Fix bandit gate jobs

* Inspected each error and fixed / added nosec where appropriate.
* build-swift-ring.py, which was throwing sec errors, is no longer used, so
  it was removed.
* Removed the dev/ directory from being checked.

Closes-Bug: #1617713
Change-Id: I25664cabca4137e5c9f499c1af3f5ce78b86fb56
Paul Bourke 2016-08-11 09:48:21 +00:00 committed by Dave Walker
parent f2a2b69c6a
commit fc30d583f9
8 changed files with 26 additions and 17 deletions

@ -67,7 +67,7 @@ EXAMPLES = '''
import json
import pyudev
import re
import subprocess
import subprocess # nosec
def get_id_part_entry_name(dev):
@ -84,7 +84,10 @@ def get_id_part_entry_name(dev):
part = re.sub(r'.*[^\d]', '', dev.device_node)
parent = dev.find_parent('block').device_node
# NOTE(Mech422): Need to use -i as -p truncates the partition name
out = subprocess.Popen(['/usr/sbin/sgdisk', '-i', part, parent],
# TODO(pbourke): Consider some form of validation to be performed on
# part/parent [0]
out = subprocess.Popen(['/usr/sbin/sgdisk', '-i', part, # nosec [0]
parent],
stdout=subprocess.PIPE).communicate()
match = re.search(r'Partition name: \'(\w+)\'', out[0])
if match:
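Review bot: The TODO added above the `sgdisk` call asks for validation of `part`/`parent` without saying what it would guard against, so the `# nosec [0]` rests on an open question rather than a recorded argument. From the visible lines, `part` is reduced to digits by the `re.sub` on the first line of the hunk and the call passes an argv list with no shell, so the remaining concern is an empty or non-numeric `part` (e.g. a whole-disk node) making sgdisk fail, not injection; recording that is more useful than a deferral: `# NOTE: part is digits-only (re.sub above) and sgdisk is run as an argv list without a shell, so no shell path exists here; an empty part still makes sgdisk fail.` The exit status from `.communicate()` is also never checked, so a failing sgdisk simply yields no match. get_id_part_entry_name continues past the end of the hunk.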

@ -22,6 +22,7 @@
# in upstream shade we will be able to use more of the shade module. Until then
# if we want to be 'stable' we really need to be using it as a passthrough
import tempfile
import traceback
import shade
@ -34,8 +35,8 @@ class SanityChecks(object):
@staticmethod
def glance(cloud):
open("/tmp/blank.qcow2", 'a').close()
cloud.create_image("test", filename="/tmp/blank.qcow2",
with tempfile.NamedTemporaryfile(suffix='qcow2') as image:
cloud.create_image("test", filename=image.name,
disk_format="qcow2", container_format="bare")
testid = cloud.get_image_id("test")
cloud.delete_image(testid)
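Review bot: `tempfile.NamedTemporaryfile` on the `with` line is misspelled — the stdlib attribute is `NamedTemporaryFile` (capital F), so this raises AttributeError the first time `glance()` runs and the sanity check never reaches `create_image`. Change it to `with tempfile.NamedTemporaryFile(suffix='.qcow2') as image:`; the dot in the suffix is optional but keeps the temporary name shaped like the old `/tmp/blank.qcow2`. With the default `delete=True` the file is removed when the block exits, which is after `delete_image`, so the ordering is fine as far as the hunk shows; the method may extend past the last visible line.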

@ -24,7 +24,7 @@
# at this time. Once Docker updates with this feature we will usre this again.
import nsenter
import subprocess
import subprocess # nosec
import sys
@ -36,7 +36,7 @@ def host_mnt_exec(cmd):
'1',
'mnt',
proc='/var/lib/kolla/host_proc/'))
process_ = subprocess.Popen(cmd)
process_ = subprocess.Popen(cmd) # nosec
except Exception as e:
print(
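Review bot: The `# nosec` added to `subprocess.Popen(cmd)` here, and again on the `Popen` in the following hunk, carries no rationale, whereas the sgdisk and run_cmd hunks in this commit pair their suppression with a NOTE explaining why the input is trusted. A one-line reason keeps the suppression reviewable, e.g. `process_ = subprocess.Popen(cmd)  # nosec: argv list, no shell`. In the second hunk `cmd` is extended with `sys.argv[1:]`, so the comment there should additionally say that the arguments come from the operator invoking the wrapper. host_mnt_exec continues beyond the end of this hunk.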
@ -64,5 +64,5 @@ else:
if len(sys.argv) == 2:
cmd = cmd + sys.argv[1:]
process_ = subprocess.Popen(cmd)
process_ = subprocess.Popen(cmd) # nosec
sys.exit(process_.returncode)
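Review bot: `sys.exit(process_.returncode)` on the last line reads the return code right after `Popen` with no `wait()`/`communicate()` visible between them, so `returncode` is still `None` and the wrapper exits 0 regardless of what the child did (unless a wait sits on the one line this 5-line hunk appears to be missing in the rendering). Since the commit is already touching the `Popen` line, `process_ = subprocess.Popen(cmd)  # nosec` followed by `sys.exit(process_.wait())` would make the exit status meaningful to whatever invokes this script.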

@ -13,7 +13,7 @@
# limitations under the License.
import json
import subprocess
import subprocess # nosec
import traceback
@ -23,9 +23,11 @@ def extract_gospel_node(term):
def main():
try:
# TODO(pbourke): see if can get gospel node without requiring shell
raw_status = subprocess.check_output(
"rabbitmqctl eval 'rabbit_clusterer:status().'",
shell=True, stderr=subprocess.STDOUT
"/usr/sbin/rabbitmqctl eval 'rabbit_clusterer:status().'",
shell=True, stderr=subprocess.STDOUT # nosec: this command appears
# to require a shell to work
)
if "Rabbit is running in cluster configuration" not in raw_status:
raise AttributeError
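Review bot: `shell=True` is kept on the `rabbitmqctl` call and suppressed with `# nosec` on the grounds that the command "appears to require a shell", but the only work the shell does here is strip the single quotes around `rabbit_clusterer:status().`; the same invocation runs without a shell as an argv list: `raw_status = subprocess.check_output(['/usr/sbin/rabbitmqctl', 'eval', 'rabbit_clusterer:status().'], stderr=subprocess.STDOUT)`. That removes the need for both the TODO and the nosec instead of documenting around them, and it no longer depends on `/bin/sh` quoting rules inside the container. main() continues past the end of the hunk.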

@ -19,7 +19,7 @@ This script is a simple wrapper used to create and rebalance Swift ring files.
"""
import argparse
import subprocess
import subprocess # nosec
import sys
@ -54,7 +54,10 @@ def setup_args():
def run_cmd(cmd):
print(' '.join(cmd))
subprocess.call(cmd)
# NOTE(sdake): [0] we expect Operators to run this command and for their
# environment to be properly secured. Since this is not a network
# facing tool, there is no risk of untrusted input.
subprocess.call(cmd) # nosec [0]
def run(args):
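Review bot: `subprocess.call(cmd)` in `run_cmd` discards the child's exit status, so a failing ring-builder step is printed and then silently ignored by `run`; since the line is being touched anyway, `subprocess.check_call(cmd)  # nosec [0]` (or `return subprocess.call(cmd)` with the caller checking it) lets failures surface. The NOTE about operator-run, non-network-facing tooling is a reasonable justification for the suppression, though the commit message says build-swift-ring.py was removed while this hunk modifies a script whose header describes exactly that tool — one of the two seems stale. run_cmd is fully visible; the `def run(args):` line that follows is context only.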

@ -22,7 +22,7 @@ import yaml
from Crypto.PublicKey import RSA
def generate_RSA(bits=2048):
def generate_RSA(bits=4096):
new_key = RSA.generate(bits, os.urandom)
private_key = new_key.exportKey("PEM")
public_key = new_key.publickey().exportKey("OpenSSH")
@ -52,7 +52,7 @@ def main():
length = 40
with open(passwords_file, 'r') as f:
passwords = yaml.load(f.read())
passwords = yaml.safe_load(f.read())
for k, v in passwords.items():
if (k in ssh_keys and
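Review bot: `yaml.safe_load(f.read())` reads the whole file into a string before parsing, while the other YAML hunk in this commit passes the open handle straight in (`yaml.safe_load(fd)`); `passwords = yaml.safe_load(f)` does the same here and keeps the two call sites consistent. The move from `load` to `safe_load` is the right fix for the bandit finding; it also means any passwords file that relied on `!!python/...` tags would now fail to parse — presumably none do, but it is worth confirming against the shipped passwords.yml. main() continues past the end of the hunk.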

@ -32,7 +32,7 @@ def main():
for filename in args.input:
with open(filename) as fd:
try:
yaml.load(fd)
yaml.safe_load(fd)
except yaml.error.YAMLError as error:
res = 1
logging.error('%s failed validation: %s',

@ -26,7 +26,7 @@ commands =
{toxinidir}/tools/validate-all-dockerfiles.sh
[testenv:bandit]
commands = bandit -r ansible/library dev docker kolla tests tools
commands = bandit -r ansible/library docker kolla tests tools
[testenv:venv]
commands = {posargs}
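Review bot: Dropping `dev` from the bandit target list removes that tree from the security gate without leaving any trace of why in tox.ini, so the next reader cannot tell whether the omission was deliberate or a typo. A comment above the command records the intent, e.g. `# dev/ is deliberately excluded from the bandit scan; see Change-Id I25664cabca4137e5c9f499c1af3f5ce78b86fb56`. If the exclusion is meant to be permanent, bandit's own exclude option would also keep the rule in one place should the target list grow.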