Preserve current env vars to git clone

[pastalian]

There are several environment variables that should be kept, such as git and proxy settings.
Other git commands already keep these.
Resolves: AlmaLinux/build-system#312

[metalefty]

LGTM

[github-actions]

Code Coverage Summary

Package	Line Rate
build_node	32%
build_node.builders	24%
build_node.mock	45%
build_node.uploaders	72%
build_node.utils	56%
Summary	47% (1392 / 2977)

Linter reports

Pylint report

************* Module build_node.utils.git_utils
build_node/utils/git_utils.py:754:0: C0301: Line too long (100/80) (line-too-long)
build_node/utils/git_utils.py:846:0: C0301: Line too long (91/80) (line-too-long)
build_node/utils/git_utils.py:857:0: C0301: Line too long (90/80) (line-too-long)
build_node/utils/git_utils.py:50:8: R1725: Consider using Python 3 style super() without arguments (super-with-arguments)
build_node/utils/git_utils.py:57:4: W0231: __init__ method from base class 'GitError' is not called (super-init-not-called)
build_node/utils/git_utils.py:148:4: W0612: Unused variable 'exit_code' (unused-variable)
build_node/utils/git_utils.py:148:23: W0612: Unused variable 'stderr' (unused-variable)
build_node/utils/git_utils.py:198:8: W1203: Use lazy % formatting in logging functions (logging-fstring-interpolation)
build_node/utils/git_utils.py:200:8: W1203: Use lazy % formatting in logging functions (logging-fstring-interpolation)
build_node/utils/git_utils.py:201:8: R1724: Unnecessary "elif" after "continue", remove the leading "el" from "elif" (no-else-continue)
build_node/utils/git_utils.py:190:4: W0612: Unused variable 'exit_code' (unused-variable)
build_node/utils/git_utils.py:190:23: W0612: Unused variable 'stderr' (unused-variable)
build_node/utils/git_utils.py:281:0: R0914: Too many local variables (17/15) (too-many-locals)
build_node/utils/git_utils.py:309:22: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:315:31: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:341:8: W0707: Consider explicitly re-raising using 'raise GitError(f'cannot execute git-push in repository {repo_dir}: {e}') from e' (raise-missing-from)
build_node/utils/git_utils.py:328:15: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)
build_node/utils/git_utils.py:331:13: W0612: Unused variable 'err' (unused-variable)
build_node/utils/git_utils.py:360:32: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:371:8: W0707: Consider explicitly re-raising using 'raise GitError(f'cannot execute git-tag in repository {repo_dir}: {e}') from e' (raise-missing-from)
build_node/utils/git_utils.py:360:15: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)
build_node/utils/git_utils.py:364:13: W0612: Unused variable 'err' (unused-variable)
build_node/utils/git_utils.py:402:8: W0707: Consider explicitly re-raising using 'raise GitError(f'cannot execute git-commit in repository {repo_dir}: {e}') from e' (raise-missing-from)
build_node/utils/git_utils.py:392:15: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)
build_node/utils/git_utils.py:395:13: W0612: Unused variable 'err' (unused-variable)
build_node/utils/git_utils.py:441:25: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:444:42: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:480:13: C3001: Lambda expression assigned to a variable. Define a function using the "def" keyword instead. (unnecessary-lambda-assignment)
build_node/utils/git_utils.py:482:11: E1101: Module 'rpm' has no 'labelCompare' member (no-member)
build_node/utils/git_utils.py:510:27: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:516:8: W0707: Consider explicitly re-raising using 'raise GitError('cannot checkout {0} in the git repository {1}: {2}'.format(ref, repo_dir, str(e))) from e' (raise-missing-from)
build_node/utils/git_utils.py:516:23: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:504:15: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)
build_node/utils/git_utils.py:532:0: C0115: Missing class docstring (missing-class-docstring)
build_node/utils/git_utils.py:564:19: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:567:19: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:570:19: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:571:15: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)
build_node/utils/git_utils.py:586:36: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:586:19: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)
build_node/utils/git_utils.py:605:36: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:605:19: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)
build_node/utils/git_utils.py:651:27: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:647:19: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)
build_node/utils/git_utils.py:666:18: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:672:31: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:677:12: W0707: Consider explicitly re-raising using 'raise GitError('cannot fetch {0!r} {1!r}: {2}'.format(repository, ref, str(e))) from e' (raise-missing-from)
build_node/utils/git_utils.py:677:27: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:667:19: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)
build_node/utils/git_utils.py:680:4: R0914: Too many local variables (16/15) (too-many-locals)
build_node/utils/git_utils.py:703:19: R0916: Too many boolean expressions in if statement (10/5) (too-many-boolean-expressions)
build_node/utils/git_utils.py:680:0: W0613: Unused argument 'kwargs' (unused-argument)
build_node/utils/git_utils.py:739:0: C0115: Missing class docstring (missing-class-docstring)
build_node/utils/git_utils.py:739:0: R0205: Class 'MirroredGitRepo' inherits from object, can be safely removed from bases in python3 (useless-object-inheritance)
build_node/utils/git_utils.py:756:8: R1720: Unnecessary "elif" after "raise", remove the leading "el" from "elif" (no-else-raise)
build_node/utils/git_utils.py:762:15: W1116: Second argument of isinstance is not a type (isinstance-second-argument-not-valid-type)
build_node/utils/git_utils.py:771:12: W0707: Consider explicitly re-raising using 'raise GitCacheError('cannot create {0} directory: {1}'.format(repos_dir, str(e))) from e' (raise-missing-from)
build_node/utils/git_utils.py:771:32: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:776:12: W0707: Consider explicitly re-raising using 'raise GitCacheError('cannot create {0} directory: {1}'.format(locks_dir, str(e))) from e' (raise-missing-from)
build_node/utils/git_utils.py:776:32: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:779:51: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:781:26: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:784:40: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:798:32: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:809:28: W1202: Use lazy % formatting in logging functions (logging-format-interpolation)
build_node/utils/git_utils.py:809:28: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:814:36: W1202: Use lazy % formatting in logging functions (logging-format-interpolation)
build_node/utils/git_utils.py:814:36: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:822:36: W1202: Use lazy % formatting in logging functions (logging-format-interpolation)
build_node/utils/git_utils.py:822:36: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:832:40: W1202: Use lazy % formatting in logging functions (logging-format-interpolation)
build_node/utils/git_utils.py:832:40: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:836:20: W0707: Consider explicitly re-raising using 'raise LockError('timeout occurred') from e' (raise-missing-from)
build_node/utils/git_utils.py:837:36: W1202: Use lazy % formatting in logging functions (logging-format-interpolation)
build_node/utils/git_utils.py:837:36: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:871:28: W1202: Use lazy % formatting in logging functions (logging-format-interpolation)
build_node/utils/git_utils.py:871:28: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:880:18: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:882:32: W1202: Use lazy % formatting in logging functions (logging-format-interpolation)
build_node/utils/git_utils.py:882:32: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:873:20: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)
build_node/utils/git_utils.py:905:18: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:907:32: W1202: Use lazy % formatting in logging functions (logging-format-interpolation)
build_node/utils/git_utils.py:907:32: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:899:20: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)
build_node/utils/git_utils.py:928:18: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:929:32: W1202: Use lazy % formatting in logging functions (logging-format-interpolation)
build_node/utils/git_utils.py:929:32: C0209: Formatting a regular string which could be an f-string (consider-using-f-string)
build_node/utils/git_utils.py:921:20: R1732: Consider using 'with' for resource-allocating operations (consider-using-with)

