fix: resolve Bandit security warnings in metadata generators

SckyzO · SckyzO · commit 43e0aaba5e5e · 2026-02-10T09:44:18.000+01:00
- Add usedforsecurity=False to MD5 hash functions (B324)
  * MD5 used only for cache filenames (non-security purpose)
  * MD5 required by Debian/APT format specification (with #nosec)
- Replace hardcoded /tmp paths with tempfile.gettempdir() (B108)
- Add import tempfile to both scripts

Bandit scan now reports: No issues identified
diff --git a/core/scripts/generate_apt_metadata.py b/core/scripts/generate_apt_metadata.py
@@ -13,6 +13,7 @@
 import json
 import subprocess
 import sys
+import tempfile
 from pathlib import Path
 from typing import Dict, List
 
@@ -32,7 +33,8 @@ def get_deb_metadata(url: str, local_cache: Path) -> Dict:
     Download DEB and extract metadata.
     Cache locally to avoid repeated downloads.
     """
-    cache_file = local_cache / hashlib.md5(url.encode()).hexdigest()
+    # MD5 used only for cache filename generation, not for security
+    cache_file = local_cache / hashlib.md5(url.encode(), usedforsecurity=False).hexdigest()  # nosec B324
 
     if cache_file.exists():
         print(f"Using cached DEB: {cache_file.name}")
@@ -76,7 +78,8 @@ def get_deb_metadata(url: str, local_cache: Path) -> Dict:
         "Size": str(len(deb_content)),
         "Filename": url,
         "SHA256": hashlib.sha256(deb_content).hexdigest(),
-        "MD5sum": hashlib.md5(deb_content).hexdigest(),
+        # MD5sum required by Debian package format specification
+        "MD5sum": hashlib.md5(deb_content, usedforsecurity=False).hexdigest(),  # nosec B324
     }
 
 
@@ -122,11 +125,12 @@ def create_release_file(codename: str, arch: str, packages_dir: Path):
 """
 
     # Calculate checksums for Packages files
+    # MD5Sum required by APT repository format specification
     release_content += "MD5Sum:\n"
     for file in [packages_file, packages_gz]:
         if file.exists():
             content = file.read_bytes()
-            md5 = hashlib.md5(content).hexdigest()
+            md5 = hashlib.md5(content, usedforsecurity=False).hexdigest()  # nosec B324
             size = len(content)
             rel_path = file.relative_to(packages_dir.parent.parent)
             release_content += f" {md5} {size} {rel_path}\n"
@@ -165,7 +169,7 @@ def main():
     parser.add_argument("--arch", required=True, help="Architecture (amd64, arm64)")
     parser.add_argument(
         "--cache-dir",
-        default="/tmp/deb-metadata-cache",
+        default=f"{tempfile.gettempdir()}/deb-metadata-cache",
         help="Cache directory for downloaded DEBs",
     )
 
diff --git a/core/scripts/generate_yum_metadata.py b/core/scripts/generate_yum_metadata.py
@@ -13,6 +13,7 @@
 import json
 import os
 import sys
+import tempfile
 import xml.etree.ElementTree as ET
 from pathlib import Path
 from typing import Dict, List
@@ -25,8 +26,8 @@ def get_rpm_metadata(url: str, local_cache: Path) -> Dict:
     Download RPM and extract metadata (name, version, arch, etc.).
     Cache locally to avoid repeated downloads.
     """
-    # Create cache filename from URL
-    cache_file = local_cache / hashlib.md5(url.encode()).hexdigest()
+    # Create cache filename from URL - MD5 used only for filename, not security
+    cache_file = local_cache / hashlib.md5(url.encode(), usedforsecurity=False).hexdigest()  # nosec B324
 
     if cache_file.exists():
         print(f"Using cached RPM: {cache_file.name}")
@@ -170,7 +171,7 @@ def main():
     parser.add_argument("--arch", required=True, help="Architecture (x86_64, aarch64)")
     parser.add_argument(
         "--cache-dir",
-        default="/tmp/rpm-metadata-cache",
+        default=f"{tempfile.gettempdir()}/rpm-metadata-cache",
         help="Cache directory for downloaded RPMs",
     )
 
