4 files changed, 36 insertions, 52 deletions

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7033a29..08f5f7e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -81,6 +81,12 @@ repos:
     - id: blocklint
       exclude: setup.cfg
 
+- repo: https://github.com/PyCQA/bandit
+  rev: '1.7.4'
+  hooks:
+    - id: bandit
+      args: ["--skip", "B101"]
+
 - repo: local
   hooks:
     - id: mypy
diff --git a/src/mlia/backend/proc.py b/src/mlia/backend/proc.py
index a4c0be3..911d672 100644
--- a/src/mlia/backend/proc.py
+++ b/src/mlia/backend/proc.py
@@ -9,6 +9,7 @@ import datetime
 import logging
 import shlex
 import signal
+import tempfile
 import time
 from pathlib import Path
 from typing import Any
@@ -33,13 +34,6 @@ class CommandFailedException(Exception):
 class ShellCommand:
     """Wrapper class for shell commands."""
 
-    def __init__(self, base_log_path: str = "/tmp") -> None:
-        """Initialise the class.
-
-        base_log_path: it is the base directory where logs will be stored
-        """
-        self.base_log_path = base_log_path
-
     def run(
         self,
         cmd: str,
@@ -73,18 +67,15 @@ class ShellCommand:
 
         out, err = _out, _err
         if not _out and not _err:
-            out, err = [
-                str(item)
-                for item in self.get_stdout_stderr_paths(self.base_log_path, cmd)
-            ]
+            out, err = [str(item) for item in self.get_stdout_stderr_paths(cmd)]
 
         return command(_out=out, _err=err, _tee=_tee, _bg=_bg, _bg_exc=False)
 
     @classmethod
-    def get_stdout_stderr_paths(cls, base_log_path: str, cmd: str) -> Tuple[Path, Path]:
+    def get_stdout_stderr_paths(cls, cmd: str) -> Tuple[Path, Path]:
         """Construct and returns the paths of stdout/stderr files."""
         timestamp = datetime.datetime.now().timestamp()
-        base_path = Path(base_log_path)
+        base_path = Path(tempfile.mkdtemp(prefix="mlia-", suffix=f"{timestamp}"))
         base = base_path / f"{valid_for_filename(cmd, '_')}_{timestamp}"
         stdout = base.with_suffix(".out")
         stderr = base.with_suffix(".err")
@@ -108,15 +99,6 @@ def parse_command(command: str, shell: str = "bash") -> List[str]:
     return [cmd] + args
 
 
-def get_stdout_stderr_paths(
-    command: str, base_log_path: str = "/tmp"
-) -> Tuple[Path, Path]:
-    """Construct and returns the paths of stdout/stderr files."""
-    cmd, *_ = parse_command(command)
-
-    return ShellCommand.get_stdout_stderr_paths(base_log_path, cmd)
-
-
 def execute_command(  # pylint: disable=invalid-name
     command: str,
     cwd: Path,
diff --git a/src/mlia/tools/metadata/corstone.py b/src/mlia/tools/metadata/corstone.py
index 6a3c1c8..023369c 100644
--- a/src/mlia/tools/metadata/corstone.py
+++ b/src/mlia/tools/metadata/corstone.py
@@ -1,9 +1,14 @@
 # SPDX-FileCopyrightText: Copyright 2022, Arm Limited and/or its affiliates.
 # SPDX-License-Identifier: Apache-2.0
-"""Module for Corstone based FVPs."""
+"""Module for Corstone based FVPs.
+
+The import of subprocess module raises a B404 bandit error. MLIA usage of
+subprocess is needed and can be considered safe hence disabling the security
+check.
+"""
 import logging
 import platform
-import subprocess
+import subprocess  # nosec
 import tarfile
 from dataclasses import dataclass
 from pathlib import Path
@@ -25,6 +30,7 @@ from mlia.utils.filesystem import get_mlia_resources
 from mlia.utils.filesystem import temp_directory
 from mlia.utils.filesystem import working_directory
 
+
 logger = logging.getLogger(__name__)
 
 
@@ -296,7 +302,11 @@ class Corstone300Installer:
                         "--i-agree-to-the-contained-eula",
                     ]
 
-                subprocess.check_call(fvp_install_cmd)
+                # The following line raises a B603 error for bandit. In this
+                # specific case, the input is pretty much static and cannot be
+                # changed byt the user hence disabling the security check for
+                # this instance
+                subprocess.check_call(fvp_install_cmd)  # nosec
             except subprocess.CalledProcessError as err:
                 raise Exception(
                     "Error occurred during Corstone-300 installation"
diff --git a/tests/test_backend_proc.py b/tests/test_backend_proc.py
index f47c244..99e0bd5 100644
--- a/tests/test_backend_proc.py
+++ b/tests/test_backend_proc.py
@@ -22,26 +22,13 @@ from mlia.backend.proc import terminate_command
 class TestShellCommand:
     """Sample class for collecting tests."""
 
