itertools 0.12.1",
@@ -2306,6 +2365,7 @@ dependencies = [
  "lalrpop-util",
  "memchr",
  "ruff_python_ast",
+ "ruff_source_file",
  "ruff_text_size",
  "rustc-hash",
  "static_assertions",
@@ -2360,9 +2420,38 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "ruff_server"
+version = "0.2.2"
+dependencies = [
+ "anyhow",
+ "crossbeam",
+ "insta",
+ "jod-thread",
+ "libc",
+ "lsp-server",
+ "lsp-types",
+ "ruff_diagnostics",
+ "ruff_formatter",
+ "ruff_linter",
+ "ruff_python_ast",
+ "ruff_python_codegen",
+ "ruff_python_formatter",
+ "ruff_python_index",
+ "ruff_python_parser",
+ "ruff_source_file",
+ "ruff_text_size",
+ "ruff_workspace",
+ "rustc-hash",
+ "serde",
+ "serde_json",
+ "similar",
+ "tracing",
+]
+
 [[package]]
 name = "ruff_shrinking"
-version = "0.3.1"
+version = "0.3.2"
 dependencies = [
  "anyhow",
  "clap",
@@ -2631,6 +2720,17 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "serde_repr"
+version = "0.1.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b2e6b945e9d3df726b65d6ee24060aff8e3533d431f677a9695db04eff9dfdb"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.52",
+]
+
 [[package]]
 name = "serde_spanned"
 version = "0.6.5"
@@ -2954,22 +3054,6 @@ dependencies = [
  "tikv-jemalloc-sys",
 ]
 
-[[package]]
-name = "time"
-version = "0.3.20"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd0cbfecb4d19b5ea75bb31ad904eb5b9fa13f21079c3b92017ebdf4999a5890"
-dependencies = [
- "serde",
- "time-core",
-]
-
-[[package]]
-name = "time-core"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2e153e1f1acaef8acc537e68b44906d2db6436e2b35ac2c6b42640fff91f00fd"
-
 [[package]]
 name = "tiny-keccak"
 version = "2.0.2"
@@ -3083,6 +3167,17 @@ dependencies = [
  "tracing-subscriber",
 ]
 
+[[package]]
+name = "tracing-log"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f751112709b4e791d8ce53e32c4ed2d353565a795ce84da2285393f41557bdf2"
+dependencies = [
+ "log",
+ "once_cell",
+ "tracing-core",
+]
+
 [[package]]
 name = "tracing-log"
 version = "0.2.0"
@@ -3109,7 +3204,19 @@ dependencies = [
  "thread_local",
  "tracing",
  "tracing-core",
- "tracing-log",
+ "tracing-log 0.2.0",
+]
+
+[[package]]
+name = "tracing-tree"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2ec6adcab41b1391b08a308cc6302b79f8095d1673f6947c2dc65ffb028b0b2d"
+dependencies = [
+ "nu-ansi-term",
+ "tracing-core",
+ "tracing-log 0.1.4",
+ "tracing-subscriber",
 ]
 
 [[package]]
@@ -3195,9 +3302,9 @@ checksum = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
 
 [[package]]
 name = "unicode_names2"
-version = "1.2.1"
+version = "1.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac64ef2f016dc69dfa8283394a70b057066eb054d5fcb6b9eb17bd2ec5097211"
+checksum = "addeebf294df7922a1164f729fb27ebbbcea99cc32b3bf08afab62757f707677"
 dependencies = [
  "phf",
  "unicode_names2_generator",
@@ -3205,15 +3312,14 @@ dependencies = [
 
 [[package]]
 name = "unicode_names2_generator"
-version = "1.2.1"
+version = "1.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "013f6a731e80f3930de580e55ba41dfa846de4e0fdee4a701f97989cb1597d6a"
+checksum = "f444b8bba042fe3c1251ffaca35c603f2dc2ccc08d595c65a8c4f76f3e8426c0"
 dependencies = [
  "getopts",
  "log",
  "phf_codegen",
  "rand",
- "time",
 ]
 
 [[package]]
@@ -3352,9 +3458,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.91"
+version = "0.2.92"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1e124130aee3fb58c5bdd6b639a0509486b0338acaaae0c84a5124b0f588b7f"
+checksum = "4be2531df63900aeb2bca0daaaddec08491ee64ceecbee5076636a3b026795a8"
 dependencies = [
  "cfg-if",
  "wasm-bindgen-macro",
@@ -3362,9 +3468,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.91"
+version = "0.2.92"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c9e7e1900c352b609c8488ad12639a311045f40a35491fb69ba8c12f758af70b"
+checksum = "614d787b966d3989fa7bb98a654e369c762374fd3213d212cfc0251257e747da"
 dependencies = [
  "bumpalo",
  "log",
@@ -3389,9 +3495,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.91"
+version = "0.2.92"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b30af9e2d358182b5c7449424f017eba305ed32a7010509ede96cdc4696c46ed"
+checksum = "a1f8823de937b71b9460c0c34e25f3da88250760bec0ebac694b49997550d726"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -3399,9 +3505,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.91"
+version = "0.2.92"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "642f325be6301eb8107a83d12a8ac6c1e1c54345a7ef1a9261962dfefda09e66"
+checksum = "e94f17b526d0a461a191c78ea52bbce64071ed5c04c9ffe424dcb38f74171bb7"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3412,9 +3518,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.91"
+version = "0.2.92"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f186bd2dcf04330886ce82d6f33dd75a7bfcf69ecf5763b89fcde53b6ac9838"
+checksum = "af190c94f2773fdb3729c55b007a722abb5384da03bc0986df4c289bf5567e96"
 
 [[package]]
 name = "wasm-bindgen-test"

Cargo.toml

@@ -21,8 +21,8 @@ bincode = { version = "1.3.3" }
 bitflags = { version = "2.4.1" }
 bstr = { version = "1.9.1" }
 cachedir = { version = "0.3.1" }
-chrono = { version = "0.4.34", default-features = false, features = ["clock"] }
-clap = { version = "4.5.1", features = ["derive"] }
+chrono = { version = "0.4.35", default-features = false, features = ["clock"] }
+clap = { version = "4.5.2", features = ["derive"] }
 clap_complete_command = { version = "0.5.1" }
 clearscreen = { version = "2.0.0" }
 codspeed-criterion-compat = { version = "2.4.0", default-features = false }
@@ -32,6 +32,7 @@ console_error_panic_hook = { version = "0.1.7" }
 console_log = { version = "1.0.0" }
 countme = { version = "3.0.1" }
 criterion = { version = "0.5.1", default-features = false }
+crossbeam = { version = "0.8.4" }
 dirs = { version = "5.0.0" }
 drop_bomb = { version = "0.1.5" }
 env_logger = { version = "0.10.1" }
@@ -51,11 +52,15 @@ insta-cmd = { version = "0.4.0" }
 is-macro = { version = "0.3.5" }
 is-wsl = { version = "0.4.0" }
 itertools = { version = "0.12.1" }
-js-sys = { version = "0.3.67" }
+js-sys = { version = "0.3.69" }
+jod-thread = { version = "0.1.2" }
 lalrpop-util = { version = "0.20.0", default-features = false }
 lexical-parse-float = { version = "0.8.0", features = ["format"] }
+libc = { version = "0.2.153" }
 libcst = { version = "1.1.0", default-features = false }
 log = { version = "0.4.17" }
+lsp-server = { version = "0.7.6" }
+lsp-types = { version = "0.95.0", features = ["proposed"] }
 memchr = { version = "2.7.1" }
 mimalloc = { version = "0.1.39" }
 natord = { version = "1.0.9" }
@@ -97,16 +102,17 @@ toml = { version = "0.8.9" }
 tracing = { version = "0.1.40" }
 tracing-indicatif = { version = "0.3.6" }
 tracing-subscriber = { version = "0.3.18", features = ["env-filter"] }
+tracing-tree = { version = "0.2.4" }
 typed-arena = { version = "2.0.2" }
 unic-ucd-category = { version = "0.9" }
 unicode-ident = { version = "1.0.12" }
 unicode-width = { version = "0.1.11" }
-unicode_names2 = { version = "1.2.1" }
+unicode_names2 = { version = "1.2.2" }
 ureq = { version = "2.9.6" }
 url = { version = "2.5.0" }
 uuid = { version = "1.6.1", features = ["v4", "fast-rng", "macro-diagnostics", "js"] }
 walkdir = { version = "2.3.2" }
-wasm-bindgen = { version = "0.2.84" }
+wasm-bindgen = { version = "0.2.92" }
 wasm-bindgen-test = { version = "0.3.40" }
 wild = { version = "2" }
 

README.md

@@ -129,7 +129,7 @@ and with [a variety of other package managers](https://docs.astral.sh/ruff/insta
 To run Ruff as a linter, try any of the following:
 
 ```shell
-ruff check .                        # Lint all files in the current directory (and any subdirectories).
+ruff check                          # Lint all files in the current directory (and any subdirectories).
 ruff check path/to/code/            # Lint all files in `/path/to/code` (and any subdirectories).
 ruff check path/to/code/*.py        # Lint all `.py` files in `/path/to/code`.
 ruff check path/to/code/to/file.py  # Lint `file.py`.
@@ -139,7 +139,7 @@ ruff check @arguments.txt           # Lint using an input file, treating its con
 Or, to run Ruff as a formatter:
 
 ```shell
-ruff format .                        # Format all files in the current directory (and any subdirectories).
+ruff format                          # Format all files in the current directory (and any subdirectories).
 ruff format path/to/code/            # Format all files in `/path/to/code` (and any subdirectories).
 ruff format path/to/code/*.py        # Format all `.py` files in `/path/to/code`.
 ruff format path/to/code/to/file.py  # Format `file.py`.
@@ -151,7 +151,7 @@ Ruff can also be used as a [pre-commit](https://pre-commit.com/) hook via [`ruff
 ```yaml
 - repo: https://github.com/astral-sh/ruff-pre-commit
   # Ruff version.
-  rev: v0.3.1
+  rev: v0.3.2
   hooks:
     # Run the linter.
     - id: ruff
@@ -183,10 +183,9 @@ Ruff can be configured through a `pyproject.toml`, `ruff.toml`, or `.ruff.toml`
 [_Configuration_](https://docs.astral.sh/ruff/configuration/), or [_Settings_](https://docs.astral.sh/ruff/settings/)
 for a complete list of all configuration options).
 
-If left unspecified, Ruff's default configuration is equivalent to:
+If left unspecified, Ruff's default configuration is equivalent to the following `ruff.toml` file:
 
 ```toml
-[tool.ruff]
 # Exclude a variety of commonly ignored directories.
 exclude = [
     ".bzr",
@@ -224,7 +223,7 @@ indent-width = 4
 # Assume Python 3.8
 target-version = "py38"
 
-[tool.ruff.lint]
+[lint]
 # Enable Pyflakes (`F`) and a subset of the pycodestyle (`E`)  codes by default.
 select = ["E4", "E7", "E9", "F"]
 ignore = []
@@ -236,7 +235,7 @@ unfixable = []
 # Allow unused variables when underscore-prefixed.
 dummy-variable-rgx = "^(_+|(_+[a-zA-Z0-9_]*[a-zA-Z0-9]+?))$"
 
-[tool.ruff.format]
+[format]
 # Like Black, use double quotes for strings.
 quote-style = "double"
 
@@ -250,11 +249,20 @@ skip-magic-trailing-comma = false
 line-ending = "auto"
 ```
 
-Some configuration options can be provided via the command-line, such as those related to
-rule enablement and disablement, file discovery, and logging level:
+Note that, in a `pyproject.toml`, each section header should be prefixed with `tool.ruff`. For
+example, `[lint]` should be replaced with `[tool.ruff.lint]`.
+
+Some configuration options can be provided via dedicated command-line arguments, such as those
+related to rule enablement and disablement, file discovery, and logging level:
 
