fix(install): suppress remaining Codacy subprocess false-positive

Codacy's Semgrep-based check still flagged the cmd-built subprocess.run
call as "without a static string" even with the Bandit nosec applied.
Add a nosemgrep marker alongside it - cmd is always a hardcoded
apt/pip argument list, never user input.
Chuck
2026-06-11 13:01:33 -04:00
parent 5a1a095e16
commit 60b64144a5


@@ -25,7 +25,7 @@ def _run(cmd):
chatty commands (e.g. pip build logs) don't get buffered in memory. chatty commands (e.g. pip build logs) don't get buffered in memory.
""" """
with tempfile.TemporaryFile(mode='w+b') as f: with tempfile.TemporaryFile(mode='w+b') as f:
result = subprocess.run(cmd, stdout=f, stderr=subprocess.STDOUT) # nosec B603 B607 - hardcoded apt/pip args, not user input result = subprocess.run(cmd, stdout=f, stderr=subprocess.STDOUT) # nosec B603 B607 - hardcoded apt/pip args # nosemgrep
f.seek(0) f.seek(0)
lines = f.read().decode('utf-8', errors='replace').splitlines() lines = f.read().decode('utf-8', errors='replace').splitlines()
return result.returncode == 0, '\n'.join(lines[-ERROR_TAIL_LINES:]) return result.returncode == 0, '\n'.join(lines[-ERROR_TAIL_LINES:])
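Review bot: The bare `# nosemgrep` on the subprocess.run line suppresses every Semgrep rule for that line, not just the "without a static string" finding the commit is addressing, so a future unrelated Semgrep hit on that call would be silenced too; scoping it to the reported rule, `# nosemgrep: <rule-id-from-codacy>`, keeps the suppression as narrow as the Bandit one (B603 B607) next to it. The new comment also dropped the "not user input" clause that stated why the suppression is safe; keeping the full justification, `# nosec B603 B607 - hardcoded apt/pip args, not user input  # nosemgrep: <rule-id-from-codacy>`, preserves the audit trail. Since that justification is a caller invariant `_run` does not enforce, a cheap guard before the call, `if not isinstance(cmd, (list, tuple)): raise TypeError("cmd must be an argument list")`, makes the premise the suppressions rest on checkable rather than assumed. `_run` starts before this hunk, so I cannot see whether any caller already validates its argument.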