Bandit B404 security issue with subprocess import?

According to Bandit's documentation, importing the subprocess module is considered a low security issue (B404). Unfortunately, it does not provide alternatives or explanation why. Thus, I have 2 questions:

  1. How could just importing this module be an issue in itself?
  2. What alternatives should I use instead? Should I import only a specific function from this library or should I just avoid it?
fgoudra Avatar asked Jan 19 '26 17:01



1 Answer

Our team decided to turn off the B404 warning because, as you pointed out, it is not useful.

We have B602: subprocess_popen_with_shell_equals_true and B603: subprocess_without_shell_equals_true both turned on, which are where actual security issues could happen.

Carl Walsh Avatar answered Jan 21 '26 07:01

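As an added example, not part of the answer above, here are the two call shapes Bandit distinguishes: an argument-vector call (what B603 points at), where a user-controlled value containing shell metacharacters is passed to the child as one literal argument, next to the shell=True form (B602) that a reviewer should treat as a real finding. The `[tool.bandit]` snippet in the docstring is an assumed pyproject configuration mirroring the answer's choice of skipping B404 while keeping B602/B603, and the function names are made up for this illustration.

```python
"""Skipping B404 while keeping the call-site checks.

Assumed Bandit configuration (pyproject.toml, run with
`bandit -c pyproject.toml -r .`):

    [tool.bandit]
    skips = ["B404"]   # importing subprocess is not a defect by itself

B602 (shell=True) and B603 (argument vector) stay enabled so that every
place a child process is started is still surfaced for review.
"""
import subprocess  # flagged by B404 only; the risk lives at the call sites below
import sys


def run_safe(args: list[str]) -> str:
    """Run a command as an argument vector (Bandit B603).

    No shell parses these strings, so characters such as ';', '&&' or '$'
    in user input reach the child program as plain text. B603 is a prompt to
    confirm that `args` is assembled from trusted pieces, not a vulnerability.
    """
    result = subprocess.run(args, capture_output=True, text=True, check=True)
    return result.stdout


def run_unsafe(command: str) -> str:
    """Same call with shell=True (Bandit B602).

    The string is handed to /bin/sh, so any user-controlled part of it can
    change which commands run. This is the variant worth treating as a
    finding; it is defined here for comparison and is never invoked.
    """
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def echo_argument(user_value: str) -> str:
    """Pass a user-controlled value to a child process via the vector form.

    The child is the current Python interpreter, so this runs offline with no
    external tool. The returned text is exactly what the child received.
    """
    script = "import sys; print(sys.argv[1])"
    return run_safe([sys.executable, "-c", script, user_value]).rstrip("\r\n")


if __name__ == "__main__":
    # Constructed input with shell metacharacters; it comes back verbatim,
    # which shows no shell interpreted it.
    print(echo_argument("report.txt; echo injected"))
```

Running `bandit` over this file with the configuration above reports B603 for `run_safe` and B602 for `run_unsafe`, and nothing for the import.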