-----------------------------------
Your code has been rated at 7.71/10

Black report

--- build_node/utils/git_utils.py	2024-06-25 17:23:46.994829+00:00
+++ build_node/utils/git_utils.py	2024-06-25 17:26:25.972970+00:00
@@ -27,17 +27,25 @@
 from build_node.errors import CommandExecutionError, LockError
 from build_node.utils.rpm_utils import string_to_version as stringToVersion
 from build_node.utils.file_utils import safe_mkdir
 from build_node.ported import to_unicode
 
-__all__ = ['git_get_commit_id', 'git_ls_remote', 'GitError', 'GitCommandError',
-           'git_merge', 'git_list_branches', 'git_init_repo', 'git_push',
-           'git_create_tag', 'git_commit']
+__all__ = [
+    'git_get_commit_id',
+    'git_ls_remote',
+    'GitError',
+    'GitCommandError',
+    'git_merge',
+    'git_list_branches',
+    'git_init_repo',
+    'git_push',
+    'git_create_tag',
+    'git_commit',
+]
 
 
 class GitError(Exception):
-
     """Git related errors base class."""
 
     def __init__(self, message):
         """
         Git error initialization.
@@ -49,11 +57,10 @@
         """
         super(GitError, self).__init__(message)
 
 
 class GitCommandError(GitError, CommandExecutionError):
-
     """Git shell command execution error."""
 
     def __init__(self, message, exit_code, stdout, stderr, command):
         """
         Git shell command execution error initialization.
@@ -69,12 +76,13 @@
         stderr : str
             Command stderr.
         command : list of str
             Executed git command.
         """
-        CommandExecutionError.__init__(self, message, exit_code, stdout,
-                                       stderr, command)
+        CommandExecutionError.__init__(
+            self, message, exit_code, stdout, stderr, command
+        )
 
     @staticmethod
     def from_common_exception(git_exception):
         """
         Make more specific exception from ProcessExecutionError.
@@ -92,12 +100,15 @@
         message = git_exception.stderr.strip()
         re_rslt = re.search(r'fatal:\s+(.*?)$', message, re.MULTILINE)
         if re_rslt:
             message = re_rslt.group(1)
         return GitCommandError(
-            message, git_exception.retcode, git_exception.stdout,
-            git_exception.stderr, git_exception.argv
+            message,
+            git_exception.retcode,
+            git_exception.stdout,
+            git_exception.stderr,
+            git_exception.argv,
         )
 
 
 def handle_git_error(fn):
     """
@@ -116,16 +127,18 @@
     Raises
     ------
     GitCommandError
         If the git command execution function failed.
     """
+
     @functools.wraps(fn)
     def wrapper(*args, **kwargs):
         try:
             return fn(*args, **kwargs)
         except ProcessExecutionError as git_exception:
             raise GitCommandError.from_common_exception(git_exception)
+
     return wrapper
 
 
 @handle_git_error
 def git_get_commit_id(repo_path, ref='HEAD'):
@@ -143,14 +156,15 @@
     -------
     str
         Git commit id.
     """
     git = plumbum.local['git']
-    exit_code, stdout, stderr = \
-        git.with_env(HISTFILE='/dev/null', LANG='C').with_cwd(
-            repo_path).run(args=('log', '--pretty=format:%H', '-n', 1, ref),
-                           retcode=None)
+    exit_code, stdout, stderr = (
+        git.with_env(HISTFILE='/dev/null', LANG='C')
+        .with_cwd(repo_path)
+        .run(args=('log', '--pretty=format:%H', '-n', 1, ref), retcode=None)
+    )
     return stdout.strip()
 
