wazuh-qa
Minor vulnerabilities in python linter action
Description
Regarding https://github.com/wazuh/wazuh-jenkins/issues/6364, minor vulnerabilities have been detected in the python linter script.
Test python flaws
{
    "new_flaws": [
        {
            "code": " \n import subprocess\n import random\n",
            "filename": "./deployability/modules/workflow_engine/task.py",
            "issue_confidence": "HIGH",
            "issue_severity": "LOW",
            "issue_text": "Consider possible security implications associated with subprocess module.",
            "line_number": 5,
            "line_range": [
                5
            ],
            "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess",
            "test_id": "B404",
            "test_name": "blacklist"
        },
        {
            "code": " try:\n result = subprocess.run(\n [self.task_parameters['path']] + task_args,\n check=True,\n capture_output=True,\n text=True,\n )\n",
            "filename": "./deployability/modules/workflow_engine/task.py",
            "issue_confidence": "HIGH",
            "issue_severity": "LOW",
            "issue_text": "subprocess call - check for execution of untrusted input.",
            "line_number": 59,
            "line_range": [
                59,
                63
            ],
            "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html",
            "test_id": "B603",
            "test_name": "subprocess_without_shell_equals_true"
        },
        {
            "code": " time_interval = self.task_parameters.get('time-seconds', [1, 5])\n sleep_time = random.uniform(time_interval[0], time_interval[1])\n \n",
            "filename": "./deployability/modules/workflow_engine/task.py",
            "issue_confidence": "HIGH",
            "issue_severity": "LOW",
            "issue_text": "Standard pseudo-random generators are not suitable for security/cryptographic purposes.",
            "line_number": 91,
            "line_range": [
                91
            ],
            "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random",
            "test_id": "B311",
            "test_name": "blacklist"
        },
        {
            "code": " # assure there must be at least one character from each group\n random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])\n random_pass = ''.join(random.sample(random_pass,len(random_pass)))\n",
            "filename": "./provisioning/roles/wazuh/ansible-wazuh-manager/files/create_user.py",
            "issue_confidence": "HIGH",
            "issue_severity": "LOW",
            "issue_text": "Standard pseudo-random generators are not suitable for security/cryptographic purposes.",
            "line_number": 55,
            "line_range": [
                55
            ],
            "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random",
            "test_id": "B311",
            "test_name": "blacklist"
        }
    ]
}
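Of the four findings, the B311 hit in create_user.py is the one where the generator choice actually matters: the `random` module is not a CSPRNG, and the snippet uses it to build a user password. The following is an added example, not code from wazuh-qa, showing the same pattern (one mandatory character from each group, the remainder from the full alphabet, then a shuffle so the mandatory characters are not at fixed positions) rewritten on the `secrets` module. The value of `SPECIAL_CHARS` and the password length are assumptions, since the page does not give them. The other B311 hit, the `random.uniform` sleep jitter in task.py, is not a security-sensitive use of randomness and does not need this treatment.

```python
# Added example (not wazuh-qa project code): CSPRNG-backed password generation
# for the pattern Bandit flagged with B311 in create_user.py.
import secrets
import string

# Assumed value: the project's real SPECIAL_CHARS constant is not on the page.
SPECIAL_CHARS = "!@#$%^&*()-_=+"
# Assumed default length; the original snippet does not show it.
PASSWORD_LENGTH = 16

# Same four character groups as the flagged snippet.
GROUPS = [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]
ALPHABET = "".join(GROUPS)

# secrets.SystemRandom is the os.urandom-backed Random subclass; it gives us a
# shuffle() that Bandit does not flag and that is safe for this purpose.
_sysrand = secrets.SystemRandom()


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Return a password of `length` characters drawn from a CSPRNG.

    Guarantees at least one character from each group in GROUPS, like the
    flagged snippet, but uses secrets.choice instead of random.choice and
    SystemRandom.shuffle instead of random.sample for the final reorder.
    """
    if length < len(GROUPS):
        raise ValueError(f"length must be at least {len(GROUPS)} to cover every group")

    # One mandatory character from each group, chosen with the CSPRNG.
    chars = [secrets.choice(group) for group in GROUPS]
    # Fill the remaining positions from the combined alphabet.
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(GROUPS))]
    # In-place Fisher-Yates shuffle driven by os.urandom, so the group-mandated
    # characters do not sit at predictable positions.
    _sysrand.shuffle(chars)
    return "".join(chars)


def has_all_groups(password: str) -> bool:
    """Check that a password contains at least one character from every group."""
    return all(any(c in group for c in password) for group in GROUPS)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, has_all_groups(pw))
```

The shuffle step is the part most often left on `random` after a partial fix; `random.sample(random_pass, len(random_pass))` in the original snippet is still driven by the Mersenne Twister even if the per-group picks have been moved to `secrets.choice`, so both steps need to change for the B311 finding to be resolved rather than merely silenced.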
Update
Added: Standard pseudo-random generators are not suitable for security/cryptographic purposes in Weekly 46
Update
New findings were added in the Weekly ## 11 scan
With the migration of the repository, the dependencies are already being updated. Also, once the entire migration is complete in 4.10.0, security scans will be re-enabled to check this.