Removing bandit.yaml in favor of defaults

Removing old configuration options for build-in defaults of latest
bandit functionality. Also, marking flagged items with _# nosec_
with a descriptive comment on why the code is acceptable as is.

Co-Authored-By: Christopher J Schaefer <cjschaef@us.ibm.com>
Co-Authored-By: Tom Cocozzello <tjcocozz@us.ibm.com>

Change-Id: I138ebd46a8be195177361a9c3306bb70423b639d

1 files changed, 8 insertions, 2 deletions

diff --git a/keystoneclient/common/cms.py b/keystoneclient/common/cms.py
index 715aa10..704b645 100644
--- a/keystoneclient/common/cms.py
+++ b/keystoneclient/common/cms.py
@@ -60,9 +60,15 @@ def _ensure_subprocess():
             if patcher.already_patched:
                 from eventlet.green import subprocess
             else:
-                import subprocess
+                import subprocess  # nosec(cjschaef): we must be careful when
+                # using subprocess.Popen with possibly untrusted data,
+                # assumption is that the certificate/key files provided are
+                # trustworthy
         except ImportError:
-            import subprocess  # noqa
+            import subprocess  # noqa # nosec(cjschaef): we must be careful
+            # when using subprocess.Popen with possibly untrusted data,
+            # assumption is that the certificate/key files provided are
+            # trustworthy
 
 
 def set_subprocess(_subprocess=None):