Merge "Enable Bandit testing in Manila"

manila/service.py

@@ -352,7 +352,7 @@ class WSGIService(service.ServiceBase):
         if not rpc.initialized():
             rpc.init(CONF)
         self.app = self.loader.load_app(name)
-        self.host = getattr(CONF, '%s_listen' % name, "0.0.0.0")
+        self.host = getattr(CONF, '%s_listen' % name, "0.0.0.0")  # nosec B104
         self.port = getattr(CONF, '%s_listen_port' % name, 0)
         self.workers = getattr(CONF, '%s_workers' % name, None)
         self.use_ssl = getattr(CONF, '%s_use_ssl' % name, False)

tox.ini

@@ -64,6 +64,13 @@ commands = oslopolicy-sample-generator --config-file=etc/manila/manila-policy-ge
 [testenv:venv]
 commands = {posargs}
 
+[testenv:bandit]
+deps = bandit
+commands = bandit -r manila --ini tox.ini -n5 -ll
+
+[bandit]
+exclude = tests,tegile,hitachi,glusterfs,vnx,ssh_utils.py
+
 [testenv:docs]
 # NOTE(elod.illes): requirements.txt is needed because otherwise
 # dependencies are installed during 'develop-inst' tox phase without

zuul.d/project.yaml

@@ -31,6 +31,8 @@
             voting: false
         - manila-rally-ss:
             voting: false
+        - manila-tox-bandit:
+            voting: false
     gate:
       jobs:
         - manila-tox-py311-with-sqlalchemy-2x
@@ -98,3 +100,12 @@
         GLOBAL_VENV: false
     required-projects:
       - openstack/rally-openstack
+
+- job:
+  # Security testing for known issues
+    name: manila-tox-bandit
+    parent: openstack-tox
+    timeout: 2400
+    vars:
+      tox_envlist: bandit
+    irrelevant-files: *irrelevant-files