 ```shell
-ruff check path/to/code/ --select F401 --select F403 --quiet
+ruff check --select F401 --select F403 --quiet
+```
+
+The remaining configuration options can be provided through a catch-all `--config` argument:
+
+```shell
+ruff check --config "lint.per-file-ignores = {'some_file.py' = ['F841']}"
 ```
 
 See `ruff help` for more on Ruff's top-level commands, or `ruff help check` and `ruff help format`

crates/ruff/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "ruff"
-version = "0.3.1"
+version = "0.3.2"
 publish = false
 authors = { workspace = true }
 edition = { workspace = true }
@@ -20,6 +20,7 @@ ruff_macros = { path = "../ruff_macros" }
 ruff_notebook = { path = "../ruff_notebook" }
 ruff_python_ast = { path = "../ruff_python_ast" }
 ruff_python_formatter = { path = "../ruff_python_formatter" }
+ruff_server = { path = "../ruff_server" }
 ruff_source_file = { path = "../ruff_source_file" }
 ruff_text_size = { path = "../ruff_text_size" }
 ruff_workspace = { path = "../ruff_workspace" }
@@ -52,6 +53,8 @@ tempfile = { workspace = true }
 thiserror = { workspace = true }
 toml = { workspace = true }
 tracing = { workspace = true, features = ["log"] }
+tracing-subscriber = { workspace = true, features = ["registry"]}
+tracing-tree = { workspace = true }
 walkdir = { workspace = true }
 wild = { workspace = true }
 

crates/ruff/src/args.rs

@@ -126,6 +126,8 @@ pub enum Command {
     GenerateShellCompletion { shell: clap_complete_command::Shell },
     /// Run the Ruff formatter on the given files or directories.
     Format(FormatCommand),
+    /// Run the language server.
+    Server(ServerCommand),
     /// Display Ruff's version
     Version {
         #[arg(long, value_enum, default_value = "text")]
@@ -494,6 +496,13 @@ pub struct FormatCommand {
     pub range: Option<FormatRange>,
 }
 
+#[derive(Clone, Debug, clap::Parser)]
+pub struct ServerCommand {
+    /// Enable preview mode; required for regular operation
+    #[arg(long)]
+    pub(crate) preview: bool,
+}
+
 #[derive(Debug, Clone, Copy, clap::ValueEnum)]
 pub enum HelpFormat {
     Text,

crates/ruff/src/commands/mod.rs

@@ -7,6 +7,7 @@ pub(crate) mod format;
 pub(crate) mod format_stdin;
 pub(crate) mod linter;
 pub(crate) mod rule;
+pub(crate) mod server;
 pub(crate) mod show_files;
 pub(crate) mod show_settings;
 pub(crate) mod version;

crates/ruff/src/commands/server.rs

@@ -0,0 +1,73 @@
+use crate::ExitStatus;
+use anyhow::Result;
+use ruff_linter::logging::LogLevel;
+use ruff_server::Server;
+use tracing::{level_filters::LevelFilter, metadata::Level, subscriber::Interest, Metadata};
+use tracing_subscriber::{
+    layer::{Context, Filter, SubscriberExt},
+    Layer, Registry,
+};
+use tracing_tree::time::Uptime;
+
+pub(crate) fn run_server(preview: bool, log_level: LogLevel) -> Result<ExitStatus> {
+    if !preview {
+        tracing::error!("--preview needs to be provided as a command line argument while the server is still unstable.\nFor example: `ruff server --preview`");
+        return Ok(ExitStatus::Error);
+    }
+    let trace_level = if log_level == LogLevel::Verbose {
+        Level::TRACE
+    } else {
+        Level::DEBUG
+    };
+
+    let subscriber = Registry::default().with(
+        tracing_tree::HierarchicalLayer::default()
+            .with_indent_lines(true)
+            .with_indent_amount(2)
+            .with_bracketed_fields(true)
+            .with_targets(true)
+            .with_writer(|| Box::new(std::io::stderr()))
+            .with_timer(Uptime::default())
+            .with_filter(LoggingFilter { trace_level }),
+    );
+
+    tracing::subscriber::set_global_default(subscriber)?;
+
+    let server = Server::new()?;
+
+    server.run().map(|()| ExitStatus::Success)
+}
+
+struct LoggingFilter {
+    trace_level: Level,
+}
+
+impl LoggingFilter {
+    fn is_enabled(&self, meta: &Metadata<'_>) -> bool {
+        let filter = if meta.target().starts_with("ruff") {
+            self.trace_level
+        } else {
+            Level::INFO
+        };
+
+        meta.level() <= &filter
+    }
+}
+
+impl<S> Filter<S> for LoggingFilter {
+    fn enabled(&self, meta: &Metadata<'_>, _cx: &Context<'_, S>) -> bool {
+        self.is_enabled(meta)
+    }
+
+    fn callsite_enabled(&self, meta: &'static Metadata<'static>) -> Interest {
+        if self.is_enabled(meta) {
+            Interest::always()
+        } else {
+            Interest::never()
+        }
+    }
+
+    fn max_level_hint(&self) -> Option<LevelFilter> {
+        Some(LevelFilter::from_level(self.trace_level))
+    }
+}

crates/ruff/src/lib.rs

@@ -7,7 +7,7 @@ use std::process::ExitCode;
 use std::sync::mpsc::channel;
 
 use anyhow::Result;
-use args::GlobalConfigArgs;
+use args::{GlobalConfigArgs, ServerCommand};
 use clap::CommandFactory;
 use colored::Colorize;
 use log::warn;
@@ -190,6 +190,7 @@ pub fn run(
         }
         Command::Check(args) => check(args, global_options),
         Command::Format(args) => format(args, global_options),
+        Command::Server(args) => server(args, global_options.log_level()),
     }
 }
 
@@ -203,6 +204,12 @@ fn format(args: FormatCommand, global_options: GlobalConfigArgs) -> Result<ExitS
     }
 }
 
+#[allow(clippy::needless_pass_by_value)] // TODO: remove once we start taking arguments from here
+fn server(args: ServerCommand, log_level: LogLevel) -> Result<ExitStatus> {
+    let ServerCommand { preview } = args;
+    commands::server::run_server(preview, log_level)
+}
+
 pub fn check(args: CheckCommand, global_options: GlobalConfigArgs) -> Result<ExitStatus> {
     let (cli, config_arguments) = args.partition(global_options)?;
 

crates/ruff/src/printer.rs

@@ -118,6 +118,8 @@ impl Printer {
                 } else if remaining > 0 {
                     let s = if remaining == 1 { "" } else { "s" };
                     writeln!(writer, "Found {remaining} error{s}.")?;
+                } else if remaining == 0 {
+                    writeln!(writer, "All checks passed!")?;
                 }
 
                 if let Some(fixables) = fixables {

crates/ruff/tests/format.rs

@@ -23,7 +23,7 @@ fn default_options() {
         .arg("-")
         .pass_stdin(r#"
 def foo(arg1, arg2,):
-    print('Should\'t change quotes')
+    print('Shouldn\'t change quotes')
 
 
 if condition:
@@ -38,7 +38,7 @@ if condition:
         arg1,
         arg2,
     ):
-        print("Should't change quotes")
+        print("Shouldn't change quotes")
 
 
     if condition:
@@ -523,7 +523,7 @@ from module import =
     ----- stdout -----
 
     ----- stderr -----
-    error: Failed to parse main.py:2:20: Unexpected token '='
+    error: Failed to parse main.py:2:20: Unexpected token =
     "###);
 
     Ok(())

crates/ruff/tests/integration_test.rs

@@ -101,6 +101,7 @@ fn stdin_success() {
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     "###);
@@ -222,6 +223,7 @@ fn stdin_source_type_pyi() {
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     "###);
@@ -590,6 +592,7 @@ fn stdin_fix_when_no_issues_should_still_print_contents() {
     print(sys.version)
 
     ----- stderr -----
+    All checks passed!
     "###);
 }
 
@@ -728,11 +731,11 @@ fn stdin_parse_error() {
     success: false
     exit_code: 1
     ----- stdout -----
-    -:1:17: E999 SyntaxError: Unexpected token '='
+    -:1:17: E999 SyntaxError: Unexpected token =
     Found 1 error.
 
     ----- stderr -----
-    error: Failed to parse at 1:17: Unexpected token '='
+    error: Failed to parse at 1:17: Unexpected token =
     "###);
 }
 
@@ -1023,6 +1026,7 @@ fn preview_disabled_direct() {
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     warning: Selection `RUF911` has no effect because preview is not enabled.
@@ -1039,6 +1043,7 @@ fn preview_disabled_prefix_empty() {
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     warning: Selection `RUF91` has no effect because preview is not enabled.
@@ -1055,6 +1060,7 @@ fn preview_disabled_does_not_warn_for_empty_ignore_selections() {
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     "###);
@@ -1070,6 +1076,7 @@ fn preview_disabled_does_not_warn_for_empty_fixable_selections() {
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     "###);
@@ -1175,6 +1182,7 @@ fn removed_indirect() {
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     "###);
@@ -1205,6 +1213,7 @@ fn redirect_indirect() {
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     "###);
@@ -1307,6 +1316,7 @@ fn deprecated_indirect_preview_enabled() {
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     "###);
@@ -1383,6 +1393,7 @@ fn unreadable_dir() -> Result<()> {
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     warning: Encountered error: Permission denied (os error 13)
@@ -1897,6 +1908,7 @@ def log(x, base) -> float:
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     "###

crates/ruff/tests/lint.rs

@@ -496,6 +496,7 @@ ignore = ["D203", "D212"]
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     warning: No Python files found under the given path(s)
@@ -833,6 +834,7 @@ fn complex_config_setting_overridden_via_cli() -> Result<()> {
     success: true
     exit_code: 0
     ----- stdout -----
+    All checks passed!
 
     ----- stderr -----
     "###);

crates/ruff/tests/snapshots/integration_test__rule_f401.snap

@@ -34,6 +34,11 @@ marking it as unused, as in:
 from module import member as member
 ```
 