 
 @handle_git_error
 def git_ls_remote(repo_path, heads=False, tags=False):
@@ -185,12 +199,13 @@
     if heads:
         args.append('--heads')
     if tags:
         args.append('--tags')
     args.append(repo_path)
-    exit_code, stdout, stderr = \
-        git.with_env(HISTFILE='/dev/null', LANG='C')[args].run(retcode=None)
+    exit_code, stdout, stderr = git.with_env(HISTFILE='/dev/null', LANG='C')[
+        args
+    ].run(retcode=None)
     refs = []
     for line in stdout.split('\n'):
         line = line.strip()
         re_rslt = re.search(r'^([a-zA-Z0-9]{40})\s*\w+/(\w+)/(\S+)$', line)
         if not re_rslt:
@@ -223,12 +238,14 @@
     Returns
     -------
     list
         List of git references.
     """
-    return [(commit, ref) if commit_id else ref
-            for commit, ref, ref_type in git_ls_remote(repo_path, heads=True)]
+    return [
+        (commit, ref) if commit_id else ref
+        for commit, ref, ref_type in git_ls_remote(repo_path, heads=True)
+    ]
 
 
 @handle_git_error
 def git_init_repo(repo_path, bare=False):
     """
@@ -276,12 +293,19 @@
             conflict_callback(conflict_files)
             return
         raise GitCommandError.from_common_exception(error)
 
 
-def git_push(repo_dir, repository, tags=False, gerrit=False, branch=None,
-             set_upstream=False, reviewers=None):
+def git_push(
+    repo_dir,
+    repository,
+    tags=False,
+    gerrit=False,
+    branch=None,
+    set_upstream=False,
+    reviewers=None,
+):
     """
     Executes 'git push' command in local git repository.
 
     @type repo_dir:     str or unicode
     @param repo_dir:    Local git repository path.
@@ -323,25 +347,28 @@
             cmd.append(str(branch))
         else:
             cmd.append("master")
     cmd = " ".join(cmd)
     try:
-        proc = subprocess.Popen(cmd, cwd=repo_dir, shell=True,
-                                stdout=subprocess.PIPE,
-                                stderr=subprocess.STDOUT)
+        proc = subprocess.Popen(
+            cmd,
+            cwd=repo_dir,
+            shell=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+        )
         out, err = proc.communicate()
         if proc.returncode != 0 or "fatal" in out.decode('utf-8').lower():
             raise GitError(
                 f"cannot execute git-push in repository {repo_dir}: "
                 f"{out.decode('utf-8')}"
             )
         return out
     except GitError as e:
         raise e
     except Exception as e:
-        raise GitError(
-            f"cannot execute git-push in repository {repo_dir}: {e}")
+        raise GitError(f"cannot execute git-push in repository {repo_dir}: {e}")
 
 
 def git_create_tag(repo_dir, git_tag, force=False):
     """
     Executes 'git tag $git_tag' command in local git repository.
@@ -355,18 +382,22 @@
     """
     try:
         cmd = "git tag"
         if force:
             cmd += " -f"
-        proc = subprocess.Popen("{0} {1}".format(cmd, pipes.quote(git_tag)),
-                                cwd=repo_dir, shell=True,
-                                stdout=subprocess.PIPE,
-                                stderr=subprocess.STDOUT)
+        proc = subprocess.Popen(
+            "{0} {1}".format(cmd, pipes.quote(git_tag)),
+            cwd=repo_dir,
+            shell=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+        )
         out, err = proc.communicate()
         if proc.returncode != 0:
             raise GitError(
-                f"cannot execute git-tag in repository {repo_dir}: {out}")
+                f"cannot execute git-tag in repository {repo_dir}: {out}"
+            )
     except GitError as e:
         raise e
     except Exception as e:
         raise GitError(f"cannot execute git-tag in repository {repo_dir}: {e}")
 
@@ -387,22 +418,28 @@
     else:
         cmd = "git commit -m %s"
     if signoff:
         cmd += " --signoff"
     try:
-        proc = subprocess.Popen(cmd % pipes.quote(message), cwd=repo_dir,
-                                shell=True, stdout=subprocess.PIPE,
-                                stderr=subprocess.STDOUT)
+        proc = subprocess.Popen(
+            cmd % pipes.quote(message),
+            cwd=repo_dir,
+            shell=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+        )
         out, err = proc.communicate()
         if proc.returncode != 0:
             raise GitError(
-                f"cannot execute git-commit in repository {repo_dir}: {out}")
+                f"cannot execute git-commit in repository {repo_dir}: {out}"
+            )
     except GitError as e:
         raise e
     except Exception as e:
         raise GitError(
-            f"cannot execute git-commit in repository {repo_dir}: {e}")
+            f"cannot execute git-commit in repository {repo_dir}: {e}"
+        )
 
 
 def list_git_tags(uri, commit_id=False):
     """
     Returns list of git repository (raw, not parsed) tags. Note: tags are
@@ -417,12 +454,14 @@
     @rtype:             list
     @return:            List of git repository (raw, not parsed) tags.
 
