holmboe closed this 10 months ago
(bandit) ➜ phabfive git:(master) ✗ bandit phabfive/ -r
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.10.12
Run started:2024-01-04 21:54:51.783562
Test results:
No issues identified.
Code scanned:
Total lines of code: 1245
Total lines skipped (#nosec): 4
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 0
Medium: 0
High: 0
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 0
High: 0
Files skipped (0):
@Grokzen could you go a little bit further on this to add more context? Add a comment in the ticket on what the Bandit result was before the exclusions were added.
Perhaps even use the more explicit #nosec Xnnn in the code? See https://bandit.readthedocs.io/en/latest/config.html#exclusions for examples.
Bandit log before the fixes
Run started:2024-01-11 09:54:38.444877
Test results:
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: '
Usage:
phabfive passphrase <id> [options]
Options:
-h, --help Show this help message and exit
'
Severity: Low Confidence: Medium
CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b105_hardcoded_password_string.html
Location: phabfive/cli.py:39:22
38
39 sub_passphrase_args = """
40 Usage:
41 phabfive passphrase <id> [options]
42
43 Options:
44 -h, --help Show this help message and exit
45
46 """
47
--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/blacklists/blacklist_calls.html#b307-eval
Location: phabfive/cli.py:177:26
176 cli_args["<command>"] = app
177 sub_args = docopt(eval("sub_{app}_args".format(app=app)), argv=argv)
178 elif cli_args["<command>"] == "passphrase":
--------------------------------------------------
>> Issue: [B506:yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b506_yaml_load.html
Location: phabfive/maniphest.py:54:24
53 with open(config_file) as stream:
54 root_data = yaml.load(stream, Loader=yaml.Loader)
55
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'password'
Severity: Low Confidence: Medium
CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b105_hardcoded_password_string.html
Location: phabfive/passphrase.py:66:34
65 for secret_type, secret_value in value["material"].items():
66 if secret_type == "password":
67 print(secret_value)
--------------------------------------------------
Code scanned:
Total lines of code: 1245
Total lines skipped (#nosec): 0
Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 2
Medium: 2
High: 0
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 2
High: 2
Files skipped (0):
Fixed in b102afaac40b8da3f03af40706b3e9c56a3da343
Run bandit checks and add appropriate exclusions to the source code.
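The thread above shows two real findings (B307: `eval("sub_{app}_args".format(app=app))` and B506: `yaml.load(stream, Loader=yaml.Loader)`) plus a B105 false positive on a usage string, and the review comment asks for exclusions with an explicit test ID. The block below is an added example, not phabfive's own code or the fix in the referenced commit: it replaces the eval-based sub-command dispatch with a lookup table, switches the config loader to `yaml.safe_load`, and annotates the false positive with `# nosec B105`. The sub-command names and the function names are assumptions made for the example.

```python
"""Added example: Bandit-clean versions of the three patterns from the log.
Names (usage_for, load_config, sub-command set) are hypothetical."""

# B105 fires on the word "passphrase" inside a string constant; it is a
# usage text, not a secret. The explicit test ID limits the exclusion to
# that one check instead of silencing every test on the line.
SUB_PASSPHRASE_ARGS = """
Usage:
    phabfive passphrase <id> [options]

Options:
    -h, --help  Show this help message and exit
"""  # nosec B105

# Hypothetical second sub-command, only so the table has more than one entry.
SUB_MANIPHEST_ARGS = """
Usage:
    phabfive maniphest <id> [options]
"""

# The B307 finding: the original built a variable name from `app` and passed
# it to eval(), so the sub-command string was interpolated into source text
# and executed. A dict keyed by the allowed names makes the dispatch a plain
# lookup: unknown input is a KeyError, never code.
SUB_ARGS = {
    "passphrase": SUB_PASSPHRASE_ARGS,
    "maniphest": SUB_MANIPHEST_ARGS,
}


def is_known_subcommand(app: str) -> bool:
    """True only for names present in the lookup table."""
    return app in SUB_ARGS


def usage_for(app: str) -> str:
    """Return the docopt usage text for a known sub-command, else raise."""
    try:
        return SUB_ARGS[app]
    except KeyError:
        raise ValueError(f"unknown sub-command: {app!r}") from None


def load_config(stream):
    """The B506 finding: yaml.load with yaml.Loader honours arbitrary
    python/object tags. safe_load only builds plain scalars, lists and maps.
    PyYAML is assumed installed; imported lazily so the rest runs without it."""
    import yaml

    return yaml.safe_load(stream)
```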