From 8770955b4c5aa293f24597ffc4325d6c2b9d415e Mon Sep 17 00:00:00 2001
From: Sam
Date: Sun, 12 Apr 2026 17:34:52 +1000
Subject: [PATCH 1/3] fix: annotate 5 bandit security false positives with nosec
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

B310 (x4): urlopen calls in transition_messages.py are localhost-only (http://127.0.0.1) — scheme is hardcoded, not user-controlled.
B311: random.choice() in dev.py selects a test model for switching, not used for any cryptographic or security purpose.
B404: subprocess import in codex_batch.py is required for CLI runner operation — subprocess use is intentional and bounded.
The T2 insecure_random false positive in cxx/detectors/security.py (a dict key in a remediation message map) is suppressed via desloppify state rather than a nosec annotation since it is a desloppify-native detector, not bandit.
---
 desloppify/app/commands/dev.py | 2 +-
 desloppify/app/commands/helpers/transition_messages.py | 8 ++++----
 desloppify/app/commands/runner/codex_batch.py | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/desloppify/app/commands/dev.py b/desloppify/app/commands/dev.py
index 96940a860..9b520cb74 100644
--- a/desloppify/app/commands/dev.py
+++ b/desloppify/app/commands/dev.py
@@ -201,7 +201,7 @@ def _cmd_test_hermes() -> None:
 ("openrouter", "meta-llama/llama-4-scout"),
 ("openrouter", "mistralai/mistral-medium-3"),
 ]
- test_provider, test_model = random.choice(test_models)
+ test_provider, test_model = random.choice(test_models) # nosec B311 — non-security use

 # Switch to test model
 print(f" Switching to: {test_provider}:{test_model}")
diff --git a/desloppify/app/commands/helpers/transition_messages.py b/desloppify/app/commands/helpers/transition_messages.py
index 573ca9061..83344d1e9 100644
--- a/desloppify/app/commands/helpers/transition_messages.py
+++ b/desloppify/app/commands/helpers/transition_messages.py
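Review bot: The justification after the em dash in `# nosec B311 — non-security use` sits inside the part of the comment that bandit parses as its test-ID list, which in the bandit versions I know reads everything after `nosec` up to the next `#` and logs a "not a test name or id, ignoring" warning for each unrecognised word; B311 is still honoured, so this is log noise rather than a broken suppression. Putting the reason after a second hash, `# nosec B311  # non-security use`, keeps the ID list clean and the explanation intact. The same layout is used on the four B310 lines in transition_messages.py, the B404 import in codex_batch.py, and the four B404 imports in coordinator.py, progress.py, attempts.py and io.py in the third patch. `_cmd_test_hermes` begins and ends outside the hunk, so I cannot confirm from here that `test_models` is only ever a dev-time list, but the B311 reasoning looks sound for a model picker.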
@@ -43,11 +43,11 @@ def _hermes_port() -> int:
 def _hermes_get(path: str) -> dict:
 """GET a Hermes control API endpoint. Stdlib-only, no deps."""
- url = f"http://127.0.0.1:{_hermes_port()}{path}"
+ url = f"http://127.0.0.1:{_hermes_port()}{path}" # nosec B310 — localhost only
 req = _urlreq.Request(url, method="GET", headers={"X-Hermes-Control": "1"})
 try:
- with _urlreq.urlopen(req, timeout=5) as resp:
+ with _urlreq.urlopen(req, timeout=5) as resp: # nosec B310 — localhost only
 return _json.loads(resp.read())
 except _urlerr.HTTPError as e:
 return _json.loads(e.read())
@@ -57,13 +57,13 @@ def _hermes_get(path: str) -> dict:
 def _hermes_send_message(text: str, mode: str = "queue") -> dict:
 """Send a message/command to the running Hermes agent. Stdlib-only, no deps."""
- url = f"http://127.0.0.1:{_hermes_port()}/sessions/_any/message"
+ url = f"http://127.0.0.1:{_hermes_port()}/sessions/_any/message" # nosec B310 — localhost only
 data = _json.dumps({"text": text, "mode": mode}).encode()
 req = _urlreq.Request(url, data=data, method="POST", headers={"Content-Type": "application/json", "X-Hermes-Control": "1"})
 try:
- with _urlreq.urlopen(req, timeout=5) as resp:
+ with _urlreq.urlopen(req, timeout=5) as resp: # nosec B310 — localhost only
 return _json.loads(resp.read())
 except _urlerr.HTTPError as e:
 return _json.loads(e.read())
diff --git a/desloppify/app/commands/runner/codex_batch.py b/desloppify/app/commands/runner/codex_batch.py
index bcf3bc63c..4d5bd251c 100644
--- a/desloppify/app/commands/runner/codex_batch.py
+++ b/desloppify/app/commands/runner/codex_batch.py
@@ -4,7 +4,7 @@ import os
 import shutil
-import subprocess
+import subprocess # nosec B404 — subprocess required for CLI runner
 import sys
 from pathlib import Path

From be57057960f573fc72f6095c3b7d9723facb8beb Mon Sep 17 00:00:00 2001
From: Sam
Date: Sun, 12 Apr 2026 17:55:18 +1000
Subject: [PATCH 2/3] chore: trigger CR review

From 8d2f0b4a272528f38802de2837f4303bc964abbd Mon Sep 17 00:00:00 2001
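Review bot: The "localhost only" claim on the `_hermes_get` urlopen depends on `path` beginning with `/`: the new `url = f"http://127.0.0.1:{_hermes_port()}{path}"` line appends the caller-supplied string straight after the port, so a value that does not start with a slash would alter the authority or query part of the request rather than its path. The callers are outside the hunk, so I cannot tell whether `path` is ever derived from anything external; a guard before the assignment, `if not path.startswith("/"): raise ValueError(f"path must start with '/': {path!r}")`, makes the annotation's premise hold by construction. `_hermes_send_message` in the second hunk uses a fixed path and needs no such check. As far as I know bandit reports B310 at the `urlopen` call rather than at the URL assignment, so the annotations on the two `url =` lines probably suppress nothing and could be dropped, though I cannot verify that from the diff alone.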
From: Sam
Date: Sun, 12 Apr 2026 19:18:25 +1000
Subject: [PATCH 3/3] fix: add bandit rule IDs to bare nosec annotations in review runners
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bare `# nosec` suppresses all bandit rules without explanation. Replace with `# nosec B404 — subprocess required for CLI runner` for consistency with the rest of the codebase.
---
 desloppify/app/commands/review/coordinator.py | 2 +-
 desloppify/app/commands/review/runner_parallel/progress.py | 2 +-
 desloppify/app/commands/review/runner_process_impl/attempts.py | 2 +-
 desloppify/app/commands/review/runner_process_impl/io.py | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/desloppify/app/commands/review/coordinator.py b/desloppify/app/commands/review/coordinator.py
index f7c4bed28..d6c142807 100644
--- a/desloppify/app/commands/review/coordinator.py
+++ b/desloppify/app/commands/review/coordinator.py
@@ -3,7 +3,7 @@ from __future__ import annotations
 import json
-import subprocess # nosec
+import subprocess # nosec B404 — subprocess required for CLI runner
 from collections.abc import Mapping
 from hashlib import sha256
 from pathlib import Path
diff --git a/desloppify/app/commands/review/runner_parallel/progress.py b/desloppify/app/commands/review/runner_parallel/progress.py
index 6a3d60714..cf7f2dd81 100644
--- a/desloppify/app/commands/review/runner_parallel/progress.py
+++ b/desloppify/app/commands/review/runner_parallel/progress.py
@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
-import subprocess # nosec
+import subprocess # nosec B404 — subprocess required for CLI runner
 import time
 from typing import Any
diff --git a/desloppify/app/commands/review/runner_process_impl/attempts.py b/desloppify/app/commands/review/runner_process_impl/attempts.py
index 27ee175e7..d7265144c 100644
--- a/desloppify/app/commands/review/runner_process_impl/attempts.py
+++ b/desloppify/app/commands/review/runner_process_impl/attempts.py
@@ -2,7 +2,7 @@ from __future__ import annotations
-import subprocess # nosec
+import subprocess # nosec B404 — subprocess required for CLI runner
 import threading
 import time
 from contextlib import contextmanager
diff --git a/desloppify/app/commands/review/runner_process_impl/io.py b/desloppify/app/commands/review/runner_process_impl/io.py
index 9a4b03f97..659bebec7 100644
--- a/desloppify/app/commands/review/runner_process_impl/io.py
+++ b/desloppify/app/commands/review/runner_process_impl/io.py
@@ -4,7 +4,7 @@ import json
 import logging
-import subprocess # nosec
+import subprocess # nosec B404 — subprocess required for CLI runner
 import threading
 import time
 from datetime import UTC, datetime