     @raise AltGitError: When command execution failed.
     """
-    return [(commit, ref) if commit_id else ref
-            for commit, ref, ref_type in git_ls_remote(uri, tags=True)]
+    return [
+        (commit, ref) if commit_id else ref
+        for commit, ref, ref_type in git_ls_remote(uri, tags=True)
+    ]
 
 
 def parse_cl_git_tag(tag):
     """
     Cloud Linux git tags ([name@][epoch+]version[-release][^modifier]) parsing
@@ -433,15 +472,17 @@
 
     @rtype:     dict
     @return:    Dictionary that contains parsed git tag information (only
         version field is mandatory).
     """
-    re_rslt = re.search(r"^((?P<name>[^@]+)@|)((?P<epoch>\d+)\+|)(?P<vr>.*?)"
-                        r"(\^(?P<modifier>[\w\.-]+)|)$", tag)
+    re_rslt = re.search(
+        r"^((?P<name>[^@]+)@|)((?P<epoch>\d+)\+|)(?P<vr>.*?)"
+        r"(\^(?P<modifier>[\w\.-]+)|)$",
+        tag,
+    )
     if not re_rslt:
-        raise ValueError("invalid Cloud Linux git tag ({0}) format".
-                         format(tag))
+        raise ValueError("invalid Cloud Linux git tag ({0}) format".format(tag))
     t = {}
     _, version, release = stringToVersion("0:{0}".format(re_rslt.group("vr")))
     t["version"] = to_unicode(version)
     if release is not None:
         t["release"] = to_unicode(release)
@@ -475,15 +516,16 @@
         tag2 = tag2.as_dict()
     elif not isinstance(tag2, dict):
         tag2 = parse_cl_git_tag(tag2)
     epoch1 = str(tag1.get("epoch")) if tag1.get("epoch") is not None else "0"
     epoch2 = str(tag2.get("epoch")) if tag2.get("epoch") is not None else "0"
-    get_vr = lambda tag, key: tag.get(key, "") if tag.get(key) is not None \
-        else ""
+    get_vr = lambda tag, key: (
+        tag.get(key, "") if tag.get(key) is not None else ""
+    )
     return rpm.labelCompare(
         (epoch1, get_vr(tag1, "version"), get_vr(tag1, "release")),
-        (epoch2, get_vr(tag2, "version"), get_vr(tag2, "release"))
+        (epoch2, get_vr(tag2, "version"), get_vr(tag2, "release")),
     )
 
 
 def git_checkout(repo_dir, ref, options=None):
     """
@@ -499,34 +541,51 @@
     try:
         cmd = ["git", "checkout"]
         if isinstance(options, (list, tuple)):
             cmd.extend(options)
         cmd.append(ref)
-        proc = subprocess.Popen(cmd, cwd=repo_dir, shell=False,
-                                stdout=subprocess.PIPE,
-                                stderr=subprocess.STDOUT)
+        proc = subprocess.Popen(
+            cmd,
+            cwd=repo_dir,
+            shell=False,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+        )
         out, _ = proc.communicate()
         status = proc.returncode
         if status != 0:
-            raise GitError("cannot checkout {0} in the git repository {1}"
-                           " ({2} return code): {3}".format(ref, repo_dir,
-                                                            status, out))
+            raise GitError(
+                "cannot checkout {0} in the git repository {1}"
+                " ({2} return code): {3}".format(ref, repo_dir, status, out)
+            )
     except GitError as e:
         raise e
     except Exception as e:
-        raise GitError("cannot checkout {0} in the git repository {1}: "
-                       "{2}".format(ref, repo_dir, str(e)))
-
-
-class AltGitTag(collections.namedtuple("AltGitTag",
-                                       ["tag", "name", "epoch", "version",
-                                        "release", "modifier", "commit"])):
+        raise GitError(
+            "cannot checkout {0} in the git repository {1}: "
+            "{2}".format(ref, repo_dir, str(e))
+        )
+
+
+class AltGitTag(
+    collections.namedtuple(
+        "AltGitTag",
+        ["tag", "name", "epoch", "version", "release", "modifier", "commit"],
+    )
+):
 
     def as_dict(self):
         d = {}
-        for f in ("tag", "name", "epoch", "version", "release", "modifier",
-                  "commit"):
+        for f in (
+            "tag",
+            "name",
+            "epoch",
+            "version",
+            "release",
+            "modifier",
+            "commit",
+        ):
             d[f] = getattr(self, f)
         return d
 
 
 class WrappedGitRepo:
@@ -536,12 +595,18 @@
         @type repo_dir:  str or unicode
         @param repo_dir: Local git repository directory.
         """
         self.__repo_dir = repo_dir
 
-    def archive(self, ref, archive_path, archive_format="tar.bz2", prefix=None,
-                exclude=None):
+    def archive(
+        self,
+        ref,
+        archive_path,
+        archive_format="tar.bz2",
+        prefix=None,
+        exclude=None,
+    ):
         """
         git archive command wrapper.
 
