Subprocess usage flagging

Describe the bug

Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.

On

import subprocess

and

Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.

On

result = subprocess.call(args, shell=False)

Expected behavior
Is that expected behaviour to flag import of subprocess module and also flag call function with shell=False ?

Bandit version

➜  bandit --version
bandit 1.5.1
  python version = 2.7.15 (default, Aug 17 2018, 22:39:05) [GCC 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.2)]

Additional context

[ehooo]

@michaltango in both cases call to subprocess.call has risk, the only difference is the level of the severity and confidence.

[thanatos]

As a new user of bandit: the .call call, sure, but import subprocess is harmless, and dinging me twice for every use (and forcing me to # nosec both of them) just seems pointless. (And I've ended up just wholesale --skip'ing the import subprocess warning, since I don't think it adds anything.)

[stephen-dexda]

There's an additional problem with flagging the import, namely that using # nosec on the import also disables warnings for any subsequent uses of the module.

This means that if I can either:

• # nosec the import, and not be warned about any subsequent use of the module; or
• not # nosec the import, and have a linting error.

The former is a problem because code may be a mix of legacy/bad subprocess use, and considered/unavoidable use. In the former case I want to be warned, and in the latter case I want to # nosec each individual use.

The latter is a problem for CI/CD purposes, since I want to be able to enforce passing of all linting tests.

[ehooo]

@stephen-dexda I think for CI/CD is better option use --baseline to remove the hits on the code.

[simonkowallik]

There's an additional problem with flagging the import, namely that using # nosec on the import also disables warnings for any subsequent uses of the module.

This means that if I can either:

• # nosec the import, and not be warned about any subsequent use of the module; or
• not # nosec the import, and have a linting error.

The former is a problem because code may be a mix of legacy/bad subprocess use, and considered/unavoidable use. In the former case I want to be warned, and in the latter case I want to # nosec each individual use.

The latter is a problem for CI/CD purposes, since I want to be able to enforce passing of all linting tests.

CI/CD is one thing but to me the added security risk by not detecting new and potentially unsafe uses of subprocess is the critical point here.
I'll live with the module import warning and # nosec the specific finding.