-    def test_shellcommand_default_value(self) -> None:
-        """Test the instantiation of the class ShellCommand with no parameter."""
-        shell_command = ShellCommand()
-        assert shell_command.base_log_path == "/tmp"
-
-    @pytest.mark.parametrize(
-        "base_log_path,expected", [("/test", "/test"), ("/asd", "/asd")]
-    )
-    def test_shellcommand_with_param(self, base_log_path: str, expected: str) -> None:
-        """Test init ShellCommand with different parameters."""
-        shell_command = ShellCommand(base_log_path)
-        assert shell_command.base_log_path == expected
-
     def test_run_ls(self, monkeypatch: Any) -> None:
         """Test a simple ls command."""
         mock_command = mock.MagicMock()
         monkeypatch.setattr(Command, "bake", mock_command)
 
         mock_get_stdout_stderr_paths = mock.MagicMock()
-        mock_get_stdout_stderr_paths.return_value = ("/tmp/std.out", "/tmp/std.err")
+        mock_get_stdout_stderr_paths.return_value = ("/path/std.out", "/path/std.err")
         monkeypatch.setattr(
             ShellCommand, "get_stdout_stderr_paths", mock_get_stdout_stderr_paths
         )
@@ -50,7 +37,11 @@ class TestShellCommand:
         shell_command.run("ls", "-l")
         assert mock_command.mock_calls[0] == mock.call(("-l",))
         assert mock_command.mock_calls[1] == mock.call()(
-            _bg=True, _err="/tmp/std.err", _out="/tmp/std.out", _tee=True, _bg_exc=False
+            _bg=True,
+            _err="/path/std.err",
+            _out="/path/std.out",
+            _tee=True,
+            _bg_exc=False,
         )
 
     def test_run_command_not_found(self) -> None:
@@ -59,23 +50,15 @@ class TestShellCommand:
         with pytest.raises(CommandNotFound):
             shell_command.run("lsl", "-l")
 
-    def test_get_stdout_stderr_paths_valid_path(self) -> None:
+    def test_get_stdout_stderr_paths(self) -> None:
         """Test the method to get files to store stdout and stderr."""
-        valid_path = "/tmp"
-        shell_command = ShellCommand(valid_path)
-        out, err = shell_command.get_stdout_stderr_paths(valid_path, "cmd")
+        shell_command = ShellCommand()
+        out, err = shell_command.get_stdout_stderr_paths("cmd")
         assert out.exists() and out.is_file()
         assert err.exists() and err.is_file()
         assert "cmd" in out.name
         assert "cmd" in err.name
 
-    def test_get_stdout_stderr_paths_not_invalid_path(self) -> None:
-        """Test the method to get output files with an invalid path."""
-        invalid_path = "/invalid/foo/bar"
-        shell_command = ShellCommand(invalid_path)
-        with pytest.raises(FileNotFoundError):
-            shell_command.get_stdout_stderr_paths(invalid_path, "cmd")
-
 
 @mock.patch("builtins.print")
 def test_print_command_stdout_alive(mock_print: Any) -> None:
@@ -198,6 +181,9 @@ class TestRunAndWait:
 def test_parse_command() -> None:
     """Test parse_command function."""
     assert parse_command("1.sh") == ["bash", "1.sh"]
-    assert parse_command("1.sh", shell="sh") == ["sh", "1.sh"]
+    # The following line raises a B604  bandit error. In our case we specify
+    # what shell to use instead of using the default one. It is a safe use
+    # we are ignoring this instance.
+    assert parse_command("1.sh", shell="sh") == ["sh", "1.sh"]  # nosec
     assert parse_command("command") == ["command"]
     assert parse_command("command 123 --param=1") == ["command", "123", "--param=1"]