         @type ref:             str or unicode
         @param ref:            Git reference to archive.
@@ -559,20 +624,25 @@
         """
         cmd = "git archive "
         if archive_format == "tar.bz2":
             cmd += "--format=tar "
         else:
-            cmd += "--format={0} --output={1} ".format(archive_format,
-                                                       archive_path)
+            cmd += "--format={0} --output={1} ".format(
+                archive_format, archive_path
+            )
         if prefix:
             cmd += "--prefix={0} ".format(prefix)
         cmd += ref
         if archive_format == "tar.bz2":
             cmd += " | bzip2 > {0}".format(archive_path)
-        proc = subprocess.Popen(cmd, cwd=self.__repo_dir, shell=True,
-                                stdout=subprocess.PIPE,
-                                stderr=subprocess.STDOUT)
+        proc = subprocess.Popen(
+            cmd,
+            cwd=self.__repo_dir,
+            shell=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+        )
         out, _ = proc.communicate()
         if exclude:
             self.remove_from_tarball(archive_path, exclude)
         if proc.returncode != 0:
             raise GitError(f"cannot execute git archive command: {out}")
@@ -581,33 +651,40 @@
         working_dir = None
         try:
             working_dir = tempfile.mkdtemp(prefix='alt_git_', dir=tmp_dir)
             sources_dir = os.path.join(working_dir, 'sources')
             os.makedirs(sources_dir)
-            proc = subprocess.Popen('tar -xjpf {0}'.format(archive_path),
-                                    cwd=sources_dir, shell=True,
-                                    stdout=subprocess.PIPE,
-                                    stderr=subprocess.STDOUT)
+            proc = subprocess.Popen(
+                'tar -xjpf {0}'.format(archive_path),
+                cwd=sources_dir,
+                shell=True,
+                stdout=subprocess.PIPE,
+                stderr=subprocess.STDOUT,
+            )
             out, _ = proc.communicate()
             if proc.returncode != 0:
                 raise GitError(
-                    f'cannot unpack {archive_path} git archive: {out}')
+                    f'cannot unpack {archive_path} git archive: {out}'
+                )
             for excluded in exclude:
                 for sub_dir in os.listdir(sources_dir):
-                    excluded_path = os.path.join(sources_dir, sub_dir,
-                                                 excluded)
+                    excluded_path = os.path.join(sources_dir, sub_dir, excluded)
                     if os.path.exists(excluded_path):
                         if os.path.isfile(excluded_path):
                             os.unlink(excluded_path)
                         else:
                             shutil.rmtree(excluded_path)
-            new_archive_path = os.path.join(working_dir,
-                                            os.path.basename(archive_path))
-            proc = subprocess.Popen('tar -cjpf {0} .'.format(new_archive_path),
-                                    cwd=sources_dir, shell=True,
-                                    stdout=subprocess.PIPE,
-                                    stderr=subprocess.STDOUT)
+            new_archive_path = os.path.join(
+                working_dir, os.path.basename(archive_path)
+            )
+            proc = subprocess.Popen(
+                'tar -cjpf {0} .'.format(new_archive_path),
+                cwd=sources_dir,
+                shell=True,
+                stdout=subprocess.PIPE,
+                stderr=subprocess.STDOUT,
+            )
             out, _ = proc.communicate()
             if proc.returncode != 0:
                 raise GitError(
                     f'cannot create {new_archive_path} git archive: {out}'
                 )
@@ -642,18 +719,24 @@
         @raise AltGitError: If something went wrong.
         """
         cmd = ["git", "clone", repo_url, repo_dir]
         if mirror:
             cmd.insert(2, "--mirror")
-        git_proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
-                                    stderr=subprocess.STDOUT)
+        git_proc = subprocess.Popen(
+            cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT
+        )
         stdout, _ = git_proc.communicate()
         if git_proc.returncode != 0:
-            raise GitError("cannot clone {0} git repository to {1} "
-                           "directory: return code {2}, git output: {3}".
-                           format(repo_url, repo_dir, git_proc.returncode,
-                                  stdout.decode('utf-8')))
+            raise GitError(
+                "cannot clone {0} git repository to {1} "
+                "directory: return code {2}, git output: {3}".format(
+                    repo_url,
+                    repo_dir,
+                    git_proc.returncode,
+                    stdout.decode('utf-8'),
+                )
+            )
 
     def fetch(self, repository, ref):
         """
         Executes git-fetch command in repository directory.
 
@@ -662,25 +745,40 @@
         @type ref:         str
         @param ref:        Git reference to fetch.
         """
         try:
             cmd = "git fetch {0} {1}".format(repository, ref)
-            proc = subprocess.Popen(cmd, cwd=self.__repo_dir, shell=True,
-                                    stdout=subprocess.PIPE,
-                                    stderr=subprocess.STDOUT)
+            proc = subprocess.Popen(
+                cmd,
+                cwd=self.__repo_dir,
+                shell=True,
+                stdout=subprocess.PIPE,
+                stderr=subprocess.STDOUT,
+            )
             out, _ = proc.communicate()
             if proc.returncode != 0:
-                raise GitError("cannot fetch {0!r} {1!r}: {2}".format(
-                    repository, ref, out))
+                raise GitError(
+                    "cannot fetch {0!r} {1!r}: {2}".format(repository, ref, out)
+                )
         except GitError as e:
             raise e
         except Exception as e:
-            raise GitError("cannot fetch {0!r} {1!r}: {2}".format(
-                repository, ref, str(e)))
-
-    def list_tags(self, tag=None, name=None, version=None, release=None,
-                  epoch=None, modifier=None, tag_regex=None, **kwargs):
+            raise GitError(
+                "cannot fetch {0!r} {1!r}: {2}".format(repository, ref, str(e))
+            )
+
+    def list_tags(
+        self,
+        tag=None,
+        name=None,
+        version=None,
+        release=None,
+        epoch=None,
+        modifier=None,
+        tag_regex=None,
+        **kwargs,
+    ):
         """
         @rtype:  list
         @return: List that contains AltGitTag object for each matched git
             repository tag.
         """
@@ -698,27 +796,37 @@
             raw_tags = [(c, t) for c, t in raw_tags if tag_regex.search(t)]
         parsed_tags = []
         for commit, raw_tag in raw_tags:
             try:
                 parsed_tag = parse_cl_git_tag(raw_tag)
-                if (epoch is not None and parsed_tag.get("epoch") != epoch) or \
-                        (version and parsed_tag.get("version") != version) or \
-                        (release and parsed_tag.get("release") != release) or \
-                        (name and parsed_tag.get("name") != name) or \
-                        (modifier and parsed_tag.get("modifier") != modifier):
+                if (
+                    (epoch is not None and parsed_tag.get("epoch") != epoch)
+                    or (version and parsed_tag.get("version") != version)
+                    or (release and parsed_tag.get("release") != release)
+                    or (name and parsed_tag.get("name") != name)
+                    or (modifier and parsed_tag.get("modifier") != modifier)
+                ):
                     continue
-                args = [parsed_tag.get(f) for f in ("name", "epoch", "version",
-                                                    "release", "modifier")]
+                args = [
+                    parsed_tag.get(f)
+                    for f in ("name", "epoch", "version", "release", "modifier")
+                ]
                 args.append(commit)
                 parsed_tags.append(AltGitTag(raw_tag, *args))
             except ValueError:
                 # NOTE: this is ugly hack for existent CL repositories with
                 #       bad tags
-                if name is None and version is None and release is None and \
-                        epoch is None and modifier is None:
-                    parsed_tags.append(AltGitTag(raw_tag, None, None, None,
-                                                 None, None, commit))
+                if (
+                    name is None
+                    and version is None
+                    and release is None
+                    and epoch is None
+                    and modifier is None
+                ):
+                    parsed_tags.append(
+                        AltGitTag(raw_tag, None, None, None, None, None, commit)
+                    )
         parsed_tags.sort(cmp_cl_git_tags, reverse=True)
         return parsed_tags
 
