From d765a344ee54b08791ab06149f3e1652e456ac06 Mon Sep 17 00:00:00 2001
From: Yumeng Bao <yumeng_bao@yahoo.com>
Date: Wed, 25 Dec 2019 02:07:23 -0800
Subject: [PATCH] Introduce bandit security linter

Cyborg now does not have a code security check, which may connive at
possible security issues. For example, shell-related operations for drivers
may be insecure. Current "sudo lspci -nnn -D" in huawei ascend driver code[0]
is insecure, but there is no any job/test that can check the potential security
issues. So this patch introduces bandit as a code security check.

[0]:https://github.com/openstack/cyborg/blob/master/cyborg/accelerator/drivers/aichip/huawei/ascend.py#L69

Change-Id: Ia1f9acbbd176180cb5fe97b1a2eee5f98a95dea6
---
 .zuul.yaml                                    | 24 +++++++++++++++++++
 ...ndit-security-linter-339d3f12b6200d64.yaml |  7 ++++++
 test-requirements.txt                         |  1 +
 tox.ini                                       |  3 +++
 4 files changed, 35 insertions(+)
 create mode 100644 releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml

diff --git a/.zuul.yaml b/.zuul.yaml
index 073630ea..ea632164 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -9,7 +9,31 @@
       jobs:
         - cyborg-tempest
         - cyborg-tempest-ipv6-only
+        - cyborg-tox-bandit:
+            voting: false
     gate:
       jobs:
         - cyborg-tempest
 
+- job:
+    name: cyborg-tox-bandit
+    parent: openstack-tox
+    timeout: 2400
+    vars:
+      tox_envlist: bandit
+    required-projects:
+      - openstack/requirements
+    irrelevant-files: &gate-irrelevant-files
+      - ^(test-|)requirements.txt$
+      - ^.*\.rst$
+      - ^api-ref/.*$
+      - ^cyborg/cmd/status\.py$
+      - ^cyborg/hacking/.*$
+      - ^cyborg/tests/functional.*$
+      - ^cyborg/tests/unit.*$
+      - ^doc/.*$
+      - ^etc/.*$
+      - ^releasenotes/.*$
+      - ^setup.cfg$
+      - ^tools/.*$
+      - ^tox.ini$
diff --git a/releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml b/releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml
new file mode 100644
index 00000000..1ae41c3e
--- /dev/null
+++ b/releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Introduce bandit check as the code security check, which can help us avoid 
+    possible security issues. For example, shell-related operations for drivers
+    may be insecure. With bandit test, it can check the potential security
+    issues.
diff --git a/test-requirements.txt b/test-requirements.txt
index 2175be94..61d06529 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -4,6 +4,7 @@
 
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 
+bandit>=1.6.0 # Apache-2.0
 coverage>=3.6,!=4.4 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 mock>=2.0.0 # BSD
diff --git a/tox.ini b/tox.ini
index 1850b2a4..c7aced56 100644
--- a/tox.ini
+++ b/tox.ini
@@ -100,5 +100,8 @@ builtins = _
 enable-extensions = H106,H203,H904
 exclude=.venv,.git,.tox,dist,doc,*lib/python*,*egg,build,*sqlalchemy/alembic/versions/*,demo/,releasenotes
 
+[testenv:bandit]
+commands = bandit -r cyborg -x cyborg/tests/* -n 5 -ll
+
 [hacking]
 local-check-factory = cyborg.hacking.checks.factory