fdb2d16236
This change is being proposed as part of the OpenStack Security Project working session at the Austin 2016 summit. It adds support for running the bandit[1] security linting tool against the python-openstackclient codebase. This change adds a targetted environment for bandit and also adds bandit as part of the pep8 job. The bandit configuration has been tailored to exclude tests that are currently producing warning against the codebase. These issues will be followed up with bug reports and patches. [1]: https://wiki.openstack.org/wiki/Security/Projects/Bandit Depends-On: Iccd81c17e84df03d249c1012277dad9cb68c5845 Change-Id: I691829c1224557d1d239c9f665ac539d0f13c4d3
73 lines
2.7 KiB
INI
73 lines
2.7 KiB
INI
[tox]
|
|
minversion = 1.6
|
|
envlist = py34,py27,pep8
|
|
skipdist = True
|
|
|
|
[testenv]
|
|
usedevelop = True
|
|
install_command = pip install -U {opts} {packages}
|
|
setenv = VIRTUAL_ENV={envdir}
|
|
deps = -r{toxinidir}/test-requirements.txt
|
|
commands = ostestr {posargs}
|
|
whitelist_externals = ostestr
|
|
|
|
[testenv:pep8]
|
|
commands =
|
|
flake8
|
|
bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
|
|
|
|
[testenv:bandit]
|
|
# This command runs the bandit security linter against the openstackclient
|
|
# codebase minus the tests directory. Some tests are being excluded to
|
|
# reduce the number of positives before a team inspection, and to ensure a
|
|
# passing gate job for initial addition. The excluded tests are:
|
|
# B105-B107: hardcoded password checks - likely to generate false positives
|
|
# in a gate environment
|
|
# B401: import subprocess - not necessarily a security issue; this plugin is
|
|
# mainly used for penetration testing workflow
|
|
# B603,B606: process without shell - not necessarily a security issue; this
|
|
# plugin is mainly used for penetration testing workflow
|
|
# B607: start process with a partial path - this should be a project level
|
|
# decision
|
|
# NOTE(elmiko): The following tests are being excluded specifically for
|
|
# python-openstackclient, they are being excluded to ensure that voting jobs
|
|
# in the project and in bandit integration tests continue to pass. These
|
|
# tests have generated issue within the project and should be investigated
|
|
# by the project.
|
|
# B110: try, except, pass detected - possible security issue; this should be
|
|
# investigated by the project for possible exploitation
|
|
# B605: process with a shell - possible security issue; this should be
|
|
# investigated by the project for possible exploitation
|
|
# B101: use of assert - this code will be removed when compiling to optimized
|
|
# byte code
|
|
commands =
|
|
bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
|
|
|
|
[testenv:functional]
|
|
setenv = OS_TEST_PATH=./functional/tests
|
|
passenv = OS_*
|
|
|
|
[testenv:venv]
|
|
commands = {posargs}
|
|
|
|
[testenv:cover]
|
|
commands =
|
|
python setup.py test --coverage --testr-args='{posargs}'
|
|
coverage report
|
|
|
|
[testenv:debug]
|
|
commands = oslo_debug_helper -t openstackclient/tests {posargs}
|
|
|
|
[testenv:docs]
|
|
commands = python setup.py build_sphinx
|
|
|
|
[testenv:releasenotes]
|
|
commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
|
|
|
|
[flake8]
|
|
show-source = True
|
|
exclude = .git,.tox,dist,doc,*openstack/common*,*lib/python*,*egg,build,tools
|
|
# If 'ignore' is not set there are default errors and warnings that are set
|
|
# Doc: http://flake8.readthedocs.org/en/latest/config.html#default
|
|
ignore = __
|