Introduce bandit security linter

Cyborg does not currently have a code security check, which may connive at possible security issues. For example, shell-related operations for drivers may be insecure. The current "sudo lspci -nnn -D" in the Huawei Ascend driver code [0] is insecure, but there is no job/test that can check for such potential security issues. So this patch introduces bandit as a code security check.

[0]: https://github.com/openstack/cyborg/blob/master/cyborg/accelerator/drivers/aichip/huawei/ascend.py#L69

Change-Id: Ia1f9acbbd176180cb5fe97b1a2eee5f98a95dea6
This commit is contained in: parent 7fd8aac788, commit d765a344ee
.zuul.yaml (+24)
@@ -9,7 +9,31 @@
       jobs:
         - cyborg-tempest
         - cyborg-tempest-ipv6-only
+        - cyborg-tox-bandit:
+            voting: false
     gate:
       jobs:
         - cyborg-tempest
 
+- job:
+    name: cyborg-tox-bandit
+    parent: openstack-tox
+    timeout: 2400
+    vars:
+      tox_envlist: bandit
+    required-projects:
+      - openstack/requirements
+    irrelevant-files: &gate-irrelevant-files
+      - ^(test-|)requirements.txt$
+      - ^.*\.rst$
+      - ^api-ref/.*$
+      - ^cyborg/cmd/status\.py$
+      - ^cyborg/hacking/.*$
+      - ^cyborg/tests/functional.*$
+      - ^cyborg/tests/unit.*$
+      - ^doc/.*$
+      - ^etc/.*$
+      - ^releasenotes/.*$
+      - ^setup.cfg$
+      - ^tools/.*$
+      - ^tox.ini$
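Review bot: the irrelevant-files list for cyborg-tox-bandit contains `^tox.ini$` and `^(test-|)requirements.txt$`, yet this very change defines the bandit invocation in tox.ini and pins bandit in test-requirements, so a later edit to the `commands = bandit ...` line or to the bandit version would not trigger this job; drop those two patterns for this job (the `&gate-irrelevant-files` anchor is defined here but nothing in this hunk references it yet, so it can be kept for jobs that do share it). Separately, the job is added to `check` with `voting: false` and not to `gate`, so findings only annotate reviews; that is a reasonable way to introduce a linter, but record a follow-up to make it voting once existing findings are triaged, otherwise the project gets the appearance of a security gate without enforcing one.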
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Introduce bandit check as the code security check, which can help us avoid
+    possible security issues. For example, shell-related operations for drivers
+    may be insecure. With bandit test, it can check the potential security
+    issues.
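Review bot: the note should tell users what the check actually does as configured elsewhere in this change (runs in check only, non-voting, reports medium and high severity findings), so readers do not assume merges are now blocked on bandit results. The wording of the last two sentences is also awkward; suggest: "Introduce a bandit job as a code security check. For example, shell-related operations in drivers may be insecure; bandit can flag such potential issues."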
@@ -4,6 +4,7 @@
 
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 
+bandit>=1.6.0 # Apache-2.0
 coverage>=3.6,!=4.4 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 mock>=2.0.0 # BSD
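Review bot: `bandit>=1.6.0` is a lower bound only; since the job declares `openstack/requirements` as a required project, confirm bandit is listed in that project's upper-constraints so the version is pinned reproducibly, because a lower bound alone lets every run pick up the newest bandit, and a release that adds checks can turn the job red without any cyborg change. Listing bandit in test-requirements also installs it into every tox env; if that is not wanted, put it in `deps` of the `[testenv:bandit]` section instead.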
tox.ini (+3)
@@ -100,5 +100,8 @@ builtins = _
 enable-extensions = H106,H203,H904
 exclude=.venv,.git,.tox,dist,doc,*lib/python*,*egg,build,*sqlalchemy/alembic/versions/*,demo/,releasenotes
 
+[testenv:bandit]
+commands = bandit -r cyborg -x cyborg/tests/* -n 5 -ll
+
 [hacking]
 local-check-factory = cyborg.hacking.checks.factory
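Review bot: `-ll` limits output to medium and high severity, while bandit's subprocess-without-shell and partial-executable-path checks are reported at low severity, so the `sudo lspci -nnn -D` case cited in the commit message may not surface at all unless that call uses shell=True; run this env once without `-ll` and confirm the motivating finding is actually reported at the chosen threshold before relying on the job. Also note that tox does not invoke a shell, so `cyborg/tests/*` reaches bandit unexpanded; verify that `-x` in bandit 1.6 treats it as a glob rather than a literal path. Moving the exclusions and severity level into a bandit `--ini` config file would make the scanning policy visible in one place rather than buried in a command line.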