TechQA.

Bandit B404 security issue with subprocess import?

1.3k views Asked by At

According to Bandit's documentation, importing the subprocess module is considered a low security issue (B404). Unfortunately, it does not provide alternatives or explanation why. Thus, I have 2 questions:

  1. How could just importing this module be an issue in itself?
  2. What alternatives should I use instead? Should I import only a specific function from this library or should I just avoid it?
python python-3.x security bandit-python
Original Q&A
2

There are 2 answers

0
Carl Walsh On

Our team decided to turn off the B404 warning, because as you pointed out it is not useful.

We have B602: subprocess_popen_with_shell_equals_true and B603: subprocess_without_shell_equals_true both turned on, which are where actual security issues could happen.

0
Jman On

As noted in the Bandit blacklist imports documentation, this is a low severity issue. It is just a heads-up for anyone who is not aware of the potential security issues related to the library.

You can suppress the warning by excluding it with # nosec B404 on the corresponding line, or by changing scan behavior in your Bandit configuration.

Related Questions in PYTHON

Related Questions in PYTHON-3.X

Related Questions in SECURITY

Related Questions in BANDIT-PYTHON

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions