Ignore low/medium-severity bandit issues inline

Inline-disable low/medium-severity bandit issues raised by running `bandit --recursive securesystemslib --exclude _vendor`, by adding inline comments a la `"# nosec"`. This allows running bandit on future PRs without spending much effort on existing code, whose future is uncertain (see secure-systems-lab#270). Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh · Oct 20, 2022 · 5c2b1d2 · 5c2b1d2
1 parent 8bf06db
commit 5c2b1d2
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 7 deletions.
diff --git a/securesystemslib/ed25519_keys.py b/securesystemslib/ed25519_keys.py
@@ -335,7 +335,7 @@ def verify_signature(public_key, scheme, signature, data):
 
             # The pure Python implementation raises 'Exception' if 'signature' is
             # invalid.
-            except Exception:  # pylint: disable=broad-except
+            except Exception:  # pylint: disable=broad-except  # nosec
                 pass
 
     # This is a defensive check for a valid 'scheme', which should have already

diff --git a/securesystemslib/gpg/constants.py b/securesystemslib/gpg/constants.py
@@ -18,7 +18,7 @@
 import functools
 import logging
 import os
-import subprocess
+import subprocess  # nosec
 
 from securesystemslib import process
 

diff --git a/securesystemslib/gpg/util.py b/securesystemslib/gpg/util.py
@@ -235,7 +235,9 @@ def compute_keyid(pubkey_packet_data):
     if not CRYPTO:  # pragma: no cover
         raise exceptions.UnsupportedLibraryError(NO_CRYPTO_MSG)
 
-    hasher = hashing.Hash(hashing.SHA1(), backend=backends.default_backend())
+    hasher = hashing.Hash(
+        hashing.SHA1(), backend=backends.default_backend()  # nosec
+    )
     hasher.update(b"\x99")
     hasher.update(struct.pack(">H", len(pubkey_packet_data)))
     hasher.update(bytes(pubkey_packet_data))

diff --git a/securesystemslib/process.py b/securesystemslib/process.py
@@ -25,7 +25,7 @@
 import logging
 import os
 import shlex
-import subprocess
+import subprocess  # nosec
 import sys
 import tempfile
 import time
@@ -119,7 +119,7 @@ def run(cmd, check=True, timeout=_default_timeout(), **kwargs):
         )
         del kwargs["stdin"]
 
-    return subprocess.run(cmd, check=check, timeout=timeout, **kwargs)
+    return subprocess.run(cmd, check=check, timeout=timeout, **kwargs)  # nosec
 
 
 def run_duplicate_streams(cmd, timeout=_default_timeout()):
@@ -205,7 +205,7 @@ def _duplicate_streams():
                 _std["err"] += stderr_part
 
             # Start child process, writing its standard streams to temporary files
-            proc = subprocess.Popen(  # pylint: disable=consider-using-with
+            proc = subprocess.Popen(  # pylint: disable=consider-using-with  # nosec
                 cmd,
                 stdout=stdout_writer,
                 stderr=stderr_writer,

diff --git a/securesystemslib/unittest_toolbox.py b/securesystemslib/unittest_toolbox.py
@@ -131,6 +131,6 @@ def random_string(length=15):
 
         rand_str = ""
         for letter in range(length):  # pylint: disable=unused-variable
-            rand_str += random.choice("abcdefABCDEF" + string.digits)
+            rand_str += random.choice("abcdefABCDEF" + string.digits)  # nosec
 
         return rand_str