
Run bandit checks and add appropriate exclusions #67

Closed
holmboe opened this issue Dec 13, 2023 · 3 comments

Comments


holmboe commented Dec 13, 2023

Run bandit checks and add appropriate exclusions to the source code.

@Grokzen Grokzen removed their assignment Dec 13, 2023
@Grokzen Grokzen closed this as completed in 1f43340 Jan 4, 2024

Grokzen commented Jan 4, 2024

(bandit) ➜  subgit git:(master) ✗   bandit subgit/ -r
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.10.12
Run started:2024-01-04 21:49:26.530119

Test results:
        No issues identified.

Code scanned:
        Total lines of code: 1162
        Total lines skipped (#nosec): 8

Run metrics:
        Total issues (by severity):
                Undefined: 0
                Low: 0
                Medium: 0
                High: 0
        Total issues (by confidence):
                Undefined: 0
                Low: 0
                Medium: 0
                High: 0
Files skipped (0):


holmboe commented Jan 8, 2024

@Grokzen could you go a little bit further on this to add more context? Add a comment in the ticket on what the Bandit result was before the exclusions were added.

Perhaps even use the more explicit #nosec Xnnn in the code? See https://bandit.readthedocs.io/en/latest/config.html#exclusions for examples.


Grokzen commented Jan 11, 2024

This is the bandit log before the exclusions were added in

Run started:2024-01-11 10:04:16.004581

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: subgit/core.py:11:0
10	from pathlib import Path
11	from subprocess import PIPE, Popen
12	

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: subgit/core.py:34:14
33	        stderr=None,
34	        shell=True,
35	    )
36	    output, stderr = process.communicate()
37	
38	    return output, stderr
39	
40	

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: subgit/inspect/git_inspect.py:6:0
5	import logging
6	import subprocess
7	

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: subgit/inspect/git_inspect.py:37:12
36	                ],
37	                shell=False,
38	                capture_output=True,
39	            )
40	        except FileNotFoundError:
41	            return False
42	
43	        return True
44	

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b607_start_process_with_partial_path.html
   Location: subgit/inspect/git_inspect.py:54:14
53	
54	        out = subprocess.run([
55	                "gh", "repo", "list",
56	                f"{owner}",
57	                "--json", "id,name,defaultBranchRef,sshUrl,isArchived",
58	                "-L", "100"
59	            ],
60	            shell=False,
61	            capture_output=True,
62	        )
63	        data = json.loads(out.stdout)

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: subgit/inspect/git_inspect.py:60:14
59	            ],
60	            shell=False,
61	            capture_output=True,
62	        )
63	        data = json.loads(out.stdout)
64	        repos = {}
65	        mapped_data = {
66	            repo["name"].lower():
67	            repo for repo in data
68	            if repo["isArchived"] == self.is_archived
69	        }

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b607_start_process_with_partial_path.html
   Location: subgit/inspect/git_inspect.py:111:14
110	
111	        out = subprocess.run(
112	            [
113	                "gitlab",
114	                "-o", "json",
115	                "project", "list",
116	                "--membership", "yes",
117	                "--all",
118	            ],
119	            shell=False,
120	            capture_output=True,
121	        )
122	        repos = {}

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: subgit/inspect/git_inspect.py:119:14
118	            ],
119	            shell=False,
120	            capture_output=True,
121	        )
122	        repos = {}
123	        data = json.loads(out.stdout)
124	        mapped_data = {
125	            repo["name"].lower():
126	            repo for repo in data
127	            if repo["namespace"]["name"] == owner and repo["archived"] == self.is_archived
128	        }
129	        sorted_names = sorted([
130	            repo["name"].lower()

--------------------------------------------------

Code scanned:
	Total lines of code: 1162
	Total lines skipped (#nosec): 0
	Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 7
		Medium: 0
		High: 1
	Total issues (by confidence):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 8
Files skipped (0):
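Added example, not part of the issue thread or of subgit's own source: a small subprocess wrapper written to address the three finding types in the log above (B602 `shell=True`, B607 partial executable path, B603 any subprocess call) and to use the explicit `# nosec Bnnn` form holmboe asked about, so that only the one check that is knowingly accepted is silenced. The function names (`resolve_executable`, `run_tool`, `echo_argument`, `interpreter_exit_code`) are my own; the demo runs the current Python interpreter as the child process so it works offline without `git`, `gh` or `gitlab` installed.

```python
"""Hardened subprocess invocation with a targeted Bandit exclusion.

Illustrative code added alongside the issue; not subgit's source.
Addresses the findings quoted in the thread:
  B602: never pass shell=True (arguments would be shell-parsed)
  B607: start the process from an absolute executable path
  B603: fires on every subprocess call; suppressed per call with a
        specific "# nosec B603" rather than a bare "# nosec"
"""
import os
import shutil
import subprocess
import sys
from collections.abc import Sequence


def resolve_executable(name: str) -> str:
    """Return an absolute path for *name* (what B607 asks for).

    An absolute path is returned unchanged; a bare name is looked up on
    PATH once with shutil.which. A missing tool fails loudly here instead
    of surfacing as FileNotFoundError from inside subprocess.run.
    """
    if os.path.isabs(name):
        return name
    path = shutil.which(name)
    if path is None:
        raise FileNotFoundError(f"required executable not found on PATH: {name}")
    return path


def run_tool(argv: Sequence[str], timeout: float = 60.0) -> tuple[int, str, str]:
    """Run *argv* without a shell; return (returncode, stdout, stderr).

    argv[0] is resolved to an absolute path; the remaining elements are
    handed to the child as separate argv entries, so shell metacharacters
    in them (';', '$(...)', '|') are never interpreted. That is the
    difference between this call and the shell=True Popen that B602
    flagged in subgit/core.py.
    """
    if not argv:
        raise ValueError("argv must not be empty")
    cmd = [resolve_executable(argv[0]), *argv[1:]]
    # B603 is the generic "check this subprocess call" test; the argv list
    # above is fixed by the caller and shell=False, so only B603 is muted.
    completed = subprocess.run(  # nosec B603
        cmd,
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return completed.returncode, completed.stdout, completed.stderr


def echo_argument(value: str) -> str:
    """Spawn the interpreter to write one argument back verbatim.

    Demonstrates that an argument containing shell syntax arrives at the
    child unchanged; nothing in it is executed.
    """
    _, out, _ = run_tool(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value]
    )
    return out


def interpreter_exit_code(code: int) -> int:
    """Spawn the interpreter with sys.exit(code) and return the exit status."""
    rc, _, _ = run_tool([sys.executable, "-c", f"import sys; sys.exit({int(code)})"])
    return rc


if __name__ == "__main__":
    # Constructed input: a filename-looking value carrying shell syntax.
    print(repr(echo_argument("report-$(date).txt; echo injected")))
    print(interpreter_exit_code(3))
```

Running `bandit -r` over this file reports B404 for the `subprocess` import (a low-severity notice that the module is used at all) and nothing else: B602 cannot fire because `shell=True` is absent, B607 is satisfied by `resolve_executable`, and B603 is excluded only on the one line that accepts it. If a future edit reintroduces `shell=True` on that call, the `# nosec B603` does not cover B602, so the scan fails again, which is the reason to prefer the test-specific form over a bare `# nosec`.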
