Arm backend: Fixes and ignores for bandit

Added fixes or ignores for bandit, most are for tests that can just be
safely ignored and some are actual good finds like pinning versions
and safe practices.

Signed-off-by: per.held@arm.com
Change-Id: I783676e285f7cb3ad7c8615e8774092dcf4ef559

Author: perheld

backends/arm/_passes/fuse_equal_placeholders_pass.py

@@ -60,7 +60,7 @@ def call(self, graph_module: torch.fx.GraphModule) -> PassResult:
                 is_int48,
                 str(t_cpu.dtype),
                 tuple(t_cpu.shape),
-                hashlib.sha1(data_bytes).hexdigest(),
+                hashlib.sha1(data_bytes, usedforsecurity=False).hexdigest(),
             )
             hash_buckets[key].append((node, t_cpu))
 

backends/arm/test/conftest.py

@@ -40,7 +40,7 @@ def pytest_addoption(parser):
     def try_addoption(*args, **kwargs):
         try:
             parser.addoption(*args, **kwargs)
-        except Exception:
+        except Exception:  # nosec B110 - pytest redefines options, safe to ignore
             pass
 
     try_addoption("--arm_quantize_io", action="store_true", help="Deprecated.")
@@ -85,7 +85,7 @@ def set_random_seed():
 
     if os.environ.get("ARM_TEST_SEED", "RANDOM") == "RANDOM":
         random.seed()  # reset seed, in case any other test has fiddled with it
-        seed = random.randint(0, 2**32 - 1)
+        seed = random.randint(0, 2**32 - 1)  # nosec B311 - non-crypto seed for tests
         torch.manual_seed(seed)
     else:
         seed_str = os.environ.get("ARM_TEST_SEED", "0")

backends/arm/test/misc/test_debug_hook.py

@@ -31,7 +31,7 @@ def _get_action_str() -> str:
         name="convolution",
         target="aten.convolution.default",
         graph_id=6052414368,
-        pass_name="ExportedProgram.module()",
+        pass_name="ExportedProgram.module()",  # nosec B106 - static test string, not a secret
         action="create",
         from_node=[],
         _get_action_string=_get_action_str,
@@ -41,7 +41,7 @@ def _get_action_str() -> str:
         name="convolution",
         target="aten.convolution.default",
         graph_id=5705954832,
-        pass_name="Interpreter_PropagateUnbackedSymInts",
+        pass_name="Interpreter_PropagateUnbackedSymInts",  # nosec B106 - static test string, not a secret
         action="create",
         from_node=[from_node_2],
         _get_action_string=_get_action_str,
@@ -69,7 +69,7 @@ def _get_action_str() -> str:
         name="convolution",
         target="aten.convolution.default",
         graph_id=5705954832,
-        pass_name="Interpreter_PropagateUnbackedSymInts",
+        pass_name="Interpreter_PropagateUnbackedSymInts",  # nosec B106 - static test string, not a secret
         action="create",
         from_node=[],
         _get_action_string=_get_action_str,

backends/arm/test/misc/test_save_exported_model.py

@@ -48,7 +48,9 @@ def test_save_load_exported_int_model():
     torch.export.save(quantized_exported_module, file_path)
 
     # Verify that we can load the model back
-    loaded_model = torch.export.load(file_path)
+    loaded_model = torch.export.load(
+        file_path
+    )  # nosec B614 - loads trusted test artifact
     for original_node, loaded_node in zip(
         quantized_exported_module.graph.nodes, loaded_model.graph.nodes
     ):

backends/arm/test/models/test_nss.py

@@ -36,7 +36,9 @@ def nss() -> AutoEncoderV1:
     """Get an instance of NSS with weights loaded."""
 
     weights = hf_hub_download(
-        repo_id="Arm/neural-super-sampling", filename="nss_v0.1.0_fp32.pt"
+        repo_id="Arm/neural-super-sampling",
+        filename="nss_v0.1.0_fp32.pt",
+        revision="2e9b606acd9fa25071825a12f0764f1c3bef9480",
     )
 
     nss_model = NSS()

backends/arm/test/runner_utils.py

@@ -8,7 +8,7 @@
 import os
 import re
 import shutil
-import subprocess
+import subprocess  # nosec B404 - invoked only for trusted toolchain binaries
 import tempfile
 
