Add bandit to pep8 and bandit testenv

This patch adds the bandit security linter to the tox jobs. It excludes
files in the 'tests' directory.

This patch also fixes or excludes the issues found by the scan.

Change-Id: I9caa41f596a17a8b961a542d4bc6bb121e7a147f
This commit is contained in:
Eric Brown 2016-04-28 07:46:57 -07:00
parent 7207ffaf61
commit 79532ea599
3 changed files with 18 additions and 2 deletions


@ -72,7 +72,7 @@ class SheepdogImage(object):
try:
return processutils.execute(
cmd, process_input=data, shell=True)[0]
cmd, process_input=data)[0]
except processutils.ProcessExecutionError as exc:
LOG.error(exc)
raise glance_store.BackendException(exc)
@ -231,7 +231,7 @@ class Store(glance_store.driver.Store):
reason=reason)
try:
processutils.execute("collie", shell=True)
processutils.execute("collie")
except processutils.ProcessExecutionError as exc:
reason = _("Error in store configuration: %s") % exc
LOG.error(reason)
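Review bot: Dropping `shell=True` from the `processutils.execute(cmd, process_input=data)` call only works if `cmd` is already an argument sequence; `cmd` is built above the hunk, and the previous `shell=True` form suggests it is a single formatted string. If so, the whole string is now handed to exec as argv[0] and every collie invocation fails with a not-found error instead of running, which unit tests that mock `execute` will not catch. Build `cmd` as a list and call `processutils.execute(*cmd, process_input=data)[0]`, rather than `shlex.split` on the string, so the Sheepdog address, port and image name never pass through shell parsing. The `processutils.execute("collie")` call in the second hunk is a bare command name and is unaffected. The enclosing method starts outside the hunk.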


@ -17,6 +17,7 @@ testscenarios>=0.4 # Apache-2.0/BSD
testtools>=1.4.0 # MIT
oslotest>=1.10.0 # Apache-2.0
os-testr>=0.7.0 # Apache-2.0
bandit>=1.0.1 # Apache-2.0
# this is required for the docs build jobs
sphinx!=1.3b1,<1.3,>=1.2.1 # BSD

tox.ini

@ -25,6 +25,21 @@ commands = sphinx-build -a -E -W -d releasenotes/build/.doctrees -b html release
[testenv:pep8]
commands =
flake8 {posargs}
# Run security linter
# The following bandit tests are being skipped:
# B101 - Use of assert detected.
# B110 - Try, Except, Pass detected.
# B303 - Use of insecure MD2, MD4, or MD5 hash function.
bandit -r glance_store -x tests --skip B101,B110,B303
[testenv:bandit]
# NOTE(browne): This is required for the integration test job of the bandit
# project. Please do not remove.
# The following bandit tests are being skipped:
# B101 - Use of assert detected.
# B110 - Try, Except, Pass detected.
# B303 - Use of insecure MD2, MD4, or MD5 hash function.
commands = bandit -r glance_store -x tests --skip B101,B110,B303
[testenv:cover]
# NOTE(nikhil): this target does not use constraints because upstream infra
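Review bot: Skipping B303 with `--skip` in both environments turns off the weak-hash check for all of glance_store, so an MD5 use added after this commit passes the gate silently, and the same holds for B110 and new try/except/pass blocks. Prefer leaving those two tests enabled and marking the existing, reviewed occurrences in the code with `# nosec` plus a one-line reason, reserving `--skip` for B101 if assert use is widespread. The skip list is also written out twice (the `pep8` and `bandit` commands) and will drift; let pep8 reuse it via tox substitution, replacing the `bandit -r glance_store -x tests --skip B101,B110,B303` line under `[testenv:pep8]` with `{[testenv:bandit]commands}`. The comment block explaining the skips then needs to live only once, in `[testenv:bandit]`.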