Modify diagnostic ranges for shell-related bandit rules

[charliermarsh]

Summary

The rules that flag shell calls now center on the function name, rather than the shell argument (which isn't really relevant -- especially it it's falsy). The rules that center on specific arguments (e.g., a wildcard in a string) now highlight the argument.

Closes #9994.

[github-actions]

ruff-ecosystem results

Linter (stable)

ℹ️ ecosystem check detected linter changes. (+251 -249 violations, +0 -0 fixes in 5 projects; 39 projects unchanged)

apache/airflow (+171 -171 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --no-preview --select ALL

+ airflow/cli/commands/dag_command.py:307:14: S603 `subprocess` call: check for execution of untrusted input
- airflow/cli/commands/dag_command.py:307:31: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/info_command.py:199:18: S603 `subprocess` call: check for execution of untrusted input
- airflow/cli/commands/info_command.py:199:35: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/internal_api_command.py:164:17: S603 `subprocess` call: check for execution of untrusted input
- airflow/cli/commands/internal_api_command.py:164:34: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/internal_api_command.py:177:22: S603 `subprocess` call: check for execution of untrusted input
- airflow/cli/commands/internal_api_command.py:177:39: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/standalone_command.py:267:24: S603 `subprocess` call: check for execution of untrusted input
... 296 additional changes omitted for rule S603
+ airflow/example_dags/example_kubernetes_executor.py:132:35: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
- airflow/example_dags/example_kubernetes_executor.py:132:45: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+ airflow/example_dags/example_kubernetes_executor.py:94:27: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
- airflow/example_dags/example_kubernetes_executor.py:94:37: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+ airflow/providers/apache/beam/hooks/beam.py:573:25: S604 Function call with `shell=True` parameter identified, security issue
- airflow/providers/apache/beam/hooks/beam.py:575:13: S604 Function call with `shell=True` parameter identified, security issue
+ dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1063:13: S604 Function call with `shell=True` parameter identified, security issue
- dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1072:17: S604 Function call with `shell=True` parameter identified, security issue
+ dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1075:13: S604 Function call with `shell=True` parameter identified, security issue
- dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1084:17: S604 Function call with `shell=True` parameter identified, security issue
+ dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1087:13: S604 Function call with `shell=True` parameter identified, security issue
- dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1096:17: S604 Function call with `shell=True` parameter identified, security issue
- dev/breeze/src/airflow_breeze/commands/release_candidate_command.py:160:87: S604 Function call with `shell=True` parameter identified, security issue
... 6 additional changes omitted for rule S604
+ hatch_build.py:603:13: S602 `subprocess` call with `shell=True` identified, security issue
- hatch_build.py:603:59: S602 `subprocess` call with `shell=True` identified, security issue
+ hatch_build.py:616:13: S602 `subprocess` call with `shell=True` identified, security issue
- hatch_build.py:616:59: S602 `subprocess` call with `shell=True` identified, security issue
+ scripts/ci/pre_commit/pre_commit_ruff_format.py:26:1: S602 `subprocess` call with `shell=True` identified, security issue
- scripts/ci/pre_commit/pre_commit_ruff_format.py:26:33: S602 `subprocess` call with `shell=True` identified, security issue
+ tests/dags/test_on_kill.py:44:13: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
- tests/dags/test_on_kill.py:44:23: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+ tests/system/providers/amazon/aws/example_emr_eks.py:102:13: S602 `subprocess` call with `shell=True` identified, security issue
- tests/system/providers/amazon/aws/example_emr_eks.py:104:9: S602 `subprocess` call with `shell=True` identified, security issue
+ tests/system/providers/amazon/aws/example_emr_eks.py:120:13: S602 `subprocess` call with `shell=True` identified, security issue
... 8 additional changes omitted for rule S602
- tests/task/task_runner/test_standard_task_runner.py:335:19: S605 Starting a process with a shell, possible injection detected
... 308 additional changes omitted for project

bokeh/bokeh (+38 -38 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --no-preview --select ALL

+ examples/output/apis/server_document/flask_server.py:45:17: S603 `subprocess` call: check for execution of untrusted input
- examples/output/apis/server_document/flask_server.py:46:5: S603 `subprocess` call: check for execution of untrusted input
+ release/system.py:43:18: S602 `subprocess` call with `shell=True` identified, security issue
- release/system.py:43:34: S602 `subprocess` call with `shell=True` identified, security issue
- scripts/hooks/install.py:5:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/hooks/install.py:5:5: S603 `subprocess` call: check for execution of untrusted input
+ scripts/hooks/protect_branches.py:10:22: S603 `subprocess` call: check for execution of untrusted input
- scripts/hooks/protect_branches.py:10:26: S603 `subprocess` call: check for execution of untrusted input
... 69 additional changes omitted for rule S603
... 68 additional changes omitted for project

freedomofpress/securedrop (+2 -0 violations, +0 -0 fixes)

