Move bandit into pep8

Run security linter bandit as part of pep8. Pep8 is the usual linter target and thus let's use it there instead of starting another node for this short-running job. Move bandit requirement to test-requirements. Disable temporarily some tests in bandit.yaml since they advocate using defusedxml which is not in global-requirements.txt and thus cannot be used inside bandit (bug#1550161). Change-Id: Ie3c9f4ee6e061ea090fa882f4f029f2761706951
2016-02-21 18:33:40 +01:00 · 2016-02-21 18:33:40 +01:00 · e09c00d44f
commit e09c00d44f
parent 6c64bc1b6a
4 changed files with 16 additions and 17 deletions
--- a/bandit.yaml
+++ b/bandit.yaml
@ -122,18 +122,19 @@ blacklist_calls:
        # Most of this is based off of Christian Heimes' work on defusedxml:
        #   https://pypi.python.org/pypi/defusedxml/#defusedxml-sax

-        - xml_bad_cElementTree:
-            qualnames: [xml.etree.cElementTree.parse,
-                        xml.etree.cElementTree.iterparse,
-                        xml.etree.cElementTree.fromstring,
-                        xml.etree.cElementTree.XMLParser]
-            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
-        - xml_bad_ElementTree:
-            qualnames: [xml.etree.ElementTree.parse,
-                        xml.etree.ElementTree.iterparse,
-                        xml.etree.ElementTree.fromstring,
-                        xml.etree.ElementTree.XMLParser]
-            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        # TODO(jaegerandi): Enable once defusedxml is in global requirements.
+        #- xml_bad_cElementTree:
+        #    qualnames: [xml.etree.cElementTree.parse,
+        #                xml.etree.cElementTree.iterparse,
+        #                xml.etree.cElementTree.fromstring,
+        #                xml.etree.cElementTree.XMLParser]
+        #    message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        #- xml_bad_ElementTree:
+        #    qualnames: [xml.etree.ElementTree.parse,
+        #                xml.etree.ElementTree.iterparse,
+        #                xml.etree.ElementTree.fromstring,
+        #                xml.etree.ElementTree.XMLParser]
+        #    message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
        - xml_bad_expatreader:
            qualnames: [xml.sax.expatreader.create_parser]
            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
--- a/setup.cfg
+++ b/setup.cfg
@ -86,7 +86,3 @@ output_file = glance/locale/glance.pot

 [pbr]
 warnerrors = True
-
-[extras]
-bandit =
-  bandit>=0.17.3 # Apache-2.0
--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -9,6 +9,7 @@ hacking<0.11,>=0.10.0
 Babel>=1.3 # BSD

 # Needed for testing
+bandit>=0.17.3  # Apache-2.0
 coverage>=3.6 # Apache-2.0
 fixtures>=1.3.1 # Apache-2.0/BSD
 mox3>=0.7.0 # Apache-2.0
--- a/tox.ini
+++ b/tox.ini
@ -30,6 +30,8 @@ commands =
 [testenv:pep8]
 commands =
  flake8 {posargs}
+  # Run security linter
+  bandit -c bandit.yaml -r glance -n5 -p gate
  # Check that .po and .pot files are valid:
  bash -c "find glance -type f -regex '.*\.pot?' -print0|xargs -0 -n 1 msgfmt --check-format -o /dev/null"

@ -57,7 +59,6 @@ commands =
 commands = python setup.py build_sphinx

 [testenv:bandit]
-deps = .[bandit]
 commands = bandit -c bandit.yaml -r glance -n5 -p gate

 [flake8]