Add bandit, remove pyroma

.bandit.yaml

@@ -0,0 +1,5 @@
+skips:
+  - B101 # Use of assert detected.
+  - B603 # subprocess call - check for execution of untrusted input
+  - B607 # Starting a process with a partial executable path
+  - B108 # Probable insecure usage of temp file/directory.

.prospector.yaml

@@ -37,5 +37,10 @@ pep257:
 mypy:
   run: true
 
+bandit:
+  run: true
+  options:
+    config: .bandit.yaml
+
 mccabe:
   run: false

Pipfile

@@ -17,9 +17,10 @@ google-auth-oauthlib = "==0.4.6"
 jsonschema = "==3.2.0"
 jsonschema-gentypes = "==0.9.4"
 node-vm2 = "==0.4.0"
+defusedxml = "==0.7.1"
 
 [dev-packages]
-prospector = {version = "==1.5.1", extras = ["with_bandit", "with_pyroma"]}
+prospector = {version = "==1.5.1", extras = ["with_bandit", "with_mypy"]}
 types-requests = "==2.25.6"
 types-pyyaml = "==5.4.10"
 types-setuptools = "==57.0.2"

c2cciutils/__init__.py

@@ -7,7 +7,7 @@
 import os.path
 import pkgutil
 import re
-import subprocess
+import subprocess  # nosec
 import sys
 from typing import Any, Dict, List, Match, Optional, Pattern, Tuple, TypedDict, cast
 

c2cciutils/audit.py

@@ -6,7 +6,7 @@
 import json
 import os.path
 import re
-import subprocess
+import subprocess  # nosec
 import sys
 from argparse import Namespace
 from typing import Any, Callable, Dict, List

c2cciutils/checks.py

@@ -6,7 +6,7 @@
 import glob
 import os
 import re
-import subprocess
+import subprocess  # nosec
 import sys
 from argparse import Namespace
 from io import StringIO
@@ -246,7 +246,7 @@ def eof(config: None, full_config: c2cciutils.configuration.Configuration, args:
                 if (
                     subprocess.call(
                         f"git check-attr -a '{filename}' | grep ' text: set'",
-                        shell=True,
+                        shell=True,  # nosec
                         stdout=FNULL,
                     )
                     == 0
@@ -300,7 +300,7 @@ def workflows(
     files += glob.glob(".github/workflows/*.yml")
     for filename in files:
         with open(filename, encoding="utf-8") as open_file:
-            workflow = yaml.load(open_file, yaml.SafeLoader)
+            workflow = yaml.load(open_file, Loader=yaml.SafeLoader)
 
         for name, job in workflow.get("jobs").items():
             if job.get("runs-on") in config.get("images_blacklist", []):
@@ -367,7 +367,7 @@ def required_workflows(
             continue
 
         with open(filename, encoding="utf-8") as open_file:
-            workflow = yaml.load(open_file, yaml.SafeLoader)
+            workflow = yaml.load(open_file, Loader=yaml.SafeLoader)
 
         for name, job in workflow.get("jobs").items():
             if "if" in conf:
@@ -557,7 +557,7 @@ def _versions_audit(all_versions: Set[str], full_config: c2cciutils.configuratio
         success = False
     else:
         with open(filename, encoding="utf-8") as open_file:
-            workflow = yaml.load(open_file, yaml.SafeLoader)
+            workflow = yaml.load(open_file, Loader=yaml.SafeLoader)
 
         branch_to_version_re = c2cciutils.compile_re(full_config["version"].get("branch_to_version_re", []))
 
@@ -603,7 +603,7 @@ def _versions_rebuild(
             success = False
         else:
             with open(filename, encoding="utf-8") as open_file:
-                workflow = yaml.load(open_file, yaml.SafeLoader)
+                workflow = yaml.load(open_file, Loader=yaml.SafeLoader)
 
             for _, job in workflow.get("jobs").items():
                 rebuild_versions += _get_branch_matrix(job, branch_to_version_re)

c2cciutils/publish.py

@@ -6,8 +6,8 @@
 import datetime
 import glob
 import os
-import pickle
-import subprocess
+import pickle  # nosec
+import subprocess  # nosec
 import sys
 import uuid
 from typing import Optional
@@ -68,7 +68,7 @@ def init_calendar_service(self) -> Credentials:
         # time.
         if os.path.exists(self.credentials_pickle_file):
             with open(self.credentials_pickle_file, "rb") as token:
-                creds = pickle.load(token)
+                creds = pickle.load(token)  # nosec
         # If there are no (valid) credentials available, let the user log in.
         if not creds or not creds.valid:
             if creds and creds.expired and creds.refresh_token:

c2cciutils/scripts/publish.py

@@ -7,7 +7,7 @@
 import argparse
 import os
 import re
-import subprocess
+import subprocess  # nosec
 import sys
 import tarfile
 from typing import Match, Optional, cast

c2cciutils/security.py

@@ -2,7 +2,7 @@
 Read the table of versions from SECURITY.md.
 """
 
-import xml.etree.ElementTree
+import defusedxml.ElementTree
 from typing import List, Optional
 
 import markdown
@@ -40,7 +40,7 @@ def __init__(self, status: str):
         for row in self.data:
             row.append("")
 
-    def _pe(self, elem: xml.etree.ElementTree.Element) -> None:
+    def _pe(self, elem: defusedxml.ElementTree.Element) -> None:
         """
         Parse the HTML table.
 

example-project/.bandit.yaml

@@ -0,0 +1,2 @@
+skips:
+  - B101 # Use of assert detected.

example-project/.prospector.yaml

@@ -27,5 +27,10 @@ mypy:
     check-untyped-defs: True
     skip-version-check: True
 
+bandit:
+  run: true
+  options:
+    config: .bandit.yaml
+
 mccabe:
   run: false

example-project/Pipfile

@@ -4,7 +4,7 @@ url = "https://pypi.org/simple"
 verify_ssl = true
 
 [dev-packages]
-prospector = {extras = ["with_mypy", "with_bandit", "with_pyroma"],version = "==1.5.1"}
+prospector = {extras = ["with_mypy", "with_bandit"],version = "==1.5.1"}
 
 [packages]
 

requirements.txt

@@ -17,3 +17,4 @@ google-auth-oauthlib==0.4.4
 ruamel.yaml==0.17.16
 jsonschema==3.2.0
 jsonschema_gentypes==0.9.3
+defusedxml==0.7.1