+## Fix safety
+
+When `ignore_init_module_imports` is disabled, fixes can remove for unused imports in `__init__` files.
+These fixes are considered unsafe because they can change the public interface.
+
 ## Example
 ```python
 import numpy as np  # unused import

crates/ruff/tests/snapshots/show_settings__display_default_settings.snap

@@ -52,6 +52,7 @@ file_resolver.exclude = [
 file_resolver.extend_exclude = [
 	"crates/ruff_linter/resources/",
 	"crates/ruff_python_formatter/resources/",
+	"crates/ruff_python_parser/resources/",
 ]
 file_resolver.force_exclude = false
 file_resolver.include = [
@@ -201,7 +202,7 @@ linter.allowed_confusables = []
 linter.builtins = []
 linter.dummy_variable_rgx = ^(_+|(_+[a-zA-Z0-9_]*[a-zA-Z0-9]+?))$
 linter.external = []
-linter.ignore_init_module_imports = false
+linter.ignore_init_module_imports = true
 linter.logger_objects = []
 linter.namespace_packages = []
 linter.src = [
@@ -241,7 +242,22 @@ linter.flake8_gettext.functions_names = [
 	ngettext,
 ]
 linter.flake8_implicit_str_concat.allow_multiline = true
-linter.flake8_import_conventions.aliases = {"matplotlib": "mpl", "matplotlib.pyplot": "plt", "pandas": "pd", "seaborn": "sns", "tensorflow": "tf", "networkx": "nx", "plotly.express": "px", "polars": "pl", "numpy": "np", "panel": "pn", "pyarrow": "pa", "altair": "alt", "tkinter": "tk", "holoviews": "hv"}
+linter.flake8_import_conventions.aliases = {
+	altair = alt,
+	holoviews = hv,
+	matplotlib = mpl,
+	matplotlib.pyplot = plt,
+	networkx = nx,
+	numpy = np,
+	pandas = pd,
+	panel = pn,
+	plotly.express = px,
+	polars = pl,
+	pyarrow = pa,
+	seaborn = sns,
+	tensorflow = tf,
+	tkinter = tk,
+}
 linter.flake8_import_conventions.banned_aliases = {}
 linter.flake8_import_conventions.banned_from = []
 linter.flake8_pytest_style.fixture_parentheses = true

crates/ruff_benchmark/benches/formatter.rs

@@ -7,7 +7,7 @@ use ruff_benchmark::{TestCase, TestFile, TestFileDownloadError};
 use ruff_python_formatter::{format_module_ast, PreviewMode, PyFormatOptions};
 use ruff_python_index::CommentRangesBuilder;
 use ruff_python_parser::lexer::lex;
-use ruff_python_parser::{allocate_tokens_vec, parse_tokens, Mode};
+use ruff_python_parser::{allocate_tokens_vec, parse_tokens, set_new_parser, Mode};
 
 #[cfg(target_os = "windows")]
 #[global_allocator]
@@ -42,6 +42,8 @@ fn create_test_cases() -> Result<Vec<TestCase>, TestFileDownloadError> {
 }
 
 fn benchmark_formatter(criterion: &mut Criterion) {
+    set_new_parser(true);
+
     let mut group = criterion.benchmark_group("formatter");
     let test_cases = create_test_cases().unwrap();
 

crates/ruff_benchmark/benches/lexer.rs

@@ -2,7 +2,7 @@ use ruff_benchmark::criterion::{
     criterion_group, criterion_main, measurement::WallTime, BenchmarkId, Criterion, Throughput,
 };
 use ruff_benchmark::{TestCase, TestFile, TestFileDownloadError};
-use ruff_python_parser::{lexer, Mode};
+use ruff_python_parser::{lexer, set_new_parser, Mode};
 
 #[cfg(target_os = "windows")]
 #[global_allocator]
@@ -37,6 +37,8 @@ fn create_test_cases() -> Result<Vec<TestCase>, TestFileDownloadError> {
 }
 
 fn benchmark_lexer(criterion: &mut Criterion<WallTime>) {
+    set_new_parser(true);
+
     let test_cases = create_test_cases().unwrap();
     let mut group = criterion.benchmark_group("lexer");
 

crates/ruff_benchmark/benches/linter.rs

@@ -10,7 +10,7 @@ use ruff_linter::settings::{flags, LinterSettings};
 use ruff_linter::source_kind::SourceKind;
 use ruff_linter::{registry::Rule, RuleSelector};
 use ruff_python_ast::PySourceType;
-use ruff_python_parser::{lexer, parse_program_tokens, Mode};
+use ruff_python_parser::{lexer, parse_program_tokens, set_new_parser, Mode};
 
 #[cfg(target_os = "windows")]
 #[global_allocator]
@@ -45,6 +45,8 @@ fn create_test_cases() -> Result<Vec<TestCase>, TestFileDownloadError> {
 }
 
 fn benchmark_linter(mut group: BenchmarkGroup, settings: &LinterSettings) {
+    set_new_parser(true);
+
     let test_cases = create_test_cases().unwrap();
 
     for case in test_cases {

crates/ruff_benchmark/benches/parser.rs

@@ -4,7 +4,7 @@ use ruff_benchmark::criterion::{
 use ruff_benchmark::{TestCase, TestFile, TestFileDownloadError};
 use ruff_python_ast::statement_visitor::{walk_stmt, StatementVisitor};
 use ruff_python_ast::Stmt;
-use ruff_python_parser::parse_suite;
+use ruff_python_parser::{parse_suite, set_new_parser};
 
 #[cfg(target_os = "windows")]
 #[global_allocator]
@@ -50,6 +50,8 @@ impl<'a> StatementVisitor<'a> for CountVisitor {
 }
 
 fn benchmark_parser(criterion: &mut Criterion<WallTime>) {
+    set_new_parser(true);
+
     let test_cases = create_test_cases().unwrap();
     let mut group = criterion.benchmark_group("parser");
 

crates/ruff_formatter/src/buffer.rs

@@ -37,7 +37,7 @@ pub trait Buffer {
     #[doc(hidden)]
     fn elements(&self) -> &[FormatElement];
 
-    /// Glue for usage of the [`write!`] macro with implementors of this trait.
+    /// Glue for usage of the [`write!`] macro with implementers of this trait.
     ///
     /// This method should generally not be invoked manually, but rather through the [`write!`] macro itself.
     ///

crates/ruff_formatter/src/lib.rs

@@ -545,6 +545,10 @@ impl PrintedRange {
         &self.code
     }
 
+    pub fn into_code(self) -> String {
+        self.code
+    }
+
     /// The range the formatted code corresponds to in the source document.
     pub fn source_range(&self) -> TextRange {
         self.source_range

crates/ruff_linter/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "ruff_linter"
-version = "0.3.1"
+version = "0.3.2"
 publish = false
 authors = { workspace = true }
 edition = { workspace = true }

crates/ruff_linter/resources/test/fixtures/flake8_bandit/S104.py

@@ -18,3 +18,7 @@ func("0.0.0.0")
 def my_func():
     x = "0.0.0.0"
     print(x)
+
+
+# Implicit string concatenation
+"0.0.0.0" f"0.0.0.0{expr}0.0.0.0"

crates/ruff_linter/resources/test/fixtures/flake8_bandit/S108.py

@@ -18,6 +18,13 @@ with open("/dev/shm/unit/test", "w") as f:
 with open("/foo/bar", "w") as f:
     f.write("def")
 
+# Implicit string concatenation
+with open("/tmp/" "abc", "w") as f:
+    f.write("def")
+
+with open("/tmp/abc" f"/tmp/abc", "w") as f:
+    f.write("def")
+
 # Using `tempfile` module should be ok
 import tempfile
 from tempfile import TemporaryDirectory

crates/ruff_linter/resources/test/fixtures/flake8_bandit/S311.py

@@ -0,0 +1,22 @@
+import os
+import random
+
+import a_lib
+
+# OK
+random.SystemRandom()
+
+# Errors
+random.Random()
+random.random()
+random.randrange()
+random.randint()
+random.choice()
+random.choices()
+random.uniform()
+random.triangular()
+random.randbytes()
+
+# Unrelated
+os.urandom()
+a_lib.random()

crates/ruff_linter/resources/test/fixtures/flake8_bandit/S324.py

@@ -1,52 +1,47 @@
+import crypt
 import hashlib
 from hashlib import new as hashlib_new
 from hashlib import sha1 as hashlib_sha1
 
-# Invalid
-
+# Errors
 hashlib.new('md5')
-
 hashlib.new('md4', b'test')
-
 hashlib.new(name='md5', data=b'test')
-
 hashlib.new('MD4', data=b'test')
-
 hashlib.new('sha1')
-
 hashlib.new('sha1', data=b'test')
-
 hashlib.new('sha', data=b'test')
-
 hashlib.new(name='SHA', data=b'test')
-
 hashlib.sha(data=b'test')
-
 hashlib.md5()
-
 hashlib_new('sha1')
-
 hashlib_sha1('sha1')
-
 # usedforsecurity arg only available in Python 3.9+
 hashlib.new('sha1', usedforsecurity=True)
 
-# Valid
+crypt.crypt("test", salt=crypt.METHOD_CRYPT)
+crypt.crypt("test", salt=crypt.METHOD_MD5)
+crypt.crypt("test", salt=crypt.METHOD_BLOWFISH)
+crypt.crypt("test", crypt.METHOD_BLOWFISH)
 
+crypt.mksalt(crypt.METHOD_CRYPT)
+crypt.mksalt(crypt.METHOD_MD5)
+crypt.mksalt(crypt.METHOD_BLOWFISH)
+
+# OK
 hashlib.new('sha256')
-
 hashlib.new('SHA512')
-
 hashlib.sha256(data=b'test')
-
 # usedforsecurity arg only available in Python 3.9+
 hashlib_new(name='sha1', usedforsecurity=False)
-
-# usedforsecurity arg only available in Python 3.9+
 hashlib_sha1(name='sha1', usedforsecurity=False)
-
-# usedforsecurity arg only available in Python 3.9+
 hashlib.md4(usedforsecurity=False)
-
-# usedforsecurity arg only available in Python 3.9+
 hashlib.new(name='sha256', usedforsecurity=False)
+
+crypt.crypt("test")
+crypt.crypt("test", salt=crypt.METHOD_SHA256)
+crypt.crypt("test", salt=crypt.METHOD_SHA512)
+
+crypt.mksalt()
+crypt.mksalt(crypt.METHOD_SHA256)
+crypt.mksalt(crypt.METHOD_SHA512)

crates/ruff_linter/resources/test/fixtures/flake8_bandit/S605.py

@@ -1,4 +1,5 @@
 import os
+import subprocess
 
 import commands
 import popen2
@@ -16,6 +17,8 @@ popen2.Popen3("true")
 popen2.Popen4("true")
 commands.getoutput("true")
 commands.getstatusoutput("true")
+subprocess.getoutput("true")
+subprocess.getstatusoutput("true")
 
 
 # Check command argument looks unsafe.

crates/ruff_linter/resources/test/fixtures/flake8_bandit/S610.py

@@ -0,0 +1,34 @@
+from django.contrib.auth.models import User
+
+# Errors
+User.objects.filter(username='admin').extra(dict(could_be='insecure'))
+User.objects.filter(username='admin').extra(select=dict(could_be='insecure'))
+User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'})
+User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')})
+User.objects.filter(username='admin').extra(where=['%secure' % 'nos'])
+User.objects.filter(username='admin').extra(where=['{}secure'.format('no')])
+
+query = '"username") AS "username", * FROM "auth_user" WHERE 1=1 OR "username"=? --'
+User.objects.filter(username='admin').extra(select={'test': query})
+
+where_var = ['1=1) OR 1=1 AND (1=1']
+User.objects.filter(username='admin').extra(where=where_var)
+
+where_str = '1=1) OR 1=1 AND (1=1'
+User.objects.filter(username='admin').extra(where=[where_str])
+
+tables_var = ['django_content_type" WHERE "auth_user"."username"="admin']
+User.objects.all().extra(tables=tables_var).distinct()
+
+tables_str = 'django_content_type" WHERE "auth_user"."username"="admin'
+User.objects.all().extra(tables=[tables_str]).distinct()
+
+# OK
+User.objects.filter(username='admin').extra(
+    select={'test': 'secure'},
+    where=['secure'],
+    tables=['secure']
+)
+User.objects.filter(username='admin').extra({'test': 'secure'})
+User.objects.filter(username='admin').extra(select={'test': 'secure'})
+User.objects.filter(username='admin').extra(where=['secure'])

crates/ruff_linter/resources/test/fixtures/flake8_comprehensions/C413.py

@@ -14,9 +14,6 @@ reversed(sorted(x, reverse=not x))
 reversed(sorted(i for i in range(42)))
 reversed(sorted((i for i in range(42)), reverse=True))
 
-
-def reversed(*args, **kwargs):
-    return None
-
-
-reversed(sorted(x, reverse=True))
+# Regression test for: https://github.com/astral-sh/ruff/issues/10335
+reversed(sorted([1, 2, 3], reverse=False or True))
+reversed(sorted([1, 2, 3], reverse=(False or True)))

crates/ruff_linter/resources/test/fixtures/flake8_pyi/PYI053.pyi

@@ -64,3 +64,5 @@ def not_warnings_dot_deprecated(
     "Not warnings.deprecated, so this one *should* lead to PYI053 in a stub!"  # Error: PYI053
 )
 def not_a_deprecated_function() -> None: ...
+
+fbaz: str = f"51 character {foo} stringgggggggggggggggggggggggggg"  # Error: PYI053

crates/ruff_linter/resources/test/fixtures/flake8_quotes/singles_escaped_unnecessary.py

@@ -40,4 +40,7 @@ f"\'normal\' {f"\'nested\' {"other"} 'single quotes'"} normal"  # Q004
 
 # Make sure we do not unescape quotes
 this_is_fine = "This is an \\'escaped\\' quote"
-this_should_raise_Q004 = "This is an \\\'escaped\\\' quote with an extra backslash"
+this_should_raise_Q004 = "This is an \\\'escaped\\\' quote with an extra backslash"  # Q004
+
+# Invalid escapes in bytestrings are also triggered:
+x = b"\xe7\xeb\x0c\xa1\x1b\x83tN\xce=x\xe9\xbe\x01\xb9\x13B_\xba\xe7\x0c2\xce\'rm\x0e\xcd\xe9.\xf8\xd2"  # Q004

crates/ruff_linter/resources/test/fixtures/flake8_trio/TRIO115.py

@@ -10,7 +10,7 @@ async def func():
 
     trio.sleep(0)  # TRIO115
     foo = 0
-    trio.sleep(foo)  # TRIO115
+    trio.sleep(foo)  # OK
     trio.sleep(1)  # OK
     time.sleep(0)  # OK
 
@@ -20,26 +20,26 @@ async def func():
     trio.sleep(bar)
 
     x, y = 0, 2000
-    trio.sleep(x)  # TRIO115
+    trio.sleep(x)  # OK
     trio.sleep(y)  # OK
 
     (a, b, [c, (d, e)]) = (1, 2, (0, [4, 0]))
-    trio.sleep(c)  # TRIO115
+    trio.sleep(c)  # OK
     trio.sleep(d)  # OK
-    trio.sleep(e)  # TRIO115
+    trio.sleep(e)  # OK
 
     m_x, m_y = 0
     trio.sleep(m_y)  # OK
     trio.sleep(m_x)  # OK
 
     m_a = m_b = 0
-    trio.sleep(m_a)  # TRIO115
-    trio.sleep(m_b)  # TRIO115
+    trio.sleep(m_a)  # OK
+    trio.sleep(m_b)  # OK
 
     m_c = (m_d, m_e) = (0, 0)
     trio.sleep(m_c)  # OK
-    trio.sleep(m_d)  # TRIO115
-    trio.sleep(m_e)  # TRIO115
+    trio.sleep(m_d)  # OK
+    trio.sleep(m_e)  # OK
 
 
 def func():
@@ -63,4 +63,16 @@ def func():
     import trio
 
     if (walrus := 0) == 0:
-        trio.sleep(walrus)  # TRIO115
+        trio.sleep(walrus)  # OK
+
+
+def func():
+    import trio
+
+    async def main() -> None:
+        sleep = 0
+        for _ in range(2):
+            await trio.sleep(sleep)  # OK
+            sleep = 10
+
+    trio.run(main)

crates/ruff_linter/resources/test/fixtures/pycodestyle/E20.py

@@ -153,3 +153,9 @@ ham[lower +1 :, "columnname"]
 
 #: E203:1:13
 ham[lower + 1  :, "columnname"]
+
+#: Okay
+f"{ham[lower +1 :, "columnname"]}"
+
+#: E203:1:13
+f"{ham[lower + 1  :, "columnname"]}"

crates/ruff_linter/resources/test/fixtures/pycodestyle/E2_syntax_error.py

@@ -0,0 +1 @@
+a = (1 or)

crates/ruff_linter/resources/test/fixtures/pycodestyle/E502.py

@@ -0,0 +1,88 @@
+a = 2 + 2
+
+a = (2 + 2)
+
+a = 2 + \
+    3 \
+    + 4
+
+a = (3 -\
+    2 +   \
+    7)
+
+z = 5 + \
+    (3 -\
+    2 +   \
+    7) + \
+    4
+
+b = [2 +
+    2]
+
+b = [
+    2 + 4 + 5 + \
+    44 \
+    - 5
+]
+
+c = (True and
+    False \
+    or False \
+    and True \
+)
+
+c = (True and
+    False)
+
+d = True and \
+    False or \
+    False \
+    and not True
+
+
+s = {
+    'x': 2 + \
+    2
+}
+
+
+s = {
+    'x': 2 +
+    2
+}
+
+
+x = {2 + 4 \
+  + 3}
+
+y = (
+    2 + 2  # \
+    + 3  # \
+    + 4 \
+    + 3
+)
+
+
+x = """
+    (\\
+    )
+"""
+
+
+("""hello \
+""")
+
+("hello \
+")
+
+
+x = "abc" \
+    "xyz"
+
+x = ("abc" \
+    "xyz")
+
+
+def foo():
+    x = (a + \
+        2)

crates/ruff_linter/resources/test/fixtures/pycodestyle/W391_0.py

@@ -0,0 +1,14 @@
+# Unix style
+def foo() -> None:
+    pass
+
+
+def bar() -> None:
+    pass
+
+
+
+if __name__ == '__main__':
+    foo()
+    bar()
+

crates/ruff_linter/resources/test/fixtures/pycodestyle/W391_1.py

@@ -0,0 +1,13 @@
+# Unix style
+def foo() -> None:
+    pass
+
+
+def bar() -> None:
+    pass
+
+
+
+if __name__ == '__main__':
+    foo()
+    bar()

crates/ruff_linter/resources/test/fixtures/pycodestyle/W391_2.py

@@ -0,0 +1,17 @@
+# Windows style
+def foo() -> None:
+    pass
+
+
+def bar() -> None:
+    pass
+
+
+
+if __name__ == '__main__':
+    foo()
+    bar()
+
+
+
+

crates/ruff_linter/resources/test/fixtures/pycodestyle/W391_3.py

@@ -0,0 +1,13 @@
+# Windows style
+def foo() -> None:
+    pass
+
+
+def bar() -> None:
+    pass
+
+
+
+if __name__ == '__main__':
+    foo()
+    bar()

crates/ruff_linter/resources/test/fixtures/pycodestyle/W391_4.py

@@ -0,0 +1,5 @@
+# This is fine
+def foo():
+    pass
+
+    # Some comment

crates/ruff_linter/resources/test/fixtures/pycodestyle/W505.py

@@ -10,7 +10,7 @@ def f1():
     # Here's a standalone comment that's over the limit.
 
     x = 2
-    # Another standalone that is preceded by a newline and indent toke and is over the limit.
+    # Another standalone that is preceded by a newline and indent token and is over the limit.
 
     print("Here's a string that's over the limit, but it's not a docstring.")
 

crates/ruff_linter/resources/test/fixtures/pycodestyle/W505_utf_8.py

@@ -10,7 +10,7 @@ def f1():
     # Here's a standalone comment that's over theß9💣2ℝ.
 
     x = 2
-    # Another standalone that is preceded by a newline and indent toke and is over theß9💣2ℝ.
+    # Another standalone that is preceded by a newline and indent token and is over theß9💣2ℝ.
 
     print("Here's a string that's over theß9💣2ℝ, but it's not a ß9💣2ℝing.")
 

crates/ruff_linter/resources/test/fixtures/pyflakes/F401_23.py

@@ -0,0 +1,7 @@
+"""Test: ensure that we treat strings in `typing.Annotation` as type definitions."""
+
+from pathlib import Path
+from re import RegexFlag
+from typing import Annotated
+
+p: Annotated["Path", int] = 1

crates/ruff_linter/resources/test/fixtures/pyflakes/F811_28.py

@@ -0,0 +1,6 @@
+"""Regression test for: https://github.com/astral-sh/ruff/issues/10384"""
+
+import datetime
+from datetime import datetime
+
+datetime(1, 2, 3)

crates/ruff_linter/resources/test/fixtures/pyflakes/F821_11.pyi

@@ -0,0 +1,16 @@
