Description
There are some valid use cases for `shell=True` in subprocess calls. In such cases, a developer may annotate this code with `# noqa: S602` in order to indicate to bandit and other tools that this code should not be considered insecure.
We should also honor this annotation when processing this codemod and we should not make changes to lines where this annotation is present.
Implementation
- We need to generalize the existing annotation detector in remove-unused-imports so that it can be used in multiple codemods
- Make this particular codemod sensitive to the aforementioned annotation
- Add some good unit tests
Resources:
https://docs.astral.sh/ruff/rules/subprocess-popen-with-shell-equals-true/
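As an added illustration of the annotation check the implementation list describes (this is example code, not codemodder's own detector), the sketch below parses `# noqa` comments, honors both bare `# noqa` and rule-specific `# noqa: S602`, and skips `shell=True` subprocess calls that carry the suppression on any line the call spans. The sample source and the helper names are constructed for this example.

```python
import ast
import re
from typing import List, Optional, Set

# "# noqa" optionally followed by a comma-separated list of rule codes, e.g. "# noqa: S602,E501".
NOQA_RE = re.compile(r"#\s*noqa(?::\s*(?P<codes>[A-Z]+\d+(?:\s*,\s*[A-Z]+\d+)*))?", re.IGNORECASE)


def noqa_codes(line: str) -> Optional[Set[str]]:
    """None when the line has no noqa; empty set for a bare '# noqa' (suppress all); else the codes."""
    m = NOQA_RE.search(line)
    if not m:
        return None
    codes = m.group("codes")
    return {c.strip().upper() for c in codes.split(",")} if codes else set()


def is_suppressed(line: str, rule: str) -> bool:
    """True if the annotation on this line suppresses `rule` (bare noqa suppresses everything)."""
    codes = noqa_codes(line)
    return codes is not None and (not codes or rule.upper() in codes)


def shell_true_calls_to_change(source: str, rule: str = "S602") -> List[int]:
    """Line numbers of subprocess.* calls with shell=True that the codemod may still rewrite."""
    lines = source.splitlines()
    to_change = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            continue
        if not any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                   for kw in node.keywords):
            continue
        # A multi-line call may carry the annotation on its first line or its closing line.
        if any(is_suppressed(lines[i - 1], rule) for i in range(node.lineno, node.end_lineno + 1)):
            continue
        to_change.append(node.lineno)
    return to_change


# Constructed sample: lines 3, 4 and 6-9 are annotated; line 10 is annotated for a different rule.
SAMPLE = """\
import subprocess
subprocess.run("ls -l", shell=True)
subprocess.run("echo hi", shell=True)  # noqa: S602
subprocess.check_output(cmd, shell=True)  # noqa
subprocess.run(["ls"], shell=False)
subprocess.Popen(
    "cat /etc/hosts",
    shell=True,
)  # noqa: S602,E501
subprocess.run("id", shell=True)  # noqa: E501
"""
```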