Enable Bandit testing in Manila

Adds a Bandit testing environment to the tox.ini file and adds a job to project.yaml Zuul CI file to run the Bandit test environment. Also includes a nosec comment to ignore a hardbinding to 0.0.0.0 in service.py Depends-On: I78a5b708cd970dcb60f480d8e6a201d0768645fc Depends-On: I27d1204ec7dafd3b578d1261c3fd2e371ae405fb Depends-On: I2a913f3b87e16554b1bd68543fcf254cc4226031 Depends-On: I46ad1a7ca723157488525ca7239cbd0ef421b975 Depends-On: Ib5404d9e165be5879f5351c3f0952648ae702b2d Depends-On: Id71c0ee4138b695ff19085a284ccced6b1a9dbba Depends-On: I33bbb7070ada5509ca05c90d7a38077d38f54a1f Depends-On: I3e974a2113b29af1111f27ca1afeb78091a0ec75 Depends-On: I0e686c91ce02ea42719d00d17f6ed659e97470ac Depends-On: I171c90a281c7b62c2601131293f9f00a926641e2 Change-Id: I8eb93cdcd5d47a6a5495ee7277c72d5f028cb412
2024-02-06 19:26:59 +00:00 · 2024-02-06 19:26:59 +00:00 · 333e6aee90
commit 333e6aee90
parent 36549c8b97
3 changed files with 19 additions and 1 deletions
--- a/manila/service.py
+++ b/manila/service.py
@ -352,7 +352,7 @@ class WSGIService(service.ServiceBase):
        if not rpc.initialized():
            rpc.init(CONF)
        self.app = self.loader.load_app(name)
-        self.host = getattr(CONF, '%s_listen' % name, "0.0.0.0")
+        self.host = getattr(CONF, '%s_listen' % name, "0.0.0.0")  # nosec B104
        self.port = getattr(CONF, '%s_listen_port' % name, 0)
        self.workers = getattr(CONF, '%s_workers' % name, None)
        self.use_ssl = getattr(CONF, '%s_use_ssl' % name, False)
--- a/tox.ini
+++ b/tox.ini
@ -64,6 +64,13 @@ commands = oslopolicy-sample-generator --config-file=etc/manila/manila-policy-ge
 [testenv:venv]
 commands = {posargs}

+[testenv:bandit]
+deps = bandit
+commands = bandit -r manila --ini tox.ini -n5 -ll
+
+[bandit]
+exclude = tests,tegile,hitachi,glusterfs,vnx,ssh_utils.py
+
 [testenv:docs]
 # NOTE(elod.illes): requirements.txt is needed because otherwise
 # dependencies are installed during 'develop-inst' tox phase without
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@ -28,6 +28,8 @@
            voting: false
        - manila-rally-ss:
            voting: false
+        - manila-tox-bandit:
+            voting: false
    gate:
      jobs:
        - manila-tempest-plugin-dummy-no-dhss
@ -78,3 +80,12 @@
        GLOBAL_VENV: false
    required-projects:
      - openstack/rally-openstack
+
+- job:
+  # Security testing for known issues
+    name: manila-tox-bandit
+    parent: openstack-tox
+    timeout: 2400
+    vars:
+      tox_envlist: bandit
+    irrelevant-files: *irrelevant-files