+"""Test case: strings used within calls within type annotations."""
+
+from typing import Callable
+
+import bpy
+from mypy_extensions import VarArg
+
+class LightShow(bpy.types.Operator):
+    label = "Create Character"
+    name = "lightshow.letter_creation"
+
+    filepath: bpy.props.StringProperty(subtype="FILE_PATH")  # OK
+
+
+def f(x: Callable[[VarArg("os")], None]):  # F821
+    pass

crates/ruff_linter/resources/test/fixtures/pyflakes/F821_26.py

@@ -0,0 +1,44 @@
+"""Tests for constructs allowed in `.pyi` stub files but not at runtime"""
+
+from typing import Optional, TypeAlias, Union
+
+__version__: str
+__author__: str
+
+# Forward references:
+MaybeCStr: TypeAlias = Optional[CStr]  # valid in a `.pyi` stub file, not in a `.py` runtime file
+MaybeCStr2: TypeAlias = Optional["CStr"]  # always okay
+CStr: TypeAlias = Union[C, str]  # valid in a `.pyi` stub file, not in a `.py` runtime file
+CStr2: TypeAlias = Union["C", str]  # always okay
+
+# References to a class from inside the class:
+class C:
+    other: C = ...  # valid in a `.pyi` stub file, not in a `.py` runtime file
+    other2: "C" = ...  # always okay
+    def from_str(self, s: str) -> C: ...  # valid in a `.pyi` stub file, not in a `.py` runtime file
+    def from_str2(self, s: str) -> "C": ...  # always okay
+
+# Circular references:
+class A:
+    foo: B  # valid in a `.pyi` stub file, not in a `.py` runtime file
+    foo2: "B"  # always okay
+    bar: dict[str, B]  # valid in a `.pyi` stub file, not in a `.py` runtime file
+    bar2: dict[str, "A"]  # always okay
+
+class B:
+    foo: A  # always okay
+    bar: dict[str, A]  # always okay
+
+class Leaf: ...
+class Tree(list[Tree | Leaf]): ...  # valid in a `.pyi` stub file, not in a `.py` runtime file
+class Tree2(list["Tree | Leaf"]): ...  # always okay
+
+# Annotations are treated as assignments in .pyi files, but not in .py files
+class MyClass:
+    foo: int
+    bar = foo  # valid in a `.pyi` stub file, not in a `.py` runtime file
+    bar = "foo"  # always okay
+
+baz: MyClass
+eggs = baz  # valid in a `.pyi` stub file, not in a `.py` runtime file
+eggs = "baz"  # always okay

crates/ruff_linter/resources/test/fixtures/pyflakes/F821_26.pyi

@@ -0,0 +1,44 @@
+"""Tests for constructs allowed in `.pyi` stub files but not at runtime"""
+
+from typing import Optional, TypeAlias, Union
+
+__version__: str
+__author__: str
+
+# Forward references:
+MaybeCStr: TypeAlias = Optional[CStr]  # valid in a `.pyi` stub file, not in a `.py` runtime file
+MaybeCStr2: TypeAlias = Optional["CStr"]  # always okay
+CStr: TypeAlias = Union[C, str]  # valid in a `.pyi` stub file, not in a `.py` runtime file
+CStr2: TypeAlias = Union["C", str]  # always okay
+
+# References to a class from inside the class:
+class C:
+    other: C = ...  # valid in a `.pyi` stub file, not in a `.py` runtime file
+    other2: "C" = ...  # always okay
+    def from_str(self, s: str) -> C: ...  # valid in a `.pyi` stub file, not in a `.py` runtime file
+    def from_str2(self, s: str) -> "C": ...  # always okay
+
+# Circular references:
+class A:
+    foo: B  # valid in a `.pyi` stub file, not in a `.py` runtime file
+    foo2: "B"  # always okay
+    bar: dict[str, B]  # valid in a `.pyi` stub file, not in a `.py` runtime file
+    bar2: dict[str, "A"]  # always okay
+
+class B:
+    foo: A  # always okay
+    bar: dict[str, A]  # always okay
+
+class Leaf: ...
+class Tree(list[Tree | Leaf]): ...  # valid in a `.pyi` stub file, not in a `.py` runtime file
+class Tree2(list["Tree | Leaf"]): ...  # always okay
+
+# Annotations are treated as assignments in .pyi files, but not in .py files
+class MyClass:
+    foo: int
+    bar = foo  # valid in a `.pyi` stub file, not in a `.py` runtime file
+    bar = "foo"  # always okay
+
+baz: MyClass
+eggs = baz  # valid in a `.pyi` stub file, not in a `.py` runtime file
+eggs = "baz"  # always okay

crates/ruff_linter/resources/test/fixtures/pyflakes/F821_27.py

@@ -0,0 +1,48 @@
+"""Tests for constructs allowed when `__future__` annotations are enabled but not otherwise"""
+from __future__ import annotations
+
+from typing import Optional, TypeAlias, Union
+
+__version__: str
+__author__: str
+
+# References to a class from inside the class:
+class C:
+    other: C = ...  # valid when `__future__.annotations are enabled
+    other2: "C" = ...  # always okay
+    def from_str(self, s: str) -> C: ...  # valid when `__future__.annotations are enabled
+    def from_str2(self, s: str) -> "C": ...  # always okay
+
+# Circular references:
+class A:
+    foo: B  # valid when `__future__.annotations are enabled
+    foo2: "B"  # always okay
+    bar: dict[str, B]  # valid when `__future__.annotations are enabled
+    bar2: dict[str, "A"]  # always okay
+
+class B:
+    foo: A  # always okay
+    bar: dict[str, A]  # always okay
+
+# Annotations are treated as assignments in .pyi files, but not in .py files
+class MyClass:
+    foo: int
+    bar = foo  # Still invalid even when `__future__.annotations` are enabled
+    bar = "foo"  # always okay
+
+baz: MyClass
+eggs = baz  # Still invalid even when `__future__.annotations` are enabled
+eggs = "baz"  # always okay
+
+# Forward references:
+MaybeDStr: TypeAlias = Optional[DStr]  # Still invalid even when `__future__.annotations` are enabled
+MaybeDStr2: TypeAlias = Optional["DStr"]  # always okay
+DStr: TypeAlias = Union[D, str]  # Still invalid even when `__future__.annotations` are enabled
+DStr2: TypeAlias = Union["D", str]  # always okay
+
+class D: ...
+
+# More circular references
+class Leaf: ...
+class Tree(list[Tree | Leaf]): ...  # Still invalid even when `__future__.annotations` are enabled
+class Tree2(list["Tree | Leaf"]): ...  # always okay

crates/ruff_linter/resources/test/fixtures/pyflakes/F821_5.pyi

@@ -0,0 +1,10 @@
+"""Test: inner class annotation."""
+
+class RandomClass:
+    def bad_func(self) -> InnerClass: ...  # F821
+    def good_func(self) -> OuterClass.InnerClass: ...  # Okay
+
+class OuterClass:
+    class InnerClass: ...
+
+    def good_func(self) -> InnerClass: ...  # Okay

crates/ruff_linter/resources/test/fixtures/pyflakes/F822_0.pyi

@@ -0,0 +1,4 @@
+a = 1
+b: int  # Considered a binding in a `.pyi` stub file, not in a `.py` runtime file
+
+__all__ = ["a", "b", "c"]  # c is flagged as missing; b is not

crates/ruff_linter/resources/test/fixtures/pylint/invalid_return_type_bool.py

@@ -0,0 +1,37 @@
+# These testcases should raise errors
+
+class Float:
+    def __bool__(self):
+        return 3.05  # [invalid-bool-return]
+
+class Int:
+    def __bool__(self):
+        return 0  # [invalid-bool-return]
+
+
+class Str:
+    def __bool__(self):
+        x = "ruff"
+        return x  # [invalid-bool-return]
+
+# TODO: Once Ruff has better type checking
+def return_int():
+    return 3
+
+class ComplexReturn:
+    def __bool__(self):
+        return return_int()  # [invalid-bool-return]
+
+
+
+# These testcases should NOT raise errors
+
+class Bool:
+    def __bool__(self):
+        return True
+
+
+class Bool2:
+    def __bool__(self):
+        x = True
+        return x

crates/ruff_linter/resources/test/fixtures/pylint/invalid_return_type_str.py

@@ -1,28 +1,36 @@
-class Str:
-    def __str__(self):
-        return 1
+# These testcases should raise errors
 
 class Float:
     def __str__(self):
         return 3.05
-    
+
 class Int:
+    def __str__(self):
+        return 1
+
+class Int2:
     def __str__(self):
         return 0
-    
+
 class Bool:
     def __str__(self):
         return False
-    
-class Str2:
-    def __str__(self):
-        x = "ruff"
-        return x
-    
-# TODO fixme once Ruff has better type checking
+
+# TODO: Once Ruff has better type checking
 def return_int():
     return 3
 
 class ComplexReturn:
     def __str__(self):
-        return return_int()
+        return return_int()
+
+# These testcases should NOT raise errors
+
+class Str:
+    def __str__(self):
+        return "ruff"
+
+class Str2:
+    def __str__(self):
+        x = "ruff"
+        return x

crates/ruff_linter/resources/test/fixtures/pylint/non_slot_assignment.py

@@ -54,3 +54,15 @@ class StudentE(StudentD):
 
     def setup(self):
         pass
+
+
+class StudentF(object):
+    __slots__ = ("name", "__dict__")
+
+    def __init__(self, name, middle_name):
+        self.name = name
+        self.middle_name = middle_name  # [assigning-non-slot]
+        self.setup()
+
+    def setup(self):
+        pass

crates/ruff_linter/resources/test/fixtures/pylint/useless_exception_statement.py

@@ -1,8 +1,8 @@
-# Test case 1: Useless exception statement
 from abc import ABC, abstractmethod
 from contextlib import suppress
 
 
+# Test case 1: Useless exception statement
 def func():
     AssertionError("This is an assertion error")  # PLW0133
 
@@ -66,6 +66,11 @@ def func():
     x = 1; (RuntimeError("This is an exception")); y = 2  # PLW0133
 
 
+# Test case 11: Useless warning statement
+def func():
+    UserWarning("This is an assertion error")  # PLW0133
+
+
 # Non-violation test cases: PLW0133
 
 

crates/ruff_linter/resources/test/fixtures/pyupgrade/UP032_0.py

@@ -252,3 +252,10 @@ raise ValueError(
 
 # The dictionary should be parenthesized.
 "{}".format({0: 1}())
+
+# The string shouldn't be converted, since it would require repeating the function call.
+"{x} {x}".format(x=foo())
+"{0} {0}".format(foo())
+
+# The string _should_ be converted, since the function call is repeated in the arguments.
+"{0} {1}".format(foo(), foo())

crates/ruff_linter/resources/test/fixtures/ruff/RUF021.py

@@ -47,7 +47,7 @@ if (
     and some_third_reasonably_long_condition
     or some_fourth_reasonably_long_condition
     and some_fifth_reasonably_long_condition
-    # a commment
+    # a comment
     and some_sixth_reasonably_long_condition
     and some_seventh_reasonably_long_condition
     # another comment

crates/ruff_linter/resources/test/fixtures/ruff/RUF022.py

@@ -48,7 +48,7 @@ __all__ = [
 # we implement an "isort-style sort":
 # SCEAMING_CASE constants first,
 # then CamelCase classes,
-# then anything thats lowercase_snake_case.
+# then anything that's lowercase_snake_case.
 # This (which is currently alphabetically sorted)
 # should get reordered accordingly:
 __all__ = [

crates/ruff_linter/resources/test/fixtures/ruff/confusables.py

@@ -53,3 +53,6 @@ class Labware:
 
 
 assert getattr(Labware(), "µL") == 1.5
+
+# Implicit string concatenation
+x = "𝐁ad" f"𝐁ad string"

crates/ruff_linter/src/checkers/ast/analyze/deferred_scopes.rs

@@ -259,23 +259,29 @@ pub(crate) fn deferred_scopes(checker: &mut Checker) {
                         diagnostic.set_parent(range.start());
                     }
 
-                    if let Some(import) = binding.as_any_import() {
-                        if let Some(source) = binding.source {
-                            diagnostic.try_set_fix(|| {
-                                let statement = checker.semantic().statement(source);
-                                let parent = checker.semantic().parent_statement(source);
-                                let edit = fix::edits::remove_unused_imports(
-                                    std::iter::once(import.member_name().as_ref()),
-                                    statement,
-                                    parent,
-                                    checker.locator(),
-                                    checker.stylist(),
-                                    checker.indexer(),
-                                )?;
-                                Ok(Fix::safe_edit(edit).isolate(Checker::isolation(
-                                    checker.semantic().parent_statement_id(source),
-                                )))
-                            });
+                    // Remove the import if the binding and the shadowed binding are both imports,
+                    // and both point to the same qualified name.
+                    if let Some(shadowed_import) = shadowed.as_any_import() {
+                        if let Some(import) = binding.as_any_import() {
+                            if shadowed_import.qualified_name() == import.qualified_name() {
+                                if let Some(source) = binding.source {
+                                    diagnostic.try_set_fix(|| {
+                                        let statement = checker.semantic().statement(source);
+                                        let parent = checker.semantic().parent_statement(source);
+                                        let edit = fix::edits::remove_unused_imports(
+                                            std::iter::once(import.member_name().as_ref()),
+                                            statement,
+                                            parent,
+                                            checker.locator(),
+                                            checker.stylist(),
+                                            checker.indexer(),
+                                        )?;
+                                        Ok(Fix::safe_edit(edit).isolate(Checker::isolation(
+                                            checker.semantic().parent_statement_id(source),
+                                        )))
+                                    });
+                                }
+                            }
                         }
                     }
 

crates/ruff_linter/src/checkers/ast/analyze/expression.rs

@@ -254,7 +254,7 @@ pub(crate) fn expression(expr: &Expr, checker: &mut Checker) {
                         }
                     }
                 }
-                ExprContext::Del => {}
+                _ => {}
             }
             if checker.enabled(Rule::SixPY3) {
                 flake8_2020::rules::name_or_attribute(checker, expr);
@@ -427,7 +427,7 @@ pub(crate) fn expression(expr: &Expr, checker: &mut Checker) {
                                         pyupgrade::rules::format_literals(checker, call, &summary);
                                     }
                                     if checker.enabled(Rule::FString) {
-                                        pyupgrade::rules::f_strings(checker, call, &summary, value);
+                                        pyupgrade::rules::f_strings(checker, call, &summary);
                                     }
                                 }
                             }
@@ -632,6 +632,9 @@ pub(crate) fn expression(expr: &Expr, checker: &mut Checker) {
             ]) {
                 flake8_bandit::rules::shell_injection(checker, call);
             }
+            if checker.enabled(Rule::DjangoExtra) {
+                flake8_bandit::rules::django_extra(checker, call);
+            }
             if checker.enabled(Rule::DjangoRawSql) {
                 flake8_bandit::rules::django_raw_sql(checker, call);
             }

crates/ruff_linter/src/checkers/ast/analyze/parameter.rs

@@ -9,7 +9,7 @@ use crate::rules::{flake8_builtins, pep8_naming, pycodestyle};
 pub(crate) fn parameter(parameter: &Parameter, checker: &mut Checker) {
     if checker.enabled(Rule::AmbiguousVariableName) {
         if let Some(diagnostic) =
-            pycodestyle::rules::ambiguous_variable_name(&parameter.name, parameter.range())
+            pycodestyle::rules::ambiguous_variable_name(&parameter.name, parameter.name.range())
         {
             checker.diagnostics.push(diagnostic);
         }

crates/ruff_linter/src/checkers/ast/analyze/statement.rs

@@ -91,6 +91,9 @@ pub(crate) fn statement(stmt: &Stmt, checker: &mut Checker) {
                     checker.diagnostics.push(diagnostic);
                 }
             }
+            if checker.enabled(Rule::InvalidBoolReturnType) {
+                pylint::rules::invalid_bool_return(checker, name, body);
+            }
             if checker.enabled(Rule::InvalidStrReturnType) {
                 pylint::rules::invalid_str_return(checker, name, body);
             }

crates/ruff_linter/src/checkers/ast/mod.rs

@@ -44,10 +44,10 @@ use ruff_python_ast::helpers::{
 };
 use ruff_python_ast::identifier::Identifier;
 use ruff_python_ast::name::QualifiedName;
-use ruff_python_ast::str::trailing_quote;
-use ruff_python_ast::visitor::{walk_except_handler, walk_f_string_element, walk_pattern, Visitor};
+use ruff_python_ast::str::Quote;
+use ruff_python_ast::visitor::{walk_except_handler, walk_pattern, Visitor};
 use ruff_python_ast::{helpers, str, visitor, PySourceType};
-use ruff_python_codegen::{Generator, Quote, Stylist};
+use ruff_python_codegen::{Generator, Stylist};
 use ruff_python_index::Indexer;
 use ruff_python_parser::typing::{parse_type_annotation, AnnotationKind};
 use ruff_python_semantic::analyze::{imports, typing, visibility};
@@ -228,16 +228,11 @@ impl<'a> Checker<'a> {
