From 2d65d74069b739e2168bd307b0bae38cc075c76d Mon Sep 17 00:00:00 2001
From: anti
Date: Tue, 14 Apr 2026 17:32:18 -0400
Subject: [PATCH] chore: fix ruff lint errors, bandit suppressions, and pin pip>=26.0

Remove unused imports (ruff F401), suppress B324 false positives on spec-mandated MD5 in HASSH/JA3/JA3S fingerprinting, drop unused record_version assignment in JARM parser, and pin pip>=26.0 in dev deps to address CVE-2025-8869 and CVE-2026-1703.
---
 decnet/prober/hassh.py | 2 +-
 decnet/prober/jarm.py | 2 +-
 decnet/sniffer/fingerprint.py | 5 ++---
 decnet/sniffer/worker.py | 2 --
 pyproject.toml | 1 +
 5 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/decnet/prober/hassh.py b/decnet/prober/hassh.py
index 9068e07..de2e19e 100644
--- a/decnet/prober/hassh.py
+++ b/decnet/prober/hassh.py
@@ -208,7 +208,7 @@ def _compute_hassh(kex: str, enc: str, mac: str, comp: str) -> str:
 Returns 32-character lowercase hex digest.
 """
 raw = f"{kex};{enc};{mac};{comp}"
- return hashlib.md5(raw.encode("utf-8")).hexdigest()
+ return hashlib.md5(raw.encode("utf-8")).hexdigest() # nosec B324
 # ─── Public API ─────────────────────────────────────────────────────────────
diff --git a/decnet/prober/jarm.py b/decnet/prober/jarm.py
index ac06d83..54807e3 100644
--- a/decnet/prober/jarm.py
+++ b/decnet/prober/jarm.py
@@ -297,7 +297,7 @@ def _parse_server_hello(data: bytes) -> str:
 if data[0] != _CONTENT_HANDSHAKE:
 return "|||"
- record_version = struct.unpack_from("!H", data, 1)[0]
+ struct.unpack_from("!H", data, 1)[0] # record_version (unused)
 record_len = struct.unpack_from("!H", data, 3)[0]
 hs = data[5: 5 + record_len]
diff --git a/decnet/sniffer/fingerprint.py b/decnet/sniffer/fingerprint.py
index 487db32..756d70c 100644
--- a/decnet/sniffer/fingerprint.py
+++ b/decnet/sniffer/fingerprint.py
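Review bot: The `# nosec B324` added to the return in `_compute_hassh` silences Bandit without recording why, and the same bare suppression is repeated on the returns of `_ja3` and `_ja3s` in decnet/sniffer/fingerprint.py. Because the MD5 digest here is only a fingerprint identifier (spec-mandated, per the commit message), the call itself can say so: `return hashlib.md5(raw.encode("utf-8"), usedforsecurity=False).hexdigest()`. Bandit accepts that form for B324 without a suppression comment, and it should keep the call usable on FIPS-restricted builds; it needs Python 3.9 or later, which cannot be confirmed from the hunk. If the comment stays instead, append the reason, e.g. `# nosec B324 - MD5 required by the HASSH spec, not a security control`.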
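Review bot: In `_parse_server_hello` the new line `struct.unpack_from("!H", data, 1)[0] # record_version (unused)` still performs the unpack and discards the result, which reads like a mistake and is what a useless-expression lint rule would flag next. The `record_len` unpack at offset 3 on the following line already raises `struct.error` for any buffer too short for the discarded read, so the statement can be deleted and replaced by a comment such as `# bytes 1-2: record version, not used`. Separately, `record_len` is taken from the peer's response and `data[5: 5 + record_len]` truncates silently when the record is shorter than declared; whether later code checks `len(hs)` against `record_len` is not visible, since the function starts and ends outside this hunk.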
@@ -12,7 +12,6 @@ from __future__ import annotations
 import hashlib
 import struct
 import time
-from pathlib import Path
 from typing import Any, Callable
 from decnet.sniffer.syslog import SEVERITY_INFO, SEVERITY_WARNING, syslog_line
@@ -519,7 +518,7 @@ def _ja3(ch: dict[str, Any]) -> tuple[str, str]:
 "-".join(str(p) for p in ch["ec_point_formats"]),
 ]
 ja3_str = ",".join(parts)
- return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()
+ return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest() # nosec B324
 def _ja3s(sh: dict[str, Any]) -> tuple[str, str]:
@@ -529,7 +528,7 @@ def _ja3s(sh: dict[str, Any]) -> tuple[str, str]:
 "-".join(str(e) for e in sh["extensions"]),
 ]
 ja3s_str = ",".join(parts)
- return ja3s_str, hashlib.md5(ja3s_str.encode()).hexdigest()
+ return ja3s_str, hashlib.md5(ja3s_str.encode()).hexdigest() # nosec B324
 # ─── JA4 / JA4S ─────────────────────────────────────────────────────────────
diff --git a/decnet/sniffer/worker.py b/decnet/sniffer/worker.py
index 91fd15d..e61ec75 100644
--- a/decnet/sniffer/worker.py
+++ b/decnet/sniffer/worker.py
@@ -14,9 +14,7 @@ import asyncio
 import os
 import subprocess
 import threading
-import time
 from pathlib import Path
-from typing import Any
 from decnet.logging import get_logger
 from decnet.network import HOST_MACVLAN_IFACE
diff --git a/pyproject.toml b/pyproject.toml
index ac445d5..41c56c7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -28,6 +28,7 @@ dev = [
 "pytest>=9.0.3",
 "ruff>=0.15.10",
 "bandit>=1.9.4",
+ "pip>=26.0",
 "pip-audit>=2.10.0",
 "httpx>=0.28.1",
 "hypothesis>=6.151.14",
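Review bot: The added `"pip>=26.0"` entry in the `dev` extra is a lower bound rather than a pin, and it is only satisfied after whatever pip is already in the environment has resolved and installed the extra. If the CVEs named in the commit message affect the installing pip, the bootstrap has to upgrade first, e.g. `python -m pip install --upgrade "pip>=26.0"` before installing the dev extra, and any non-dev image or CI job that runs pip needs the same step. A comment above the entry, `# floor for CVE-2025-8869 / CVE-2026-1703; upgrade pip before installing extras`, would keep the reason next to the constraint. The `dev` list continues past the end of the hunk.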