Skip to content

chore(bandit): address false positives and other warnings #1502

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 9 commits into
base: main
Choose a base branch
from
Draft

chore(bandit): address false positives and other warnings #1502

wants to merge 9 commits into from

Conversation

krokoko
Copy link
Contributor

@krokoko krokoko commented Oct 10, 2025

Fixes

Summary

Changes

Please provide a summary of what's being changed

User experience

Please share what the user experience looks like before and after this change

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have reviewed the contributing guidelines
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Is this a breaking change? (Y/N)

RFC issue number:

Checklist:

  • Migration process documented
  • Implement warnings (if it can live side by side)

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

@krokoko krokoko requested a review from juntinyeh as a code owner October 10, 2025 19:56
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 10, 2025
View reviewed changes
src/aws-iot-sitewise-mcp-server/awslabs/aws_iot_sitewise_mcp_server/prompts/asset_hierarchy.py
validate_asset_id(asset_id)
return f"""
query = ( # nosec B608 - safe: asset_id is validated, length limit, no direct execution
f"""

Check warning

Code scanning / Bandit

Possible SQL injection vector through string-based query construction. Warning

Possible SQL injection vector through string-based query construction.
src/aws-iot-sitewise-mcp-server/awslabs/aws_iot_sitewise_mcp_server/prompts/data_exploration.py
validate_string_for_injection(time_range)
return f"""
query = ( # nosec B608 - safe: exploration_goal, time_range are validated
f"""

Check warning

Code scanning / Bandit

Possible SQL injection vector through string-based query construction. Warning

Possible SQL injection vector through string-based query construction.
...nagement-mcp-server/awslabs/billing_cost_management_mcp_server/tools/ri_performance_tools.py

# Use the paginate_aws_response utility for consistent pagination
all_coverages, pagination_metadata = await paginate_aws_response(
all_coverages, pagination_metadata = await paginate_aws_response( # nosec B105: paginate_aws_response is used for pagination

Check notice

Code scanning / Bandit

Possible hardcoded password: 'NextPageToken' Note

Possible hardcoded password: 'NextPageToken'
...nagement-mcp-server/awslabs/billing_cost_management_mcp_server/tools/ri_performance_tools.py

# Use the paginate_aws_response utility for consistent pagination
all_utilizations, pagination_metadata = await paginate_aws_response(
all_utilizations, pagination_metadata = await paginate_aws_response( # nosec B105: paginate_aws_response is used for pagination

Check notice

Code scanning / Bandit

Possible hardcoded password: 'NextPageToken' Note

Possible hardcoded password: 'NextPageToken'
...nagement-mcp-server/awslabs/billing_cost_management_mcp_server/tools/sp_performance_tools.py

# Use the paginate_aws_response utility for consistent pagination
all_coverages, pagination_metadata = await paginate_aws_response(
all_coverages, pagination_metadata = await paginate_aws_response( # nosec B105: paginate_aws_response is used for pagination

Check notice

Code scanning / Bandit

Possible hardcoded password: 'NextToken' Note

Possible hardcoded password: 'NextToken'
...nagement-mcp-server/awslabs/billing_cost_management_mcp_server/tools/sp_performance_tools.py

# Use the paginate_aws_response utility for consistent pagination
all_utilizations, pagination_metadata = await paginate_aws_response(
all_utilizations, pagination_metadata = await paginate_aws_response( # nosec B105: paginate_aws_response is used for pagination

Check notice

Code scanning / Bandit

Possible hardcoded password: 'NextToken' Note

Possible hardcoded password: 'NextToken'
...nagement-mcp-server/awslabs/billing_cost_management_mcp_server/tools/sp_performance_tools.py

# Use the paginate_aws_response utility for consistent pagination
all_details, pagination_metadata = await paginate_aws_response(
all_details, pagination_metadata = await paginate_aws_response( # nosec B105: paginate_aws_response is used for pagination

Check notice

Code scanning / Bandit

Possible hardcoded password: 'NextToken' Note

Possible hardcoded password: 'NextToken'
src/ccapi-mcp-server/awslabs/ccapi_mcp_server/impl/tools/security_scanning.py
try:
# Check if Checkov is available
subprocess.run(
subprocess.run( # nosec B603: uses shell=False, inputs are validated, safe file operations, only subprocess calls

Check notice

Code scanning / Bandit

Starting a process with a partial executable path Note

Starting a process with a partial executable path
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 10, 2025
View reviewed changes
src/aws-diagram-mcp-server/awslabs/aws_diagram_mcp_server/diagrams_tools.py
Comment on lines +120 to +122
exec( # nosec B102 - These exec calls are necessary to import modules in the namespace
'from diagrams import Diagram, Cluster, Edge', namespace
) # nosem: python.lang.security.audit.exec-detected.exec-detected
# nosec B102 - These exec calls are necessary to import modules in the namespace
exec( # nosem: python.lang.security.audit.exec-detected.exec-detected
)

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected Warning

Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
src/aws-diagram-mcp-server/awslabs/aws_diagram_mcp_server/diagrams_tools.py Outdated
Comment on lines +247 to +249

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected Warning

Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
src/aws-diagram-mcp-server/awslabs/aws_diagram_mcp_server/diagrams_tools.py Outdated

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected Warning

Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
@krokoko krokoko marked this pull request as draft October 10, 2025 20:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@juntinyeh juntinyeh Awaiting requested review from juntinyeh juntinyeh is a code owner

@alexa-perlov alexa-perlov Awaiting requested review from alexa-perlov alexa-perlov is a code owner

@scottschreckengaust scottschreckengaust Awaiting requested review from scottschreckengaust scottschreckengaust is a code owner

@patrick-yu-amzn patrick-yu-amzn Awaiting requested review from patrick-yu-amzn patrick-yu-amzn is a code owner

@srhsrhsrhsrh srhsrhsrhsrh Awaiting requested review from srhsrhsrhsrh srhsrhsrhsrh is a code owner

@novekm novekm Awaiting requested review from novekm novekm is a code owner

@chittev chittev Awaiting requested review from chittev chittev is a code owner

@Rahul-1404 Rahul-1404 Awaiting requested review from Rahul-1404 Rahul-1404 is a code owner

@ychamare ychamare Awaiting requested review from ychamare ychamare is a code owner

@MichaelWalker-git MichaelWalker-git Awaiting requested review from MichaelWalker-git MichaelWalker-git is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

awslabs/mcp Project
Status: To triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@krokoko