
fix: improve bandit config

Open terriko opened this issue 1 year ago • 1 comment

In our bandit config I have a note:

# (optional) list skipped test IDs here, eg '[B101, B406]':
skips: ['B603', 'B607', 'B404', "B608"]
# B603, B607 and B404 are all subprocess-related.
# B608 should be re-enabled when multi-line issues can be marked with nosec

It looks like bandit handles multi-line issues now, so it might be a good time to review our usage here.

Steps:

  1. remove B608 from our skips list
  2. run bandit with the new config file
  3. Review any findings and mark reviewed findings with # nosec as needed (should just be a couple of SQL statements probably all in cvedb.py)
  4. Make a PR with the changes to the config and nosec lines.

Bonus: if you want to review our other lines marked as nosec, I always appreciate additional review. They should be correct but there's always the potential that we can improve upon what we were doing thanks to new features in python or our dependencies.

This is probably not a beginner-friendly bug because you do need to be able to read and understand the issues described by bandit to review the code as a potential security risk, so you need at least some experience/training in secure code review. But there are lots of resources and courses available if you want to learn about SQL injection and give it a shot! Bandit itself should have some links for you to learn more about the issues it flags.

terriko avatar Feb 15 '24 18:02 terriko
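As an added example (not code from cve-bin-tool or cvedb.py), this shows the kind of finding B608 reports and the two ways a reviewer resolves it: bind the value as a parameter, or, where the spliced fragment is a table name that placeholders cannot bind, check it against an allowlist and mark the reviewed line with `# nosec B608`. The table name, column names and sample rows are assumptions constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the CVE database (not the real schema).
SAMPLE_ROWS = [
    ("CVE-2024-0001", "o'reilly", "widget", "1.0"),
    ("CVE-2024-0002", "acme", "gadget", "2.3"),
]
# Placeholders cannot bind identifiers, so a table name has to be spliced in as text.
# Restricting it to a fixed allowlist is what makes that splice reviewable.
ALLOWED_TABLES = frozenset({"cve_range"})


def open_db():
    """Create an in-memory database with the constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cve_range (cve_number TEXT, vendor TEXT, product TEXT, version TEXT)")
    db.executemany("INSERT INTO cve_range VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def find_cves_unsafe(db, vendor):
    """What B608 flags: untrusted text formatted straight into the statement.

    A vendor name containing a quote is enough to break the query, which is the
    same weakness that lets crafted input change the statement's meaning."""
    query = f"SELECT cve_number FROM cve_range WHERE vendor = '{vendor}'"
    return [row[0] for row in db.execute(query)]


def find_cves_safe(db, vendor, table="cve_range"):
    """Hardened form: the value is a bound parameter; the only spliced fragment is
    an allowlisted identifier, so the remaining B608 report is a reviewed one."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unexpected table name: {table!r}")
    query = f"SELECT cve_number FROM {table} WHERE vendor = ?"  # nosec B608 - table is allowlisted
    return [row[0] for row in db.execute(query, (vendor,))]


def demo():
    """Run both builders over the sample data and return the results for inspection."""
    db = open_db()
    try:
        unsafe_quote = find_cves_unsafe(db, "o'reilly")
    except sqlite3.OperationalError as exc:  # the apostrophe breaks the unsafe statement
        unsafe_quote = f"error: {exc}"
    return {
        "safe_plain": find_cves_safe(db, "acme"),
        "safe_quote": find_cves_safe(db, "o'reilly"),
        "unsafe_plain": find_cves_unsafe(db, "acme"),
        "unsafe_quote": unsafe_quote,
    }
```

Running `demo()` shows the parameterized query handling the apostrophe correctly while the formatted one fails at parse time.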

Hello @terriko, I was having some issues with the bandit linter regarding tarfile extraction. While using the tarfile library of Python, it shows that the severity of the library is high. It would really be helpful if you could review my https://github.com/intel/cve-bin-tool/pull/3543 issue here. I was able to write code to asynchronously handle the extraction of Debian control files, but I am having some problems with the tests. So if you could please just give it a look.

joydeep049 avatar Feb 17 '24 12:02 joydeep049