Merge "add a bandit environment to tox"

2016-05-02 14:03:29 +00:00 · 2016-05-02 14:03:29 +00:00 · 1ccb26b5c9
commit 1ccb26b5c9
parent 9ec41c0397 505659b0aa
2 changed files with 32 additions and 2 deletions
--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -17,6 +17,7 @@ testrepository>=0.0.18 # Apache-2.0/BSD
 testtools>=1.4.0 # MIT
 tempest>=11.0.0 # Apache-2.0
 osprofiler>=1.3.0 # Apache-2.0
+bandit>=1.0.1 # Apache-2.0

 # Install these to generate sphinx autodocs
 python-barbicanclient>=4.0.0 # Apache-2.0
--- a/tox.ini
+++ b/tox.ini
@ -12,7 +12,36 @@ commands = ostestr {posargs}
 whitelist_externals = ostestr

 [testenv:pep8]
-commands = flake8
+commands =
+    flake8
+    bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
+
+[testenv:bandit]
+# This command runs the bandit security linter against the openstackclient
+# codebase minus the tests directory. Some tests are being excluded to
+# reduce the number of positives before a team inspection, and to ensure a
+# passing gate job for initial addition. The excluded tests are:
+# B105-B107: hardcoded password checks - likely to generate false positives
+#            in a gate environment
+# B401: import subprocess - not necessarily a security issue; this plugin is
+#       mainly used for penetration testing workflow
+# B603,B606: process without shell - not necessarily a security issue; this
+#            plugin is mainly used for penetration testing workflow
+# B607: start process with a partial path - this should be a project level
+#       decision
+# NOTE(elmiko): The following tests are being excluded specifically for
+# python-openstackclient, they are being excluded to ensure that voting jobs
+# in the project and in bandit integration tests continue to pass. These
+# tests have generated issue within the project and should be investigated
+# by the project.
+# B110: try, except, pass detected - possible security issue; this should be
+#       investigated by the project for possible exploitation
+# B605: process with a shell - possible security issue; this should be
+#       investigated by the project for possible exploitation
+# B101: use of assert - this code will be removed when compiling to optimized
+#       byte code
+commands =
+    bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101

 [testenv:functional]
 setenv = OS_TEST_PATH=./functional/tests
@ -40,4 +69,4 @@ show-source = True
 exclude = .git,.tox,dist,doc,*openstack/common*,*lib/python*,*egg,build,tools
 # If 'ignore' is not set there are default errors and warnings that are set
 # Doc: http://flake8.readthedocs.org/en/latest/config.html#default
-ignore = __
+ignore = __