#791 Resolve Sonar Security Issues Part 2 - Add nosec to select subprocess commands

doc/changes/unreleased.md

@@ -17,5 +17,5 @@ using.
 ## Refactoring
 
 * #800: Removed tbx security pretty-print, tbx lint pretty-print, and creation of .lint.txt, as superseded by Sonar and .lint.json usage
-* #791: Resolved Sonar concerns: accepted specific `subprocess` import usage & improved minor maintainability items
+* #791: Resolved Sonar concerns: accepted specific `subprocess` import usage, `subprocess` commands, & improved minor maintainability items
 * #629: Replace `version.py` with version from the `__init__.py`

exasol/toolbox/nox/_documentation.py

@@ -54,7 +54,7 @@ def _git_diff_changes_main() -> int:
             PROJECT_CONFIG.documentation_path / "changes",
         ],
         capture_output=True,
-    )
+    )  # nosec: B603, B607 - fixed git command; PATH lookup and args are trusted here
     return p.returncode
 
 

exasol/toolbox/nox/_release.py

@@ -76,7 +76,7 @@ def run(*args: str):
         try:
             return subprocess.run(
                 args, capture_output=True, text=True, check=True
-            ).stdout
+            ).stdout  # nosec: B603 - risk accepted for internally used wrapper function
         except subprocess.CalledProcessError as ex:
             raise ReleaseError(
                 f"failed to execute command {ex.cmd}\n\n{ex.stderr}"

exasol/toolbox/sphinx/multiversion/git.py

@@ -23,24 +23,28 @@
 
 
 def get_toplevel_path(cwd=None):
-    cmd = (
-        "git",
-        "rev-parse",
-        "--show-toplevel",
-    )
-    output = subprocess.check_output(cmd, cwd=cwd).decode()
+    output = subprocess.check_output(
+        (
+            "git",
+            "rev-parse",
+            "--show-toplevel",
+        ),
+        cwd=cwd,
+    ).decode()  # nosec: B603 - allow fixed git command
     return output.rstrip("\n")
 
 
 def get_all_refs(gitroot):
-    cmd = (
-        "git",
-        "for-each-ref",
-        "--format",
-        "%(objectname)\t%(refname)\t%(creatordate:iso)",
-        "refs",
-    )
-    output = subprocess.check_output(cmd, cwd=gitroot).decode()
+    output = subprocess.check_output(
+        (
+            "git",
+            "for-each-ref",
+            "--format",
+            "%(objectname)\t%(refname)\t%(creatordate:iso)",
+            "refs",
+        ),
+        cwd=gitroot,
+    ).decode()  # nosec: B603 - allow fixed git command and fixed arguments
     for line in output.splitlines():
         is_remote = False
         fields = line.strip().split("\t")
@@ -127,34 +131,36 @@ def file_exists(gitroot, refname, filename):
         # Git requires / path sep, make sure we use that
         filename = filename.replace(os.sep, "/")
 
-    cmd = (
-        "git",
-        "cat-file",
-        "-e",
-        f"{refname}:{filename}",
-    )
     proc = subprocess.run(
-        cmd,
+        (
+            "git",
+            "cat-file",
+            "-e",
+            f"{refname}:{filename}",
+        ),
         cwd=gitroot,
         stdout=subprocess.DEVNULL,
         stderr=subprocess.DEVNULL,
         check=False,
-    )
+    )  # nosec: B603 - allow fixed git command and internally defined arguments
     return proc.returncode == 0
 
 
 def copy_tree(gitroot, dst, reference, sourcepath="."):
     with tempfile.SpooledTemporaryFile() as fp:
-        cmd = (
-            "git",
-            "archive",
-            "--format",
-            "tar",
-            reference.commit,
-            "--",
-            sourcepath,
-        )
-        subprocess.check_call(cmd, cwd=gitroot, stdout=fp)
+        subprocess.check_call(
+            (
+                "git",
+                "archive",
+                "--format",
+                "tar",
+                reference.commit,
+                "--",
+                sourcepath,
+            ),
+            cwd=gitroot,
+            stdout=fp,
+        )  # nosec: B603 - allow fixed git command and internally defined arguments
         fp.seek(0)
         with tarfile.TarFile(fileobj=fp) as tarfp:
             tarfp.extractall(dst)

