chore: Handle all level 1 TiCS security violations (#5103)

Ignore these bandit violations as we're not dealing with untrusted
input. Violations ignored in this commit are:
 B314: xml_bad_ElementTree
 B318: xml_bad_mindom
 B405: import_xml_etree
 B406: import_xml_sax
 B408: import_xml_minidom
 B603: subprocess_without_shell_equals_true

cloudinit/cmd/devel/logs.py

@@ -167,7 +167,7 @@ def _stream_command_output_to_file(cmd, filename, msg, verbosity):
     ensure_dir(os.path.dirname(filename))
     try:
         with open(filename, "w") as f:
-            subprocess.call(cmd, stdout=f, stderr=f)
+            subprocess.call(cmd, stdout=f, stderr=f)  # nosec B603
     except OSError as e:
         write_file(filename, str(e))
         _debug("collecting %s failed.\n" % msg, 1, verbosity)

cloudinit/config/cc_power_state_change.py

@@ -205,7 +205,7 @@ def doexit(sysexit):
 def execmd(exe_args, output=None, data_in=None):
     ret = 1
     try:
-        proc = subprocess.Popen(
+        proc = subprocess.Popen(  # nosec B603
             exe_args,
             stdin=subprocess.PIPE,
             stdout=output,

cloudinit/sources/DataSourceAzure.py

@@ -11,7 +11,7 @@
 import os.path
 import re
 import socket
-import xml.etree.ElementTree as ET
+import xml.etree.ElementTree as ET  # nosec B405
 from enum import Enum
 from pathlib import Path
 from time import sleep, time
@@ -1799,7 +1799,7 @@ def write_files(datadir, files, dirmode=None):
     def _redact_password(cnt, fname):
         """Azure provides the UserPassword in plain text. So we redact it"""
         try:
-            root = ET.fromstring(cnt)
+            root = ET.fromstring(cnt)  # nosec B314
             for elem in root.iter():
                 if (
                     "UserPassword" in elem.tag

cloudinit/sources/DataSourceOVF.py

@@ -17,7 +17,7 @@
 import logging
 import os
 import re
-from xml.dom import minidom
+from xml.dom import minidom  # nosec B408
 
 from cloudinit import safeyaml, sources, subp, util
 
@@ -353,7 +353,7 @@ def find_child(node, filter_func):
 
 
 def get_properties(contents):
-    dom = minidom.parseString(contents)
+    dom = minidom.parseString(contents)  # nosec B318
     if dom.documentElement.localName != "Environment":
         raise XmlError("No Environment Node")
 

cloudinit/sources/azure/errors.py

@@ -9,7 +9,7 @@
 from datetime import datetime
 from io import StringIO
 from typing import Any, Dict, List, Optional, Tuple
-from xml.etree import ElementTree
+from xml.etree import ElementTree  # nosec B405
 
 import requests
 

cloudinit/sources/helpers/azure.py

@@ -10,8 +10,8 @@
 from datetime import datetime
 from time import sleep, time
 from typing import Callable, List, Optional, TypeVar, Union
-from xml.etree import ElementTree
-from xml.sax.saxutils import escape
+from xml.etree import ElementTree  # nosec B405
+from xml.sax.saxutils import escape  # nosec B406
 
 from cloudinit import distros, subp, temp_utils, url_helper, util, version
 from cloudinit.reporting import events
@@ -360,7 +360,7 @@ def __init__(
         self.azure_endpoint_client = azure_endpoint_client
 
         try:
-            self.root = ElementTree.fromstring(unparsed_xml)
+            self.root = ElementTree.fromstring(unparsed_xml)  # nosec B314
         except ElementTree.ParseError as e:
             report_diagnostic_event(
                 "Failed to parse GoalState XML: %s" % e,
@@ -493,7 +493,9 @@ def _decrypt_certs_from_xml(self, certificates_xml):
         """Decrypt the certificates XML document using the our private key;
         return the list of certs and private keys contained in the doc.
         """
-        tag = ElementTree.fromstring(certificates_xml).find(".//Data")
+        tag = ElementTree.fromstring(certificates_xml).find(  # nosec B314
+            ".//Data"
+        )
         certificates_content = tag.text
         lines = [
             b"MIME-Version: 1.0",
@@ -1001,7 +1003,7 @@ def parse_text(cls, ovf_env_xml: str) -> "OvfEnvXml":
                 unparsable or invalid.
         """
         try:
-            root = ElementTree.fromstring(ovf_env_xml)
+            root = ElementTree.fromstring(ovf_env_xml)  # nosec B314
         except ElementTree.ParseError as e:
             raise errors.ReportableErrorOvfParsingException(exception=e) from e
 

setup.py

@@ -82,7 +82,7 @@ def render_tmpl(template, mode=None, is_yaml=False):
         cmd_variant = ["--variant", VARIANT]
     if PREFIX:
         cmd_prefix = ["--prefix", PREFIX]
-    subprocess.run(
+    subprocess.run(  # nosec B603
         [
             sys.executable,
             "./tools/render-template",

setup_utils.py

@@ -25,7 +25,7 @@ def pkg_config_read(library: str, var: str) -> str:
     }
     cmd = ["pkg-config", f"--variable={var}", library]
     try:
-        path = subprocess.check_output(cmd).decode("utf-8")
+        path = subprocess.check_output(cmd).decode("utf-8")  # nosec B603
         path = path.strip()
     except Exception:
         path = fallbacks[library][var]
@@ -53,12 +53,12 @@ def version_to_pep440(version: str) -> str:
 
 def get_version() -> str:
     cmd = [sys.executable, "tools/read-version"]
-    ver = subprocess.check_output(cmd)
+    ver = subprocess.check_output(cmd)  # B603
     version = ver.decode("utf-8").strip()
     return version_to_pep440(version)
 
 
 def read_requires() -> List[str]:
     cmd = [sys.executable, "tools/read-dependencies"]
-    deps = subprocess.check_output(cmd)
+    deps = subprocess.check_output(cmd)  # nosec B603
     return deps.decode("utf-8").splitlines()