Merge pull request #617 from wlemkows/ur-bandit-setup

Add Bandit scan for python tools

Author: pbalcer

.github/workflows/bandit.yml

@@ -0,0 +1,26 @@
+# Runs bandit security checker for code written in Python.
+name: Bandit
+
+on: [push, pull_request, workflow_dispatch]
+
+jobs:
+  linux:
+    name: Bandit
+    runs-on: ubuntu-latest
+  
+    steps:
+      - name: Clone the git repo
+        uses: actions/checkout@v3
+
+      - name: Install apt packages
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y doxygen
+       
+      - name: Install pip packages
+        run: pip install -r third_party/requirements.txt
+
+      # Scan is run only for the 'tools' folder.
+      - name: Run Bandit
+        run: |
+          bandit -r tools

third_party/requirements.txt

@@ -1,5 +1,6 @@
 alabaster==0.7.12
 Babel==2.7.0
+bandit==1.6.2
 beautifulsoup4==4.11.1
 breathe==4.33.1
 bs4==0.0.1

tools/urtrace/urtrace.py

@@ -5,7 +5,7 @@
 # See LICENSE.TXT
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 import argparse
-import subprocess
+import subprocess  # nosec B404
 import os
 import sys
 
@@ -134,7 +134,9 @@ def get_dynamic_library_name(name):
     print(env)
 
 if config['command']:
-    result = subprocess.run(config['command'], env=env)
+    # The core functionality is to pass the user's command,
+    # and it is the user's responsibility to pass secure parameters.
+    result = subprocess.run(config['command'], env=env)  # nosec B603
     if args.debug:
         print(result)
     exit(result.returncode)