+ devops/scripts/verify-mo.py:116:16: S602 `subprocess` call with `shell=True` identified, security issue
+ devops/scripts/verify-mo.py:120:26: RUF100 [*] Unused `noqa` directive (unused: `S602`)

rotki/rotki (+3 -3 violations, +0 -0 fixes)

+ packaging/docker/entrypoint.py:144:11: S603 `subprocess` call: check for execution of untrusted input
- packaging/docker/entrypoint.py:144:28: S603 `subprocess` call: check for execution of untrusted input
- packaging/docker/entrypoint.py:166:26: S603 `subprocess` call: check for execution of untrusted input
+ packaging/docker/entrypoint.py:166:9: S603 `subprocess` call: check for execution of untrusted input
- packaging/docker/entrypoint.py:174:52: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
+ packaging/docker/entrypoint.py:174:9: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`

zulip/zulip (+37 -37 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --no-preview --select ALL

+ scripts/lib/check_rabbitmq_queue.py:136:26: S603 `subprocess` call: check for execution of untrusted input
- scripts/lib/check_rabbitmq_queue.py:137:9: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/check_rabbitmq_queue.py:153:23: S603 `subprocess` call: check for execution of untrusted input
- scripts/lib/check_rabbitmq_queue.py:154:9: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/hash_reqs.py:38:12: S603 `subprocess` call: check for execution of untrusted input
- scripts/lib/hash_reqs.py:38:36: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/puppet_cache.py:25:30: S603 `subprocess` call: check for execution of untrusted input
- scripts/lib/puppet_cache.py:27:9: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/setup_venv.py:177:31: S603 `subprocess` call: check for execution of untrusted input
- scripts/lib/setup_venv.py:177:55: S603 `subprocess` call: check for execution of untrusted input
... 64 additional changes omitted for project

Changes by rule (5 rules affected)

code	total	+ violation	- violation	+ fix	- fix
S603	456	228	228	0	0
S602	21	11	10	0	0
S604	14	7	7	0	0
S605	8	4	4	0	0
RUF100	1	1	0	0	0

Linter (preview)

ℹ️ ecosystem check detected linter changes. (+251 -249 violations, +0 -0 fixes in 5 projects; 39 projects unchanged)

apache/airflow (+171 -171 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL

+ airflow/cli/commands/dag_command.py:307:14: S603 `subprocess` call: check for execution of untrusted input
- airflow/cli/commands/dag_command.py:307:31: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/info_command.py:199:18: S603 `subprocess` call: check for execution of untrusted input
- airflow/cli/commands/info_command.py:199:35: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/internal_api_command.py:164:17: S603 `subprocess` call: check for execution of untrusted input
- airflow/cli/commands/internal_api_command.py:164:34: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/internal_api_command.py:177:22: S603 `subprocess` call: check for execution of untrusted input
- airflow/cli/commands/internal_api_command.py:177:39: S603 `subprocess` call: check for execution of untrusted input
+ airflow/cli/commands/standalone_command.py:267:24: S603 `subprocess` call: check for execution of untrusted input
... 296 additional changes omitted for rule S603
+ airflow/example_dags/example_kubernetes_executor.py:132:35: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
- airflow/example_dags/example_kubernetes_executor.py:132:45: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+ airflow/example_dags/example_kubernetes_executor.py:94:27: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
- airflow/example_dags/example_kubernetes_executor.py:94:37: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+ airflow/providers/apache/beam/hooks/beam.py:573:25: S604 Function call with `shell=True` parameter identified, security issue
- airflow/providers/apache/beam/hooks/beam.py:575:13: S604 Function call with `shell=True` parameter identified, security issue
+ dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1063:13: S604 Function call with `shell=True` parameter identified, security issue
- dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1072:17: S604 Function call with `shell=True` parameter identified, security issue
+ dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1075:13: S604 Function call with `shell=True` parameter identified, security issue
- dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1084:17: S604 Function call with `shell=True` parameter identified, security issue
+ dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1087:13: S604 Function call with `shell=True` parameter identified, security issue
- dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1096:17: S604 Function call with `shell=True` parameter identified, security issue
- dev/breeze/src/airflow_breeze/commands/release_candidate_command.py:160:87: S604 Function call with `shell=True` parameter identified, security issue
... 6 additional changes omitted for rule S604
+ hatch_build.py:603:13: S602 `subprocess` call with `shell=True` identified, security issue
- hatch_build.py:603:59: S602 `subprocess` call with `shell=True` identified, security issue
+ hatch_build.py:616:13: S602 `subprocess` call with `shell=True` identified, security issue
- hatch_build.py:616:59: S602 `subprocess` call with `shell=True` identified, security issue
+ scripts/ci/pre_commit/pre_commit_ruff_format.py:26:1: S602 `subprocess` call with `shell=True` identified, security issue
- scripts/ci/pre_commit/pre_commit_ruff_format.py:26:33: S602 `subprocess` call with `shell=True` identified, security issue
+ tests/dags/test_on_kill.py:44:13: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
- tests/dags/test_on_kill.py:44:23: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell`
+ tests/system/providers/amazon/aws/example_emr_eks.py:102:13: S602 `subprocess` call with `shell=True` identified, security issue
- tests/system/providers/amazon/aws/example_emr_eks.py:104:9: S602 `subprocess` call with `shell=True` identified, security issue
+ tests/system/providers/amazon/aws/example_emr_eks.py:120:13: S602 `subprocess` call with `shell=True` identified, security issue
... 8 additional changes omitted for rule S602
- tests/task/task_runner/test_standard_task_runner.py:335:19: S605 Starting a process with a shell, possible injection detected
... 308 additional changes omitted for project

