From ef9db227440c4c1396fdf9ddc61576dc44806be9 Mon Sep 17 00:00:00 2001
From: Craig Bryant
Date: Mon, 6 Feb 2017 12:45:23 -0700
Subject: [PATCH] Turn on bandit check as part of pep8
Add bandit job as part of pep8 in tox.ini Had to mark two instances of try except pass as OK so that bandit will pass
Change-Id: If3b78e9dcbfc65c232a6ba35665430a6463841e6
---
monasca_notification/main.py | 10 +++++++---
test-requirements.txt | 1 +
tox.ini | 14 +++++++++++++-
3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/monasca_notification/main.py b/monasca_notification/main.py
index bc86265..0d8b232 100644
--- a/monasca_notification/main.py
+++ b/monasca_notification/main.py
@@ -1,4 +1,4 @@
-# (C) Copyright 2014-2016 Hewlett Packard Enterprise Development Company LP
+# (C) Copyright 2014-2017 Hewlett Packard Enterprise Development LP
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -56,7 +56,9 @@ def clean_exit(signum, frame=None):
if process.is_alive():
process.terminate() # Sends sigterm which any processes after a notification is sent attempt to handle
wait_for_exit = True
- except Exception:
+ except Exception: # nosec
+ # There is really nothing to do if the kill fails, so just go on.
+ # The # nosec keeps bandit from reporting this as a security issue
pass
# wait for a couple seconds to give the subprocesses a chance to shut down correctly.
@@ -68,7 +70,9 @@ def clean_exit(signum, frame=None):
log.debug('Killing pid %s' % child.pid)
try:
os.kill(child.pid, signal.SIGKILL)
- except Exception:
+ except Exception: # nosec
+ # There is really nothing to do if the kill fails, so just go on.
+ # The # nosec keeps bandit from reporting this as a security issue
pass
if signum == signal.SIGTERM:
diff --git a/test-requirements.txt b/test-requirements.txt
index 18a38c7..5ff92f1 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
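Review bot: The `# nosec` added to `except Exception:` only hides bandit's try_except_pass finding (B110); the handler still swallows every exception around `process.is_alive()` / `process.terminate()`, including programming errors such as an AttributeError, with nothing written to the log. The failure this block can plausibly see is the child having already exited, which surfaces as OSError (assuming `process` is a multiprocessing.Process, as `is_alive()`/`terminate()` suggest), so narrowing the clause and recording it keeps the best-effort semantics while leaving a trace: `except OSError as e:` / `log.debug('Failed to terminate pid %s: %s', process.pid, e)`. B110 only fires on a handler whose body is a bare `pass`, so once the body logs, the suppression comment is no longer needed. `clean_exit` begins before this hunk and continues after it.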
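Review bot: `os.kill(child.pid, signal.SIGKILL)` fails in practice only with OSError (ESRCH when the child is already gone, EPERM if the pid now belongs to a process we may not signal), so `except Exception: # nosec` is far wider than the failure the comment describes, and the marker hides that width from bandit rather than fixing it. Prefer `except OSError as e:` with `log.debug('Failed to kill pid %s: %s', child.pid, e)`; an EPERM here could indicate pid reuse or a privilege problem worth seeing in the log, and with a logging body instead of a bare `pass` bandit's B110 no longer fires, so `# nosec` can be dropped. The two added comment lines are duplicated verbatim from the previous hunk; a single `# best effort: the child may already have exited` says more than explaining the linter marker twice. `clean_exit` continues outside this hunk.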
@@ -2,6 +2,7 @@
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
# Hacking already pins down pep8, pyflakes and flake8
+bandit>=1.1.0 # Apache-2.0
hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
coverage>=4.0 # Apache-2.0
mock>=2.0 # BSD
diff --git a/tox.ini b/tox.ini
index 6fc407c..a9976c0 100644
--- a/tox.ini
+++ b/tox.ini
@@ -56,11 +56,19 @@
commands = oslo_debug_helper -t ./monasca_notification/tests {posargs}
[testenv:pep8]
-commands = flake8
+deps =
+ {[testenv]deps}
+commands =
+ {[testenv:flake8]commands}
+ {[bandit]commands}
[testenv:venv]
commands = {posargs}
+[testenv:flake8]
+commands =
+ flake8 monasca_notification
+
[flake8]
max-line-length = 120
# TODO: ignored checks should be enabled in the future
@@ -68,3 +76,7 @@ max-line-length = 120
# H405 multi line docstring summary not separated with an empty line
ignore = F821,H201,H405
exclude=.venv,.git,.tox,dist,*egg,build
+
+[bandit]
+commands =
+ bandit -r monasca_notification -n5 -x monasca_notification/tests
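Review bot: `bandit>=1.1.0` has no upper bound, and bandit adds and tightens plugins between releases, so the pep8 gate this change wires it into can start failing without any code change the day a newer bandit is picked up. If the tox environments install under OpenStack's upper-constraints that is handled there; if they do not (the base `[testenv]` deps are outside this diff), cap it, e.g. `bandit>=1.1.0,<1.2 # Apache-2.0`, or note in the commit message that bandit bumps are expected to require triage of new findings.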
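Review bot: Replacing the bare `flake8` with `flake8 monasca_notification` narrows the lint scope from the whole checkout to the package directory, so a top-level `setup.py` or any tools scripts that the existing `[flake8]` `exclude=` line did not filter are no longer checked; the commit message describes adding bandit, not shrinking flake8 coverage. If the narrowing is intended, say so in the commit message; otherwise keep `flake8` without arguments (the `exclude=` list already drops .tox, build and eggs) or name the extra paths explicitly, e.g. `flake8 monasca_notification setup.py`. The `[flake8]` section this hunk enters continues in the next hunk.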
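Review bot: The bandit invocation lives in a plain `[bandit]` ini section rather than a tox environment, so unlike the new `[testenv:flake8]` it cannot be run on its own with `tox -e bandit` and has no deps of its own beyond whatever the calling environment installs. For consistency with the flake8 split made in the same change, declare it as `[testenv:bandit]` with `commands = bandit -r monasca_notification -n5 -x monasca_notification/tests` and reference `{[testenv:bandit]commands}` from `[testenv:pep8]`. The `-x monasca_notification/tests` exclusion also deserves a one-line reason so nobody later "fixes" it by removing it or by never scanning test helpers that shell out, e.g. `# tests excluded: asserts and fixture credentials would trip bandit`.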