add bandit integration and fix its warnings

.bandit-test.yml

@@ -0,0 +1 @@
+skips: ['B101', 'B306', 'B404']

.bandit.yml

@@ -0,0 +1 @@
+skips: ['B404', 'B603']

Makefile

@@ -26,6 +26,8 @@ archlinux: archive
 check: clean mypy
 	find "src/$(PROJECT)" "tests/$(PROJECT)" -name "*.py" -execdir autopep8 --exit-code --max-line-length 120 -aa -i {} +
 	cd src && pylint --rcfile=../.pylintrc "$(PROJECT)"
+	cd src && bandit -c ../.bandit.yml -r "$(PROJECT)"
+	cd tests && bandit -c ../.bandit-test.yml -r "$(PROJECT)"
 
 clean:
 	find . -type f -name "$(PROJECT)-*-src.tar.xz" -delete

setup.py

@@ -74,6 +74,7 @@ setup(
     extras_require={
         "check": [
             "autopep8",
+            "bandit",
             "mypy",
             "pylint",
         ],

src/ahriman/application/ahriman.py

@@ -19,6 +19,7 @@
 #
 import argparse
 import sys
+import tempfile
 
 from pathlib import Path
 
@@ -44,7 +45,14 @@ def _parser() -> argparse.ArgumentParser:
                         action="append")
     parser.add_argument("-c", "--configuration", help="configuration path", type=Path, default=Path("/etc/ahriman.ini"))
     parser.add_argument("--force", help="force run, remove file lock", action="store_true")
-    parser.add_argument("-l", "--lock", help="lock file", type=Path, default=Path("/tmp/ahriman.lock"))
+    parser.add_argument(
+        "-l",
+        "--lock",
+        help="lock file",
+        type=Path,
+        default=Path(
+            tempfile.gettempdir()) /
+        "ahriman.lock")
     parser.add_argument("--no-log", help="redirect all log messages to stderr", action="store_true")
     parser.add_argument("--no-report", help="force disable reporting to web service", action="store_true")
     parser.add_argument("--unsafe", help="allow to run ahriman as non-ahriman user", action="store_true")

src/ahriman/core/upload/s3.py

@@ -50,6 +50,7 @@ class S3(Upload):
         """
         calculate amazon s3 etag
         credits to https://teppen.io/2018/10/23/aws_s3_verify_etags/
+        For this method we have to define nosec because it is out of any security context and provided by AWS
         :param path: path to local file
         :param chunk_size: read chunk size, which depends on client settings
         :return: calculated entity tag for local file
@@ -57,11 +58,11 @@ class S3(Upload):
         md5s = []
         with path.open("rb") as local_file:
             for chunk in iter(lambda: local_file.read(chunk_size), b""):
-                md5s.append(hashlib.md5(chunk))
+                md5s.append(hashlib.md5(chunk))  # nosec
 
         # in case if there is only one chunk it must be just this checksum
         # and checksum of joined digest otherwise (including empty list)
-        checksum = md5s[0] if len(md5s) == 1 else hashlib.md5(b"".join(md5.digest() for md5 in md5s))
+        checksum = md5s[0] if len(md5s) == 1 else hashlib.md5(b"".join(md5.digest() for md5 in md5s))  # nosec
         # in case if there are more than one chunk it should be appended with amount of chunks
         suffix = f"-{len(md5s)}" if len(md5s) > 1 else ""
         return f"{checksum.hexdigest()}{suffix}"