Fix bandit high-severity warnings and use pre-commit (#7913)

Remove `shell=True` argument of `subprocess.call`.
Refactor: Use `subprocess.run` instead of `subprocess.call`.
Add `bandit` to .pre-commit-config.yaml.
Use `gitpython` for clone command.

Co-authored-by: Pierre Sassoulas <[email protected]>

Author: mbyrnepr2

.pre-commit-config.yaml

@@ -146,3 +146,9 @@ repos:
               pylint/__pkginfo__.py|
               setup.cfg
           )$
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.4
+    hooks:
+      - id: bandit
+        args: ["-r", "-lll"]
+        exclude: *fixtures

pylint/graph.py

@@ -13,7 +13,6 @@
 import os
 import shutil
 import subprocess
-import sys
 import tempfile
 from collections.abc import Sequence
 from typing import Any
@@ -113,9 +112,8 @@ def generate(
                     "executable not found. Install graphviz, or specify a `.gv` "
                     "outputfile to produce the DOT source code."
                 )
-            use_shell = sys.platform == "win32"
             if mapfile:
-                subprocess.call(
+                subprocess.run(
                     [
                         self.renderer,
                         "-Tcmapx",
@@ -127,12 +125,12 @@ def generate(
                         "-o",
                         outputfile,
                     ],
-                    shell=use_shell,
+                    check=True,
                 )
             else:
-                subprocess.call(
+                subprocess.run(
                     [self.renderer, "-T", target, dot_sourcepath, "-o", outputfile],
-                    shell=use_shell,
+                    check=True,
                 )
             os.unlink(dot_sourcepath)
         return outputfile

pylint/pyreverse/dot_printer.py

@@ -8,7 +8,6 @@
 
 import os
 import subprocess
-import sys
 import tempfile
 from enum import Enum
 from pathlib import Path
@@ -164,10 +163,8 @@ def generate(self, outputfile: str) -> None:
         with open(dot_sourcepath, "w", encoding="utf8") as outfile:
             outfile.writelines(self.lines)
         if target not in graphviz_extensions:
-            use_shell = sys.platform == "win32"
-            subprocess.call(
-                ["dot", "-T", target, dot_sourcepath, "-o", outputfile],
-                shell=use_shell,
+            subprocess.run(
+                ["dot", "-T", target, dot_sourcepath, "-o", outputfile], check=True
             )
             os.unlink(dot_sourcepath)
 

requirements_test_pre_commit.txt

@@ -1,5 +1,6 @@
 # Everything in this file should reflect the pre-commit configuration
 # in .pre-commit-config.yaml
+bandit==1.7.4
 black==22.10.0
 flake8==6.0.0
 flake8-bugbear==22.10.27

tests/profile/test_profile_against_externals.py

@@ -13,6 +13,7 @@
 from pathlib import Path
 
 import pytest
+from git.repo import Repo
 
 from pylint.testutils import GenericTestReporter as Reporter
 from pylint.testutils._run import _Run as Run
@@ -45,7 +46,7 @@ def test_run(tmp_path: Path, name: str, git_repo: str) -> None:
     """Runs pylint against external sources."""
     checkoutdir = tmp_path / name
     checkoutdir.mkdir()
-    os.system(f"git clone --depth=1 {git_repo} {checkoutdir}")
+    Repo.clone_from(url=git_repo, to_path=checkoutdir, depth=1)
     filepaths = _get_py_files(scanpath=str(checkoutdir))
     print(f"Have {len(filepaths)} files")