diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
index 1d529adc43..760278667c 100644
--- a/doc/changes/unreleased.md
+++ b/doc/changes/unreleased.md
@@ -17,5 +17,5 @@ using.
 ## Refactoring
 * #800: Removed tbx security pretty-print, tbx lint pretty-print, and creation of .lint.txt, as superseded by Sonar and .lint.json usage
-* #791: Resolved Sonar concerns: accepted specific `subprocess` import usage & improved minor maintainability items
+* #791: Resolved Sonar concerns: accepted specific `subprocess` import usage, `subprocess` commands, & improved minor maintainability items
 * #629: Replace `version.py` with version from the `__init__.py`
diff --git a/exasol/toolbox/nox/_documentation.py b/exasol/toolbox/nox/_documentation.py
index 5c2988e0d3..e731dca3ed 100644
--- a/exasol/toolbox/nox/_documentation.py
+++ b/exasol/toolbox/nox/_documentation.py
@@ -54,7 +54,7 @@ def _git_diff_changes_main() -> int:
 PROJECT_CONFIG.documentation_path / "changes",
 ],
 capture_output=True,
- )
+ ) # nosec: B603, B607 - fixed git command; PATH lookup and args are trusted here
 return p.returncode
diff --git a/exasol/toolbox/nox/_release.py b/exasol/toolbox/nox/_release.py
index 0756a03fb0..a855cb7d32 100644
--- a/exasol/toolbox/nox/_release.py
+++ b/exasol/toolbox/nox/_release.py
@@ -76,7 +76,7 @@ def run(*args: str):
 try:
 return subprocess.run(
 args, capture_output=True, text=True, check=True
- ).stdout
+ ).stdout # nosec: B603 - risk accepted for internally used wrapper function
 except subprocess.CalledProcessError as ex:
 raise ReleaseError(
 f"failed to execute command {ex.cmd}\n\n{ex.stderr}"
diff --git a/exasol/toolbox/sphinx/multiversion/git.py b/exasol/toolbox/sphinx/multiversion/git.py
index 22fca61259..b9ddfe2b55 100644
--- a/exasol/toolbox/sphinx/multiversion/git.py
+++ b/exasol/toolbox/sphinx/multiversion/git.py
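Review bot: The free text after the test IDs in `# nosec: B603, B607 - fixed git command; PATH lookup and args are trusted here` is, as far as I recall Bandit's nosec parser, tokenised as further test names (the pattern accepts bare words, not only `B###`), so each word of the justification is looked up in the plugin list and logged as `Test in comment: ... is not a test name or id, ignoring` — harmless for the suppression itself, but it turns every scan into a wall of warnings. Put the reason behind a second `#`, which terminates Bandit's test-id scan: `)  # nosec B603 B607  # fixed git argv; git resolved via PATH`. The same trailing-prose form is used on every waiver in this change, so settling the convention once here is cheaper than fixing it per file later. `_git_diff_changes_main` begins outside the hunk.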
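Review bot: Accepting B603 inside `run(*args: str)` waives the check for every caller at once, because Bandit only ever sees the `subprocess.run` here and never the `run(...)` call sites that actually supply the argv, so `risk accepted for internally used wrapper function` records no contract those callers can be held to. Give the wrapper a docstring stating the rule the waiver relies on, e.g. `"""Run a fixed, trusted argv without a shell and return its stdout. Callers must not pass strings derived from user, network or repository data as args."""`, so the trust assumption lives where future call sites will read it. A missing binary also still escapes as a bare `FileNotFoundError` while a failing one becomes the `ReleaseError` raised in the `except` below; catching it alongside `CalledProcessError` would make the wrapper's error contract uniform. `run` begins before the hunk and its body continues past it.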
@@ -23,24 +23,28 @@ def get_toplevel_path(cwd=None):
- cmd = (
- "git",
- "rev-parse",
- "--show-toplevel",
- )
- output = subprocess.check_output(cmd, cwd=cwd).decode()
+ output = subprocess.check_output(
+ (
+ "git",
+ "rev-parse",
+ "--show-toplevel",
+ ),
+ cwd=cwd,
+ ).decode() # nosec: B603 - allow fixed git command
 return output.rstrip("\n")
 def get_all_refs(gitroot):
- cmd = (
- "git",
- "for-each-ref",
- "--format",
- "%(objectname)\t%(refname)\t%(creatordate:iso)",
- "refs",
- )
- output = subprocess.check_output(cmd, cwd=gitroot).decode()
+ output = subprocess.check_output(
+ (
+ "git",
+ "for-each-ref",
+ "--format",
+ "%(objectname)\t%(refname)\t%(creatordate:iso)",
+ "refs",
+ ),
+ cwd=gitroot,
+ ).decode() # nosec: B603 - allow fixed git command and fixed arguments
 for line in output.splitlines():
 is_remote = False
 fields = line.strip().split("\t")
@@ -127,34 +131,36 @@ def file_exists(gitroot, refname, filename):
 # Git requires / path sep, make sure we use that
 filename = filename.replace(os.sep, "/")
- cmd = (
- "git",
- "cat-file",
- "-e",
- f"{refname}:(unknown)",
- )
 proc = subprocess.run(
- cmd,
+ (
+ "git",
+ "cat-file",
+ "-e",
+ f"{refname}:(unknown)",
+ ),
 cwd=gitroot,
 stdout=subprocess.DEVNULL,
 stderr=subprocess.DEVNULL,
 check=False,
- )
+ ) # nosec: B603 - allow fixed git command and internally defined arguments
 return proc.returncode == 0
 def copy_tree(gitroot, dst, reference, sourcepath="."):
 with tempfile.SpooledTemporaryFile() as fp:
- cmd = (
- "git",
- "archive",
- "--format",
- "tar",
- reference.commit,
- "--",
- sourcepath,
- )
- subprocess.check_call(cmd, cwd=gitroot, stdout=fp)
+ subprocess.check_call(
+ (
+ "git",
+ "archive",
+ "--format",
+ "tar",
+ reference.commit,
+ "--",
+ sourcepath,
+ ),
+ cwd=gitroot,
+ stdout=fp,
+ ) # nosec: B603 - allow fixed git command and internally defined arguments
 fp.seek(0)
 with tarfile.TarFile(fileobj=fp) as tarfp:
 tarfp.extractall(dst)
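Review bot: Both functions are reshaped only to give the `# nosec` a statement to sit on, yet the original single-line calls would take the same trailing comment directly: `output = subprocess.check_output(cmd, cwd=cwd).decode()  # nosec B603  # fixed git argv` waives the finding on the very line Bandit reports it, with `cmd = (...)` kept named above it. As written, the diff turns two one-line waivers into roughly twenty churned lines and buries the `for-each-ref` format string one level deeper inside the call, which makes the "fixed arguments" claim in the comment harder to eyeball, not easier. get_toplevel_path begins before the hunk; get_all_refs continues past it.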
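Review bot: The waiver on copy_tree, `allow fixed git command and internally defined arguments`, overstates what is fixed: `reference.commit` and `sourcepath` are call parameters, and only `sourcepath` is shielded from option parsing by the `--` before it, while `reference.commit` is passed bare, so the comment should record the real assumption, e.g. `# nosec B603  # literal git argv; reference.commit is presumably the objectname parsed in get_all_refs, sourcepath follows --`. file_exists has the same shape, with `refname` interpolated into the `cat-file -e` argument and no `--` possible there. Separately, the unchanged `tarfp.extractall(dst)` closing the hunk is where the git-archive output actually touches the filesystem: on Python 3.12+ `tarfp.extractall(dst, filter="data")` rejects absolute or `..` members and links that resolve outside `dst`, which is worth adding if the supported Python range allows it. copy_tree may continue past the hunk; file_exists begins before it.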
diff --git a/exasol/toolbox/sphinx/multiversion/main.py b/exasol/toolbox/sphinx/multiversion/main.py
index b3fea3760c..beaea48366 100644
--- a/exasol/toolbox/sphinx/multiversion/main.py
+++ b/exasol/toolbox/sphinx/multiversion/main.py
@@ -411,7 +411,7 @@ def _main(args, argv):
 )
 subprocess.check_call(
 config.smv_prebuild_command, cwd=current_cwd, shell=True
- )
+ ) # nosec: B602 - explicit user-configured shell hook from Sphinx config
 if config.smv_prebuild_export_pattern != "":
 matches = find_matching_files_and_dirs(
@@ -478,7 +478,9 @@ def _main(args, argv):
 }
 )
 # Run sphinx-build
- subprocess.check_call(cmd, cwd=current_cwd, env=env)
+ subprocess.check_call(
+ cmd, cwd=current_cwd, env=env
+ ) # nosec: B603 - sphinx-build command and env are constructed internally
 # Create artefacts if this build target should be downloadable
 if downloadable:
@@ -563,7 +565,7 @@ def _main(args, argv):
 )
 subprocess.check_call(
 config.smv_postbuild_command, cwd=current_cwd, shell=True
- )
+ ) # nosec: B602 - explicit user-configured shell hook from Sphinx config
 if config.smv_postbuild_export_pattern != "":
 matches = find_matching_files_and_dirs(
 config.smv_postbuild_export_pattern, current_cwd
diff --git a/exasol/toolbox/tools/security.py b/exasol/toolbox/tools/security.py
index bcc5e0017d..46aa505fa1 100644
--- a/exasol/toolbox/tools/security.py
+++ b/exasol/toolbox/tools/security.py
@@ -68,7 +68,9 @@ def gh_security_issues() -> Generator[tuple[str, str]]:
 ]
 # fmt: on
 try:
- result = subprocess.run(command, check=True, capture_output=True)
+ result = subprocess.run(
+ command, check=True, capture_output=True
+ ) # nosec: B603 - fixed gh CLI command is constructed internally
 except FileNotFoundError as ex:
 msg = "Command 'gh' not found. Please make sure you have installed the github cli."
 raise FileNotFoundError(msg) from ex
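Review bot: The comment `explicit user-configured shell hook from Sphinx config` names the source of `config.smv_prebuild_command` but not the trust boundary, which is the one thing a B602 waiver should record. Whether `config` here is the invoking checkout's conf.py or the one loaded per built ref is decided outside this hunk; if it is the latter, anyone able to push to a whitelisted ref chooses the command — but Sphinx already executes that conf.py as arbitrary Python, so `shell=True` grants no capability that boundary does not already grant, and that is what the comment should say, e.g. `# nosec B602  # conf.py is executed as Python by Sphinx anyway; this shell hook widens no trust boundary`. The identical waiver on the post-build hook in the third hunk should get the same wording. `_main` begins and ends outside all three hunks.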
@@ -205,7 +207,9 @@ def create_security_issue(issue: Issue, project: str | None = None) -> tuple[str
 command.extend(['--project', project])
 # fmt: on
 try:
- result = subprocess.run(command, check=True, capture_output=True)
+ result = subprocess.run(
+ command, check=True, capture_output=True
+ ) # nosec: B603 - fixed gh CLI command is constructed internally
 except FileNotFoundError as ex:
 msg = "Command 'gh' not found. Please make sure you have installed the github cli."
 raise FileNotFoundError(msg) from ex
diff --git a/exasol/toolbox/util/dependencies/licenses.py b/exasol/toolbox/util/dependencies/licenses.py
index d40d9d91ad..86e9fb8c4d 100644
--- a/exasol/toolbox/util/dependencies/licenses.py
+++ b/exasol/toolbox/util/dependencies/licenses.py
@@ -110,7 +110,7 @@ def _packages_from_json(json: str) -> dict[NormalizedPackageStr, PackageLicense]
 def get_licenses() -> dict[NormalizedPackageStr, PackageLicense]:
 with tempfile.NamedTemporaryFile() as file:
- subprocess.run(
+ subprocess.run( # nosec: B603, B607 - allow fixed pip-licenses command
 [
 "pip-licenses",
 "--format=json",
diff --git a/exasol/toolbox/util/version.py b/exasol/toolbox/util/version.py
index 9ff6055472..1cde7ab5d2 100644
--- a/exasol/toolbox/util/version.py
+++ b/exasol/toolbox/util/version.py
@@ -88,7 +88,7 @@ def from_string(version):
 @staticmethod
 @poetry_command
 def from_poetry():
- output = subprocess.run(
+ output = subprocess.run( # nosec: B603, B607 - allow fixed poetry command
 ["poetry", "version", "--no-ansi", "--short"],
 capture_output=True,
 text=True,
@@ -98,7 +98,7 @@ def from_poetry():
 @staticmethod
 @poetry_command
 def upgrade_version_from_poetry(t: ReleaseTypes):
- output = subprocess.run(
+ output = subprocess.run( # nosec: B603, B607 - allow fixed poetry command
 ["poetry", "version", str(t), "--dry-run", "--no-ansi", "--short"],
 capture_output=True,
 text=True,
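Review bot: `fixed gh CLI command is constructed internally` is not accurate for this call: the hunk itself shows `command.extend(['--project', project])` appending a parameter, and presumably the issue's title and body (assembled above the hunk) travel in the argv as well, so what actually makes this acceptable is that there is no shell and each variable value is its own argv element placed after its flag, where `gh` cannot re-read it as an option. Record that instead, e.g. `# nosec B603  # no shell; gh argv is a list and project/issue fields are separate elements after their flags`. If any value could ever land in a positional slot, a `--` before it would be the cheap guard, but from this hunk every variable element follows a flag. create_security_issue begins before the hunk.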
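Review bot: Here and in the two version.py hunks the waiver is attached to the opening `subprocess.run(  # nosec …` line, while every other multi-line call in this change carries it on the closing `)`; Bandit honours either position as far as I recall its statement-range matching, but one convention per repository keeps `grep -n nosec` audits and future reviews simple, and the opening-line form is the better one to standardise on because it sits next to the call being waived. Also, `allow fixed pip-licenses command` justifies B603 but says nothing about B607, whose concern is that `pip-licenses` is resolved through PATH; if the accepted risk is "whatever the active environment puts on PATH", write it, e.g. `# nosec B603 B607  # fixed argv; pip-licenses resolves via the active environment's PATH`. get_licenses continues past the hunk.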