The following issues were found

buildscripts/resmokelib/core/redirect.py
3 issues
Consider possible security implications associated with subprocess module.
Security blacklist

Line: 3
Suggestion: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess

              """Helper classes for chaining process output."""

import subprocess
import sys


class StdoutRewrite(object):
    """A helper class that will overwrite `sys.stdout` and write incoming data to an underlying stream.


            

Reported by Bandit.

subprocess call - check for execution of untrusted input.
Security injection

Line: 55
Suggestion: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html

        if read_from == sys.__stdout__:
            # sys.stdout does not implement a `read` method so it cannot be passed as a `stdin`
            # variable. Use a `StdoutRewrite` object to write the spawned `stdin`.
            self.proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=write_to)
            self.rewrite = StdoutRewrite(self.proc.stdin)
        else:
            self.proc = subprocess.Popen(cmd, stdin=read_from, stdout=write_to)

    def get_stdin(self):

Reported by Bandit.

subprocess call - check for execution of untrusted input.
Security injection

Line: 58
Suggestion: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html

            self.proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=write_to)
            self.rewrite = StdoutRewrite(self.proc.stdin)
        else:
            self.proc = subprocess.Popen(cmd, stdin=read_from, stdout=write_to)

    def get_stdin(self):
        """Return the stdin stream from the spawned process."""

        return self.proc.stdin

Reported by Bandit.

src/third_party/wiredtiger/dist/docs_data.py
3 issues
Missing module docstring
Error

Line: 1 Column: 1

# Create entries used by our doxygen filter to expand the arch_page
# macros in the documentation.

class ArchDocPage:
    def __init__(self, doxygen_name, data_structures, files):
        self.doxygen_name = doxygen_name
        self.data_structures = data_structures
        self.files = files

Reported by Pylint.

Too few public methods (0/2)
Error

Line: 4 Column: 1

# Create entries used by our doxygen filter to expand the arch_page
# macros in the documentation.

class ArchDocPage:
    def __init__(self, doxygen_name, data_structures, files):
        self.doxygen_name = doxygen_name
        self.data_structures = data_structures
        self.files = files

Reported by Pylint.

Missing class docstring
Error

Line: 4 Column: 1

# Create entries used by our doxygen filter to expand the arch_page
# macros in the documentation.

class ArchDocPage:
    def __init__(self, doxygen_name, data_structures, files):
        self.doxygen_name = doxygen_name
        self.data_structures = data_structures
        self.files = files

Reported by Pylint.

src/mongo/crypto/sha512_block_test.cpp
3 issues
syntax error
Error

Line: 77

};

TEST(CryptoVectors, SHA512) {
    size_t numTests = sizeof(sha512Tests) / sizeof(sha512Tests[0]);
    for (size_t i = 0; i < numTests; i++) {
        SHA512Block result = SHA512Block::computeHash(sha512Tests[i].msg);
        ASSERT(sha512Tests[i].hash == result) << "Failed SHA512 iteration " << i;
    }

Reported by Cppcheck.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 89 Column: 14 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

const int maxDataSize = 54;
// HMAC-SHA-512 test vectors from https://tools.ietf.org/html/rfc4231#section-4.2
const struct {
    unsigned char key[maxKeySize];
    int keyLen;
    unsigned char data[maxDataSize];
    int dataLen;
    SHA512Block hash;
} hmacSha512Tests[] = {

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 91 Column: 14 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

const struct {
    unsigned char key[maxKeySize];
    int keyLen;
    unsigned char data[maxDataSize];
    int dataLen;
    SHA512Block hash;
} hmacSha512Tests[] = {
    // RFC test case 1
    {{0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,

Reported by FlawFinder.

src/mongo/db/fts/generate_stop_words.py
3 issues
Missing module docstring
Error

Line: 1 Column: 1

import sys

def generate( header, source, language_files ):
    out = open( header, "w" )
    out.write( """
#pragma once
#include <set>
#include <string>
#include "mongo/util/string_map.h"

Reported by Pylint.

Missing function or method docstring
Error

Line: 3 Column: 1

import sys

def generate( header, source, language_files ):
    out = open( header, "w" )
    out.write( """
#pragma once
#include <set>
#include <string>
#include "mongo/util/string_map.h"

Reported by Pylint.

Variable name "l" doesn't conform to snake_case naming style
Error

Line: 33 Column: 9

              """ )

    for l_file in language_files:
        l = l_file.rpartition( "_" )[2].partition( "." )[0]

        out.write( '  // %s\n' % l_file )
        out.write( '  {\n' )
        out.write( '    "%s", {\n' % l )
        for word in open( l_file, "rb" ):

            

Reported by Pylint.

buildscripts/resmokelib/core/process.py
3 issues
Consider possible security implications associated with subprocess module.
Security blacklist

Line: 11
Suggestion: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess

import logging
import os
import os.path
import subprocess
import sys
import threading
from datetime import datetime
from shlex import quote

Reported by Bandit.

subprocess call - check for execution of untrusted input.
Security injection

Line: 132
Suggestion: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html

                    process=os.path.basename(self.args[0]), t=now_str)
                recorder_args = [_config.UNDO_RECORDER_PATH, "-o", recorder_output_file]

            self._process = subprocess.Popen(recorder_args + self.args, bufsize=buffer_size,
                                             stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                                             close_fds=close_fds, env=self.env,
                                             creationflags=creation_flags, cwd=self._cwd)
            self.pid = self._process.pid

Reported by Bandit.

subprocess call - check for execution of untrusted input.
Security injection

Line: 148
Suggestion: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html

                    _config.UNDO_RECORDER_PATH, "-p",
                    str(self.pid), "-o", recorder_output_file
                ]
                self._recorder = subprocess.Popen(recorder_args, bufsize=buffer_size, env=self.env,
                                                  creationflags=creation_flags)

        self._stdout_pipe = pipe.LoggerPipe(self.logger, logging.INFO, self._process.stdout)
        self._stderr_pipe = pipe.LoggerPipe(self.logger, logging.ERROR, self._process.stderr)

Reported by Bandit.

src/third_party/wiredtiger/dist/api_config_gen.py
3 issues
Missing module docstring
Error

Line: 1 Column: 1

#!/usr/bin/env python
import os
os.system("./api_config.py")
os.system("./api_config.py -t")

Reported by Pylint.

Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Security injection

Line: 3
Suggestion: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html

#!/usr/bin/env python
import os
os.system("./api_config.py")
os.system("./api_config.py -t")

Reported by Bandit.

Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Security injection

Line: 4
Suggestion: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html

#!/usr/bin/env python
import os
os.system("./api_config.py")
os.system("./api_config.py -t")

Reported by Bandit.

src/mongo/crypto/sha1_block_test.cpp
3 issues
syntax error
Error

Line: 62

     SHA1Block::HashType{0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
                         0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1}}};

TEST(CryptoVectors, SHA1) {
    size_t numTests = sizeof(sha1Tests) / sizeof(sha1Tests[0]);
    for (size_t i = 0; i < numTests; i++) {
        SHA1Block result = SHA1Block::computeHash(sha1Tests[i].msg);
        ASSERT(sha1Tests[i].hash == result) << "Failed SHA1 iteration " << i;
    }

Reported by Cppcheck.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 74 Column: 14 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

const int maxDataSize = 54;
// HMAC-SHA-1 test vectors from http://tools.ietf.org/html/rfc2202.html
const struct {
    unsigned char key[maxKeySize];
    int keyLen;
    unsigned char data[maxDataSize];
    int dataLen;
    SHA1Block hash;
} hmacSha1Tests[] = {

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 76 Column: 14 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

const struct {
    unsigned char key[maxKeySize];
    int keyLen;
    unsigned char data[maxDataSize];
    int dataLen;
    SHA1Block hash;
} hmacSha1Tests[] = {
    // RFC test case 1
    {{0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,

Reported by FlawFinder.

src/third_party/wiredtiger/bench/workgen/workgen_func.c
3 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 103 Column: 18 CWE codes: 126

{
    size_t prefix_len;

    prefix_len = strlen(WORKGEN_VERSION_PREFIX);
    (void)strncpy(buf, WORKGEN_VERSION_PREFIX, len);
    if (len > prefix_len)
        (void)strncpy(&buf[prefix_len], WIREDTIGER_VERSION_STRING, len - prefix_len);
}

Reported by FlawFinder.

strncpy - Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned]
Security

Line: 104 Column: 11 CWE codes: 120

    size_t prefix_len;

    prefix_len = strlen(WORKGEN_VERSION_PREFIX);
    (void)strncpy(buf, WORKGEN_VERSION_PREFIX, len);
    if (len > prefix_len)
        (void)strncpy(&buf[prefix_len], WIREDTIGER_VERSION_STRING, len - prefix_len);
}

Reported by FlawFinder.

strncpy - Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned]
Security

Line: 106 Column: 15 CWE codes: 120

    prefix_len = strlen(WORKGEN_VERSION_PREFIX);
    (void)strncpy(buf, WORKGEN_VERSION_PREFIX, len);
    if (len > prefix_len)
        (void)strncpy(&buf[prefix_len], WIREDTIGER_VERSION_STRING, len - prefix_len);
}

Reported by FlawFinder.

src/third_party/wiredtiger/ext/encryptors/nop/nop_encrypt.c
3 issues
Memory leak: new
Error

Line: 209 CWE codes: 401

    /* Return the new encryptor. */
    *customp = (WT_ENCRYPTOR *)new;
    return (0);

err:
    free(new);
    return (ret);
}

Reported by Cppcheck.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 81 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

    if (dst_len < src_len)
        return (nop_error(nop_encryptor, session, ENOMEM, "encrypt buffer not big enough"));

    memcpy(dst, src, src_len);
    *result_lenp = src_len;

    return (0);
}
/*! [WT_ENCRYPTOR encrypt] */

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 107 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

    /*
     * The destination length is the number of unencrypted bytes we're expected to return.
     */
    memcpy(dst, src, dst_len);
    *result_lenp = dst_len;
    return (0);
}
/*! [WT_ENCRYPTOR decrypt] */

Reported by FlawFinder.

src/mongo/crypto/hash_block.h
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 123 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

        }

        HashType newHash;
        memcpy(newHash.data(), input, inputLen);
        return HashBlock(newHash);
    }

    static StatusWith<HashBlock> fromHexStringNoThrow(StringData hex) {
        if (!hexblob::validate(hex)) {

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 232 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

        }

        HashType newHash;
        memcpy(newHash.data(), binData.data, binData.length);
        return HashBlock(newHash);
    }

    /**
     * Make a new HashBlock from a vector of bytes representing bindata. For IDL.

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 244 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

        uassert(ErrorCodes::UnsupportedFormat,
                str::stream() << "Unsupported " << Traits::name << " hash length: " << bytes.size(),
                bytes.size() == kHashLength);
        memcpy(newHash.data(), bytes.data(), bytes.size());
        return HashBlock(newHash);
    }

    /**
     * Append this to a builder using the given name as a BSON BinData type value.

Reported by FlawFinder.