
Ensure that each #nosec usage has an accompanying explanation #478

Open
ericwb opened this issue Apr 12, 2019 · 1 comment
Labels
enhancement New feature or request

Comments

@ericwb
Member

ericwb commented Apr 12, 2019

Transfer of OpenStack blueprint:
https://blueprints.launchpad.net/bandit/+spec/nosec-has-comment

#nosec tags should not just be used to make problems go away. Every time somebody uses #nosec it should be accompanied by an explanation for why this really isn't a security issue.

@ericwb ericwb added the enhancement New feature or request label Apr 12, 2019
@ericwb ericwb added this to the Distant Future milestone May 9, 2019
@andren

andren commented Nov 23, 2020

@ericwb my team has an interest in this feature and I'm willing to contribute if we can agree on a format and if you would accept it of course.

Regarding formats

  1. Suppressing individual lines:

     # The following hash is not used in any security context. It is only used
     # to generate unique values, collisions are acceptable and "data" is not
     # coming from user-generated input
     the_hash = md5(data).hexdigest()  # nosec

  2. nosec-has-comment proposal:

     # nosec(sigmavirus24): This is example text

  3. We could also use a slightly more complex hybrid system:

     # The following hash is not used in any security context. It is only used
     # to generate unique values, collisions are acceptable and "data" is not
     # coming from user-generated input
     the_hash = md5(data).hexdigest()  # nosec(sigmavirus24)

Point 1 might be harder to implement but would make it easier to follow the PEP 8 maximum line length guidance (in this case, a maximum of 72 characters for comments).

Point 2 seems to be easier to implement, but far fewer characters would be available for the justification if one were following PEP 8. It also seems to have some sort of alias or ID tracking.

Point 3 is a bit more complex than 1, but it is easier to follow PEP 8 and it has that alias/ID tracking.


What do you think?
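To make the three proposed formats concrete, here is a standalone checker that accepts all of them and reports every `# nosec` that carries no justification. This is an added illustration for the thread, not bandit's own code and not an implementation that was merged; the `# nosec(alias): text` and `# nosec(alias)` syntaxes are andren's proposals above, and the sample source it scans is constructed for the example. It uses the `tokenize` module so that `# nosec` inside string literals is not mistaken for a comment.

```python
"""Standalone '# nosec' justification checker (illustrative, not part of bandit).

Accepts the three formats proposed in the issue thread:
  1. a whole-line comment block directly above the suppressed line
  2. '# nosec(alias): explanation' on the suppressed line itself
  3. '# nosec(alias)' with a comment block directly above (hybrid)
A '# nosec' that satisfies none of these is reported.
"""
import io
import re
import tokenize

# '# nosec', optionally followed by '(alias)' and optionally by ': explanation'.
# The '(alias)' form is the proposal from this thread, not bandit syntax.
NOSEC_RE = re.compile(
    r"#\s*nosec\b(?:\(\s*(?P<alias>[^)]*?)\s*\))?(?:\s*:\s*(?P<text>.*))?",
    re.IGNORECASE,
)

# Constructed sample input: h1..h3 are justified, h4 and h5 are not.
SAMPLE = '''\
import hashlib

# The following hash is not used in any security context. It is only used
# to generate unique values; collisions are acceptable.
h1 = hashlib.md5(b"data").hexdigest()  # nosec

h2 = hashlib.md5(b"data").hexdigest()  # nosec(sigmavirus24): cache key only, not security-relevant

# Identical reasoning to h1; reviewed by sigmavirus24.
h3 = hashlib.md5(b"data").hexdigest()  # nosec(sigmavirus24)

h4 = hashlib.md5(b"data").hexdigest()  # nosec

h5 = hashlib.md5(b"data").hexdigest()  # nosec(sigmavirus24)
'''


def _comments_by_line(source):
    """Map line number -> comment text for every real COMMENT token.

    Using tokenize (rather than a regex over raw lines) means a '# nosec'
    that appears inside a string literal is correctly ignored.
    """
    comments = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            comments[tok.start[0]] = tok.string
    return comments


def _has_comment_block_above(lines, lineno):
    """True if the line directly above `lineno` is a whole-line comment with text."""
    if lineno < 2:
        return False
    above = lines[lineno - 2].strip()
    return above.startswith("#") and len(above.lstrip("#").strip()) > 0


def check_nosec(source):
    """Return [{'line': n, 'alias': a}, ...] for each unjustified '# nosec'."""
    lines = source.splitlines()
    findings = []
    for lineno, comment in sorted(_comments_by_line(source).items()):
        match = NOSEC_RE.search(comment)
        if not match:
            continue
        alias = match.group("alias")
        text = (match.group("text") or "").strip()
        if text:
            continue  # format 2: inline explanation after the colon
        if _has_comment_block_above(lines, lineno):
            continue  # formats 1 and 3: justification block directly above
        findings.append({"line": lineno, "alias": alias})
    return findings


def main():
    for finding in check_nosec(SAMPLE):
        print(f"line {finding['line']}: '# nosec' without justification "
              f"(alias={finding['alias']})")


if __name__ == "__main__":
    main()
```

Run against the sample it reports lines 12 (`h4`, bare `# nosec`) and 14 (`h5`, alias but no explanation anywhere). The "block above" rule is deliberately strict: the comment must sit on the line immediately preceding the suppressed statement, so a justification separated by a blank line does not count. A stricter variant could also require the alias in formats 2 and 3, which is the "ID tracking" property andren mentions.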
