Hook bandit security linter to pep8 target

This helps catch a number of potential issues with the neutron code in advance. A false positive can be skipped with #nosec at the offending line, just like #noqa can be added on offending module imports. (cherry picked from commit 85a3e93537) Change-Id: I3e4cbc94539dd2cce61bfa5cd0265e75d7336311
2017-07-28 17:50:41 -07:00 · 2017-07-28 17:50:41 -07:00 · 18fd170927
parent 7a89752e2f
commit 18fd170927
3 changed files with 9 additions and 3 deletions
--- a/neutron/common/rpc.py
+++ b/neutron/common/rpc.py
@ -310,7 +310,7 @@ class Service(service.Service):
        # errors, go ahead and ignore them.. as we're shutting down anyway
        try:
            self.conn.close()
-        except Exception:
+        except Exception:  # nosec
            pass
        super(Service, self).stop()

--- a/neutron/db/migration/init.py
+++ b/neutron/db/migration/init.py
@ -165,7 +165,7 @@ def alter_enum(table, column, enum_type, nullable, do_drop=True,
        op.execute("ALTER TABLE %(table)s RENAME COLUMN %(column)s TO "
                   "old_%(column)s" % values)
        op.add_column(table, sa.Column(column, enum_type, nullable=nullable))
-        op.execute("UPDATE %(table)s SET %(column)s = "
+        op.execute("UPDATE %(table)s SET %(column)s = "  # nosec
                   "old_%(column)s::text::%(name)s" % values)
        op.execute("ALTER TABLE %(table)s DROP COLUMN old_%(column)s" % values)
        if do_drop:
--- a/tox.ini
+++ b/tox.ini
@ -108,6 +108,7 @@ commands=
  python ./tools/list_moved_globals.py
  {[testenv:genconfig]commands}
  {[testenv:bashate]commands}
+  {[testenv:bandit]commands}
 whitelist_externals =
  sh
  bash
@ -152,8 +153,13 @@ import_exceptions = neutron._i18n
 local-check-factory = neutron.hacking.checks.factory

 [testenv:bandit]
+# B101: Use of assert detected
+# B104: Possible binding to all interfaces
+# B108: Probable insecure usage of temp file/directory
+# B111: Execute with run_as_root=True identified, possible security issue
+# B311: Standard pseudo-random generators are not suitable for security/cryptographic purpose
 deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -r neutron -x tests -n5
+commands = bandit -r neutron -x tests -n5 -s B101,B104,B108,B111,B311

 [testenv:bashate]
 commands = bash -c "find {toxinidir}             \