fix: resolve all high-severity bandit security findings

Address all 18 high-severity issues identified by bandit static
security analysis (B324, B602, B605, B202). Each finding has been
individually evaluated for the test framework context.

B324 (hashlib weak hash): Add usedforsecurity=False to SHA1/MD5
calls used for non-security purposes (job IDs, variant
fingerprints, lock filenames, test assertions).

B602/B605 (shell execution): Suppress with nosec justification
as subprocess and shell usage is core to Avocado's test framework
functionality.

B202 (tarfile extractall): Suppress with nosec justification as
the tarfile filter= parameter requires Python 3.12+ but Avocado
supports Python 3.9+.

Reference: #5270
Assisted-by: Claude (Anthropic) ~95%
Signed-off-by: Christopher Lusk <clusk@redhat.com>

Author: north-echo

avocado/core/job_id.py

@@ -26,4 +26,9 @@ def create_unique_job_id():
     :return: 40 digit hex number string
     :rtype: str
     """
-    return hashlib.sha1(hex(_RAND_POOL.getrandbits(160)).encode()).hexdigest()
+    return (
+        hashlib.sha1(  # nosec B324 -- not used for security, generates unique job IDs
+            hex(_RAND_POOL.getrandbits(160)).encode(),
+            usedforsecurity=False,
+        ).hexdigest()
+    )

avocado/core/output.py

@@ -636,7 +636,9 @@ def __init__(self):
             except utils_path.CmdNotFoundError as details:
                 raise RuntimeError(f"Unable to enable pagination: {details}")
 
-        self.pipe = os.popen(paginator, "w")
+        self.pipe = os.popen(
+            paginator, "w"
+        )  # nosec B605 -- paginator command is user-configured or safe default (less)
 
     def __del__(self):
         self.close()

avocado/core/varianter.py

@@ -73,7 +73,10 @@ def get_variant_name(variant):
     return (
         get_variant_name(variant)
         + "-"
-        + hashlib.sha1(fingerprint.encode(astring.ENCODING)).hexdigest()[:4]
+        + hashlib.sha1(  # nosec B324 -- not used for security, generates variant IDs
+            fingerprint.encode(astring.ENCODING),
+            usedforsecurity=False,
+        ).hexdigest()[:4]
     )
 
 

avocado/utils/archive.py

@@ -362,7 +362,9 @@ def extract(self, path="."):
                 )
 
         # Handle regular archives (zip and tar)
-        self._engine.extractall(path)
+        self._engine.extractall(
+            path
+        )  # nosec B202 -- archive extraction is intentional; filter= requires Python 3.12+
         if self.is_zip:
             self._update_zip_extra_attrs(path)
             files = self._engine.namelist()

avocado/utils/network/interfaces.py

@@ -1031,10 +1031,10 @@ def ping_flood(int_name, peer_ip, ping_count):
                   returns False on ping flood failure.
         :rtype: bool
         """
-        cmd = f"ping -I {int_name} {peer_ip} -c {ping_count} -f "
+        cmd = ["ping", "-I", int_name, peer_ip, "-c", str(ping_count), "-f"]
         with subprocess.Popen(
             cmd,
-            shell=True,
+            shell=False,
             stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT,
             universal_newlines=True,

avocado/utils/partition.py

@@ -52,7 +52,10 @@ class MtabLock:
     def __init__(self, timeout=60):
         self.timeout = timeout
         self.mtab = None
-        device_hash = hashlib.sha1(self.device.encode("utf-8")).hexdigest()
+        device_hash = hashlib.sha1(  # nosec B324 -- not used for security, generates lock filename
+            self.device.encode("utf-8"),
+            usedforsecurity=False,
+        ).hexdigest()
         lock_filename = os.path.join(tempfile.gettempdir(), device_hash)
         self.lock = filelock.FileLock(lock_filename, timeout=self.timeout)
 

avocado/utils/process.py

@@ -780,7 +780,7 @@ def signal_handler(*args):
         else:
             cmd = self.cmd
         try:
-            self._popen = subprocess.Popen(  # pylint: disable=R1732
+            self._popen = subprocess.Popen(  # nosec B602 -- shell execution is core to this test framework  # pylint: disable=R1732
                 cmd,
                 stdout=subprocess.PIPE,
                 stderr=subprocess.PIPE,

avocado/utils/software_manager/backends/dpkg.py

@@ -90,7 +90,9 @@ def extract_from_package(package_path, dest_path=None):
         data_tarball_name = archive.list()[2]
         member_data = archive.read_member(data_tarball_name)
         with tarfile.open(fileobj=io.BytesIO(member_data)) as tarball:
-            tarball.extractall(dest)
+            tarball.extractall(
+                dest
+            )  # nosec B202 -- extracting deb package data; filter= requires Python 3.12+
         return dest
 
     def list_files(self, package):

examples/tests/sleeptenmin.py

@@ -28,4 +28,6 @@ def test(self):
             if method == "builtin":
                 time.sleep(length)
             elif method == "shell":
-                os.system(f"sleep {length}")
+                os.system(
+                    f"sleep {length}"
+                )  # nosec B605 -- example test, length is an integer from test params

optional_plugins/varianter_pict/avocado_varianter_pict/varianter_pict.py

@@ -185,7 +185,14 @@ def __iter__(self):
         for variant in self.variants:
             base_id = "-".join([variant.get(key) for key in self.headers])
             variant_ids.append(
-                base_id + "-" + hashlib.sha1(base_id.encode()).hexdigest()[:4]
+                base_id
+                + "-"
+                + hashlib.sha1(  # nosec B324 -- not used for security, generates variant IDs
+                    base_id.encode(),
+                    usedforsecurity=False,
+                ).hexdigest()[
+                    :4
+                ]
             )
 
         for vid, variant in zip(variant_ids, self.variants):