
[SDL] Enable Bandit B404 test #3913

Open
jszczepa wants to merge 2 commits into openvinotoolkit:develop from jszczepa:enable_bandit_B404_test

Conversation

@jszczepa

Changes

This modification helps to apply SDL policy related to Bandit scans (see: https://github.com/intel-innersource/applications.security.bandit-config/blob/main/ipas_default.config)

Reason for changes

Each use of the subprocess module needs to be reviewed against command injection by a potential attacker.

Related tickets

N/A

Tests

N/A

Copilot AI review requested due to automatic review settings February 10, 2026 11:50
@jszczepa jszczepa requested a review from a team as a code owner February 10, 2026 11:50

Copilot AI left a comment


Pull request overview

Enables Bandit’s B404 (“import subprocess”) check per SDL guidance, while suppressing B404 findings on specific subprocess imports.

Changes:

  • Stop skipping Bandit B404 in pyproject.toml.
  • Add inline # nosec B404 suppressions on subprocess imports in two Python modules.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File | Description
src/nncf/torch/quantization/extensions.py | Suppresses Bandit B404 on subprocess import to keep scan green while B404 is enabled.
src/custom_version.py | Suppresses Bandit B404 on subprocess import to keep scan green while B404 is enabled.
pyproject.toml | Enables B404 by removing it from Bandit's skip list (commented out).



import os.path
import subprocess
import subprocess # nosec B404
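Review bot: the new `# nosec B404` on `import subprocess` in extensions.py records no reason, so the scan goes green without the review that enabling B404 was meant to force. State in the comment what this module does with subprocess (for example `# nosec B404: argv lists only, no shell=True, used for <purpose>`), and because a `# nosec` marker applies only to the line it sits on, confirm that the actual subprocess call sites in this module have been reviewed for untrusted input rather than treated as covered by the import-level marker.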

Copilot AI Feb 10, 2026


Using # nosec B404 without any justification defeats the intent of enabling B404 for SDL review. Prefer adding a brief rationale (e.g., # nosec B404: <reason this import/use is safe>) and/or scoping the suppression as narrowly as possible to the specific safe call site(s) rather than suppressing at import.

Suggested change
import subprocess # nosec B404
import subprocess # nosec B404: imported only for CalledProcessError exception handling; no subprocess commands are executed in this module

import os
import re
import subprocess
import subprocess # nosec B404
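Review bot: same unexplained `# nosec B404` in custom_version.py; put the reason on the comment and, since this module also imports `os` and `re`, say whether any value taken from the environment, the filesystem or a regex match is passed into the subprocess call and in what form (fixed argument list versus shell string), because that is exactly the command-injection question the PR description says each subprocess use must answer.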

Copilot AI Feb 10, 2026


Same concern as above: suppressing B404 at the import level with no explanation makes it hard to audit why subprocess is safe here. Add a short rationale to the # nosec comment and consider limiting suppression to the specific safe usage instead of the module import.

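The review that the PR description asks for, and the recorded rationale that both Copilot comments ask for, shown as an added example; this is not code from this PR or from NNCF. It puts an injectable subprocess call beside its hardened form, keeps the `# nosec B404` on the import with the reason written on the line above it, and leaves the call sites unsuppressed so Bandit's findings there stay visible until each is reviewed. Assumptions: the allowlist `_REF_RE`, the functions `is_safe_ref`, `run_unsafe`, `run_safe` and `compare`, and the sample inputs are all made up for the example; the child program is Python's own interpreter echoing its argv, so nothing outside the example is executed and it runs offline.

```python
"""Added example (not NNCF code): the review a Bandit B404 finding asks for.

Two ways of handing a caller-supplied value to a child process, side by side.
run_unsafe() splices the value into a shell string, so a value such as
"x; echo INJECTED" runs a second command.  run_safe() checks the value against
an allowlist and passes an argument list with no shell, so the same value
reaches the child as one literal argv entry.  The child program is a stand-in
that prints its argv, so the result can be inspected offline.
"""
import re
import subprocess  # nosec B404
# Reason for the suppression above (kept on its own line so the nosec marker
# stays a bare test id): only run_safe() is production code; it passes a fixed
# argv list, never shell=True, and validates its single variable argument.
import sys

# Hypothetical allowlist for a version/ref string; tighten it per call site.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Stand-in child program: echoes its argv so the caller sees what it received.
_ECHO_ARGV = "import sys; print('ARGV=' + repr(sys.argv[1:]))"


def is_safe_ref(ref: str) -> bool:
    """Allowlist check: letters, digits, '.', '_', '-' only; no shell metacharacters."""
    return _REF_RE.match(ref) is not None


def run_unsafe(ref: str) -> str:
    """Injectable form, kept only as the 'before' picture.  The whole string is
    parsed by /bin/sh, so ';', '$(...)' or backticks in `ref` become commands.
    Bandit reports this call site (shell=True); that finding must stay visible."""
    cmd = f'"{sys.executable}" -c "{_ECHO_ARGV}" {ref}'
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout


def run_safe(ref: str) -> str:
    """Hardened form: validate, then pass an argv list.  No shell is involved, so
    shell metacharacters are just characters inside one argument."""
    if not is_safe_ref(ref):
        raise ValueError(f"refusing unsafe ref: {ref!r}")
    argv = [sys.executable, "-c", _ECHO_ARGV, ref]
    # Bandit still reports this line as B603 (subprocess call) at low severity.
    # Suppress it here, with the reason, only after the review; not at the import.
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


def compare(ref: str) -> dict:
    """Run one input through both paths; 'safe' is None when the allowlist rejects it."""
    result = {"unsafe": run_unsafe(ref), "safe": None}
    if is_safe_ref(ref):
        result["safe"] = run_safe(ref)
    return result


if __name__ == "__main__":
    # Constructed sample inputs: a benign tag and an injection attempt.
    for sample in ("v1.2.3", "x; echo INJECTED"):
        print(sample, "->", compare(sample))
```

Run it on a POSIX system and the injection attempt prints `INJECTED` on the unsafe path while the safe path refuses the value outright; a benign tag produces the same `ARGV=['v1.2.3']` on both paths, which is what a reviewer wants to see before accepting a suppression.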