Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.7.0 to 6.9.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@5cd11c3...4f58ea7)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

The new pytorch_load_save plugin has official bandit ID of
B614, however the doc file was still named b704_pytorch_load_save.
Small rename fix so this is consistent. This also fixes the
ordering on how it is displayed on the plugins index page:
https://bandit.readthedocs.io/en/latest/plugins/index.html

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

As of October 1st, 2024, Python 3.8 becomes end-of-life. As such
Bandit should also no longer support the version.

This commit will bump minimum version of support to Python 3.9
and remove any legacy 3.8 specific code.

This is a breaking change for those still using Python 3.8 and
so the minor version will be bumped to 1.8.x for it.

Closes #1173

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

The cryptography project has added a few more cipher algorithms
to its list of insecure, out-dated, or deprecated, i.e. decrepit
symmetric algorithms.

Namely, CAST5, SEED, and TripleDES were added. As a result, Bandit
should also alert to usage of these ciphers.

https://cryptography.io/en/latest/hazmat/decrepit/

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.6.1 to 3.7.1.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@988b5a0...c47758b)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.6.0 to 3.7.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@4959ce0...dc72c7d)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

updates:
- [github.com/pre-commit/pre-commit-hooks: v4.6.0 → v5.0.0](pre-commit/pre-commit-hooks@v4.6.0...v5.0.0)
- [github.com/psf/black-pre-commit-mirror: 24.4.2 → 24.10.0](psf/black-pre-commit-mirror@24.4.2...24.10.0)
- [github.com/asottile/pyupgrade: v3.16.0 → v3.17.0](asottile/pyupgrade@v3.16.0...v3.17.0)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

Unlike python-requests, the httpx client has a default
timeout of 5 seconds on its class and functions. As such,
there is no need for Bandit to check for an undefined
timeout. However, explicitly setting the timeout to None
is still a potential problem as that would create a
situtation where the client would block forever.

Fixes: #1175

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

updates:
- [github.com/asottile/reorder-python-imports: v3.13.0 → v3.14.0](asottile/reorder-python-imports@v3.13.0...v3.14.0)
- [github.com/asottile/pyupgrade: v3.17.0 → v3.18.0](asottile/pyupgrade@v3.17.0...v3.18.0)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

Make Python 3.13 officially support

This change updates the unit testing to only use released
versions of Python 3.13. It also updates the PyPI classifier
to declare 3.13 support.

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

The PyPI warehouse supports a number of custom links to display
on the project page. Of interest to Bandit are the links to
the docs, sponsors, and discord.

https://github.com/pypi/warehouse/blob/main/warehouse/templates/packaging/detail.html

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

updates:
- [github.com/asottile/pyupgrade: v3.18.0 → v3.19.0](asottile/pyupgrade@v3.18.0...v3.19.0)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

The FLOSS/fund is running a program to invest support in critical,
impactful, and valuable open source projects.

Adding this file doesn't guarantee funding, but raises awareness
Bandit is seeking it.

The JSON has been validated using their online validation tool:
https://dir.floss.fund/validate

More info:
https://floss.fund/blog/announcing-floss-fund/

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

Sentry recently ended their sponsorship. Technically the sponsorship wasn't going specifically to the project anyway, but to a user (me). So this change updates the README to reflect this.

The tox.ini still had some test environments specifically for
testing within OpenStack. This is no longer needed. Also no
longer necessary is stestr configuration that used OpenStack
variables.

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>