From 85a3e93537fcc2055705cb95a38e88c47ccd500a Mon Sep 17 00:00:00 2001
From: Armando Migliaccio
Date: Fri, 28 Jul 2017 17:50:41 -0700
Subject: [PATCH] Hook bandit security linter to pep8 target
This helps catch a number of potential issues with the neutron code in advance. A false positive can be skipped with #nosec at the offending line, just like #noqa can be added on offending module imports.
Change-Id: I3e4cbc94539dd2cce61bfa5cd0265e75d7336311
---
 neutron/common/rpc.py | 2 +-
 neutron/db/migration/__init__.py | 2 +-
 tox.ini | 8 +++++++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/neutron/common/rpc.py b/neutron/common/rpc.py
index bb9ddcdb8c7..5bf7240cfae 100644
--- a/neutron/common/rpc.py
+++ b/neutron/common/rpc.py
@@ -296,7 +296,7 @@ class Service(service.Service):
 # errors, go ahead and ignore them.. as we're shutting down anyway
 try:
 self.conn.close()
- except Exception:
+ except Exception: # nosec
 pass
 super(Service, self).stop()
diff --git a/neutron/db/migration/__init__.py b/neutron/db/migration/__init__.py
index d8f29926b2a..ce1f6ba4fd7 100644
--- a/neutron/db/migration/__init__.py
+++ b/neutron/db/migration/__init__.py
@@ -163,7 +163,7 @@ def alter_enum(table, column, enum_type, nullable, do_drop=True,
 op.execute("ALTER TABLE %(table)s RENAME COLUMN %(column)s TO "
 "old_%(column)s" % values)
 op.add_column(table, sa.Column(column, enum_type, nullable=nullable))
- op.execute("UPDATE %(table)s SET %(column)s = "
+ op.execute("UPDATE %(table)s SET %(column)s = " # nosec
 "old_%(column)s::text::%(name)s" % values)
 op.execute("ALTER TABLE %(table)s DROP COLUMN old_%(column)s" % values)
 if do_drop:
diff --git a/tox.ini b/tox.ini
index 7298e32fc74..a555d9090f3 100644
--- a/tox.ini
+++ b/tox.ini
@@ -108,6 +108,7 @@ commands=
 python ./tools/list_moved_globals.py
 {[testenv:genconfig]commands}
 {[testenv:bashate]commands}
+ {[testenv:bandit]commands}
 whitelist_externals =
 sh
 bash
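Review bot: The `# nosec` added on the `except Exception:` line silences every bandit plugin for that line, not only the try/except/pass finding (B110) it is meant for; if the bandit version in use accepts a test id after the marker, `except Exception:  # nosec B110` keeps the suppression narrow (confirm support against the pinned version). The comment above the `try` already states why errors are ignored during shutdown, which is the justification a reader of the marker needs, so no further comment is required. An alternative that needs no suppression at all is to record the swallowed error instead of `pass`, e.g. `except Exception as e:` followed by `LOG.debug("Ignoring error closing RPC connection on stop: %s", e)`, provided this module has a logger, since the plugin only fires on a handler whose body is a bare `pass`. The enclosing `stop()` method starts outside the hunk.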
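Review bot: The `# nosec` placed on the `UPDATE` statement in `alter_enum` carries no rationale, and the neighbouring `ALTER TABLE ... RENAME` and `DROP COLUMN` statements in the same hunk are built the same way with `% values` yet are left unmarked, presumably only because bandit's hardcoded-SQL check keys on DML keywords; a reader cannot tell from the line why this one statement is exempt. Recording the reason next to the marker, e.g. `# nosec: table/column/type names come from migration code, not request data`, makes the exemption reviewable, and it is worth confirming that every caller of `alter_enum` passes literal identifiers, since identifiers cannot be bound as query parameters and the provenance of `values` is the only defence here. `alter_enum` starts before the hunk and continues past it, so where `values` is assembled is not visible in this view.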
@@ -152,8 +153,13 @@ import_exceptions = neutron._i18n
 local-check-factory = neutron.hacking.checks.factory
 [testenv:bandit]
+# B101: Use of assert detected
+# B104: Possible binding to all interfaces
+# B108: Probable insecure usage of temp file/directory
+# B111: Execute with run_as_root=True identified, possible security issue
+# B311: Standard pseudo-random generators are not suitable for security/cryptographic purpose
 deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -r neutron -x tests -n5
+commands = bandit -r neutron -x tests -n5 -s B101,B104,B108,B111,B311
 [testenv:bashate]
 commands = bash -c "find {toxinidir} \
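Review bot: The `-s B101,B104,B108,B111,B311` skip list disables these tests for the entire `neutron` tree, and the comment block added above it describes what each test detects but not why skipping it is acceptable; B104 (binding to all interfaces) and B108 (insecure temp file usage) are real defect classes for a network daemon, so a tree-wide skip means any new occurrence will never be reported by the gate that the earlier tox.ini hunk (`{[testenv:bandit]commands}` under the pep8 env) now wires in. Prefer per-site `# nosec` markers for the occurrences that are known to be acceptable, as the other two hunks of this patch already do, and keep a tree-wide skip only for tests whose findings are noise across the whole code base. Each `# Bxxx:` comment should state the reason the finding does not apply to this tree rather than repeating the test's own description, so a later reader can tell whether the skip is still justified.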