Fix up issues found running Bandit on itself

ericwb · ericwb · commit 5b00efbe15e5 · 2024-01-13T21:40:30.000-08:00
* Used nosec for false various positives. 1. xml.etree is used only for XML generation not parsing 2. "0.0.0.0" is used in the plugin itself 3. Various strings of temp directories are used in the plugin itself. 4. The subprocess call does use user input, but only from the command line itself that is running baseline. Although maybe this could be argued as an issue though. * Fixed the empty try-except-pass to have code in the except block. Fixes #1092 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
diff --git a/bandit/cli/baseline.py b/bandit/cli/baseline.py
@@ -15,7 +15,7 @@
 import logging
 import os
 import shutil
-import subprocess
+import subprocess  # nosec: B404
 import sys
 import tempfile
 
@@ -101,7 +101,7 @@ def main():
             bandit_command = ["bandit"] + step["args"]
 
             try:
-                output = subprocess.check_output(bandit_command)
+                output = subprocess.check_output(bandit_command)  # nosec: B603
             except subprocess.CalledProcessError as e:
                 output = e.output
                 return_code = e.returncode
diff --git a/bandit/core/utils.py b/bandit/core/utils.py
@@ -62,7 +62,6 @@ def get_func_name(node):
 
 
 def get_qual_attr(node, aliases):
-    prefix = ""
     if isinstance(node, ast.Attribute):
         try:
             val = deepgetattr(node, "value.id")
@@ -73,7 +72,7 @@ def get_qual_attr(node, aliases):
         except Exception:
             # NOTE(tkelsey): degrade gracefully when we can't get the fully
             # qualified name for an attr, just return its base name.
-            pass
+            prefix = ""
 
         return f"{prefix}.{node.attr}"
     else:
diff --git a/bandit/formatters/xml.py b/bandit/formatters/xml.py
@@ -35,7 +35,7 @@
 """
 import logging
 import sys
-from xml.etree import ElementTree as ET
+from xml.etree import ElementTree as ET  # nosec: B405
 
 from bandit.core import docs_utils
 
diff --git a/bandit/plugins/general_bind_all_interfaces.py b/bandit/plugins/general_bind_all_interfaces.py
@@ -43,7 +43,7 @@
 @test.checks("Str")
 @test.test_id("B104")
 def hardcoded_bind_all_interfaces(context):
-    if context.string_val == "0.0.0.0":
+    if context.string_val == "0.0.0.0":  # nosec: B104
         return bandit.Issue(
             severity=bandit.MEDIUM,
             confidence=bandit.MEDIUM,
diff --git a/bandit/plugins/general_hardcoded_tmp.py b/bandit/plugins/general_hardcoded_tmp.py
@@ -59,7 +59,7 @@
 
 def gen_config(name):
     if name == "hardcoded_tmp_directory":
-        return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]}
+        return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]}  # nosec: B108
 
 
 @test.takes_config
@@ -69,7 +69,7 @@ def hardcoded_tmp_directory(context, config):
     if config is not None and "tmp_dirs" in config:
         tmp_dirs = config["tmp_dirs"]
     else:
-        tmp_dirs = ["/tmp", "/var/tmp", "/dev/shm"]
+        tmp_dirs = ["/tmp", "/var/tmp", "/dev/shm"]  # nosec: B108
 
     if any(context.string_val.startswith(s) for s in tmp_dirs):
         return bandit.Issue(
