Add bandit to pep8 gate

Neutron uses bandit to detect security issues. This patch adds bandit to the pep8 gate to automatically lint for security issues in neutron-lib. Fixed two B101 errors it spotted. Change-Id: I39d713d0d230b5ae759daa6bc1be9794e6fe2a32
2018-06-14 11:38:33 -04:00 · 2018-06-14 11:38:33 -04:00 · 7ce2f557c6
commit 7ce2f557c6
parent c3fcdeb0f9
4 changed files with 15 additions and 2 deletions
--- a/neutron_lib/callbacks/registry.py
+++ b/neutron_lib/callbacks/registry.py
@ -13,6 +13,7 @@
 import collections
 import inspect

+from neutron_lib._i18n import _
 from neutron_lib.callbacks import manager
 from neutron_lib.callbacks import priority_group

@ -70,7 +71,9 @@ def receives(resource, events, priority=priority_group.PRIORITY_DEFAULT):
    @has_registry_receivers decorator to setup the __new__ method to
    actually register the instance methods after initialization.
    """
-    assert isinstance(events, (list, tuple, set)), 'events must be collection'
+    if not isinstance(events, (list, tuple, set)):
+        msg = _("'events' must be a collection (list, tuple, set)")
+        raise AssertionError(msg)

    def decorator(f):
        for e in events:
--- a/neutron_lib/db/api.py
+++ b/neutron_lib/db/api.py
@ -345,4 +345,7 @@ def _load_one_to_manys(session):
                continue
            if relationship_attr.key not in state.dict:
                getattr(new_object, relationship_attr.key)
-                assert relationship_attr.key in state.dict
+                if relationship_attr.key not in state.dict:
+                    msg = ("Relationship %s attributes must be loaded in db "
+                           "object %s" % (relationship_attr.key, state.dict))
+                    raise AssertionError(msg)
--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -4,6 +4,7 @@

 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0

+bandit>=1.1.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 flake8-import-order==0.12 # LGPLv3
--- a/tox.ini
+++ b/tox.ini
@ -24,6 +24,7 @@ basepython = python3
 commands =
  flake8
  {toxinidir}/tools/check_samples.sh
+  {[testenv:bandit]commands}

 [testenv:releasenotes]
 basepython = python3
@ -96,6 +97,11 @@ show-source = True
 exclude=.venv,.git,.tox,dist,doc,*lib/python*,*egg,build,tools
 import-order-style = pep8

+[testenv:bandit]
+# B104: Possible binding to all interfaces
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r neutron_lib -x tests -n5 -s B104
+
 [hacking]
 import_exceptions = neutron_lib._i18n
 local-check-factory = neutron_lib.hacking.checks._neutron_lib_factory