fixed issues raised by bandit

docs/openapi_generator/pyopenapi/generator.py

@@ -250,7 +250,9 @@ class ContentBuilder:
             value = sample_transformer(object_to_json(example))
 
             hash_string = (
-                hashlib.md5(json_dump_string(value).encode("utf-8")).digest().hex()
+                hashlib.sha256(json_dump_string(value).encode("utf-8"))
+                .digest()
+                .hex()[:16]
             )
             name = f"ex-{hash_string}"
 

llama_stack/cli/verify_download.py

@@ -50,7 +50,10 @@ def setup_verify_download_parser(parser: argparse.ArgumentParser) -> None:
 
 
 def calculate_md5(filepath: Path, chunk_size: int = 8192) -> str:
-    md5_hash = hashlib.md5()
+    # NOTE: MD5 is used here only for download integrity verification,
+    # not for security purposes
+    # TODO: switch to SHA256
+    md5_hash = hashlib.md5(usedforsecurity=False)
     with open(filepath, "rb") as f:
         for chunk in iter(lambda: f.read(chunk_size), b""):
             md5_hash.update(chunk)

llama_stack/templates/template.py

@@ -137,7 +137,12 @@ class DistributionTemplate(BaseModel):
 
         template = self.template_path.read_text()
         # Render template with rich-generated table
-        env = jinja2.Environment(trim_blocks=True, lstrip_blocks=True)
+        env = jinja2.Environment(
+            trim_blocks=True,
+            lstrip_blocks=True,
+            # NOTE: autoescape is required to prevent XSS attacks
+            autoescape=True,
+        )
         template = env.from_string(template)
         return template.render(
             name=self.name,