         }
 
         // Find the quote character used to start the containing f-string.
-        let expr = self.semantic.current_expression()?;
-        let string_range = self.indexer.fstring_ranges().innermost(expr.start())?;
-        let trailing_quote = trailing_quote(self.locator.slice(string_range))?;
-
-        // Invert the quote character, if it's a single quote.
-        match trailing_quote {
-            "'" => Some(Quote::Double),
-            "\"" => Some(Quote::Single),
-            _ => None,
-        }
+        let ast::ExprFString { value, .. } = self
+            .semantic
+            .current_expressions()
+            .find_map(|expr| expr.as_f_string_expr())?;
+        Some(value.iter().next()?.quote_style().opposite())
     }
 
     /// Returns the [`SourceRow`] for the given offset.
@@ -938,6 +933,7 @@ impl<'a> Visitor<'a> for Checker<'a> {
             && !self.semantic.in_deferred_type_definition()
             && self.semantic.in_type_definition()
             && self.semantic.future_annotations()
+            && (self.semantic.in_typing_only_annotation() || self.source_type.is_stub())
         {
             if let Expr::StringLiteral(ast::ExprStringLiteral { value, .. }) = expr {
                 self.visit.string_type_definitions.push((
@@ -990,6 +986,7 @@ impl<'a> Visitor<'a> for Checker<'a> {
                 ExprContext::Load => self.handle_node_load(expr),
                 ExprContext::Store => self.handle_node_store(id, expr),
                 ExprContext::Del => self.handle_node_delete(expr),
+                ExprContext::Invalid => {}
             },
             _ => {}
         }
@@ -1348,7 +1345,7 @@ impl<'a> Visitor<'a> for Checker<'a> {
                             {
                                 let mut iter = elts.iter();
                                 if let Some(expr) = iter.next() {
-                                    self.visit_expr(expr);
+                                    self.visit_type_definition(expr);
                                 }
                                 for expr in iter {
                                     self.visit_non_type_definition(expr);
@@ -1411,6 +1408,7 @@ impl<'a> Visitor<'a> for Checker<'a> {
                 analyze::string_like(string_literal.into(), self);
             }
             Expr::BytesLiteral(bytes_literal) => analyze::string_like(bytes_literal.into(), self),
+            Expr::FString(f_string) => analyze::string_like(f_string.into(), self),
             _ => {}
         }
 
@@ -1577,16 +1575,6 @@ impl<'a> Visitor<'a> for Checker<'a> {
                 .push((bound, self.semantic.snapshot()));
         }
     }
-
-    fn visit_f_string_element(&mut self, f_string_element: &'a ast::FStringElement) {
-        // Step 2: Traversal
-        walk_f_string_element(self, f_string_element);
-
-        // Step 4: Analysis
-        if let Some(literal) = f_string_element.as_literal() {
-            analyze::string_like(literal.into(), self);
-        }
-    }
 }
 
 impl<'a> Checker<'a> {
@@ -1839,11 +1827,13 @@ impl<'a> Checker<'a> {
             flags.insert(BindingFlags::UNPACKED_ASSIGNMENT);
         }
 
-        // Match the left-hand side of an annotated assignment, like `x` in `x: int`.
+        // Match the left-hand side of an annotated assignment without a value,
+        // like `x` in `x: int`. N.B. In stub files, these should be viewed
+        // as assignments on par with statements such as `x: int = 5`.
         if matches!(
             parent,
             Stmt::AnnAssign(ast::StmtAnnAssign { value: None, .. })
-        ) && !self.semantic.in_annotation()
+        ) && !(self.semantic.in_annotation() || self.source_type.is_stub())
         {
             self.add_binding(id, expr.range(), BindingKind::Annotation, flags);
             return;

crates/ruff_linter/src/checkers/logical_lines.rs

@@ -1,6 +1,7 @@
 use crate::line_width::IndentWidth;
 use ruff_diagnostics::Diagnostic;
 use ruff_python_codegen::Stylist;
+use ruff_python_index::Indexer;
 use ruff_python_parser::lexer::LexResult;
 use ruff_python_parser::TokenKind;
 use ruff_source_file::Locator;
@@ -9,8 +10,8 @@ use ruff_text_size::{Ranged, TextRange};
 use crate::registry::AsRule;
 use crate::rules::pycodestyle::rules::logical_lines::{
     extraneous_whitespace, indentation, missing_whitespace, missing_whitespace_after_keyword,
-    missing_whitespace_around_operator, space_after_comma, space_around_operator,
-    whitespace_around_keywords, whitespace_around_named_parameter_equals,
+    missing_whitespace_around_operator, redundant_backslash, space_after_comma,
+    space_around_operator, whitespace_around_keywords, whitespace_around_named_parameter_equals,
     whitespace_before_comment, whitespace_before_parameters, LogicalLines, TokenFlags,
 };
 use crate::settings::LinterSettings;
@@ -35,6 +36,7 @@ pub(crate) fn expand_indent(line: &str, indent_width: IndentWidth) -> usize {
 pub(crate) fn check_logical_lines(
     tokens: &[LexResult],
     locator: &Locator,
+    indexer: &Indexer,
     stylist: &Stylist,
     settings: &LinterSettings,
 ) -> Vec<Diagnostic> {
@@ -73,6 +75,7 @@ pub(crate) fn check_logical_lines(
 
         if line.flags().contains(TokenFlags::BRACKET) {
             whitespace_before_parameters(&line, &mut context);
+            redundant_backslash(&line, locator, indexer, &mut context);
         }
 
         // Extract the indentation level.

crates/ruff_linter/src/checkers/tokens.rs

@@ -203,6 +203,10 @@ pub(crate) fn check_tokens(
         flake8_fixme::rules::todos(&mut diagnostics, &todo_comments);
     }
 
+    if settings.rules.enabled(Rule::TooManyNewlinesAtEndOfFile) {
+        pycodestyle::rules::too_many_newlines_at_end_of_file(&mut diagnostics, tokens);
+    }
+
     diagnostics.retain(|diagnostic| settings.rules.enabled(diagnostic.kind.rule()));
 
     diagnostics

crates/ruff_linter/src/codes.rs

@@ -146,6 +146,7 @@ pub fn code_to_rule(linter: Linter, code: &str) -> Option<(RuleGroup, Rule)> {
         (Pycodestyle, "E401") => (RuleGroup::Stable, rules::pycodestyle::rules::MultipleImportsOnOneLine),
         (Pycodestyle, "E402") => (RuleGroup::Stable, rules::pycodestyle::rules::ModuleImportNotAtTopOfFile),
         (Pycodestyle, "E501") => (RuleGroup::Stable, rules::pycodestyle::rules::LineTooLong),
+        (Pycodestyle, "E502") => (RuleGroup::Preview, rules::pycodestyle::rules::logical_lines::RedundantBackslash),
         (Pycodestyle, "E701") => (RuleGroup::Stable, rules::pycodestyle::rules::MultipleStatementsOnOneLineColon),
         (Pycodestyle, "E702") => (RuleGroup::Stable, rules::pycodestyle::rules::MultipleStatementsOnOneLineSemicolon),
         (Pycodestyle, "E703") => (RuleGroup::Stable, rules::pycodestyle::rules::UselessSemicolon),
@@ -167,6 +168,7 @@ pub fn code_to_rule(linter: Linter, code: &str) -> Option<(RuleGroup, Rule)> {
         (Pycodestyle, "W291") => (RuleGroup::Stable, rules::pycodestyle::rules::TrailingWhitespace),
         (Pycodestyle, "W292") => (RuleGroup::Stable, rules::pycodestyle::rules::MissingNewlineAtEndOfFile),
         (Pycodestyle, "W293") => (RuleGroup::Stable, rules::pycodestyle::rules::BlankLineWithWhitespace),
+        (Pycodestyle, "W391") => (RuleGroup::Preview, rules::pycodestyle::rules::TooManyNewlinesAtEndOfFile),
         (Pycodestyle, "W505") => (RuleGroup::Stable, rules::pycodestyle::rules::DocLineTooLong),
         (Pycodestyle, "W605") => (RuleGroup::Stable, rules::pycodestyle::rules::InvalidEscapeSequence),
 
@@ -238,6 +240,7 @@ pub fn code_to_rule(linter: Linter, code: &str) -> Option<(RuleGroup, Rule)> {
         (Pylint, "E0237") => (RuleGroup::Stable, rules::pylint::rules::NonSlotAssignment),
         (Pylint, "E0241") => (RuleGroup::Stable, rules::pylint::rules::DuplicateBases),
         (Pylint, "E0302") => (RuleGroup::Stable, rules::pylint::rules::UnexpectedSpecialMethodSignature),
+        (Pylint, "E0304") => (RuleGroup::Preview, rules::pylint::rules::InvalidBoolReturnType),
         (Pylint, "E0307") => (RuleGroup::Stable, rules::pylint::rules::InvalidStrReturnType),
         (Pylint, "E0604") => (RuleGroup::Stable, rules::pylint::rules::InvalidAllObject),
         (Pylint, "E0605") => (RuleGroup::Stable, rules::pylint::rules::InvalidAllFormat),
@@ -680,6 +683,7 @@ pub fn code_to_rule(linter: Linter, code: &str) -> Option<(RuleGroup, Rule)> {
         (Flake8Bandit, "607") => (RuleGroup::Stable, rules::flake8_bandit::rules::StartProcessWithPartialPath),
         (Flake8Bandit, "608") => (RuleGroup::Stable, rules::flake8_bandit::rules::HardcodedSQLExpression),
         (Flake8Bandit, "609") => (RuleGroup::Stable, rules::flake8_bandit::rules::UnixCommandWildcardInjection),
+        (Flake8Bandit, "610") => (RuleGroup::Preview, rules::flake8_bandit::rules::DjangoExtra),
         (Flake8Bandit, "611") => (RuleGroup::Stable, rules::flake8_bandit::rules::DjangoRawSql),
         (Flake8Bandit, "612") => (RuleGroup::Stable, rules::flake8_bandit::rules::LoggingConfigInsecureListen),
         (Flake8Bandit, "701") => (RuleGroup::Stable, rules::flake8_bandit::rules::Jinja2AutoescapeFalse),

crates/ruff_linter/src/cst/helpers.rs

@@ -1,5 +1,6 @@
 use libcst_native::{
-    Expression, Name, ParenthesizableWhitespace, SimpleWhitespace, UnaryOperation,
+    Expression, LeftParen, Name, ParenthesizableWhitespace, ParenthesizedNode, RightParen,
+    SimpleWhitespace, UnaryOperation,
 };
 
 /// Return a [`ParenthesizableWhitespace`] containing a single space.
@@ -24,6 +25,7 @@ pub(crate) fn negate<'a>(expression: &Expression<'a>) -> Expression<'a> {
         }
     }
 
+    // If the expression is `True` or `False`, return the opposite.
     if let Expression::Name(ref expression) = expression {
         match expression.value {
             "True" => {
@@ -44,11 +46,32 @@ pub(crate) fn negate<'a>(expression: &Expression<'a>) -> Expression<'a> {
         }
     }
 
+    // If the expression is higher precedence than the unary `not`, we need to wrap it in
+    // parentheses.
+    //
+    // For example: given `a and b`, we need to return `not (a and b)`, rather than `not a and b`.
+    //
+    // See: <https://docs.python.org/3/reference/expressions.html#operator-precedence>
+    let needs_parens = matches!(
+        expression,
+        Expression::BooleanOperation(_)
+            | Expression::IfExp(_)
+            | Expression::Lambda(_)
+            | Expression::NamedExpr(_)
+    );
+    let has_parens = !expression.lpar().is_empty() && !expression.rpar().is_empty();
+    // Otherwise, wrap in a `not` operator.
     Expression::UnaryOperation(Box::new(UnaryOperation {
         operator: libcst_native::UnaryOp::Not {
             whitespace_after: space(),
         },
-        expression: Box::new(expression.clone()),
+        expression: Box::new(if needs_parens && !has_parens {
+            expression
+                .clone()
+                .with_parens(LeftParen::default(), RightParen::default())
+        } else {
+            expression.clone()
+        }),
         lpar: vec![],
         rpar: vec![],
     }))

crates/ruff_linter/src/directives.rs

@@ -131,10 +131,7 @@ fn extract_noqa_line_for(lxr: &[LexResult], locator: &Locator, indexer: &Indexer
 
             // For multi-line strings, we expect `noqa` directives on the last line of the
             // string.
-            Tok::String {
-                triple_quoted: true,
-                ..
-            } => {
+            Tok::String { kind, .. } if kind.is_triple_quoted() => {
                 if locator.contains_line_break(*range) {
                     string_mappings.push(TextRange::new(
                         locator.line_start(range.start()),

crates/ruff_linter/src/fix/edits.rs

@@ -418,29 +418,6 @@ pub(crate) fn fits(
     all_lines_fit(fix, node, locator, line_length.value() as usize, tab_size)
 }
 
-/// Returns `true` if the fix fits within the maximum configured line length, or produces lines that
-/// are shorter than the maximum length of the existing AST node.
-pub(crate) fn fits_or_shrinks(
-    fix: &str,
-    node: AnyNodeRef,
-    locator: &Locator,
-    line_length: LineLength,
-    tab_size: IndentWidth,
-) -> bool {
-    // Use the larger of the line length limit, or the longest line in the existing AST node.
-    let line_length = std::iter::once(line_length.value() as usize)
-        .chain(
-            locator
-                .slice(locator.lines_range(node.range()))
-                .universal_newlines()
-                .map(|line| LineWidthBuilder::new(tab_size).add_str(&line).get()),
-        )
-        .max()
-        .unwrap_or(line_length.value() as usize);
-
-    all_lines_fit(fix, node, locator, line_length, tab_size)
-}
-
 /// Returns `true` if all lines in the fix are shorter than the given line length.
 fn all_lines_fit(
     fix: &str,

crates/ruff_linter/src/linter.rs

@@ -132,7 +132,7 @@ pub fn check_path(
         .any(|rule_code| rule_code.lint_source().is_logical_lines())
     {
         diagnostics.extend(crate::checkers::logical_lines::check_logical_lines(
-            &tokens, locator, stylist, settings,
+            &tokens, locator, indexer, stylist, settings,
         ));
     }
 

crates/ruff_linter/src/logging.rs

@@ -194,7 +194,7 @@ impl DisplayParseError {
         // Translate the byte offset to a location in the originating source.
         let location =
             if let Some(jupyter_index) = source_kind.as_ipy_notebook().map(Notebook::index) {
-                let source_location = source_code.source_location(error.offset);
+                let source_location = source_code.source_location(error.location.start());
 
                 ErrorLocation::Cell(
                     jupyter_index
@@ -208,7 +208,7 @@ impl DisplayParseError {
                     },
                 )
             } else {
-                ErrorLocation::File(source_code.source_location(error.offset))
+                ErrorLocation::File(source_code.source_location(error.location.start()))
             };
 
         Self {
@@ -275,27 +275,7 @@ impl<'a> DisplayParseErrorType<'a> {
 
 impl Display for DisplayParseErrorType<'_> {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
-        match self.0 {
-            ParseErrorType::Eof => write!(f, "Expected token but reached end of file."),
-            ParseErrorType::ExtraToken(ref tok) => write!(
-                f,
-                "Got extraneous token: {tok}",
-                tok = TruncateAtNewline(&tok)
-            ),
-            ParseErrorType::InvalidToken => write!(f, "Got invalid token"),
-            ParseErrorType::UnrecognizedToken(ref tok, ref expected) => {
-                if let Some(expected) = expected.as_ref() {
-                    write!(
-                        f,
-                        "Expected '{expected}', but got {tok}",
-                        tok = TruncateAtNewline(&tok)
-                    )
-                } else {
-                    write!(f, "Unexpected token {tok}", tok = TruncateAtNewline(&tok))
-                }
-            }
-            ParseErrorType::Lexical(ref error) => write!(f, "{error}"),
-        }
+        write!(f, "{}", TruncateAtNewline(&self.0))
     }
 }
 

crates/ruff_linter/src/registry.rs

@@ -300,6 +300,7 @@ impl Rule {
             | Rule::SingleLineImplicitStringConcatenation
             | Rule::TabIndentation
             | Rule::TooManyBlankLines
+            | Rule::TooManyNewlinesAtEndOfFile
             | Rule::TrailingCommaOnBareTuple
             | Rule::TypeCommentInStub
             | Rule::UselessSemicolon
@@ -327,6 +328,7 @@ impl Rule {
             | Rule::NoSpaceAfterBlockComment
             | Rule::NoSpaceAfterInlineComment
             | Rule::OverIndented
+            | Rule::RedundantBackslash
             | Rule::TabAfterComma
             | Rule::TabAfterKeyword
             | Rule::TabAfterOperator

crates/ruff_linter/src/rules/flake8_annotations/rules/definition.rs

@@ -294,7 +294,7 @@ impl Violation for MissingReturnTypePrivateFunction {
 ///
 /// Note that type checkers often allow you to omit the return type annotation for
 /// `__init__` methods, as long as at least one argument has a type annotation. To
-/// opt-in to this behavior, use the `mypy-init-return` setting in your `pyproject.toml`
+/// opt in to this behavior, use the `mypy-init-return` setting in your `pyproject.toml`
 /// or `ruff.toml` file:
 ///
 /// ```toml

crates/ruff_linter/src/rules/flake8_bandit/mod.rs

@@ -48,6 +48,7 @@ mod tests {
     #[test_case(Rule::SuspiciousEvalUsage, Path::new("S307.py"))]
     #[test_case(Rule::SuspiciousMarkSafeUsage, Path::new("S308.py"))]
     #[test_case(Rule::SuspiciousURLOpenUsage, Path::new("S310.py"))]
+    #[test_case(Rule::SuspiciousNonCryptographicRandomUsage, Path::new("S311.py"))]
