Address bandit-flagged security issues.

[hjoliver]

Codacy runs the bandit static analysis tool to flag potential security issues. Most - maybe all - of these need to be ignored non-gratuitously. Bandit supports a special #nosec in-source comment for this purpose.

We should:

• check that codacy respects the #nosec comment

and if it does:

• analyze each flagged security issue and add an appropriate #nosec comment

@jarich also suggested, in some cases we may also be able to add a regex character-range test (say) to enforce the presumed content of subprocess (say) string arguments, e.g. to disallow shell $ chars etc.

[hjoliver]

@MartinRyan - please assign yourself to this issue once you've accepted the Cylc org invite.

[MartinRyan]

I've accepted the invite Hilary, but it looks like I don't have permissions to assign myself to the issue

[hjoliver]

OK, not sure why that is, but I've assigned you now! (And thanks for taking this on).

[hjoliver]

(note that to play around with this stuff you can tell codacy to analyze your own cylc fork ... as well as use bandit yourself, of course).

[kinow]

FWIW, I tried something similar some time ago, but I think I never got to wait for Codacy's feedback (which may take several minutes or hours depending on their resources available I think).

https://github.com/kinow/cylc/commits/codacy-exclusions

It was tricky finding where the # nosec had to go when you had commands in multiple lines (e.g. line too long for pep8/pycodestyle, so we break line and use \).

Using Codacy from your own branch is definitely the way to go, as you can log in to Codacy and poke around in your own account/space too.

[matthewrmshin]

Fixed by #2998.

[kinow]

Thanks @matthewrmshin !