 from pathlib import Path
@@ -572,7 +572,9 @@ def _run_cmd(cmd: List[str], check=True) -> subprocess.CompletedProcess[bytes]:
     cmd (List[str]): The command to run as a list.
     """
     try:
-        result = subprocess.run(cmd, check=check, capture_output=True)
+        result = subprocess.run(  # nosec B603 - cmd constructed from trusted inputs
+            cmd, check=check, capture_output=True
+        )
         return result
     except subprocess.CalledProcessError as e:
         arg_string = " ".join(cmd)
@@ -637,8 +639,7 @@ def dbg_tosa_fb_to_json(tosa_fb: bytes) -> Dict:
                             data = np.frombuffer(data, dtype=np.float32)
                         data = data.reshape(tensor["shape"])
                         tensor["data"] = data
-    except Exception:
-        # This is just nice-to-have if it works, don't care if it fails.
+    except Exception:  # nosec B110 - best-effort casting for debug output only
         pass
 
     return json_out

backends/arm/test/test_model.py

@@ -5,7 +5,7 @@
 
 import argparse
 import os
-import subprocess
+import subprocess  # nosec B404 - launches trusted build/test scripts
 import sys
 import time
 from typing import Sequence
@@ -106,7 +106,9 @@ def get_args():
 def run_external_cmd(cmd: Sequence[str]) -> None:
     print("CALL:", *cmd, sep=" ")
     try:
-        subprocess.check_call(cmd)
+        subprocess.check_call(
+            cmd
+        )  # nosec B603 - cmd assembled from vetted scripts/flags
     except subprocess.CalledProcessError as err:
         print("ERROR called: ", *cmd, sep=" ")
         print(f"Failed with: {err.returncode}")

backends/arm/util/arm_model_evaluator.py

@@ -65,7 +65,9 @@ def _build_calibration_loader(
             seed = default_seed
     else:
         seed = default_seed
-    rng = random.Random(seed)
+    rng = random.Random(
+        seed
+    )  # nosec B311 - deterministic shuffling for evaluation only
     indices = list(range(len(dataset)))
     rng.shuffle(indices)
     selected = sorted(indices[:k])

backends/arm/vgf/backend.py

@@ -13,8 +13,8 @@
 """Ahead-of-time Arm VGF backend built on the shared TOSA pipeline."""
 
 import logging
-import os
-import subprocess
+import os  # nosec B404 - used alongside subprocess for tool invocation
+import subprocess  # nosec B404 - required to drive external converter CLI
 import tempfile
 from typing import final, List
 
@@ -150,7 +150,7 @@ def vgf_compile(
             f"{converter_binary} {additional_flags} -i {tosa_path} -o {vgf_path}"
         )
         try:
-            subprocess.run(
+            subprocess.run(  # nosec B602 - shell invocation constrained to trusted converter binary
                 [conversion_command], shell=True, check=True, capture_output=True
             )
         except subprocess.CalledProcessError as process_error:
@@ -164,7 +164,9 @@ def vgf_compile(
             logger.info(f"Emitting debug output to: {vgf_path=}")
             os.makedirs(artifact_path, exist_ok=True)
             cp = f"cp {vgf_path} {artifact_path}"
-            subprocess.run(cp, shell=True, check=True, capture_output=False)
+            subprocess.run(  # nosec B602 - shell copy of trusted artifact for debugging
+                cp, shell=True, check=True, capture_output=False
+            )
 
         vgf_bytes = open(vgf_path, "rb").read()
         return vgf_bytes

examples/arm/aot_arm_compiler.py

@@ -74,15 +74,17 @@
 logging.basicConfig(level=logging.WARNING, format=FORMAT)
 
 
-def _load_example_inputs(model_input: str | None) -> Any:
+def _load_example_inputs(model_input: str | None) -> Any:  # nosec B614
     """Load example inputs from a `.pt` file when a path is provided."""
     if model_input is None:
         return None
 
     logging.info(f"Load model input from {model_input}")
 
     if model_input.endswith(".pt"):
-        return torch.load(model_input, weights_only=False)
+        return torch.load(
+            model_input, weights_only=False
+        )  # nosec B614 trusted artifacts
 
     raise RuntimeError(
         f"Model input data '{model_input}' is not a valid name. Use --model_input "
@@ -167,14 +169,14 @@ def _load_python_module_model(
 
 def _load_serialized_model(
     model_name: str, example_inputs: Any
-) -> Optional[Tuple[torch.nn.Module, Any]]:
+) -> Optional[Tuple[torch.nn.Module, Any]]:  # nosec B614
     """Load a serialized Torch model saved via `torch.save`."""
     if not model_name.endswith((".pth", ".pt")):
         return None
 
     logging.info(f"Load model file {model_name}")
 
-    model = torch.load(model_name, weights_only=False)
+    model = torch.load(model_name, weights_only=False)  # nosec B614 trusted inputs
     if example_inputs is None:
         raise RuntimeError(
             f"Model '{model_name}' requires input data specify --model_input <FILE>.pt"