Hook bandit security linter to pep8 target
This helps catch a number of potential issues with the neutron code in advance. A false positive can be skipped with #nosec at the offending line, just like #noqa can be added on offending module imports. Change-Id: I3e4cbc94539dd2cce61bfa5cd0265e75d7336311
parent
bd4c2c9760
commit
85a3e93537
@ -296,7 +296,7 @@ class Service(service.Service):
|
||||
# errors, go ahead and ignore them.. as we're shutting down anyway
|
||||
try:
|
||||
self.conn.close()
|
||||
except Exception:
|
||||
except Exception: # nosec
|
||||
pass
|
||||
super(Service, self).stop()
|
||||
|
||||
|
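Review bot: The `# nosec` added to the `except Exception:` line silences bandit's try/except/pass check (B110) without saying why the swallow is acceptable at the point of suppression, even though the comment two lines up already gives the reason; tie the two together, e.g. `except Exception:  # nosec - best-effort close while shutting down`. Bandit looks for the `# nosec` token inside the comment, so trailing rationale text should not affect the suppression. A debug-level log in the handler would keep the best-effort behaviour while leaving a trace when close() fails, though whether a logger is in scope is not visible here. The enclosing stop() method starts outside the hunk.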
@ -163,7 +163,7 @@ def alter_enum(table, column, enum_type, nullable, do_drop=True,
|
||||
op.execute("ALTER TABLE %(table)s RENAME COLUMN %(column)s TO "
|
||||
"old_%(column)s" % values)
|
||||
op.add_column(table, sa.Column(column, enum_type, nullable=nullable))
|
||||
op.execute("UPDATE %(table)s SET %(column)s = "
|
||||
op.execute("UPDATE %(table)s SET %(column)s = " # nosec
|
||||
"old_%(column)s::text::%(name)s" % values)
|
||||
op.execute("ALTER TABLE %(table)s DROP COLUMN old_%(column)s" % values)
|
||||
if do_drop:
|
||||
|
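Review bot: The `# nosec` on the `UPDATE` statement suppresses bandit's string-built SQL check but records no reason why `%` interpolation is acceptable here; `values` appears to be built from the migration's own arguments (table, column, enum name) rather than external input, but that argument belongs on the line, e.g. `op.execute("UPDATE %(table)s SET %(column)s = "  # nosec - identifiers from migration code, not user input`. The neighbouring `ALTER TABLE` statements use the same interpolation and are unmarked, presumably because bandit's B608 pattern only matches SELECT/INSERT/UPDATE/DELETE shapes; the same trust argument applies to them, so the comment could say so once. alter_enum's body starts and continues outside the hunk.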
8
tox.ini
8
tox.ini
@ -108,6 +108,7 @@ commands=
|
||||
python ./tools/list_moved_globals.py
|
||||
{[testenv:genconfig]commands}
|
||||
{[testenv:bashate]commands}
|
||||
{[testenv:bandit]commands}
|
||||
whitelist_externals =
|
||||
sh
|
||||
bash
|
||||
@ -152,8 +153,13 @@ import_exceptions = neutron._i18n
|
||||
local-check-factory = neutron.hacking.checks.factory
|
||||
|
||||
[testenv:bandit]
|
||||
# B101: Use of assert detected
|
||||
# B104: Possible binding to all interfaces
|
||||
# B108: Probable insecure usage of temp file/directory
|
||||
# B111: Execute with run_as_root=True identified, possible security issue
|
||||
# B311: Standard pseudo-random generators are not suitable for security/cryptographic purpose
|
||||
deps = -r{toxinidir}/test-requirements.txt
|
||||
commands = bandit -r neutron -x tests -n5
|
||||
commands = bandit -r neutron -x tests -n5 -s B101,B104,B108,B111,B311
|
||||
|
||||
[testenv:bashate]
|
||||
commands = bash -c "find {toxinidir} \
|
||||
|
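Review bot: The `-s B101,B104,B108,B111,B311` skip list in `[testenv:bandit]` disables those checks for the whole tree, so a later bind to all interfaces or a new `random`-based value in a security-sensitive path would pass the pep8 gate silently; the commit message's own guidance (per-line `# nosec`) is the narrower tool for the known-acceptable sites, with `-s` reserved for checks that are genuinely irrelevant to this codebase (B101 on asserts is the usual candidate). The comment block above `deps` explains what each id means, which helps — consider also stating why each is skipped. Separately, `{[testenv:bandit]commands}` in the pep8 env runs bandit with whatever the pep8 env installs, which is outside this hunk, and this diff does not show bandit being added to test-requirements.txt; if it is not already there, the pep8 env will fail on a missing command.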