     @property
     def repo_dir(self):
@@ -736,12 +844,19 @@
     pass
 
 
 class MirroredGitRepo(object):
 
-    def __init__(self, repo_url, repos_dir, locks_dir, timeout=60,
-                 git_command_extras=None, logger=None):
+    def __init__(
+        self,
+        repo_url,
+        repos_dir,
+        locks_dir,
+        timeout=60,
+        git_command_extras=None,
+        logger=None,
+    ):
         """
         @type repo_url:   str or unicode
         @param repo_url:  Git repository URL.
         @type repos_dir:  str or unicode
         @param repos_dir: Directory where git repositories cache is located.
@@ -760,30 +875,35 @@
         else:
             self.__repo_url = repo_url
         if not isinstance(timeout, (int, None)):
             raise ValueError("timeout must be instance of int or None")
         self.__timeout = timeout
-        self.__logger = (logger if logger
-                         else logging.getLogger("alt_stubs_kcare_build"))
+        self.__logger = (
+            logger if logger else logging.getLogger("alt_stubs_kcare_build")
+        )
         self.__repo_hash = hashlib.sha256(repo_url.encode('utf-8')).hexdigest()
         try:
             safe_mkdir(repos_dir)
         except Exception as e:
-            raise GitCacheError("cannot create {0} directory: {1}".
-                                format(repos_dir, str(e)))
+            raise GitCacheError(
+                "cannot create {0} directory: {1}".format(repos_dir, str(e))
+            )
         try:
             safe_mkdir(locks_dir)
         except Exception as e:
-            raise GitCacheError("cannot create {0} directory: {1}".
-                                format(locks_dir, str(e)))
+            raise GitCacheError(
+                "cannot create {0} directory: {1}".format(locks_dir, str(e))
+            )
         self.__base_dir = repos_dir
-        self.__lock_file = os.path.join(locks_dir, "{0}.lock".
-                                        format(self.__repo_hash))
+        self.__lock_file = os.path.join(
+            locks_dir, "{0}.lock".format(self.__repo_hash)
+        )
         self.__repo_str = "{0} ({1})".format(repo_url, self.__repo_hash)
         self.__repo_dir = os.path.join(repos_dir, self.__repo_hash)
-        self.__lock_file = os.path.join(locks_dir,
-                                        "{0}.lock".format(self.__repo_hash))
+        self.__lock_file = os.path.join(
+            locks_dir, "{0}.lock".format(self.__repo_hash)
+        )
         self.__fd = None
 
         self.__git_command_extras = git_command_extras
 
     def clone_to(self, target_dir, branch=None):
@@ -793,59 +913,73 @@
         @type target_dir:  str or unicode
         @param target_dir: Directory where you want to clone cached git
             repository.
         """
         if not self.__fd:
-            raise GitCacheError("{0} git repository cache is not "
-                                "initialized yet".format(self.__repo_str))
+            raise GitCacheError(
+                "{0} git repository cache is not "
+                "initialized yet".format(self.__repo_str)
+            )
         self.__clone_repo(self.__repo_dir, target_dir, branch=branch)
         return WrappedGitRepo(target_dir)
 