     #[test_case(Rule::SuspiciousTelnetUsage, Path::new("S312.py"))]
     #[test_case(Rule::SuspiciousTelnetlibImport, Path::new("S401.py"))]
     #[test_case(Rule::SuspiciousFtplibImport, Path::new("S402.py"))]
@@ -68,6 +69,7 @@ mod tests {
     #[test_case(Rule::UnixCommandWildcardInjection, Path::new("S609.py"))]
     #[test_case(Rule::UnsafeYAMLLoad, Path::new("S506.py"))]
     #[test_case(Rule::WeakCryptographicKey, Path::new("S505.py"))]
+    #[test_case(Rule::DjangoExtra, Path::new("S610.py"))]
     #[test_case(Rule::DjangoRawSql, Path::new("S611.py"))]
     #[test_case(Rule::TarfileUnsafeMembers, Path::new("S202.py"))]
     fn rules(rule_code: Rule, path: &Path) -> Result<()> {

crates/ruff_linter/src/rules/flake8_bandit/rules/django_extra.rs

@@ -0,0 +1,81 @@
+use ruff_diagnostics::{Diagnostic, Violation};
+use ruff_macros::{derive_message_formats, violation};
+use ruff_python_ast::{self as ast, Expr, ExprAttribute, ExprDict, ExprList};
+use ruff_text_size::Ranged;
+
+use crate::checkers::ast::Checker;
+
+/// ## What it does
+/// Checks for uses of Django's `extra` function.
+///
+/// ## Why is this bad?
+/// Django's `extra` function can be used to execute arbitrary SQL queries,
+/// which can in turn lead to SQL injection vulnerabilities.
+///
+/// ## Example
+/// ```python
+/// from django.contrib.auth.models import User
+///
+/// User.objects.all().extra(select={"test": "%secure" % "nos"})
+/// ```
+///
+/// ## References
+/// - [Django documentation: SQL injection protection](https://docs.djangoproject.com/en/dev/topics/security/#sql-injection-protection)
+/// - [Common Weakness Enumeration: CWE-89](https://cwe.mitre.org/data/definitions/89.html)
+#[violation]
+pub struct DjangoExtra;
+
+impl Violation for DjangoExtra {
+    #[derive_message_formats]
+    fn message(&self) -> String {
+        format!("Use of Django `extra` can lead to SQL injection vulnerabilities")
+    }
+}
+
+/// S610
+pub(crate) fn django_extra(checker: &mut Checker, call: &ast::ExprCall) {
+    let Expr::Attribute(ExprAttribute { attr, .. }) = call.func.as_ref() else {
+        return;
+    };
+
+    if attr.as_str() != "extra" {
+        return;
+    }
+
+    if is_call_insecure(call) {
+        checker
+            .diagnostics
+            .push(Diagnostic::new(DjangoExtra, call.arguments.range()));
+    }
+}
+
+fn is_call_insecure(call: &ast::ExprCall) -> bool {
+    for (argument_name, position) in [("select", 0), ("where", 1), ("tables", 3)] {
+        if let Some(argument) = call.arguments.find_argument(argument_name, position) {
+            match argument_name {
+                "select" => match argument {
+                    Expr::Dict(ExprDict { keys, values, .. }) => {
+                        if !keys.iter().flatten().all(Expr::is_string_literal_expr) {
+                            return true;
+                        }
+                        if !values.iter().all(Expr::is_string_literal_expr) {
+                            return true;
+                        }
+                    }
+                    _ => return true,
+                },
+                "where" | "tables" => match argument {
+                    Expr::List(ExprList { elts, .. }) => {
+                        if !elts.iter().all(Expr::is_string_literal_expr) {
+                            return true;
+                        }
+                    }
+                    _ => return true,
+                },
+                _ => (),
+            }
+        }
+    }
+
+    false
+}

crates/ruff_linter/src/rules/flake8_bandit/rules/hardcoded_bind_all_interfaces.rs

@@ -38,17 +38,37 @@ impl Violation for HardcodedBindAllInterfaces {
 
 /// S104
 pub(crate) fn hardcoded_bind_all_interfaces(checker: &mut Checker, string: StringLike) {
-    let is_bind_all_interface = match string {
-        StringLike::StringLiteral(ast::ExprStringLiteral { value, .. }) => value == "0.0.0.0",
-        StringLike::FStringLiteral(ast::FStringLiteralElement { value, .. }) => {
-            &**value == "0.0.0.0"
+    match string {
+        StringLike::String(ast::ExprStringLiteral { value, .. }) => {
+            if value == "0.0.0.0" {
+                checker
+                    .diagnostics
+                    .push(Diagnostic::new(HardcodedBindAllInterfaces, string.range()));
+            }
         }
-        StringLike::BytesLiteral(_) => return,
+        StringLike::FString(ast::ExprFString { value, .. }) => {
+            for part in value {
+                match part {
+                    ast::FStringPart::Literal(literal) => {
+                        if &**literal == "0.0.0.0" {
+                            checker
+                                .diagnostics
+                                .push(Diagnostic::new(HardcodedBindAllInterfaces, literal.range()));
+                        }
+                    }
+                    ast::FStringPart::FString(f_string) => {
+                        for literal in f_string.literals() {
+                            if &**literal == "0.0.0.0" {
+                                checker.diagnostics.push(Diagnostic::new(
+                                    HardcodedBindAllInterfaces,
+                                    literal.range(),
+                                ));
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        StringLike::Bytes(_) => (),
     };
-
-    if is_bind_all_interface {
-        checker
-            .diagnostics
-            .push(Diagnostic::new(HardcodedBindAllInterfaces, string.range()));
-    }
 }

crates/ruff_linter/src/rules/flake8_bandit/rules/hardcoded_tmp_directory.rs

@@ -1,5 +1,5 @@
 use ruff_python_ast::{self as ast, Expr, StringLike};
-use ruff_text_size::Ranged;
+use ruff_text_size::{Ranged, TextRange};
 
 use ruff_diagnostics::{Diagnostic, Violation};
 use ruff_macros::{derive_message_formats, violation};
@@ -53,12 +53,29 @@ impl Violation for HardcodedTempFile {
 
 /// S108
 pub(crate) fn hardcoded_tmp_directory(checker: &mut Checker, string: StringLike) {
-    let value = match string {
-        StringLike::StringLiteral(ast::ExprStringLiteral { value, .. }) => value.to_str(),
-        StringLike::FStringLiteral(ast::FStringLiteralElement { value, .. }) => value,
-        StringLike::BytesLiteral(_) => return,
-    };
+    match string {
+        StringLike::String(ast::ExprStringLiteral { value, .. }) => {
+            check(checker, value.to_str(), string.range());
+        }
+        StringLike::FString(ast::ExprFString { value, .. }) => {
+            for part in value {
+                match part {
+                    ast::FStringPart::Literal(literal) => {
+                        check(checker, literal, literal.range());
+                    }
+                    ast::FStringPart::FString(f_string) => {
+                        for literal in f_string.literals() {
+                            check(checker, literal, literal.range());
+                        }
+                    }
+                }
+            }
+        }
+        StringLike::Bytes(_) => (),
+    }
+}
 
+fn check(checker: &mut Checker, value: &str, range: TextRange) {
     if !checker
         .settings
         .flake8_bandit
@@ -85,6 +102,6 @@ pub(crate) fn hardcoded_tmp_directory(checker: &mut Checker, string: StringLike)
         HardcodedTempFile {
             string: value.to_string(),
         },
-        string.range(),
+        range,
     ));
 }

crates/ruff_linter/src/rules/flake8_bandit/rules/hashlib_insecure_hash_functions.rs

@@ -9,7 +9,8 @@ use crate::checkers::ast::Checker;
 use super::super::helpers::string_literal;
 
 /// ## What it does
-/// Checks for uses of weak or broken cryptographic hash functions.
+/// Checks for uses of weak or broken cryptographic hash functions in
+/// `hashlib` and `crypt` libraries.
 ///
 /// ## Why is this bad?
 /// Weak or broken cryptographic hash functions may be susceptible to
@@ -43,68 +44,134 @@ use super::super::helpers::string_literal;
 ///
 /// ## References
 /// - [Python documentation: `hashlib` — Secure hashes and message digests](https://docs.python.org/3/library/hashlib.html)
+/// - [Python documentation: `crypt` — Function to check Unix passwords](https://docs.python.org/3/library/crypt.html)
 /// - [Common Weakness Enumeration: CWE-327](https://cwe.mitre.org/data/definitions/327.html)
 /// - [Common Weakness Enumeration: CWE-328](https://cwe.mitre.org/data/definitions/328.html)
 /// - [Common Weakness Enumeration: CWE-916](https://cwe.mitre.org/data/definitions/916.html)
 #[violation]
 pub struct HashlibInsecureHashFunction {
+    library: String,
     string: String,
 }
 
 impl Violation for HashlibInsecureHashFunction {
     #[derive_message_formats]
     fn message(&self) -> String {
-        let HashlibInsecureHashFunction { string } = self;
-        format!("Probable use of insecure hash functions in `hashlib`: `{string}`")
+        let HashlibInsecureHashFunction { library, string } = self;
+        format!("Probable use of insecure hash functions in `{library}`: `{string}`")
     }
 }
 
 /// S324
 pub(crate) fn hashlib_insecure_hash_functions(checker: &mut Checker, call: &ast::ExprCall) {
-    if let Some(hashlib_call) = checker
+    if let Some(weak_hash_call) = checker
         .semantic()
         .resolve_qualified_name(&call.func)
         .and_then(|qualified_name| match qualified_name.segments() {
-            ["hashlib", "new"] => Some(HashlibCall::New),
-            ["hashlib", "md4"] => Some(HashlibCall::WeakHash("md4")),
-            ["hashlib", "md5"] => Some(HashlibCall::WeakHash("md5")),
-            ["hashlib", "sha"] => Some(HashlibCall::WeakHash("sha")),
-            ["hashlib", "sha1"] => Some(HashlibCall::WeakHash("sha1")),
+            ["hashlib", "new"] => Some(WeakHashCall::Hashlib {
+                call: HashlibCall::New,
+            }),
+            ["hashlib", "md4"] => Some(WeakHashCall::Hashlib {
+                call: HashlibCall::WeakHash("md4"),
+            }),
+            ["hashlib", "md5"] => Some(WeakHashCall::Hashlib {
+                call: HashlibCall::WeakHash("md5"),
+            }),
+            ["hashlib", "sha"] => Some(WeakHashCall::Hashlib {
+                call: HashlibCall::WeakHash("sha"),
+            }),
+            ["hashlib", "sha1"] => Some(WeakHashCall::Hashlib {
+                call: HashlibCall::WeakHash("sha1"),
+            }),
+            ["crypt", "crypt" | "mksalt"] => Some(WeakHashCall::Crypt),
             _ => None,
         })
     {
-        if !is_used_for_security(&call.arguments) {
-            return;
-        }
-        match hashlib_call {
-            HashlibCall::New => {
-                if let Some(name_arg) = call.arguments.find_argument("name", 0) {
-                    if let Some(hash_func_name) = string_literal(name_arg) {
-                        // `hashlib.new` accepts both lowercase and uppercase names for hash
-                        // functions.
-                        if matches!(
-                            hash_func_name,
-                            "md4" | "md5" | "sha" | "sha1" | "MD4" | "MD5" | "SHA" | "SHA1"
-                        ) {
-                            checker.diagnostics.push(Diagnostic::new(
-                                HashlibInsecureHashFunction {
-                                    string: hash_func_name.to_string(),
-                                },
-                                name_arg.range(),
-                            ));
-                        }
-                    }
-                }
+        match weak_hash_call {
+            WeakHashCall::Hashlib { call: hashlib_call } => {
+                detect_insecure_hashlib_calls(checker, call, hashlib_call);
             }
-            HashlibCall::WeakHash(func_name) => {
+            WeakHashCall::Crypt => detect_insecure_crypt_calls(checker, call),
+        }
+    }
+}
+
+fn detect_insecure_hashlib_calls(
+    checker: &mut Checker,
+    call: &ast::ExprCall,
+    hashlib_call: HashlibCall,
+) {
+    if !is_used_for_security(&call.arguments) {
+        return;
+    }
+
+    match hashlib_call {
+        HashlibCall::New => {
+            let Some(name_arg) = call.arguments.find_argument("name", 0) else {
+                return;
+            };
+            let Some(hash_func_name) = string_literal(name_arg) else {
+                return;
+            };
+
+            // `hashlib.new` accepts both lowercase and uppercase names for hash
+            // functions.
+            if matches!(
+                hash_func_name,
+                "md4" | "md5" | "sha" | "sha1" | "MD4" | "MD5" | "SHA" | "SHA1"
+            ) {
                 checker.diagnostics.push(Diagnostic::new(
                     HashlibInsecureHashFunction {
-                        string: (*func_name).to_string(),
+                        library: "hashlib".to_string(),
+                        string: hash_func_name.to_string(),
                     },
-                    call.func.range(),
+                    name_arg.range(),
                 ));
             }
         }
+        HashlibCall::WeakHash(func_name) => {
+            checker.diagnostics.push(Diagnostic::new(
+                HashlibInsecureHashFunction {
+                    library: "hashlib".to_string(),
+                    string: (*func_name).to_string(),
+                },
+                call.func.range(),
+            ));
+        }
+    }
+}
+
+fn detect_insecure_crypt_calls(checker: &mut Checker, call: &ast::ExprCall) {
+    let Some(method) = checker
+        .semantic()
+        .resolve_qualified_name(&call.func)
+        .and_then(|qualified_name| match qualified_name.segments() {
+            ["crypt", "crypt"] => Some(("salt", 1)),
+            ["crypt", "mksalt"] => Some(("method", 0)),
+            _ => None,
+        })
+        .and_then(|(argument_name, position)| {
+            call.arguments.find_argument(argument_name, position)
+        })
+    else {
+        return;
+    };
+
+    let Some(qualified_name) = checker.semantic().resolve_qualified_name(method) else {
+        return;
+    };
+
+    if matches!(
+        qualified_name.segments(),
+        ["crypt", "METHOD_CRYPT" | "METHOD_MD5" | "METHOD_BLOWFISH"]
+    ) {
+        checker.diagnostics.push(Diagnostic::new(
+            HashlibInsecureHashFunction {
+                library: "crypt".to_string(),
+                string: qualified_name.to_string(),
+            },
+            method.range(),
+        ));
     }
 }
 
@@ -114,7 +181,13 @@ fn is_used_for_security(arguments: &Arguments) -> bool {
         .map_or(true, |keyword| !is_const_false(&keyword.value))
 }
 
-#[derive(Debug)]
+#[derive(Debug, Copy, Clone)]
+enum WeakHashCall {
+    Hashlib { call: HashlibCall },
+    Crypt,
+}
+
+#[derive(Debug, Copy, Clone)]
 enum HashlibCall {
     New,
     WeakHash(&'static str),

crates/ruff_linter/src/rules/flake8_bandit/rules/logging_config_insecure_listen.rs

@@ -11,7 +11,7 @@ use crate::checkers::ast::Checker;
 ///
 /// ## Why is this bad?
 /// `logging.config.listen` starts a server that listens for logging
-/// configuration requests. This is insecure as parts of the configuration are
+/// configuration requests. This is insecure, as parts of the configuration are
 /// passed to the built-in `eval` function, which can be used to execute
 /// arbitrary code.
 ///

crates/ruff_linter/src/rules/flake8_bandit/rules/mod.rs

@@ -1,5 +1,6 @@
 pub(crate) use assert_used::*;
 pub(crate) use bad_file_permissions::*;
+pub(crate) use django_extra::*;
 pub(crate) use django_raw_sql::*;
 pub(crate) use exec_used::*;
 pub(crate) use flask_debug_true::*;
@@ -33,6 +34,7 @@ pub(crate) use weak_cryptographic_key::*;
 
 mod assert_used;
 mod bad_file_permissions;
+mod django_extra;
 mod django_raw_sql;
 mod exec_used;
 mod flask_debug_true;

crates/ruff_linter/src/rules/flake8_bandit/rules/shell_injection.rs

@@ -222,7 +222,7 @@ impl Violation for StartProcessWithNoShell {
 ///
 /// ## Why is this bad?
 /// Starting a process with a partial executable path can allow attackers to
-/// execute arbitrary executable by adjusting the `PATH` environment variable.
+/// execute an arbitrary executable by adjusting the `PATH` environment variable.
 /// Consider using a full path to the executable instead.
 ///
 /// ## Example
@@ -433,6 +433,7 @@ fn get_call_kind(func: &Expr, semantic: &SemanticModel) -> Option<CallKind> {
                     "Popen" | "call" | "check_call" | "check_output" | "run" => {
                         Some(CallKind::Subprocess)
                     }
+                    "getoutput" | "getstatusoutput" => Some(CallKind::Shell),
                     _ => None,
                 },
                 "popen2" => match submodule {