bokeh/bokeh (+38 -38 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL

+ examples/output/apis/server_document/flask_server.py:45:17: S603 `subprocess` call: check for execution of untrusted input
- examples/output/apis/server_document/flask_server.py:46:5: S603 `subprocess` call: check for execution of untrusted input
+ release/system.py:43:18: S602 `subprocess` call with `shell=True` identified, security issue
- release/system.py:43:34: S602 `subprocess` call with `shell=True` identified, security issue
- scripts/hooks/install.py:5:20: S603 `subprocess` call: check for execution of untrusted input
+ scripts/hooks/install.py:5:5: S603 `subprocess` call: check for execution of untrusted input
+ scripts/hooks/protect_branches.py:10:22: S603 `subprocess` call: check for execution of untrusted input
- scripts/hooks/protect_branches.py:10:26: S603 `subprocess` call: check for execution of untrusted input
... 69 additional changes omitted for rule S603
... 68 additional changes omitted for project

freedomofpress/securedrop (+2 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview

+ devops/scripts/verify-mo.py:116:16: S602 `subprocess` call with `shell=True` identified, security issue
+ devops/scripts/verify-mo.py:120:26: RUF100 [*] Unused `noqa` directive (unused: `S602`)

rotki/rotki (+3 -3 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview

+ packaging/docker/entrypoint.py:144:11: S603 `subprocess` call: check for execution of untrusted input
- packaging/docker/entrypoint.py:144:28: S603 `subprocess` call: check for execution of untrusted input
- packaging/docker/entrypoint.py:166:26: S603 `subprocess` call: check for execution of untrusted input
+ packaging/docker/entrypoint.py:166:9: S603 `subprocess` call: check for execution of untrusted input
- packaging/docker/entrypoint.py:174:52: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
+ packaging/docker/entrypoint.py:174:9: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`

zulip/zulip (+37 -37 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL

+ scripts/lib/check_rabbitmq_queue.py:136:26: S603 `subprocess` call: check for execution of untrusted input
- scripts/lib/check_rabbitmq_queue.py:137:9: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/check_rabbitmq_queue.py:153:23: S603 `subprocess` call: check for execution of untrusted input
- scripts/lib/check_rabbitmq_queue.py:154:9: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/hash_reqs.py:38:12: S603 `subprocess` call: check for execution of untrusted input
- scripts/lib/hash_reqs.py:38:36: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/puppet_cache.py:25:30: S603 `subprocess` call: check for execution of untrusted input
- scripts/lib/puppet_cache.py:27:9: S603 `subprocess` call: check for execution of untrusted input
+ scripts/lib/setup_venv.py:177:31: S603 `subprocess` call: check for execution of untrusted input
- scripts/lib/setup_venv.py:177:55: S603 `subprocess` call: check for execution of untrusted input
... 64 additional changes omitted for project

Changes by rule (5 rules affected)

code	total	+ violation	- violation	+ fix	- fix
S603	456	228	228	0	0
S602	21	11	10	0	0
S604	14	7	7	0	0
S605	8	4	4	0	0
RUF100	1	1	0	0	0

[dhruvmanila]

This has the side effect that some of the noqa comments would need to be moved like in the case highlighted by the ecosystem checks: https://github.com/freedomofpress/securedrop/blob/da8ac79a2017001e017b2a742fcb8c81b2f3e7b0/devops/scripts/verify-mo.py#L120:

        return subprocess.run(  # <- The below `noqa` comment should be here now
            cmd,
            capture_output=True,
            env=os.environ,
            shell=True,  # noqa: S602  # <- This `noqa` command needs to be moved up
        )

This now raises RUF100 [*] Unused noqa directive (unused: S602).

I think this change should go either under preview or in the next minor release.

[MichaReiser]

The code looks good to me. I'm not sure if the incompatibility with another tool warrants a breaking change

[MichaReiser]

Nit: Rename to evaluate_shell_keywrod and return a Option<Truthiness> directly. The ShellKeyword type seems superfluous now that it only stores Truthiness

[MichaReiser]

To me it's now unclear what shell is referring to. What I assumed from before is that the first argument ("true") is the shell argument. Now, that context is lost. I'm not saying that we shouldn't make this change but it might require fine-tuning the diagnostic message as well.

[charliermarsh]

To be clear, the motivation here isn't achieving complete compatibility with another tool. Some of our ranges are still different. The motivation is that the current ranges don't really make sense (why highlight shell=False for a diagnostic that's about subprocess.call?).

(We definitely can't ship these without a minor bump though.)