exasol/toolbox/sphinx/multiversion/main.py

@@ -411,7 +411,7 @@ def _main(args, argv):
                 )
                 subprocess.check_call(
                     config.smv_prebuild_command, cwd=current_cwd, shell=True
-                )
+                )  # nosec: B602 - explicit user-configured shell hook from Sphinx config
 
                 if config.smv_prebuild_export_pattern != "":
                     matches = find_matching_files_and_dirs(
@@ -478,7 +478,9 @@ def _main(args, argv):
                     }
                 )
                 # Run sphinx-build
-                subprocess.check_call(cmd, cwd=current_cwd, env=env)
+                subprocess.check_call(
+                    cmd, cwd=current_cwd, env=env
+                )  # nosec: B603 - sphinx-build command and env are constructed internally
 
                 # Create artefacts if this build target should be downloadable
                 if downloadable:
@@ -563,7 +565,7 @@ def _main(args, argv):
                 )
                 subprocess.check_call(
                     config.smv_postbuild_command, cwd=current_cwd, shell=True
-                )
+                )  # nosec: B602 - explicit user-configured shell hook from Sphinx config
                 if config.smv_postbuild_export_pattern != "":
                     matches = find_matching_files_and_dirs(
                         config.smv_postbuild_export_pattern, current_cwd

exasol/toolbox/tools/security.py

@@ -68,7 +68,9 @@ def gh_security_issues() -> Generator[tuple[str, str]]:
     ]
     # fmt: on
     try:
-        result = subprocess.run(command, check=True, capture_output=True)
+        result = subprocess.run(
+            command, check=True, capture_output=True
+        )  # nosec: B603 - fixed gh CLI command is constructed internally
     except FileNotFoundError as ex:
         msg = "Command 'gh' not found. Please make sure you have installed the github cli."
         raise FileNotFoundError(msg) from ex
@@ -205,7 +207,9 @@ def create_security_issue(issue: Issue, project: str | None = None) -> tuple[str
         command.extend(['--project', project])
     # fmt: on
     try:
-        result = subprocess.run(command, check=True, capture_output=True)
+        result = subprocess.run(
+            command, check=True, capture_output=True
+        )  # nosec: B603 - fixed gh CLI command is constructed internally
     except FileNotFoundError as ex:
         msg = "Command 'gh' not found. Please make sure you have installed the github cli."
         raise FileNotFoundError(msg) from ex

exasol/toolbox/util/dependencies/licenses.py

@@ -110,7 +110,7 @@ def _packages_from_json(json: str) -> dict[NormalizedPackageStr, PackageLicense]
 
 def get_licenses() -> dict[NormalizedPackageStr, PackageLicense]:
     with tempfile.NamedTemporaryFile() as file:
-        subprocess.run(
+        subprocess.run(  # nosec: B603, B607 - allow fixed pip-licenses command
             [
                 "pip-licenses",
                 "--format=json",

exasol/toolbox/util/version.py

@@ -88,7 +88,7 @@ def from_string(version):
     @staticmethod
     @poetry_command
     def from_poetry():
-        output = subprocess.run(
+        output = subprocess.run(  # nosec: B603, B607 - allow fixed poetry command
             ["poetry", "version", "--no-ansi", "--short"],
             capture_output=True,
             text=True,
@@ -98,7 +98,7 @@ def from_poetry():
     @staticmethod
     @poetry_command
     def upgrade_version_from_poetry(t: ReleaseTypes):
-        output = subprocess.run(
+        output = subprocess.run(  # nosec: B603, B607 - allow fixed poetry command
             ["poetry", "version", str(t), "--dry-run", "--no-ansi", "--short"],
             capture_output=True,
             text=True,