
Erroneous "no test failure on line" warning from plugin alert nosec? #942

fiendish opened this issue Aug 17, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@fiendish

fiendish commented Aug 17, 2022

Describe the bug

It looks like bandit warns about "no test failure on line" for a nosec where there definitely would be a test failure without the nosec.

Reproduction steps

  1. I start with a line that does foo = hashlib.md5(buffer.read()).digest().
  2. bandit -ll rightly complains about the use of MD5 with a B324 error from the hashlib plugin.
  3. I add #nosec B324 like this: foo = hashlib.md5(buffer.read()).digest() # nosec B324
  4. Bandit now says [tester] WARNING nosec encountered (B324), but no failed test on line 85

Seems a bit weird.

Expected behavior

Don't warn at me for this.

Bandit version

1.7.4 (Default)

Python version

3.9

Additional context

No response

@fiendish fiendish added the bug Something isn't working label Aug 17, 2022
@hrantzsch

I'm facing the same issue using Bandit 1.7.4 with Python 3.10.4. Here's another minimal example for repro:

import os
cmd = "df -h"
os.popen(cmd).read()  # nosec B605

bandit -v test.py says WARNING nosec encountered (B605), but no failed test on line 3 while it will report B605 if I remove the # nosec.

Full log:

[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.10.4
[node_visitor]	WARNING	Unable to find qualified name for module: test.py
[tester]	WARNING	nosec encountered (B605), but no failed test on line 3
Run started:2022-09-06 09:31:19.271042
Files in scope (1):
	test.py (score: {SEVERITY: 0, CONFIDENCE: 0})
Files excluded (0):

Test results:
	No issues identified.

Code scanned:
	Total lines of code: 3
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
	Total issues (by confidence):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
Files skipped (0):

However, the problem does not occur if I remove .read(). (It continues to claim Total lines skipped (#nosec): 0 though, as long as the B605 is specified.)

@creideiki

creideiki commented Jul 4, 2023

I'm still seeing the same thing with Bandit 1.7.5 on Python 3.11.4. Yet another minimal example:

import os
import subprocess  # nosec B404

subprocess.run([os.getenv("SHELL")], check=False)  # nosec B603

Bandit says:

[tester]        WARNING nosec encountered (B603), but no failed test on line 4

but if I remove the # nosec B603, I get a test failure:

>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b603_subprocess_without_shell_equals_true.html
   Location: bandit.py:4:0
3
4       subprocess.run([os.getenv("SHELL")], check=False)

@fiendish

fiendish commented May 20, 2024

> However, the problem does not occur if I remove .read(). (It continues to claim Total lines skipped (#nosec): 0 though, as long as the B605 is specified.)

The problem appears to be related to how bandit observes "lines" where multiple function calls occur on the same line?

I get the warning if I do

return requests.get(url).json()  # nosec B113

or

requests.get(CARRIER_URL) and print("hello") # nosec B113

But I do not get the warning if I do

foo = requests.get(url)  # nosec B113
return foo.json()
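
Every report in this thread has the same shape: the warning appears when the `# nosec` line contains more than one call expression (`hashlib.md5(...).digest()`, `os.popen(cmd).read()`, `requests.get(url).json()`), and disappears when the flagged call stands alone on its line. The toy checker below is an added illustration, not Bandit's code and not a description of Bandit's internals: it pairs a naive implementation that judges each AST `Call` node on its own (and therefore emits a "nosec but no failed test" warning for the other, clean calls on the same line) with a line-keyed implementation that decides only after every node on the line has been visited. The rule table, the sample snippets and the function names are constructed for the example; the test ids mirror the ones discussed above.

```python
"""Line-keyed handling of ``# nosec`` suppressions (added illustration, not Bandit's code)."""
import ast
import io
import re
import tokenize
from collections import defaultdict

# "# nosec" optionally followed by test ids, e.g. "# nosec B324 B605".
NOSEC_RE = re.compile(r"#\s*nosec(?P<ids>(?:\s+B\d+)*)\s*$")

# Minimal rule table (constructed): dotted call name -> test id.
RULES = {
    "hashlib.md5": "B324",
    "os.popen": "B605",
    "os.system": "B605",
    "subprocess.run": "B603",
    "requests.get": "B113",
}


def collect_nosec(source):
    """Map line number -> set of suppressed test ids; {"*"} means every test."""
    nosec = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        m = NOSEC_RE.search(tok.string)
        if m:
            ids = set(m.group("ids").split())
            nosec[tok.start[0]] = ids or {"*"}
    return nosec


def qualified_name(node):
    """Return 'mod.attr' for a Call's func when it is a plain dotted name, else None.

    A chained call such as hashlib.md5(...).digest() has an Attribute whose
    value is itself a Call, so the outer .digest() call yields None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def naive_check(source):
    """Judge each Call node on its own.

    On a line with several calls where only one is flagged, the clean calls
    see a nosec comment with nothing to suppress and raise a spurious warning.
    Returns (issues, lines_with_spurious_nosec_warning)."""
    nosec = collect_nosec(source)
    issues, warnings = [], set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        test_id = RULES.get(qualified_name(node.func))
        suppressed = nosec.get(node.lineno)
        if test_id and suppressed and ("*" in suppressed or test_id in suppressed):
            continue  # finding correctly suppressed
        if test_id:
            issues.append((node.lineno, test_id))
        elif suppressed:
            warnings.add(node.lineno)  # nosec present, but this node is clean
    return sorted(issues), sorted(warnings)


def line_keyed_check(source):
    """Collect findings per line first, then evaluate each nosec once per line.

    A nosec is reported as unused only when none of the findings on that line
    match it, so extra clean calls on the line no longer matter.
    Returns (issues, lines_with_unused_nosec)."""
    nosec = collect_nosec(source)
    findings = defaultdict(set)  # line -> test ids found on that line
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            test_id = RULES.get(qualified_name(node.func))
            if test_id:
                findings[node.lineno].add(test_id)
    issues = []
    for line, ids in findings.items():
        suppressed = nosec.get(line, set())
        for test_id in sorted(ids):
            if "*" not in suppressed and test_id not in suppressed:
                issues.append((line, test_id))
    warnings = []
    for line, suppressed in nosec.items():
        found = findings.get(line, set())
        if not found or ("*" not in suppressed and not (suppressed & found)):
            warnings.append(line)
    return sorted(issues), sorted(warnings)


# Constructed snippets modelled on the reports in the thread.
SAMPLES = {
    "md5_chain": "import hashlib\nfoo = hashlib.md5(buffer.read()).digest()  # nosec B324\n",
    "popen_read": "import os\ncmd = 'df -h'\nos.popen(cmd).read()  # nosec B605\n",
    "split": "foo = requests.get(url)  # nosec B113\nbar = foo.json()\n",
    "unused": "x = len(y)  # nosec B113\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, "naive:", naive_check(src), "line-keyed:", line_keyed_check(src))
```

With the per-node bookkeeping the `md5_chain` and `popen_read` samples produce a warning for the suppressed line even though nothing is reported, exactly the pattern in the thread, while the split-across-two-lines form does not; the line-keyed version warns only for `unused`, where the `# nosec B113` genuinely suppresses nothing, and still reports an unsuppressed `os.system` call as `B605`.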
