Closed
Description
Proposal
The use of exec can be dangerous, potentially allowing execution of Python code on a system.
Motivation
The codebase should more strictly follow Python convention to hopefully improve maintainability.
Details
Since this is the setup.py script, it may not need to be addressed as we assume this is something that will be deployed by the user and does not pose an immediate risk to the operation of the tool. This could/should be mitigated at some point to not use exec. The specific code is mentioned below:
Line 29 in 46073ff
exec(f.read(), pkg_vars) # nosec # pylint: disable=exec-used
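One way to fill pkg_vars without exec, as an added example that is not the project's own code: parse the file with ast and keep only top-level assignments whose right-hand side is a plain literal, so nothing in the file is ever run. The helper name read_pkg_vars, the SAMPLE text, and the assumption that the file setup.py reads holds simple literal assignments such as a version string are all hypothetical.

```python
import ast


def read_pkg_vars(source: str) -> dict:
    """Collect top-level NAME = <literal> assignments without executing source."""
    pkg_vars = {}
    tree = ast.parse(source)  # parsing only; no statement in `source` is run
    for node in tree.body:
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue  # imports, calls, defs and docstrings are skipped
        try:
            literal = ast.literal_eval(value)
        except (ValueError, TypeError):
            continue  # right-hand side is not a plain literal (e.g. a call)
        for target in targets:
            if isinstance(target, ast.Name):
                pkg_vars[target.id] = literal
    return pkg_vars


# Constructed sample standing in for the file that setup.py reads.
# The last two statements would run under exec(); here they are ignored.
SAMPLE = '''\
"""Package metadata."""
import os
__version__ = "1.2.3"
__author__: str = "Example Author"
__flags__ = ("a", "b")
__computed__ = os.getcwd()
os.system("echo side effect")
'''

if __name__ == "__main__":
    print(read_pkg_vars(SAMPLE))
```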