Add bandit check to all python code

Bandit was not running in all directories
due to the missing -r parameter.

Also, this change fixes bandit errors.
* Add nosec to subprocess module
* Change /tmp/releases to .releases
* Change /tmp/ to tmp/, tmp/ is not checked
  and in unittest is not an issue, simpler that mocking tempfile
  and make more complex tests.

Change-Id: I42bafa4707a9a4d1faeb01cb9b5a843f56280deb
changes/87/481087/2
Eduardo Gonzalez 6 years ago
parent e5ea8f678c
commit cc7aabc12e

3
.gitignore vendored

@ -45,6 +45,9 @@ releasenotes/build
# Files generated by Ansible
ansible/*.retry
#OpenStack releases repo used by version_check.py.
.releases
# Others
.DS_Store
.vimrc

@ -373,10 +373,10 @@ class KollaWorkerTest(base.TestCase):
@mock.patch('shutil.copytree')
def test_work_dir(self, copytree_mock):
self.conf.set_override('work_dir', '/tmp/foo')
self.conf.set_override('work_dir', 'tmp/foo')
kolla = build.KollaWorker(self.conf)
kolla.setup_working_dir()
self.assertEqual('/tmp/foo/docker', kolla.working_dir)
self.assertEqual('tmp/foo/docker', kolla.working_dir)
class MainTest(base.TestCase):
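Review bot: Rewriting the override as `tmp/foo` silences bandit's hardcoded-tmp finding but makes test_work_dir depend on the runner's current working directory: the relative path is handed to `KollaWorker` and, if `setup_working_dir` touches the filesystem beyond the mocked `shutil.copytree`, a `tmp/` tree would be left wherever the tests were started. A per-test temporary directory avoids both the finding and the CWD dependency without mocking anything, e.g. `work_dir = tempfile.mkdtemp()` followed by `self.addCleanup(shutil.rmtree, work_dir, ignore_errors=True)`, then asserting on `os.path.join(work_dir, 'docker')` (adding the `tempfile` import if the module lacks it). If base.TestCase already provides a fixtures-style temp dir, that is the simpler choice. The enclosing KollaWorkerTest class begins before this hunk.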

@ -16,7 +16,7 @@ import argparse
import logging
import os
import re
import subprocess
import subprocess # nosec
import sys
import yaml
@ -38,7 +38,7 @@ logging.basicConfig(level=logging.INFO)
LOG = logging.getLogger(__name__)
RELEASE_REPO = 'https://github.com/openstack/releases'
TARGET = '/tmp/releases'
TARGET = '.releases'
SKIP_PROJECTS = {
'rally': 'Rally is not managed by openstack/releases project',
@ -60,7 +60,7 @@ def update_releases_repo():
else:
cmd = ['git', '--git-dir', os.path.join(TARGET, '.git'), '--work-tree',
TARGET, 'pull']
subprocess.call(cmd)
subprocess.call(cmd) # nosec
def get_default_branch():
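Review bot: The return value of `subprocess.call(cmd)` is still discarded, so a failed `git pull` (network down, dirty checkout) lets update_releases_repo return as if the releases repo were current and the later version comparison presumably runs against stale data; `subprocess.check_call(cmd)  # nosec` raises instead and keeps the suppression. The bare `# nosec` markers here and on the import record no reason for the suppression; a short justification such as `# nosec: argv list, no shell, arguments are module constants` says why the subprocess warnings are acceptable, and applies equally to the import line in the first hunk. `TARGET = '.releases'` is now resolved against the current working directory, so the clone only lands in the `.gitignore`d top-level `.releases` when the tool is run from the repository root; anchoring it with `os.path.join(os.path.dirname(__file__), ...)` or noting the assumption in a comment would make that explicit. update_releases_repo's `if` branch begins before this hunk and likely has the same unchecked call.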

@ -36,7 +36,7 @@ commands =
flake8 {posargs}
{toxinidir}/tools/validate-all-dockerfiles.sh
python {toxinidir}/tools/validate-all-file.py
bandit docker kolla tests tools
bandit -r docker kolla tests tools
[testenv:bandit]
commands = bandit -r docker kolla tests tools
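Review bot: The new `bandit -r docker kolla tests tools` line in the pep8 environment duplicates the `[testenv:bandit]` command two lines below, so the two will drift the next time a directory is added; tox substitution, `{[testenv:bandit]commands}` in the pep8 commands list, keeps a single definition. With `-r` the `tests` tree is scanned for the first time, which is what forces the hardcoded-/tmp rewrites in the test module; a one-line comment next to the command noting that tests are in scope would explain the coupling to the next person who adds a fixture path.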
