sbp commented on issue #365:
URL:
https://github.com/apache/tooling-trusted-releases/issues/365#issuecomment-3590166984
Maybe, but we're getting a lot of false positives and some of them are very
noisy indeed:
```
>> Issue: [B404:blacklist] Consider possible security implications
associated with the subprocess module.
Severity: Low Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info:
https://bandit.readthedocs.io/en/1.9.2/blacklists/blacklist_imports.html#b404-import-subprocess
Location: atr/sbom/cyclonedx.py:20:0
```
```
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
More Info:
https://bandit.readthedocs.io/en/1.9.2/plugins/b110_try_except_pass.html
Location: atr/sbom/maven.py:40:4
```
So it would probably be better to review all of the options and pick ones
that we opt in to. Do you have any existing configurations that may be useful
as a starting point, or any of your own preferred options?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
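As an added illustration of the opt-in approach discussed above (this is editor-supplied example configuration, not from sbp or the tooling-trusted-releases project), a `[tool.bandit]` section in `pyproject.toml` that enables only an explicit list of checks, so noisy defaults such as B404 and B110 never fire unless deliberately chosen; the `tests` exclusion path and the particular test selection are assumptions:

```toml
# Added example: an opt-in Bandit profile, not the project's own config.
# Run with: bandit -c pyproject.toml -r atr
[tool.bandit]
# Directories left out of the scan; "tests" is an assumed path.
exclude_dirs = ["tests"]

# Only the checks listed here run. Anything not listed (B404 import of
# subprocess, B110 try/except/pass, ...) is off, so every entry is a
# deliberate choice rather than a default inherited from Bandit.
tests = [
    "B105", "B106", "B107",  # hard-coded password strings / arguments / defaults
    "B301",                  # pickle / unpickle of untrusted data
    "B307",                  # eval()
    "B324",                  # weak hash functions (md5, sha1) via hashlib
    "B501",                  # HTTPS calls with certificate validation disabled
    "B506",                  # yaml.load without a safe Loader
    "B602",                  # subprocess invoked with shell=True
    "B608",                  # SQL statements built by string formatting
]

# The opposite, opt-out approach keeps every default check and mutes
# the two noisy ones quoted above; it is shown here only for contrast.
# skips = ["B404", "B110"]
```

A single known-benign site (for example the `try`/`except`/`pass` at `atr/sbom/maven.py:40`) can instead carry a line comment `# nosec B110`, which silences that one finding while leaving the test active everywhere else.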