
[SDL] Enable Bandit B404 test#3913

Draft
jszczepa wants to merge 3 commits into openvinotoolkit:develop from jszczepa:enable_bandit_B404_test

Conversation

@jszczepa

Changes

This modification helps to apply SDL policy related to Bandit scans (see: https://github.com/intel-innersource/applications.security.bandit-config/blob/main/ipas_default.config)

Reason for changes

Each use of the subprocess module needs to be reviewed against cmd injection by a potential attacker.

Related tickets

N/A

Tests

N/A

Copilot AI review requested due to automatic review settings February 10, 2026 11:50
@jszczepa jszczepa requested a review from a team as a code owner February 10, 2026 11:50
Contributor

Copilot AI left a comment


Pull request overview

Enables Bandit’s B404 (“import subprocess”) check per SDL guidance, while suppressing B404 findings on specific subprocess imports.

Changes:

  • Stop skipping Bandit B404 in pyproject.toml.
  • Add inline # nosec B404 suppressions on subprocess imports in two Python modules.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File                                        Description
src/nncf/torch/quantization/extensions.py   Suppresses Bandit B404 on subprocess import to keep scan green while B404 is enabled.
src/custom_version.py                       Suppresses Bandit B404 on subprocess import to keep scan green while B404 is enabled.
pyproject.toml                              Enables B404 by removing it from Bandit's skip list (commented out).

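A small review aid that mirrors what this change asks for: it lists a module's subprocess imports, notes whether the line carries the `# nosec B404` marker Bandit honours, and lists subprocess calls with whether `shell=True` is set and whether the argv is a list of string literals. This is an added example, not part of this pull request or the NNCF code base; the sample module is constructed, and the `# nosec` parsing approximates Bandit's (bare `# nosec` silences every test on the line, `# nosec <ids>` only the listed ones).

```python
"""Review aid for Bandit B404: list a module's subprocess imports and calls."""
import ast
import io
import tokenize

# matched by name, so a method called run() on another object is also listed
SUBPROCESS_CALLS = {"run", "call", "check_call", "check_output", "Popen"}


def nosec_lines(source: str, test_id: str = "B404") -> set[int]:
    """Lines with a bare '# nosec' or a '# nosec <ids>' naming test_id (approximates Bandit)."""
    lines = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "nosec" in tok.string:
            ids = tok.string.split("nosec", 1)[1].replace(",", " ").replace(":", " ").split()
            if not ids or test_id in ids:
                lines.add(tok.start[0])
    return lines


def audit_subprocess(source: str) -> dict:
    """imports: (lineno, suppressed); calls: (lineno, func, shell_true, literal_argv)."""
    nosec = nosec_lines(source)
    imports, calls = [], []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import) and any(a.name == "subprocess" for a in node.names):
            imports.append((node.lineno, node.lineno in nosec))
        elif isinstance(node, ast.ImportFrom) and node.module == "subprocess":
            imports.append((node.lineno, node.lineno in nosec))
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in SUBPROCESS_CALLS:
                shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                            and k.value.value is True for k in node.keywords)
                argv = node.args[0] if node.args else None
                # an argv list of string literals cannot be altered by a caller; anything else
                # (a built string, a variable, shell=True) is exactly what the review is for
                literal = isinstance(argv, (ast.List, ast.Tuple)) and all(isinstance(e, ast.Constant) for e in argv.elts)
                calls.append((node.lineno, name, shell, literal))
    return {"imports": sorted(imports), "calls": sorted(calls)}


SAMPLE = """\
import subprocess  # nosec B404
from subprocess import Popen

def good():
    return subprocess.run(["git", "rev-parse", "HEAD"], capture_output=True)

def needs_review(user_input):
    return subprocess.check_output("ls " + user_input, shell=True)
"""  # constructed sample module, not NNCF code
```

Running `audit_subprocess(SAMPLE)` reports the unsuppressed `from subprocess import Popen` on line 2 and singles out the line 8 call (built string, `shell=True`) as the one that needs the reviewer's attention.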

@jszczepa jszczepa marked this pull request as draft March 6, 2026 08:12
@jszczepa jszczepa force-pushed the enable_bandit_B404_test branch from 5f6f71b to af07577 Compare March 6, 2026 11:33
@github-actions github-actions bot added NNCF PT Pull requests that updates NNCF PyTorch NNCF OpenVINO Pull requests that updates NNCF OpenVINO NNCF ONNX Pull requests that updates NNCF ONNX labels Mar 6, 2026
@jszczepa jszczepa force-pushed the enable_bandit_B404_test branch 10 times, most recently from a9625a6 to 128854f Compare March 6, 2026 14:14