Mock part of python 3.x

[ericwb]

Now that Bandit is Python 3.5+ only, there is no need to install
the mock library. The mock library became part of base Python as
of Python 3.3. See [1]

[1] https://pypi.org/project/mock/

Signed-off-by: Eric Brown browne@vmware.com

[sigmavirus24]

Except that the mock library backports features from the latest versions of Python to older versions that won't receive those features. I'd rather not have to do nonsense to manage which features are used

[rooterkyberian]

Except that the mock library backports features from the latest versions of Python to older versions that won't receive those features. I'd rather not have to do nonsense to manage which features are used

1. CI that is already in place (

   bandit/.github/workflows/pythonpackage.yml

   Line 46 in 8eee173

   py35:

   ) will let you know if you use something that is not there - so you don't have to "do nonsense to manage which features are used"

2. you will in fact a more complicated if you stay with mock libary
   https://mock.readthedocs.io/en/latest/#python-version-compatibility
   mock version 3.0.5 is the last version supporting Python 3.5 and lower.
   so in fact, you will get different versions of mock library but instead of checking just single page as you can with unittest.mock you will have to determine which version of mock is installed on which the oldest supported python and see the corresponding version documentation on ... I don't know where even - mock is actually delegating to look at https://docs.python.org/dev/library/unittest.mock.html but I don't know how to determine which features are backported to particular mock version

3. python documentation is quite good about mentioning when something was added
   https://docs.python.org/3/library/unittest.mock.html

[sigmavirus24]

1. will let you know if you use something that is not there

Right, so I will push a change with tests that fails on CI and have to adjust to dance around something missing from unittest.mock on a version I don't personally care about. That's exactly what I want to avoid. Thank you for proving my point.

[rooterkyberian]

Right, so I will push a change with tests that fails on CI and have to adjust to dance around something missing from unittest.mock on a version I don't personally care about. That's exactly what I want to avoid. Thank you for proving my point.

no problem, but please be aware that due to second point the very same thing will happen with mock lib

[sigmavirus24]

no problem, but please be aware that due to second point the very same thing will happen with mock lib

It never has in my experience. It's excellently maintained

[rooterkyberian]

no problem, but please be aware that due to second point the very same thing will happen with mock lib

It never has in my experience. It's excellently maintained

It really seem to be, but there is no mention on it when, for a particular python version, you will or will not have a support for particular unittest.mock feature. And there is warning in the changelog that python 3.5 is supported by mock<=3.0.5 only. And now we have mock==4.0.3 being installed for Python 3.6+. Since bandit supports both 3.5 and higher, you will get discrepancies that are not directly documented.

Example:
https://docs.python.org/3/library/unittest.mock.html

Changed in version 3.8: patch.dict() now returns the patched dictionary when used as a context manager.

In under python 3.6 the mock==4.0.3 is installed and patched dict is returned.

$ docker run -i --rm python:3.6 bash << EOF
pip install mock
python << EOF2   
from mock import patch
with patch.dict({}) as d:
 print(d)
EOF2
EOF
Collecting mock
  Downloading mock-4.0.3-py3-none-any.whl (28 kB)
Installing collected packages: mock
Successfully installed mock-4.0.3
WARNING: You are using pip version 20.2.3; however, version 20.3.3 is available.
You should consider upgrading via the '/usr/local/bin/python -m pip install --upgrade pip' command.
{}

In under python 3.5 the mock==3.0.5 is installed and patched dict is NOT returned.

$ docker run -i --rm python:3.5 bash << EOF
pip install mock
python << EOF2
from mock import patch
with patch.dict({}) as d:
 print(d)
EOF2
EOF
DEPRECATION: Python 3.5 reached the end of its life on September 13th, 2020. Please upgrade your Python as Python 3.5 is no longer maintained. pip 21.0 will drop support for Python 3.5 in January 2021. pip 21.0 will remove support for this functionality.
Collecting mock
  Downloading mock-3.0.5-py2.py3-none-any.whl (25 kB)
Collecting six
  Downloading six-1.15.0-py2.py3-none-any.whl (10 kB)
Installing collected packages: six, mock
Successfully installed mock-3.0.5 six-1.15.0
WARNING: You are using pip version 20.2.3; however, version 20.3.3 is available.
You should consider upgrading via the '/usr/local/bin/python -m pip install --upgrade pip' command.
None

fun fact: some (not all) unittest.mock features are in mock==3.0.5 and some aren't. which makes it all extra confusing.

So if you original was that with mock we will get always the same set of features for all bandit supported version of python, then it is untrue.

[ericwb]

@sigmavirus24 We're now seeing pep8 failures in Bandit on new PRs due to using the 3rd party mock. We could disable the warning, but interested to hear if you've changed your mind on this one?

 tests/unit/formatters/test_yaml.py:8:1: H216: The unittest.mock module should be used rather than the third party mock package unless actually needed. If so, disable the H216 check in hacking config and ensure mock is declared in the project's requirements.

[ericwb]

I'm going to merge this in order to repair our unit tests and cut down on another dependency.