From 35e42b1d223066e475a6588ec9b5ee37cb2c52b9 Mon Sep 17 00:00:00 2001
From: Diego Russo <diego.russo@arm.com>
Date: Fri, 29 Jul 2022 22:16:46 +0100
Subject: MLIA-389 Enable bandit check in pre-commit

Add bandit to pre-commit and fix some bandit errors.
We use the default security level (low) with few exceptions:
* B101 assert_use: apart of tests, we use assert in our codebase
  hence we globally ignore error B101.
* B404/B603: these are errors related to subprocesse and they are
  being ignored locally when used.
* B604 Test for any function with shell equals true: we have disabled
  this locally because of its safe use in the tests.

Change-Id: If654e5e92285f7c86ac210a6f1373dbab6be17c9
---
 src/mlia/backend/proc.py            | 26 ++++----------------------
 src/mlia/tools/metadata/corstone.py | 16 +++++++++++++---
 2 files changed, 17 insertions(+), 25 deletions(-)

(limited to 'src')

diff --git a/src/mlia/backend/proc.py b/src/mlia/backend/proc.py
index a4c0be3..911d672 100644
--- a/src/mlia/backend/proc.py
+++ b/src/mlia/backend/proc.py
@@ -9,6 +9,7 @@ import datetime
 import logging
 import shlex
 import signal
+import tempfile
 import time
 from pathlib import Path
 from typing import Any
@@ -33,13 +34,6 @@ class CommandFailedException(Exception):
 class ShellCommand:
     """Wrapper class for shell commands."""
 
-    def __init__(self, base_log_path: str = "/tmp") -> None:
-        """Initialise the class.
-
-        base_log_path: it is the base directory where logs will be stored
-        """
-        self.base_log_path = base_log_path
-
     def run(
         self,
         cmd: str,
@@ -73,18 +67,15 @@ class ShellCommand:
 
         out, err = _out, _err
         if not _out and not _err:
-            out, err = [
-                str(item)
-                for item in self.get_stdout_stderr_paths(self.base_log_path, cmd)
-            ]
+            out, err = [str(item) for item in self.get_stdout_stderr_paths(cmd)]
 
         return command(_out=out, _err=err, _tee=_tee, _bg=_bg, _bg_exc=False)
 
     @classmethod
-    def get_stdout_stderr_paths(cls, base_log_path: str, cmd: str) -> Tuple[Path, Path]:
+    def get_stdout_stderr_paths(cls, cmd: str) -> Tuple[Path, Path]:
         """Construct and returns the paths of stdout/stderr files."""
         timestamp = datetime.datetime.now().timestamp()
-        base_path = Path(base_log_path)
+        base_path = Path(tempfile.mkdtemp(prefix="mlia-", suffix=f"{timestamp}"))
         base = base_path / f"{valid_for_filename(cmd, '_')}_{timestamp}"
         stdout = base.with_suffix(".out")
         stderr = base.with_suffix(".err")
@@ -108,15 +99,6 @@ def parse_command(command: str, shell: str = "bash") -> List[str]:
     return [cmd] + args
 
 
-def get_stdout_stderr_paths(
-    command: str, base_log_path: str = "/tmp"
-) -> Tuple[Path, Path]:
-    """Construct and returns the paths of stdout/stderr files."""
-    cmd, *_ = parse_command(command)
-
-    return ShellCommand.get_stdout_stderr_paths(base_log_path, cmd)
-
-
 def execute_command(  # pylint: disable=invalid-name
     command: str,
     cwd: Path,
diff --git a/src/mlia/tools/metadata/corstone.py b/src/mlia/tools/metadata/corstone.py
index 6a3c1c8..023369c 100644
--- a/src/mlia/tools/metadata/corstone.py
+++ b/src/mlia/tools/metadata/corstone.py
@@ -1,9 +1,14 @@
 # SPDX-FileCopyrightText: Copyright 2022, Arm Limited and/or its affiliates.
 # SPDX-License-Identifier: Apache-2.0
-"""Module for Corstone based FVPs."""
+"""Module for Corstone based FVPs.
+
+The import of subprocess module raises a B404 bandit error. MLIA usage of
+subprocess is needed and can be considered safe hence disabling the security
+check.
+"""
 import logging
 import platform
-import subprocess
+import subprocess  # nosec
 import tarfile
 from dataclasses import dataclass
 from pathlib import Path
@@ -25,6 +30,7 @@ from mlia.utils.filesystem import get_mlia_resources
 from mlia.utils.filesystem import temp_directory
 from mlia.utils.filesystem import working_directory
 
+
 logger = logging.getLogger(__name__)
 
 
@@ -296,7 +302,11 @@ class Corstone300Installer:
                         "--i-agree-to-the-contained-eula",
                     ]
 
-                subprocess.check_call(fvp_install_cmd)
+                # The following line raises a B603 error for bandit. In this
+                # specific case, the input is pretty much static and cannot be
+                # changed byt the user hence disabling the security check for
+                # this instance
+                subprocess.check_call(fvp_install_cmd)  # nosec
             except subprocess.CalledProcessError as err:
                 raise Exception(
                     "Error occurred during Corstone-300 installation"
-- 
cgit v1.2.1