add bandit, a security linter (#51)

skshetry · web-flow · commit dc8fda8a3ce8 · 2022-11-08T12:43:27.000+05:45
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -44,3 +44,9 @@ repos:
           - flake8-comprehensions==3.10.0
           - flake8-debugger==4.1.2
           - flake8-string-format==0.3.0
+  - repo: https://github.com/pycqa/bandit
+    rev: 1.7.4
+    hooks:
+      - id: bandit
+        args: [-c, pyproject.toml]
+        additional_dependencies: ["toml"]
diff --git a/pyproject.toml b/pyproject.toml
@@ -70,3 +70,7 @@ disable = ["fixme", "missing-class-docstring", "too-many-arguments", "missing-fu
 [tool.pylint.variables]
 dummy-variables-rgx = "_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_"
 ignored-argument-names = "_.*|^ignored_|^unused_|args|kwargs"
+
+[tool.bandit]
+exclude_dirs = ["tests"]
+skips = ["B101"]
diff --git a/src/iterative_telemetry/__init__.py b/src/iterative_telemetry/__init__.py
@@ -6,7 +6,7 @@
 import logging
 import os
 import platform
-import subprocess
+import subprocess  # nosec B404
 import sys
 import uuid
 from functools import lru_cache, wraps
@@ -20,7 +20,7 @@
 from filelock import FileLock, Timeout
 
 logger = logging.getLogger(__name__)
-TOKEN = "s2s.jtyjusrpsww4k9b76rrjri.bl62fbzrb7nd9n6vn5bpqt"
+TOKEN = "s2s.jtyjusrpsww4k9b76rrjri.bl62fbzrb7nd9n6vn5bpqt"  # nosec B105
 URL = (
     "https://iterative-telemetry.herokuapp.com"
     "/api/v1/s2s/event?ip_policy=strict"
@@ -168,7 +168,7 @@ def _send_daemon(self, payload):
 
         if os.name == "nt":
 
-            from subprocess import (
+            from subprocess import (  # nosec B404
                 CREATE_NEW_PROCESS_GROUP,
                 CREATE_NO_WINDOW,
                 STARTF_USESHOWWINDOW,
@@ -178,14 +178,16 @@ def _send_daemon(self, payload):
             detached_flags = CREATE_NEW_PROCESS_GROUP | CREATE_NO_WINDOW
             startupinfo = STARTUPINFO()
             startupinfo.dwFlags |= STARTF_USESHOWWINDOW
-            subprocess.Popen(  # pylint: disable=consider-using-with
+            # pylint: disable=consider-using-with
+            subprocess.Popen(  # nosec B603
                 [sys.executable, "-c", cmd],
                 creationflags=detached_flags,
                 close_fds=True,
                 startupinfo=startupinfo,
             )
         elif os.name == "posix":
-            subprocess.Popen(  # pylint: disable=consider-using-with
+            # pylint: disable=consider-using-with
+            subprocess.Popen(  # nosec B603
                 [sys.executable, "-c", cmd],
                 close_fds=True,
             )
@@ -280,7 +282,7 @@ def _generate_github_id():
     actor = os.environ.get("GITHUB_ACTOR")
     group_id = f"{server_url}/{os.path.dirname(repository)}"
     try:
-        user_id = subprocess.check_output(
+        user_id = subprocess.check_output(  # nosec B603, B607
             ["gh", "api", f"users/{actor}", "--jq", ".name, .login, .id"]
         )
     except subprocess.SubprocessError:
@@ -313,7 +315,7 @@ def _generate_bitbucket_id():
     if not group_id:
         return None
     try:
-        user_id = subprocess.check_output(
+        user_id = subprocess.check_output(  # nosec B603, B607
             ["git", "log", "-1", "--pretty=format:'%ae'"]
         )
         return group_id, user_id
