Add python bandit checks. (#316)

* Add bandit dependency * Add bandit checks on CI * Disable some warnings Co-authored-by: Andrey Zhavoronkov <andrey.zhavoronkov@intel.com> Co-authored-by: Maxim Zhiltsov <maxim.zhiltsov@intel.com>
openvinotoolkit · Jul 5, 2021 · 36012d4 · 36012d4
1 parent 2c9d720
commit 36012d4
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 10 deletions.
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
@@ -0,0 +1,16 @@
+name: Linter
+on: pull_request
+jobs:
+  Bandit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: 3.8
+
+      - name: Run checks
+        run: |
+          pip install --user -r <(grep "^bandit" ./requirements.txt)
+          echo "Bandit version: "`bandit --version | head -1`
+          bandit -r ./
diff --git a/datumaro/components/operations.py b/datumaro/components/operations.py
@@ -1292,7 +1292,8 @@ def _default_hash(item):
             log.warning("Item (%s, %s) has no image "
                 "info, counted as unique", item.id, item.subset)
             return None
-        return hashlib.md5(item.image.data.tobytes()).hexdigest()
+        # ignore B303 (md5 check), because the hash is not used in a security context
+        return hashlib.md5(item.image.data.tobytes()).hexdigest() # nosec
 
     if item_hash is None:
         item_hash = _default_hash

diff --git a/datumaro/plugins/cifar_format.py b/datumaro/plugins/cifar_format.py
@@ -4,7 +4,7 @@
 
 import os
 import os.path as osp
-import pickle
+import pickle # nosec - disable B403:import_pickle check
 
 import numpy as np
 from datumaro.components.converter import Converter
@@ -52,7 +52,7 @@ def _load_categories(self, path):
             #               'dog', 'frog', 'horse', 'ship', 'truck']
             # num_vis: 3072
             with open(path, 'rb') as labels_file:
-                data = pickle.load(labels_file)
+                data = pickle.load(labels_file) # nosec - disable B301:pickle check
             for label in data['label_names']:
                 label_cat.add(label)
         else:
@@ -69,7 +69,7 @@ def _load_items(self, path):
         # 'filenames': list
         # 'labels': list
         with open(path, 'rb') as anno_file:
-            annotation_dict = pickle.load(anno_file, encoding='latin1')
+            annotation_dict = pickle.load(anno_file, encoding='latin1') # nosec - disable B301:pickle check
 
         labels = annotation_dict.get('labels', [])
         filenames = annotation_dict.get('filenames', [])

diff --git a/datumaro/util/command_targets.py b/datumaro/util/command_targets.py
@@ -25,7 +25,7 @@ def is_project_path(value):
         try:
             Project.load(value)
             return True
-        except Exception:
+        except Exception: # nosec - disable B110:try_except_pass check
             pass
     return False
 

diff --git a/datumaro/util/tf_util.py b/datumaro/util/tf_util.py
@@ -16,7 +16,8 @@ def check_import():
 
     from .os_util import check_instruction_set
 
-    result = subprocess.run([sys.executable, '-c', 'import tensorflow'],
+    # Disable B603:subprocess_without_shell_equals_true - the command line is controlled
+    result = subprocess.run([sys.executable, '-c', 'import tensorflow'], # nosec
         timeout=60,
         universal_newlines=True, # use text mode for output stream
         stdout=subprocess.PIPE, stderr=subprocess.PIPE) # capture output

diff --git a/requirements.txt b/requirements.txt
@@ -3,4 +3,5 @@ Cython>=0.27.3 # include before pycocotools
 opencv-python-headless>=4.1.0.25
 pandas>=1.1.5
 pytest>=5.3.5
+bandit>=1.7.0
 pylint>=2.7.0
diff --git a/tests/test_util.py b/tests/test_util.py
@@ -33,7 +33,7 @@ def cb():
             with Rollback() as on_error:
                 on_error.do(cb)
                 raise Exception('err')
-        except Exception:
+        except Exception: # nosec - disable B110:try_except_pass check
             pass
         finally:
             self.assertTrue(success)
@@ -52,7 +52,7 @@ def foo(on_error=None):
 
         try:
             foo()
-        except Exception:
+        except Exception: # nosec - disable B110:try_except_pass check
             pass
         finally:
             self.assertTrue(success)
@@ -86,7 +86,7 @@ def foo():
 
         try:
             foo()
-        except Exception:
+        except Exception: # nosec - disable B110:try_except_pass check
             pass
         finally:
             self.assertTrue(success)
@@ -111,7 +111,7 @@ def cb2(a1, a2=None, ignore_errors=None):
                 on_error.do(cb2, 5, a2=2, ignore_errors=True,
                     fwd_kwargs={'ignore_errors': 4})
                 raise Exception('err')
-        except Exception:
+        except Exception: # nosec - disable B110:try_except_pass check
             pass
         finally:
             self.assertTrue(success1)