     def __enter__(self):
         self.__fd = open(self.__lock_file, "w")
         start_time = time.time()
         lock_flags = fcntl.LOCK_EX
         if self.__timeout is not None:
             lock_flags = lock_flags | fcntl.LOCK_NB
-        self.__logger.debug("obtaining exclusive lock for {0} git repository".
-                            format(self.__repo_str))
+        self.__logger.debug(
+            "obtaining exclusive lock for {0} git repository".format(
+                self.__repo_str
+            )
+        )
         while True:
             try:
                 fcntl.flock(self.__fd, lock_flags)
-                self.__logger.debug("{0} git repository lock has been "
-                                    "successfully obtained: fetching changes "
-                                    "now".format(self.__repo_str))
+                self.__logger.debug(
+                    "{0} git repository lock has been "
+                    "successfully obtained: fetching changes "
+                    "now".format(self.__repo_str)
+                )
                 if os.path.exists(self.__repo_dir):
                     self.__update_repo()
                 else:
-                    self.__clone_repo(self.__repo_url, self.__repo_dir,
-                                      mirror=True)
-                self.__logger.debug("changing {0} git repository lock from "
-                                    "exclusive to shared".
-                                    format(self.__repo_str))
+                    self.__clone_repo(
+                        self.__repo_url, self.__repo_dir, mirror=True
+                    )
+                self.__logger.debug(
+                    "changing {0} git repository lock from "
+                    "exclusive to shared".format(self.__repo_str)
+                )
                 fcntl.flock(self.__fd, fcntl.LOCK_SH)
                 break
             except (IOError, BlockingIOError) as e:
                 if e.errno != errno.EAGAIN or self.__timeout is None:
                     self.__finalize()
                     raise e
                 if (time.time() - start_time) >= self.__timeout:
-                    self.__logger.error("cannot obtain {0} git repository "
-                                        "lock: timeout occurred ".
-                                        format(self.__repo_str))
+                    self.__logger.error(
+                        "cannot obtain {0} git repository "
+                        "lock: timeout occurred ".format(self.__repo_str)
+                    )
                     self.__finalize()
                     raise LockError("timeout occurred")
-                self.__logger.debug("{0} repository is already locked by "
-                                    "another process: will retry after 1 "
-                                    "second".format(self.__repo_str))
+                self.__logger.debug(
+                    "{0} repository is already locked by "
+                    "another process: will retry after 1 "
+                    "second".format(self.__repo_str)
+                )
                 time.sleep(1)
             except Exception as e:
                 self.__finalize()
                 raise e
         return self
 
-    def __clone_repo(self, repo_url, target_dir, mirror=False, branch=None, git_opts=None):
+    def __clone_repo(
+        self, repo_url, target_dir, mirror=False, branch=None, git_opts=None
+    ):
         """
         Clones git repository to the specified directory.
 
         @type repo_url:       str or unicode
         @param repo_url:      Git repository URL.
@@ -860,29 +994,33 @@
         """
         cmd = ["git", "clone"]
         env = dict(os.environ, GIT_TERMINAL_PROMPT='0')
 
         if self.__git_command_extras is not None:
-            cmd.extend( self.__git_command_extras )
+            cmd.extend(self.__git_command_extras)
         if git_opts is not None:
-            cmd.extend( git_opts )
+            cmd.extend(git_opts)
         if mirror:
             cmd.append("--mirror")
         cmd.extend((repo_url, target_dir))
-        self.__logger.debug("__clone_repo: environment variables {0}".
-                            format(env))
-        git_clone = subprocess.Popen(cmd, cwd=self.__base_dir,
-                                     stdout=subprocess.PIPE,
-                                     stderr=subprocess.STDOUT,
-                                     env=env)
+        self.__logger.debug(
+            "__clone_repo: environment variables {0}".format(env)
+        )
+        git_clone = subprocess.Popen(
+            cmd,
+            cwd=self.__base_dir,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+            env=env,
+        )
         stdout, _ = git_clone.communicate()
         status = git_clone.returncode
         if status != 0:
-            msg = "cloning failed ({0} return code): {1}".format(
-                status, stdout)
-            self.__logger.error("{0} git repository {1}".format(
-                repo_url, stdout))
+            msg = "cloning failed ({0} return code): {1}".format(status, stdout)
+            self.__logger.error(
+                "{0} git repository {1}".format(repo_url, stdout)
+            )
             raise GitCacheError(msg)
         if branch:
             self.__checkout_branch(target_dir, branch)
 
     def __checkout_branch(self, repo_dir, branch):
@@ -894,20 +1032,22 @@
         @type branch:         str or unicode
         @param branch:        branch for checkout
         @raise GitCacheError: If git-clone execution failed.
         """
         cmd = ["git", "checkout", branch]
-        git_clone = subprocess.Popen(cmd, cwd=repo_dir,
-                                     stdout=subprocess.PIPE,
-                                     stderr=subprocess.STDOUT)
+        git_clone = subprocess.Popen(
+            cmd, cwd=repo_dir, stdout=subprocess.PIPE, stderr=subprocess.STDOUT
+        )
         stdout, _ = git_clone.communicate()
         status = git_clone.returncode
         if status != 0:
             msg = "checkout failed ({0} return code): {1}".format(
-                status, stdout)
-            self.__logger.error("{0} git repository {1}".
-                                format(repo_dir, stdout))
+                status, stdout
+            )
+            self.__logger.error(
+                "{0} git repository {1}".format(repo_dir, stdout)
+            )
             raise GitCacheError(msg)
 
     def __update_repo(self):
         """
         Updates cached git repository using git-fetch --prune command.
@@ -916,20 +1056,23 @@
         """
 
         # Unlike __clone_repo(), no need to adjust environment variable
         # because env var is not passed to Popen(). Popen inherits os.environ
         # if env is not specified.
-        git_fetch = subprocess.Popen(["git", "fetch", "--prune"],
-                                     cwd=self.__repo_dir,
-                                     stdout=subprocess.PIPE,
-                                     stderr=subprocess.STDOUT)
+        git_fetch = subprocess.Popen(
+            ["git", "fetch", "--prune"],
+            cwd=self.__repo_dir,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+        )
         stdout, _ = git_fetch.communicate()
         status = git_fetch.returncode
         if status != 0:
             msg = "update failed ({0} return code): {1}".format(status, stdout)
-            self.__logger.error("{0} git repository {1}".
-                                format(self.__repo_str, msg))
+            self.__logger.error(
+                "{0} git repository {1}".format(self.__repo_str, msg)
+            )
             raise GitCacheError(msg)
 
     def __finalize(self):
         """
         Removes lock and closes lock file descriptor if opened.