crates/ruff_linter/src/rules/flake8_bandit/rules/ssh_no_host_key_verification.rs

@@ -11,7 +11,7 @@ use crate::checkers::ast::Checker;
 /// Checks for uses of policies disabling SSH verification in Paramiko.
 ///
 /// ## Why is this bad?
-/// By default, Paramiko checks the identity of remote host when establishing
+/// By default, Paramiko checks the identity of the remote host when establishing
 /// an SSH connection. Disabling the verification might lead to the client
 /// connecting to a malicious host, without the client knowing.
 ///

crates/ruff_linter/src/rules/flake8_bandit/rules/suspicious_function_call.rs

@@ -59,7 +59,7 @@ impl Violation for SuspiciousPickleUsage {
 /// Checks for calls to `marshal` functions.
 ///
 /// ## Why is this bad?
-/// Deserializing untrusted data with `marshal` is insecure as it can allow for
+/// Deserializing untrusted data with `marshal` is insecure, as it can allow for
 /// the creation of arbitrary objects, which can then be used to achieve
 /// arbitrary code execution and otherwise unexpected behavior.
 ///
@@ -68,7 +68,7 @@ impl Violation for SuspiciousPickleUsage {
 ///
 /// If you must deserialize untrusted data with `marshal`, consider signing the
 /// data with a secret key and verifying the signature before deserializing the
-/// payload, This will prevent an attacker from injecting arbitrary objects
+/// payload. This will prevent an attacker from injecting arbitrary objects
 /// into the serialized data.
 ///
 /// ## Example
@@ -353,7 +353,7 @@ impl Violation for SuspiciousMarkSafeUsage {
 /// behavior.
 ///
 /// To mitigate this risk, audit all uses of URL open functions and ensure that
-/// only permitted schemes are used (e.g., allowing `http:` and `https:` and
+/// only permitted schemes are used (e.g., allowing `http:` and `https:`, and
 /// disallowing `file:` and `ftp:`).
 ///
 /// ## Example
@@ -395,7 +395,7 @@ impl Violation for SuspiciousURLOpenUsage {
 /// Checks for uses of cryptographically weak pseudo-random number generators.
 ///
 /// ## Why is this bad?
-/// Cryptographically weak pseudo-random number generators are insecure as they
+/// Cryptographically weak pseudo-random number generators are insecure, as they
 /// are easily predictable. This can allow an attacker to guess the generated
 /// numbers and compromise the security of the system.
 ///
@@ -867,7 +867,7 @@ pub(crate) fn suspicious_function_call(checker: &mut Checker, call: &ExprCall) {
             ["urllib", "request", "URLopener" | "FancyURLopener"] |
             ["six", "moves", "urllib", "request", "URLopener" | "FancyURLopener"] => Some(SuspiciousURLOpenUsage.into()),
             // NonCryptographicRandom
-            ["random", "random" | "randrange" | "randint" | "choice" | "choices" | "uniform" | "triangular"] => Some(SuspiciousNonCryptographicRandomUsage.into()),
+            ["random", "Random" | "random" | "randrange" | "randint" | "choice" | "choices" | "uniform" | "triangular" | "randbytes"] => Some(SuspiciousNonCryptographicRandomUsage.into()),
             // UnverifiedContext
             ["ssl", "_create_unverified_context"] => Some(SuspiciousUnverifiedContextUsage.into()),
             // XMLCElementTree

crates/ruff_linter/src/rules/flake8_bandit/rules/suspicious_imports.rs

@@ -245,7 +245,7 @@ impl Violation for SuspiciousLxmlImport {
 /// Checks for imports of the `xmlrpc` module.
 ///
 /// ## Why is this bad?
-/// XMLRPC is a particularly dangerous XML module as it is also concerned with
+/// XMLRPC is a particularly dangerous XML module, as it is also concerned with
 /// communicating data over a network. Use the `defused.xmlrpc.monkey_patch()`
 /// function to monkey-patch the `xmlrpclib` module and mitigate remote XML
 /// attacks.

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S104_S104.py.snap

@@ -42,4 +42,23 @@ S104.py:19:9: S104 Possible binding to all interfaces
 20 |     print(x)
    |
 
+S104.py:24:1: S104 Possible binding to all interfaces
+   |
+23 | # Implicit string concatenation
+24 | "0.0.0.0" f"0.0.0.0{expr}0.0.0.0"
+   | ^^^^^^^^^ S104
+   |
 
+S104.py:24:13: S104 Possible binding to all interfaces
+   |
+23 | # Implicit string concatenation
+24 | "0.0.0.0" f"0.0.0.0{expr}0.0.0.0"
+   |             ^^^^^^^ S104
+   |
+
+S104.py:24:26: S104 Possible binding to all interfaces
+   |
+23 | # Implicit string concatenation
+24 | "0.0.0.0" f"0.0.0.0{expr}0.0.0.0"
+   |                          ^^^^^^^ S104
+   |

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S108_S108.py.snap

@@ -37,4 +37,28 @@ S108.py:14:11: S108 Probable insecure usage of temporary file or directory: "/de
 15 |     f.write("def")
    |
 
+S108.py:22:11: S108 Probable insecure usage of temporary file or directory: "/tmp/abc"
+   |
+21 | # Implicit string concatenation
+22 | with open("/tmp/" "abc", "w") as f:
+   |           ^^^^^^^^^^^^^ S108
+23 |     f.write("def")
+   |
 
+S108.py:25:11: S108 Probable insecure usage of temporary file or directory: "/tmp/abc"
+   |
+23 |     f.write("def")
+24 | 
+25 | with open("/tmp/abc" f"/tmp/abc", "w") as f:
+   |           ^^^^^^^^^^ S108
+26 |     f.write("def")
+   |
+
+S108.py:25:24: S108 Probable insecure usage of temporary file or directory: "/tmp/abc"
+   |
+23 |     f.write("def")
+24 | 
+25 | with open("/tmp/abc" f"/tmp/abc", "w") as f:
+   |                        ^^^^^^^^ S108
+26 |     f.write("def")
+   |

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S108_extend.snap

@@ -45,4 +45,28 @@ S108.py:18:11: S108 Probable insecure usage of temporary file or directory: "/fo
 19 |     f.write("def")
    |
 
+S108.py:22:11: S108 Probable insecure usage of temporary file or directory: "/tmp/abc"
+   |
+21 | # Implicit string concatenation
+22 | with open("/tmp/" "abc", "w") as f:
+   |           ^^^^^^^^^^^^^ S108
+23 |     f.write("def")
+   |
 
+S108.py:25:11: S108 Probable insecure usage of temporary file or directory: "/tmp/abc"
+   |
+23 |     f.write("def")
+24 | 
+25 | with open("/tmp/abc" f"/tmp/abc", "w") as f:
+   |           ^^^^^^^^^^ S108
+26 |     f.write("def")
+   |
+
+S108.py:25:24: S108 Probable insecure usage of temporary file or directory: "/tmp/abc"
+   |
+23 |     f.write("def")
+24 | 
+25 | with open("/tmp/abc" f"/tmp/abc", "w") as f:
+   |                        ^^^^^^^^ S108
+26 |     f.write("def")
+   |

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S311_S311.py.snap

@@ -0,0 +1,90 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+---
+S311.py:10:1: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+   |
+ 9 | # Errors
+10 | random.Random()
+   | ^^^^^^^^^^^^^^^ S311
+11 | random.random()
+12 | random.randrange()
+   |
+
+S311.py:11:1: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+   |
+ 9 | # Errors
+10 | random.Random()
+11 | random.random()
+   | ^^^^^^^^^^^^^^^ S311
+12 | random.randrange()
+13 | random.randint()
+   |
+
+S311.py:12:1: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+   |
+10 | random.Random()
+11 | random.random()
+12 | random.randrange()
+   | ^^^^^^^^^^^^^^^^^^ S311
+13 | random.randint()
+14 | random.choice()
+   |
+
+S311.py:13:1: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+   |
+11 | random.random()
+12 | random.randrange()
+13 | random.randint()
+   | ^^^^^^^^^^^^^^^^ S311
+14 | random.choice()
+15 | random.choices()
+   |
+
+S311.py:14:1: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+   |
+12 | random.randrange()
+13 | random.randint()
+14 | random.choice()
+   | ^^^^^^^^^^^^^^^ S311
+15 | random.choices()
+16 | random.uniform()
+   |
+
+S311.py:15:1: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+   |
+13 | random.randint()
+14 | random.choice()
+15 | random.choices()
+   | ^^^^^^^^^^^^^^^^ S311
+16 | random.uniform()
+17 | random.triangular()
+   |
+
+S311.py:16:1: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+   |
+14 | random.choice()
+15 | random.choices()
+16 | random.uniform()
+   | ^^^^^^^^^^^^^^^^ S311
+17 | random.triangular()
+18 | random.randbytes()
+   |
+
+S311.py:17:1: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+   |
+15 | random.choices()
+16 | random.uniform()
+17 | random.triangular()
+   | ^^^^^^^^^^^^^^^^^^^ S311
+18 | random.randbytes()
+   |
+
+S311.py:18:1: S311 Standard pseudo-random generators are not suitable for cryptographic purposes
+   |
+16 | random.uniform()
+17 | random.triangular()
+18 | random.randbytes()
+   | ^^^^^^^^^^^^^^^^^^ S311
+19 | 
+20 | # Unrelated
+   |

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S324_S324.py.snap

@@ -3,131 +3,195 @@ source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
 ---
 S324.py:7:13: S324 Probable use of insecure hash functions in `hashlib`: `md5`
   |
-5 | # Invalid
-6 | 
+6 | # Errors
 7 | hashlib.new('md5')
   |             ^^^^^ S324
-8 | 
-9 | hashlib.new('md4', b'test')
+8 | hashlib.new('md4', b'test')
+9 | hashlib.new(name='md5', data=b'test')
   |
 
-S324.py:9:13: S324 Probable use of insecure hash functions in `hashlib`: `md4`
+S324.py:8:13: S324 Probable use of insecure hash functions in `hashlib`: `md4`
+   |
+ 6 | # Errors
+ 7 | hashlib.new('md5')
+ 8 | hashlib.new('md4', b'test')
+   |             ^^^^^ S324
+ 9 | hashlib.new(name='md5', data=b'test')
+10 | hashlib.new('MD4', data=b'test')
+   |
+
+S324.py:9:18: S324 Probable use of insecure hash functions in `hashlib`: `md5`
    |
  7 | hashlib.new('md5')
- 8 | 
- 9 | hashlib.new('md4', b'test')
-   |             ^^^^^ S324
-10 | 
-11 | hashlib.new(name='md5', data=b'test')
-   |
-
-S324.py:11:18: S324 Probable use of insecure hash functions in `hashlib`: `md5`
-   |
- 9 | hashlib.new('md4', b'test')
-10 | 
-11 | hashlib.new(name='md5', data=b'test')
+ 8 | hashlib.new('md4', b'test')
+ 9 | hashlib.new(name='md5', data=b'test')
    |                  ^^^^^ S324
-12 | 
-13 | hashlib.new('MD4', data=b'test')
+10 | hashlib.new('MD4', data=b'test')
+11 | hashlib.new('sha1')
    |
 
-S324.py:13:13: S324 Probable use of insecure hash functions in `hashlib`: `MD4`
+S324.py:10:13: S324 Probable use of insecure hash functions in `hashlib`: `MD4`
    |
-11 | hashlib.new(name='md5', data=b'test')
-12 | 
-13 | hashlib.new('MD4', data=b'test')
+ 8 | hashlib.new('md4', b'test')
+ 9 | hashlib.new(name='md5', data=b'test')
+10 | hashlib.new('MD4', data=b'test')
    |             ^^^^^ S324
-14 | 
-15 | hashlib.new('sha1')
+11 | hashlib.new('sha1')
+12 | hashlib.new('sha1', data=b'test')
    |
 
-S324.py:15:13: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
+S324.py:11:13: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
    |
-13 | hashlib.new('MD4', data=b'test')
-14 | 
-15 | hashlib.new('sha1')
+ 9 | hashlib.new(name='md5', data=b'test')
+10 | hashlib.new('MD4', data=b'test')
+11 | hashlib.new('sha1')
    |             ^^^^^^ S324
-16 | 
-17 | hashlib.new('sha1', data=b'test')
+12 | hashlib.new('sha1', data=b'test')
+13 | hashlib.new('sha', data=b'test')
+   |
+
+S324.py:12:13: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
+   |
+10 | hashlib.new('MD4', data=b'test')
+11 | hashlib.new('sha1')
+12 | hashlib.new('sha1', data=b'test')
+   |             ^^^^^^ S324
+13 | hashlib.new('sha', data=b'test')
+14 | hashlib.new(name='SHA', data=b'test')
+   |
+
+S324.py:13:13: S324 Probable use of insecure hash functions in `hashlib`: `sha`
+   |
+11 | hashlib.new('sha1')
+12 | hashlib.new('sha1', data=b'test')
+13 | hashlib.new('sha', data=b'test')
+   |             ^^^^^ S324
+14 | hashlib.new(name='SHA', data=b'test')
+15 | hashlib.sha(data=b'test')
+   |
+
+S324.py:14:18: S324 Probable use of insecure hash functions in `hashlib`: `SHA`
+   |
+12 | hashlib.new('sha1', data=b'test')
+13 | hashlib.new('sha', data=b'test')
+14 | hashlib.new(name='SHA', data=b'test')
+   |                  ^^^^^ S324
+15 | hashlib.sha(data=b'test')
+16 | hashlib.md5()
+   |
+
+S324.py:15:1: S324 Probable use of insecure hash functions in `hashlib`: `sha`
+   |
+13 | hashlib.new('sha', data=b'test')
+14 | hashlib.new(name='SHA', data=b'test')
+15 | hashlib.sha(data=b'test')
+   | ^^^^^^^^^^^ S324
+16 | hashlib.md5()
+17 | hashlib_new('sha1')
+   |
+
+S324.py:16:1: S324 Probable use of insecure hash functions in `hashlib`: `md5`
+   |
+14 | hashlib.new(name='SHA', data=b'test')
+15 | hashlib.sha(data=b'test')
+16 | hashlib.md5()
+   | ^^^^^^^^^^^ S324
+17 | hashlib_new('sha1')
+18 | hashlib_sha1('sha1')
    |
 
 S324.py:17:13: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
    |
-15 | hashlib.new('sha1')
-16 | 
-17 | hashlib.new('sha1', data=b'test')
+15 | hashlib.sha(data=b'test')
+16 | hashlib.md5()
+17 | hashlib_new('sha1')
    |             ^^^^^^ S324
-18 | 
-19 | hashlib.new('sha', data=b'test')
+18 | hashlib_sha1('sha1')
+19 | # usedforsecurity arg only available in Python 3.9+
    |
 
-S324.py:19:13: S324 Probable use of insecure hash functions in `hashlib`: `sha`
+S324.py:18:1: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
    |
-17 | hashlib.new('sha1', data=b'test')
-18 | 
-19 | hashlib.new('sha', data=b'test')
-   |             ^^^^^ S324
-20 | 
-21 | hashlib.new(name='SHA', data=b'test')
-   |
-
-S324.py:21:18: S324 Probable use of insecure hash functions in `hashlib`: `SHA`
-   |
-19 | hashlib.new('sha', data=b'test')
-20 | 
-21 | hashlib.new(name='SHA', data=b'test')
-   |                  ^^^^^ S324
-22 | 
-23 | hashlib.sha(data=b'test')
-   |
-
-S324.py:23:1: S324 Probable use of insecure hash functions in `hashlib`: `sha`
-   |
-21 | hashlib.new(name='SHA', data=b'test')
-22 | 
-23 | hashlib.sha(data=b'test')
-   | ^^^^^^^^^^^ S324
-24 | 
-25 | hashlib.md5()
-   |
-
-S324.py:25:1: S324 Probable use of insecure hash functions in `hashlib`: `md5`
-   |
-23 | hashlib.sha(data=b'test')
-24 | 
-25 | hashlib.md5()
-   | ^^^^^^^^^^^ S324
-26 | 
-27 | hashlib_new('sha1')
-   |
-
-S324.py:27:13: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
-   |
-25 | hashlib.md5()
-26 | 
-27 | hashlib_new('sha1')
-   |             ^^^^^^ S324
-28 | 
-29 | hashlib_sha1('sha1')
-   |
-
-S324.py:29:1: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
-   |
-27 | hashlib_new('sha1')
-28 | 
-29 | hashlib_sha1('sha1')
+16 | hashlib.md5()
+17 | hashlib_new('sha1')
+18 | hashlib_sha1('sha1')
    | ^^^^^^^^^^^^ S324
-30 | 
-31 | # usedforsecurity arg only available in Python 3.9+
+19 | # usedforsecurity arg only available in Python 3.9+
+20 | hashlib.new('sha1', usedforsecurity=True)
    |
 
-S324.py:32:13: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
+S324.py:20:13: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
    |
-31 | # usedforsecurity arg only available in Python 3.9+
-32 | hashlib.new('sha1', usedforsecurity=True)
+18 | hashlib_sha1('sha1')
+19 | # usedforsecurity arg only available in Python 3.9+
+20 | hashlib.new('sha1', usedforsecurity=True)
    |             ^^^^^^ S324
-33 | 
-34 | # Valid
+21 | 
+22 | crypt.crypt("test", salt=crypt.METHOD_CRYPT)
    |
 
+S324.py:22:26: S324 Probable use of insecure hash functions in `crypt`: `crypt.METHOD_CRYPT`
+   |
+20 | hashlib.new('sha1', usedforsecurity=True)
+21 | 
+22 | crypt.crypt("test", salt=crypt.METHOD_CRYPT)
+   |                          ^^^^^^^^^^^^^^^^^^ S324
+23 | crypt.crypt("test", salt=crypt.METHOD_MD5)
+24 | crypt.crypt("test", salt=crypt.METHOD_BLOWFISH)
+   |
 
+S324.py:23:26: S324 Probable use of insecure hash functions in `crypt`: `crypt.METHOD_MD5`
+   |
+22 | crypt.crypt("test", salt=crypt.METHOD_CRYPT)
+23 | crypt.crypt("test", salt=crypt.METHOD_MD5)
+   |                          ^^^^^^^^^^^^^^^^ S324
+24 | crypt.crypt("test", salt=crypt.METHOD_BLOWFISH)
+25 | crypt.crypt("test", crypt.METHOD_BLOWFISH)
+   |
+
+S324.py:24:26: S324 Probable use of insecure hash functions in `crypt`: `crypt.METHOD_BLOWFISH`
+   |
+22 | crypt.crypt("test", salt=crypt.METHOD_CRYPT)
+23 | crypt.crypt("test", salt=crypt.METHOD_MD5)
+24 | crypt.crypt("test", salt=crypt.METHOD_BLOWFISH)
+   |                          ^^^^^^^^^^^^^^^^^^^^^ S324
+25 | crypt.crypt("test", crypt.METHOD_BLOWFISH)
+   |
+
+S324.py:25:21: S324 Probable use of insecure hash functions in `crypt`: `crypt.METHOD_BLOWFISH`
+   |
+23 | crypt.crypt("test", salt=crypt.METHOD_MD5)
+24 | crypt.crypt("test", salt=crypt.METHOD_BLOWFISH)
+25 | crypt.crypt("test", crypt.METHOD_BLOWFISH)
+   |                     ^^^^^^^^^^^^^^^^^^^^^ S324
+26 | 
+27 | crypt.mksalt(crypt.METHOD_CRYPT)
+   |
+
+S324.py:27:14: S324 Probable use of insecure hash functions in `crypt`: `crypt.METHOD_CRYPT`
+   |
+25 | crypt.crypt("test", crypt.METHOD_BLOWFISH)
+26 | 
+27 | crypt.mksalt(crypt.METHOD_CRYPT)
+   |              ^^^^^^^^^^^^^^^^^^ S324
+28 | crypt.mksalt(crypt.METHOD_MD5)
+29 | crypt.mksalt(crypt.METHOD_BLOWFISH)
+   |
+
+S324.py:28:14: S324 Probable use of insecure hash functions in `crypt`: `crypt.METHOD_MD5`
+   |
