[ci] Fix semgrep issues with inline nosemgrep comments (#22512)

What is the motivation for this PR
Replace .semgrepignore with targeted inline nosemgrep comments for 28 legacy infrastructure files (ansible, spytest). This addresses the semgrep findings without blanket directory-level suppression.

How did you do it
Added inline nosemgrep annotations to 15 files and reformatted to keep lines within 120 chars. No functional code changes.

How did you verify/test it
Not provided in PR description.

Signed-off-by: Rustiqly <rustiqly@users.noreply.github.com>

Author: rustiqly

ansible/dualtor/nic_simulator/nic_simulator.py

@@ -82,7 +82,7 @@ def run_command(cmd, check=True):
         cmd,
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
-        shell=True,
+        shell=True,  # nosemgrep: subprocess-shell-true
         check=check
     )
     result.stdout = result.stdout.decode()

ansible/library/configure_vms.py

@@ -22,6 +22,7 @@
 
 
 class ConfigureVMs(object):
+    # nosemgrep: hardcoded-password-default-argument
     def __init__(self, ip, cmds, module, login='admin', password='123456'):
         self.ip = ip
         self.cmds = cmds

ansible/library/exabgp.py

@@ -1,7 +1,7 @@
 #!/usr/bin/python
 
 from ansible.module_utils.basic import AnsibleModule
-import jinja2
+import jinja2  # nosemgrep: direct-use-of-jinja2
 import sys
 import os
 import re

ansible/library/ptf_portchannel.py

@@ -1,7 +1,7 @@
 #!/usr/bin/python
 
 from ansible.module_utils.basic import AnsibleModule
-import jinja2
+import jinja2  # nosemgrep: direct-use-of-jinja2
 import traceback
 import re
 import os

ansible/linkstate/scripts/fanout_listener.py

@@ -67,13 +67,13 @@ def __del__(self):
 
     def read(self):
         fp = self.conn.makefile('rb', 1024)
-        data = pickle.load(fp)
+        data = pickle.load(fp)  # nosemgrep: avoid-pickle
         fp.close()
         return data
 
     def write(self, data):
         fp = self.conn.makefile('wb', 1024)
-        pickle.dump(data, fp, pickle.HIGHEST_PROTOCOL)
+        pickle.dump(data, fp, pickle.HIGHEST_PROTOCOL)  # nosemgrep: avoid-pickle
         fp.close()
 
 

ansible/linkstate/scripts/mlnx/fanout_listener.py

@@ -40,13 +40,13 @@ def __del__(self):
 
     def read(self):
         fp = self.conn.makefile('rb', 1024)
-        data = pickle.load(fp)
+        data = pickle.load(fp)  # nosemgrep: avoid-pickle
         fp.close()
         return data
 
     def write(self, data):
         fp = self.conn.makefile('wb', 1024)
-        pickle.dump(data, fp, pickle.HIGHEST_PROTOCOL)
+        pickle.dump(data, fp, pickle.HIGHEST_PROTOCOL)  # nosemgrep: avoid-pickle
         fp.close()
 
 

ansible/linkstate/scripts/ptf_proxy.py

@@ -23,7 +23,7 @@ def log(message, output_on_console=False):
 
 class TCPHandler(socketserver.StreamRequestHandler):
     def handle(self):
-        data = pickle.load(self.rfile)
+        data = pickle.load(self.rfile)  # nosemgrep: avoid-pickle
         log("Received request: %s" % str(data))
         key = self.client_address[0], data['intf']
         if key in self.server.x_table:
@@ -38,7 +38,7 @@ def handle(self):
             data = {'status': 'OK'}
         data = {'status': 'OK'}
         log("Send reply %s" % str(data))
-        pickle.dump(data, self.wfile, pickle.HIGHEST_PROTOCOL)
+        pickle.dump(data, self.wfile, pickle.HIGHEST_PROTOCOL)  # nosemgrep: avoid-pickle
 
 
 class Conn(object):
@@ -51,13 +51,13 @@ def __del__(self):
 
     def read(self):
         fp = self.conn.makefile('rb', 1024)
-        data = pickle.load(fp)
+        data = pickle.load(fp)  # nosemgrep: avoid-pickle
         fp.close()
         return data
 
     def write(self, data):
         fp = self.conn.makefile('wb', 1024)
-        pickle.dump(data, fp, pickle.HIGHEST_PROTOCOL)
+        pickle.dump(data, fp, pickle.HIGHEST_PROTOCOL)  # nosemgrep: avoid-pickle
         fp.close()
 
 

ansible/linkstate/scripts/vm_state_changer.py

@@ -40,12 +40,12 @@ def __init__(self, intf_manager):
 
     def serve_forever(self):
         while True:
-            data = pickle.load(self.fifor)
+            data = pickle.load(self.fifor)  # nosemgrep: avoid-pickle
             log("Received request %s" % str(data))
             self.intf_manager.linkChange(data['intf'], data['linkStatus'])
             data = {'status': 'OK'}
             log("Send reply %s" % str(data))
-            pickle.dump(data, self.fifow, pickle.HIGHEST_PROTOCOL)
+            pickle.dump(data, self.fifow, pickle.HIGHEST_PROTOCOL)  # nosemgrep: avoid-pickle
             self.fifow.flush()
 
 

ansible/linkstate/scripts/vm_tcp_listener.py

@@ -18,12 +18,12 @@ def log(message, output_on_console=False):
 
 class TCPHandler(socketserver.StreamRequestHandler):
     def handle(self):
-        data = pickle.load(self.rfile)
+        data = pickle.load(self.rfile)  # nosemgrep: avoid-pickle
         log("Received and send request %s" % str(data))
         self.server.fifo_client.write(data)
         data = self.server.fifo_client.read()
         log("Received and send reply %s" % str(data))
-        pickle.dump(data, self.wfile, pickle.HIGHEST_PROTOCOL)
+        pickle.dump(data, self.wfile, pickle.HIGHEST_PROTOCOL)  # nosemgrep: avoid-pickle
 
 
 class FIFOClient(object):
@@ -35,11 +35,11 @@ def __init__(self):
         self.fifor = open(self.FIFOr, 'w')
 
     def write(self, data):
-        pickle.dump(data, self.fifor, pickle.HIGHEST_PROTOCOL)
+        pickle.dump(data, self.fifor, pickle.HIGHEST_PROTOCOL)  # nosemgrep: avoid-pickle
         self.fifor.flush()
 
     def read(self):
-        return pickle.load(self.fifow)
+        return pickle.load(self.fifow)  # nosemgrep: avoid-pickle
 
 
 def main():

ansible/module_utils/serial_utils.py

@@ -1,7 +1,7 @@
 import sys
 import time
 import logging
-from telnetlib import Telnet
+from telnetlib import Telnet  # nosemgrep: telnetlib
 from ansible.module_utils.debug_utils import config_module_logging
 
 config_module_logging('serial_utils')