Isort report

--- /build-node/build_node/utils/git_utils.py:before	2024-06-25 17:23:46.994829
+++ /build-node/build_node/utils/git_utils.py:after	2024-06-25 17:26:26.537746
@@ -6,28 +6,28 @@
 CloudLinux Build System git wrapper.
 """
 
+import collections
+import errno
+import fcntl
 import functools
-import fcntl
-import errno
+import hashlib
+import logging
+import os
 import pipes
+import re
+import shutil
 import subprocess
-import collections
 import tempfile
-import shutil
-import logging
-import hashlib
-import re
-import os
 import time
 
+import plumbum
 import rpm
-import plumbum
 from plumbum.commands.processes import ProcessExecutionError
 
 from build_node.errors import CommandExecutionError, LockError
+from build_node.ported import to_unicode
+from build_node.utils.file_utils import safe_mkdir
 from build_node.utils.rpm_utils import string_to_version as stringToVersion
-from build_node.utils.file_utils import safe_mkdir
-from build_node.ported import to_unicode
 
 __all__ = ['git_get_commit_id', 'git_ls_remote', 'GitError', 'GitCommandError',
            'git_merge', 'git_list_branches', 'git_init_repo', 'git_push',

Bandit report

Run started:2024-06-25 17:26:27.269693

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./build_node/utils/git_utils.py:13:0
12	import pipes
13	import subprocess
14	import collections

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:328:15
327	    try:
328	        proc = subprocess.Popen(cmd, cwd=repo_dir, shell=True,
329	                                stdout=subprocess.PIPE,
330	                                stderr=subprocess.STDOUT)
331	        out, err = proc.communicate()

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:361:15
360	        proc = subprocess.Popen("{0} {1}".format(cmd, pipes.quote(git_tag)),
361	                                cwd=repo_dir, shell=True,
362	                                stdout=subprocess.PIPE,
363	                                stderr=subprocess.STDOUT)
364	        out, err = proc.communicate()
365	        if proc.returncode != 0:

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:393:15
392	        proc = subprocess.Popen(cmd % pipes.quote(message), cwd=repo_dir,
393	                                shell=True, stdout=subprocess.PIPE,
394	                                stderr=subprocess.STDOUT)
395	        out, err = proc.communicate()
396	        if proc.returncode != 0:

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:504:15
503	        cmd.append(ref)
504	        proc = subprocess.Popen(cmd, cwd=repo_dir, shell=False,
505	                                stdout=subprocess.PIPE,
506	                                stderr=subprocess.STDOUT)
507	        out, _ = proc.communicate()

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:571:15
570	            cmd += " | bzip2 > {0}".format(archive_path)
571	        proc = subprocess.Popen(cmd, cwd=self.__repo_dir, shell=True,
572	                                stdout=subprocess.PIPE,
573	                                stderr=subprocess.STDOUT)
574	        out, _ = proc.communicate()

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:587:19
586	            proc = subprocess.Popen('tar -xjpf {0}'.format(archive_path),
587	                                    cwd=sources_dir, shell=True,
588	                                    stdout=subprocess.PIPE,
589	                                    stderr=subprocess.STDOUT)
590	            out, _ = proc.communicate()
591	            if proc.returncode != 0:

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:606:19
605	            proc = subprocess.Popen('tar -cjpf {0} .'.format(new_archive_path),
606	                                    cwd=sources_dir, shell=True,
607	                                    stdout=subprocess.PIPE,
608	                                    stderr=subprocess.STDOUT)
609	            out, _ = proc.communicate()
610	            if proc.returncode != 0:

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:647:19
646	            cmd.insert(2, "--mirror")
647	        git_proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
648	                                    stderr=subprocess.STDOUT)
649	        stdout, _ = git_proc.communicate()

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:667:19
666	            cmd = "git fetch {0} {1}".format(repository, ref)
667	            proc = subprocess.Popen(cmd, cwd=self.__repo_dir, shell=True,
668	                                    stdout=subprocess.PIPE,
669	                                    stderr=subprocess.STDOUT)
670	            out, _ = proc.communicate()

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:873:20
872	                            format(env))
873	        git_clone = subprocess.Popen(cmd, cwd=self.__base_dir,
874	                                     stdout=subprocess.PIPE,
875	                                     stderr=subprocess.STDOUT,
876	                                     env=env)
877	        stdout, _ = git_clone.communicate()

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:899:20
898	        cmd = ["git", "checkout", branch]
899	        git_clone = subprocess.Popen(cmd, cwd=repo_dir,
900	                                     stdout=subprocess.PIPE,
901	                                     stderr=subprocess.STDOUT)
902	        stdout, _ = git_clone.communicate()

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b607_start_process_with_partial_path.html
   Location: ./build_node/utils/git_utils.py:921:20
920	        # if env is not specified.
921	        git_fetch = subprocess.Popen(["git", "fetch", "--prune"],
922	                                     cwd=self.__repo_dir,
923	                                     stdout=subprocess.PIPE,
924	                                     stderr=subprocess.STDOUT)
925	        stdout, _ = git_fetch.communicate()

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./build_node/utils/git_utils.py:921:20
920	        # if env is not specified.
921	        git_fetch = subprocess.Popen(["git", "fetch", "--prune"],
922	                                     cwd=self.__repo_dir,
923	                                     stdout=subprocess.PIPE,
924	                                     stderr=subprocess.STDOUT)
925	        stdout, _ = git_fetch.communicate()

--------------------------------------------------

Code scanned:
	Total lines of code: 825
	Total lines skipped (#nosec): 0
	Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 7
		Medium: 0
		High: 7
	Total issues (by confidence):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 14
Files skipped (0):

View full reports on the Job Summary page.