+27 | crypt.mksalt(crypt.METHOD_CRYPT)
+28 | crypt.mksalt(crypt.METHOD_MD5)
+   |              ^^^^^^^^^^^^^^^^ S324
+29 | crypt.mksalt(crypt.METHOD_BLOWFISH)
+   |
+
+S324.py:29:14: S324 Probable use of insecure hash functions in `crypt`: `crypt.METHOD_BLOWFISH`
+   |
+27 | crypt.mksalt(crypt.METHOD_CRYPT)
+28 | crypt.mksalt(crypt.METHOD_MD5)
+29 | crypt.mksalt(crypt.METHOD_BLOWFISH)
+   |              ^^^^^^^^^^^^^^^^^^^^^ S324
+30 | 
+31 | # OK
+   |

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S605_S605.py.snap

@@ -1,147 +1,165 @@
 ---
 source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
 ---
-S605.py:7:11: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
-  |
-6 | # Check all shell functions.
-7 | os.system("true")
-  |           ^^^^^^ S605
-8 | os.popen("true")
-9 | os.popen2("true")
-  |
-
-S605.py:8:10: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+S605.py:8:11: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
    |
- 6 | # Check all shell functions.
- 7 | os.system("true")
- 8 | os.popen("true")
-   |          ^^^^^^ S605
- 9 | os.popen2("true")
-10 | os.popen3("true")
-   |
-
-S605.py:9:11: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
-   |
- 7 | os.system("true")
- 8 | os.popen("true")
- 9 | os.popen2("true")
+ 7 | # Check all shell functions.
+ 8 | os.system("true")
    |           ^^^^^^ S605
-10 | os.popen3("true")
-11 | os.popen4("true")
+ 9 | os.popen("true")
+10 | os.popen2("true")
+   |
+
+S605.py:9:10: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+   |
+ 7 | # Check all shell functions.
+ 8 | os.system("true")
+ 9 | os.popen("true")
+   |          ^^^^^^ S605
+10 | os.popen2("true")
+11 | os.popen3("true")
    |
 
 S605.py:10:11: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
    |
- 8 | os.popen("true")
- 9 | os.popen2("true")
-10 | os.popen3("true")
+ 8 | os.system("true")
+ 9 | os.popen("true")
+10 | os.popen2("true")
    |           ^^^^^^ S605
-11 | os.popen4("true")
-12 | popen2.popen2("true")
+11 | os.popen3("true")
+12 | os.popen4("true")
    |
 
 S605.py:11:11: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
    |
- 9 | os.popen2("true")
-10 | os.popen3("true")
-11 | os.popen4("true")
+ 9 | os.popen("true")
+10 | os.popen2("true")
+11 | os.popen3("true")
    |           ^^^^^^ S605
-12 | popen2.popen2("true")
-13 | popen2.popen3("true")
+12 | os.popen4("true")
+13 | popen2.popen2("true")
    |
 
-S605.py:12:15: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+S605.py:12:11: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
    |
-10 | os.popen3("true")
-11 | os.popen4("true")
-12 | popen2.popen2("true")
-   |               ^^^^^^ S605
-13 | popen2.popen3("true")
-14 | popen2.popen4("true")
+10 | os.popen2("true")
+11 | os.popen3("true")
+12 | os.popen4("true")
+   |           ^^^^^^ S605
+13 | popen2.popen2("true")
+14 | popen2.popen3("true")
    |
 
 S605.py:13:15: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
    |
-11 | os.popen4("true")
-12 | popen2.popen2("true")
-13 | popen2.popen3("true")
+11 | os.popen3("true")
+12 | os.popen4("true")
+13 | popen2.popen2("true")
    |               ^^^^^^ S605
-14 | popen2.popen4("true")
-15 | popen2.Popen3("true")
+14 | popen2.popen3("true")
+15 | popen2.popen4("true")
    |
 
 S605.py:14:15: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
    |
-12 | popen2.popen2("true")
-13 | popen2.popen3("true")
-14 | popen2.popen4("true")
+12 | os.popen4("true")
+13 | popen2.popen2("true")
+14 | popen2.popen3("true")
    |               ^^^^^^ S605
-15 | popen2.Popen3("true")
-16 | popen2.Popen4("true")
+15 | popen2.popen4("true")
+16 | popen2.Popen3("true")
    |
 
 S605.py:15:15: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
    |
-13 | popen2.popen3("true")
-14 | popen2.popen4("true")
-15 | popen2.Popen3("true")
+13 | popen2.popen2("true")
+14 | popen2.popen3("true")
+15 | popen2.popen4("true")
    |               ^^^^^^ S605
-16 | popen2.Popen4("true")
-17 | commands.getoutput("true")
+16 | popen2.Popen3("true")
+17 | popen2.Popen4("true")
    |
 
 S605.py:16:15: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
    |
-14 | popen2.popen4("true")
-15 | popen2.Popen3("true")
-16 | popen2.Popen4("true")
+14 | popen2.popen3("true")
+15 | popen2.popen4("true")
+16 | popen2.Popen3("true")
    |               ^^^^^^ S605
-17 | commands.getoutput("true")
-18 | commands.getstatusoutput("true")
+17 | popen2.Popen4("true")
+18 | commands.getoutput("true")
    |
 
-S605.py:17:20: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+S605.py:17:15: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
    |
-15 | popen2.Popen3("true")
-16 | popen2.Popen4("true")
-17 | commands.getoutput("true")
+15 | popen2.popen4("true")
+16 | popen2.Popen3("true")
+17 | popen2.Popen4("true")
+   |               ^^^^^^ S605
+18 | commands.getoutput("true")
+19 | commands.getstatusoutput("true")
+   |
+
+S605.py:18:20: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+   |
+16 | popen2.Popen3("true")
+17 | popen2.Popen4("true")
+18 | commands.getoutput("true")
    |                    ^^^^^^ S605
-18 | commands.getstatusoutput("true")
+19 | commands.getstatusoutput("true")
+20 | subprocess.getoutput("true")
    |
 
-S605.py:18:26: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+S605.py:19:26: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
    |
-16 | popen2.Popen4("true")
-17 | commands.getoutput("true")
-18 | commands.getstatusoutput("true")
+17 | popen2.Popen4("true")
+18 | commands.getoutput("true")
+19 | commands.getstatusoutput("true")
    |                          ^^^^^^ S605
+20 | subprocess.getoutput("true")
+21 | subprocess.getstatusoutput("true")
    |
 
-S605.py:23:11: S605 Starting a process with a shell, possible injection detected
+S605.py:20:22: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
    |
-21 | # Check command argument looks unsafe.
-22 | var_string = "true"
-23 | os.system(var_string)
+18 | commands.getoutput("true")
+19 | commands.getstatusoutput("true")
+20 | subprocess.getoutput("true")
+   |                      ^^^^^^ S605
+21 | subprocess.getstatusoutput("true")
+   |
+
+S605.py:21:28: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+   |
+19 | commands.getstatusoutput("true")
+20 | subprocess.getoutput("true")
+21 | subprocess.getstatusoutput("true")
+   |                            ^^^^^^ S605
+   |
+
+S605.py:26:11: S605 Starting a process with a shell, possible injection detected
+   |
+24 | # Check command argument looks unsafe.
+25 | var_string = "true"
+26 | os.system(var_string)
    |           ^^^^^^^^^^ S605
-24 | os.system([var_string])
-25 | os.system([var_string, ""])
+27 | os.system([var_string])
+28 | os.system([var_string, ""])
    |
 
-S605.py:24:11: S605 Starting a process with a shell, possible injection detected
+S605.py:27:11: S605 Starting a process with a shell, possible injection detected
    |
-22 | var_string = "true"
-23 | os.system(var_string)
-24 | os.system([var_string])
+25 | var_string = "true"
+26 | os.system(var_string)
+27 | os.system([var_string])
    |           ^^^^^^^^^^^^ S605
-25 | os.system([var_string, ""])
+28 | os.system([var_string, ""])
    |
 
-S605.py:25:11: S605 Starting a process with a shell, possible injection detected
+S605.py:28:11: S605 Starting a process with a shell, possible injection detected
    |
-23 | os.system(var_string)
-24 | os.system([var_string])
-25 | os.system([var_string, ""])
+26 | os.system(var_string)
+27 | os.system([var_string])
+28 | os.system([var_string, ""])
    |           ^^^^^^^^^^^^^^^^ S605
    |
-
-

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S610_S610.py.snap

@@ -0,0 +1,105 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+---
+S610.py:4:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
+  |
+3 | # Errors
+4 | User.objects.filter(username='admin').extra(dict(could_be='insecure'))
+  |                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610
+5 | User.objects.filter(username='admin').extra(select=dict(could_be='insecure'))
+6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'})
+  |
+
+S610.py:5:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
+  |
+3 | # Errors
+4 | User.objects.filter(username='admin').extra(dict(could_be='insecure'))
+5 | User.objects.filter(username='admin').extra(select=dict(could_be='insecure'))
+  |                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610
+6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'})
+7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')})
+  |
+
+S610.py:6:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
+  |
+4 | User.objects.filter(username='admin').extra(dict(could_be='insecure'))
+5 | User.objects.filter(username='admin').extra(select=dict(could_be='insecure'))
+6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'})
+  |                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610
+7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')})
+8 | User.objects.filter(username='admin').extra(where=['%secure' % 'nos'])
+  |
+
+S610.py:7:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
+  |
+5 | User.objects.filter(username='admin').extra(select=dict(could_be='insecure'))
+6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'})
+7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')})
+  |                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610
+8 | User.objects.filter(username='admin').extra(where=['%secure' % 'nos'])
+9 | User.objects.filter(username='admin').extra(where=['{}secure'.format('no')])
+  |
+
+S610.py:8:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
+  |
+6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'})
+7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')})
+8 | User.objects.filter(username='admin').extra(where=['%secure' % 'nos'])
+  |                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610
+9 | User.objects.filter(username='admin').extra(where=['{}secure'.format('no')])
+  |
+
+S610.py:9:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
+   |
+ 7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')})
+ 8 | User.objects.filter(username='admin').extra(where=['%secure' % 'nos'])
+ 9 | User.objects.filter(username='admin').extra(where=['{}secure'.format('no')])
+   |                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610
+10 | 
+11 | query = '"username") AS "username", * FROM "auth_user" WHERE 1=1 OR "username"=? --'
+   |
+
+S610.py:12:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
+   |
+11 | query = '"username") AS "username", * FROM "auth_user" WHERE 1=1 OR "username"=? --'
+12 | User.objects.filter(username='admin').extra(select={'test': query})
+   |                                            ^^^^^^^^^^^^^^^^^^^^^^^^ S610
+13 | 
+14 | where_var = ['1=1) OR 1=1 AND (1=1']
+   |
+
+S610.py:15:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
+   |
+14 | where_var = ['1=1) OR 1=1 AND (1=1']
+15 | User.objects.filter(username='admin').extra(where=where_var)
+   |                                            ^^^^^^^^^^^^^^^^^ S610
+16 | 
+17 | where_str = '1=1) OR 1=1 AND (1=1'
+   |
+
+S610.py:18:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
+   |
+17 | where_str = '1=1) OR 1=1 AND (1=1'
+18 | User.objects.filter(username='admin').extra(where=[where_str])
+   |                                            ^^^^^^^^^^^^^^^^^^^ S610
+19 | 
+20 | tables_var = ['django_content_type" WHERE "auth_user"."username"="admin']
+   |
+
+S610.py:21:25: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
+   |
+20 | tables_var = ['django_content_type" WHERE "auth_user"."username"="admin']
+21 | User.objects.all().extra(tables=tables_var).distinct()
+   |                         ^^^^^^^^^^^^^^^^^^^ S610
+22 | 
+23 | tables_str = 'django_content_type" WHERE "auth_user"."username"="admin'
+   |
+
+S610.py:24:25: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
+   |
+23 | tables_str = 'django_content_type" WHERE "auth_user"."username"="admin'
+24 | User.objects.all().extra(tables=[tables_str]).distinct()
+   |                         ^^^^^^^^^^^^^^^^^^^^^ S610
+25 | 
+26 | # OK
+   |

crates/ruff_linter/src/rules/flake8_bugbear/rules/function_uses_loop_variable.rs

@@ -67,7 +67,7 @@ impl<'a> Visitor<'a> for LoadedNamesVisitor<'a> {
             Expr::Name(name) => match &name.ctx {
                 ExprContext::Load => self.loaded.push(name),
                 ExprContext::Store => self.stored.push(name),
-                ExprContext::Del => {}
+                _ => {}
             },
             _ => visitor::walk_expr(self, expr),
         }

crates/ruff_linter/src/rules/flake8_builtins/rules/builtin_argument_shadowing.rs

@@ -73,7 +73,7 @@ pub(crate) fn builtin_argument_shadowing(checker: &mut Checker, parameter: &Para
             BuiltinArgumentShadowing {
                 name: parameter.name.to_string(),
             },
-            parameter.range(),
+            parameter.name.range(),
         ));
     }
 }

crates/ruff_linter/src/rules/flake8_commas/rules/trailing_commas.rs

@@ -243,7 +243,7 @@ pub(crate) fn trailing_commas(
             // F-strings are handled as `String` token type with the complete range
             // of the outermost f-string. This means that the expression inside the
             // f-string is not checked for trailing commas.
-            Tok::FStringStart => {
+            Tok::FStringStart(_) => {
                 fstrings = fstrings.saturating_add(1);
                 None
             }

crates/ruff_linter/src/rules/flake8_comprehensions/rules/unnecessary_collection_call.rs

@@ -13,7 +13,7 @@ use crate::rules::flake8_comprehensions::settings::Settings;
 /// rewritten as empty literals.
 ///
 /// ## Why is this bad?
-/// It's unnecessary to call e.g., `dict()` as opposed to using an empty
+/// It's unnecessary to call, e.g., `dict()` as opposed to using an empty
 /// literal (`{}`). The former is slower because the name `dict` must be
 /// looked up in the global scope in case it has been rebound.
 ///

crates/ruff_linter/src/rules/flake8_comprehensions/snapshots/ruff_linter__rules__flake8_comprehensions__tests__C413_C413.py.snap

@@ -205,7 +205,7 @@ C413.py:14:1: C413 [*] Unnecessary `reversed` call around `sorted()`
    14 |+sorted((i for i in range(42)), reverse=True)
 15 15 | reversed(sorted((i for i in range(42)), reverse=True))
 16 16 | 
-17 17 | 
+17 17 | # Regression test for: https://github.com/astral-sh/ruff/issues/10335
 
 C413.py:15:1: C413 [*] Unnecessary `reversed` call around `sorted()`
    |
@@ -213,6 +213,8 @@ C413.py:15:1: C413 [*] Unnecessary `reversed` call around `sorted()`
 14 | reversed(sorted(i for i in range(42)))
 15 | reversed(sorted((i for i in range(42)), reverse=True))
    | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ C413
+16 | 
+17 | # Regression test for: https://github.com/astral-sh/ruff/issues/10335
    |
    = help: Remove unnecessary `reversed` call
 
@@ -223,7 +225,38 @@ C413.py:15:1: C413 [*] Unnecessary `reversed` call around `sorted()`
 15    |-reversed(sorted((i for i in range(42)), reverse=True))
    15 |+sorted((i for i in range(42)), reverse=False)
 16 16 | 
-17 17 | 
-18 18 | def reversed(*args, **kwargs):
+17 17 | # Regression test for: https://github.com/astral-sh/ruff/issues/10335
+18 18 | reversed(sorted([1, 2, 3], reverse=False or True))
 
+C413.py:18:1: C413 [*] Unnecessary `reversed` call around `sorted()`
+   |
+17 | # Regression test for: https://github.com/astral-sh/ruff/issues/10335
+18 | reversed(sorted([1, 2, 3], reverse=False or True))
+   | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ C413
+19 | reversed(sorted([1, 2, 3], reverse=(False or True)))
+   |
+   = help: Remove unnecessary `reversed` call
 
+ℹ Unsafe fix
+15 15 | reversed(sorted((i for i in range(42)), reverse=True))
+16 16 | 
+17 17 | # Regression test for: https://github.com/astral-sh/ruff/issues/10335
+18    |-reversed(sorted([1, 2, 3], reverse=False or True))
+   18 |+sorted([1, 2, 3], reverse=not (False or True))
+19 19 | reversed(sorted([1, 2, 3], reverse=(False or True)))
+
+C413.py:19:1: C413 [*] Unnecessary `reversed` call around `sorted()`
+   |
+17 | # Regression test for: https://github.com/astral-sh/ruff/issues/10335
+18 | reversed(sorted([1, 2, 3], reverse=False or True))
+19 | reversed(sorted([1, 2, 3], reverse=(False or True)))
+   | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ C413
+   |
+   = help: Remove unnecessary `reversed` call
+
+ℹ Unsafe fix
+16 16 | 
+17 17 | # Regression test for: https://github.com/astral-sh/ruff/issues/10335
+18 18 | reversed(sorted([1, 2, 3], reverse=False or True))
+19    |-reversed(sorted([1, 2, 3], reverse=(False or True)))
+   19 |+sorted([1, 2, 3], reverse=not (False or True))