From c751b31c0fe339ad906cfc81f6c4949d2c31abc0 Mon Sep 17 00:00:00 2001
From: Ed Baker
Date: Fri, 3 May 2024 11:14:51 -0700
Subject: [PATCH 1/2] metric.py: Ignore eval() usage

Bandit is flagging eval() as a possible issue [1]. In this instance, usage is already ignored for pylint.
[1] https://github.com/intel/perfmon/security/code-scanning/7
---
 scripts/metric.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/metric.py b/scripts/metric.py
index b1774ff1..f8c73a88 100644
--- a/scripts/metric.py
+++ b/scripts/metric.py
@@ -562,7 +562,7 @@ def ParsePerfJson(orig: str) -> Expression:
 raise SyntaxError(f'Parsing expression:\n{orig}') from e
 _RewriteIfExpToSelect().visit(parsed)
 parsed = ast.fix_missing_locations(parsed)
- return _Constify(eval(compile(parsed, orig, 'eval')))
+ return _Constify(eval(compile(parsed, orig, 'eval'))) #nosec B307
 def RewriteMetricsInTermsOfOthers(metrics: list[Tuple[str, Expression]]

From 313d60b0c64e0d2f939a4fdabd14de2733093fb8 Mon Sep 17 00:00:00 2001
From: Ed Baker
Date: Fri, 3 May 2024 12:12:44 -0700
Subject: [PATCH 2/2] Pin Python requirements

Automated scanning is recommending pinning requirements.txt packages to a specific version [1].
[1] https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
---
 requirements.txt | 2 +-
 scripts/ci/verify_mapfile/requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 77d999bc..0700f779 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1 @@
-bandit[sarif]
+bandit[sarif]==1.7.9
diff --git a/scripts/ci/verify_mapfile/requirements.txt b/scripts/ci/verify_mapfile/requirements.txt
index d89304b1..89099e36 100644
--- a/scripts/ci/verify_mapfile/requirements.txt
+++ b/scripts/ci/verify_mapfile/requirements.txt
@@ -1 +1 @@
-jsonschema
+jsonschema==4.23.0
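Review bot: The added `#nosec B307` suppresses the scanner finding on the `return _Constify(eval(...))` line without recording why this eval is acceptable, so the next reader has to re-derive the argument. Evaluating a compiled AST is no safer than evaluating the string it came from unless the parse step or `_RewriteIfExpToSelect` restricts the node types that reach `eval` (no Call, Attribute, Import-like constructs); that reasoning is not visible in the hunk and should be stated on the line, e.g. `return _Constify(eval(compile(parsed, orig, 'eval')))  # nosec B307 - evaluates the AST parsed above, not raw text; see <where the node-type restriction lives>`. If no such restriction exists, the suppression is hiding a real finding for any caller that passes metric text from outside the repository, and a whitelist walk over `parsed` before `compile` would be the fix rather than the marker. The enclosing function ParsePerfJson begins outside the hunk.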
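Review bot: Pinning `bandit[sarif]==1.7.9` (and `jsonschema==4.23.0` in scripts/ci/verify_mapfile/requirements.txt) fixes the version but not the artifact; the Scorecard check cited in the commit message treats pip dependencies as pinned only when a `--hash=sha256:<hash>` is present and installs use `--require-hashes`, so the finding is likely to persist. Version-only pins also leave bandit's and jsonschema's transitive dependencies floating, which a generated lockfile (for example `pip-compile --generate-hashes`) would close. A one-line comment in each file naming the tool or process that refreshes the pins would keep them from going stale silently.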