Description
Summary
I found this while working on #18972
paramiko-call (S601) only checks for a paramiko.exec_command, as seen in the test case:
```python
import paramiko

paramiko.exec_command('something; really; unsafe')
```
And the given example code does not raise: https://play.ruff.rs/6b4aa322-f3b1-49cd-997d-f14b5c1bac41
However, as both the example in S601's docs and paramiko's own docs show, this call can also be made through an intermediary client object:
```python
from paramiko import SSHClient  # import added so the docs snippet runs as written

client = SSHClient()
client.load_system_host_keys()
client.connect('ssh.example.com')
stdin, stdout, stderr = client.exec_command('ls -l')
```

The rule needs to either be more general like how suspicious-subprocess-import (S404) is a blanket search for importing subprocess, or have additional cases added, since reading through the paramiko docs it looks like exec_command is just a convenience wrapper around functionality provided in the Client object, which would share the same security concerns. I'm also not certain paramiko.exec_command is even valid code using paramiko, as a GitHub search for "paramiko.exec_command" only returned it in flake8-bandit/ruff test cases.
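To make the gap concrete, here is an added example (not ruff's code and not from the issue author) that runs two hypothetical `ast`-based checks over a constructed sample containing both spellings: `narrow_matches` mirrors a rule that only recognises the literal `paramiko.exec_command(...)` receiver, while `broad_matches` flags any `<receiver>.exec_command(...)` call in a module that imports paramiko, which is the more general approach the issue asks for.

```python
import ast

# Constructed sample: line 5 uses the `paramiko.exec_command` spelling from the
# S601 test case; line 10 uses the `client.exec_command` form from paramiko's docs.
SAMPLE = '''
import paramiko
from paramiko import SSHClient

paramiko.exec_command("something; really; unsafe")

client = SSHClient()
client.load_system_host_keys()
client.connect("ssh.example.com")
stdin, stdout, stderr = client.exec_command("ls -l")
'''


def _exec_command_calls(tree: ast.AST):
    """Yield every Call node whose callee attribute is `exec_command`."""
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "exec_command"):
            yield node


def narrow_matches(source: str) -> list[int]:
    """Hypothetical narrow check: only `paramiko.exec_command(...)` is flagged."""
    return sorted(
        call.lineno
        for call in _exec_command_calls(ast.parse(source))
        if isinstance(call.func.value, ast.Name) and call.func.value.id == "paramiko"
    )


def broad_matches(source: str) -> list[int]:
    """Hypothetical broad check: any `.exec_command(...)` call is flagged,
    but only when the module imports paramiko (so unrelated APIs stay quiet)."""
    tree = ast.parse(source)
    imports_paramiko = any(
        (isinstance(n, ast.Import) and any(a.name == "paramiko" for a in n.names))
        or (isinstance(n, ast.ImportFrom) and n.module == "paramiko")
        for n in ast.walk(tree)
    )
    if not imports_paramiko:
        return []
    return sorted(call.lineno for call in _exec_command_calls(tree))


if __name__ == "__main__":
    print("narrow:", narrow_matches(SAMPLE))  # the client-object call is missed
    print("broad: ", broad_matches(SAMPLE))   # both call sites are reported
```

The broad form trades some precision for coverage, in the same spirit as S404's blanket match on the subprocess import.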
Version
playground