Merge "tox: Remove bandit skips, run via pre-commit"
		@@ -26,7 +26,7 @@ repos:
    rev: 1.7.8
    hooks:
      - id: bandit
        args: ['-x', 'tests', '-s', 'B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101']
        args: ['-x', 'tests']
  - repo: https://opendev.org/openstack/hacking
    rev: 6.1.0
    hooks:
@@ -113,6 +113,6 @@ class ListModule(command.ShowOne):
                            data[k] = mods[k].__version__
                    except Exception:
                        # Catch all exceptions, just skip it
                        pass
                        pass  # nosec: B110
        return zip(*sorted(data.items()))
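Review bot: The `except Exception:` above the annotated `pass` is broader than the failure it is meant to absorb: the only statement visible in the `try` is `data[k] = mods[k].__version__`, whose expected failure is a module that exposes no `__version__` attribute. Narrowing it to `except AttributeError:  # module exposes no __version__; leave it out of the listing` keeps the skip behaviour, stops masking unrelated errors, and in bandit's default configuration B110 does not report a typed handler, so the `# nosec: B110` marker would no longer be needed. If other exception types are known to occur here, keep the broad catch but log at debug level instead of a bare `pass`. The enclosing method starts outside the hunk.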
@@ -2843,11 +2843,12 @@ class ListServer(command.Lister):
            # there are infra failures
            if parsed_args.name_lookup_one_by_one or image_id:
                for image_id in image_ids:
                    # "Image Name" is not crucial, so we swallow any exceptions
                    try:
                        images[image_id] = image_client.get_image(image_id)
                    except Exception:
                        pass
                        # retrieving image names is not crucial, so we swallow
                        # any exceptions
                        pass  # nosec: B110
            else:
                try:
                    # some deployments can have *loads* of images so we only
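Review bot: The annotated `pass` in the image `except Exception:` handler now sits under two comments saying the same thing — `# "Image Name" is not crucial, so we swallow any exceptions` above the `try` and the new `# retrieving image names is not crucial, so we swallow any exceptions` inside the handler — and the flavor hunk further down repeats the pattern. Rather than documenting the swallow twice, the handler could record what was lost: `LOG.debug("Could not retrieve image %s", image_id, exc_info=True)` in place of `pass  # nosec: B110` (this file already has a `LOG` logger, used in the ssh hunk below); once the body is no longer a bare `pass`, B110 does not apply and the marker can go. The same applies to the `except Exception:` handlers in the next two hunks of this file. The enclosing method starts before this hunk and continues past it.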
@@ -2866,7 +2867,9 @@ class ListServer(command.Lister):
                    for i in images_list:
                        images[i.id] = i
                except Exception:
                    pass
                    # retrieving image names is not crucial, so we swallow any
                    # exceptions
                    pass  # nosec: B110
            # create a dict that maps flavor_id to flavor object, which is used
            # to display the "Flavor Name" column. Note that 'flavor.id' is not
@@ -2878,21 +2881,23 @@ class ListServer(command.Lister):
                    for s in data
                    if s.flavor and s.flavor.get('id')
                ):
                    # "Flavor Name" is not crucial, so we swallow any
                    # exceptions
                    try:
                        flavors[f_id] = compute_client.find_flavor(
                            f_id, ignore_missing=False
                        )
                    except Exception:
                        pass
                        # retrieving flavor names is not crucial, so we swallow
                        # any exceptions
                        pass  # nosec: B110
            else:
                try:
                    flavors_list = compute_client.flavors(is_public=None)
                    for i in flavors_list:
                        flavors[i.id] = i
                except Exception:
                    pass
                    # retrieving flavor names is not crucial, so we swallow any
                    # exceptions
                    pass  # nosec: B110
        # Populate image_name, image_id, flavor_name and flavor_id attributes
        # of server objects so that we can display those columns.
@@ -4805,7 +4810,9 @@ class SshServer(command.Command):
        cmd = ' '.join(['ssh', ip_address] + args)
        LOG.debug("ssh command: {cmd}".format(cmd=cmd))
        os.system(cmd)
        # we intentionally pass through user-provided arguments and run this in
        # the user's shell
        os.system(cmd)  # nosec: B605
class StartServer(command.Command):
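Review bot: The new comment justifies `os.system(cmd)` by the user-supplied arguments, but the string handed to the shell also contains `ip_address`, which is joined in at `cmd = ' '.join(['ssh', ip_address] + args)` and, as far as this hunk shows, is not typed by the user; any shell metacharacters in that value are interpreted together with the arguments. If the intent is only to forward the user's arguments verbatim, `subprocess.call(['ssh', ip_address] + args)` does that without a shell parse and without the `# nosec: B605` marker (`subprocess` would need importing if this module does not already have it). If shell expansion of `args` is genuinely wanted, the comment should say so and record where the address comes from, e.g. `# NOTE: args are deliberately shell-expanded; ip_address is taken from the server record, not from user input — confirm`, so the next bandit audit can see the trade-off was deliberate. The enclosing method starts outside the hunk.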
@@ -182,7 +182,7 @@ class ListUsage(command.Lister):
                project_cache[p.id] = p
        except Exception:
            # Just forget it if there's any trouble
            pass
            pass  # nosec: B110
        if parsed_args.formatter == 'table' and len(usage_list) > 0:
            self.app.stdout.write(
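Review bot: `pass  # nosec: B110` is now the only content of the `except Exception:` handler, and the existing comment `# Just forget it if there's any trouble` does not say why forgetting is safe, so a reader auditing the suppression has to work out that `project_cache` presumably only feeds a display column (the user section below shows the same cache being handed to `ProjectColumn`). The marker is worth more with a reason next to it, e.g. replace the comment with `# project_cache only enriches the displayed project column; a failed lookup degrades the output, not the result`, or, if this module has a logger, put `LOG.debug("project lookup failed", exc_info=True)` in place of the `pass`, which also removes the B110 hit. The same one-line `pass  # nosec: B110` handlers appear in the user, volume, volume backup and volume snapshot sections below (both the v1 and v2 copies) and would benefit from the same treatment. The enclosing method starts outside the hunk.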
@@ -252,7 +252,7 @@ class ListUser(command.Lister):
                    project_cache[p.id] = p
            except Exception:
                # Just forget it if there's any trouble
                pass
                pass  # nosec: B110
            formatters['tenantId'] = functools.partial(
                ProjectColumn, project_cache=project_cache
            )
@@ -424,7 +424,7 @@ class ListVolume(command.Lister):
                server_cache[s.id] = s
        except Exception:
            # Just forget it if there's any trouble
            pass
            pass  # nosec: B110
        AttachmentsColumnWithCache = functools.partial(
            AttachmentsColumn, server_cache=server_cache
        )
@@ -217,7 +217,7 @@ class ListVolumeBackup(command.Lister):
                volume_cache[s.id] = s
        except Exception:
            # Just forget it if there's any trouble
            pass
            pass  # nosec: B110
        VolumeIdColumnWithCache = functools.partial(
            VolumeIdColumn, volume_cache=volume_cache
        )
@@ -244,7 +244,7 @@ class ListVolumeSnapshot(command.Lister):
                volume_cache[s.id] = s
        except Exception:
            # Just forget it if there's any trouble
            pass
            pass  # nosec: B110
        VolumeIdColumnWithCache = functools.partial(
            VolumeIdColumn, volume_cache=volume_cache
        )
@@ -537,7 +537,7 @@ class ListVolume(command.Lister):
                    server_cache[s.id] = s
            except Exception:
                # Just forget it if there's any trouble
                pass
                pass  # nosec: B110
        AttachmentsColumnWithCache = functools.partial(
            AttachmentsColumn, server_cache=server_cache
        )
@@ -325,7 +325,7 @@ class ListVolumeBackup(command.Lister):
                volume_cache[s.id] = s
        except Exception:
            # Just forget it if there's any trouble
            pass
            pass  # nosec: B110
        _VolumeIdColumn = functools.partial(
            VolumeIdColumn, volume_cache=volume_cache
@@ -289,7 +289,7 @@ class ListVolumeSnapshot(command.Lister):
                volume_cache[s.id] = s
        except Exception:
            # Just forget it if there's any trouble
            pass
            pass  # nosec: B110
        _VolumeIdColumn = functools.partial(
            VolumeIdColumn, volume_cache=volume_cache
        )
										33
									
								
								tox.ini
							@@ -16,37 +16,18 @@ commands =
    stestr run {posargs}
[testenv:pep8]
skip_install = true
deps =
  pre-commit
    pre-commit
commands =
  pre-commit run --all-files --show-diff-on-failure
    pre-commit run --all-files --show-diff-on-failure
[testenv:bandit]
# This command runs the bandit security linter against the openstackclient
# codebase minus the tests directory. Some tests are being excluded to
# reduce the number of positives before a team inspection, and to ensure a
# passing gate job for initial addition. The excluded tests are:
# B105-B107: hardcoded password checks - likely to generate false positives
#            in a gate environment
# B401: import subprocess - not necessarily a security issue; this plugin is
#       mainly used for penetration testing workflow
# B603,B606: process without shell - not necessarily a security issue; this
#            plugin is mainly used for penetration testing workflow
# B607: start process with a partial path - this should be a project level
#       decision
# NOTE(elmiko): The following tests are being excluded specifically for
# python-openstackclient, they are being excluded to ensure that voting jobs
# in the project and in bandit integration tests continue to pass. These
# tests have generated issue within the project and should be investigated
# by the project.
# B110: try, except, pass detected - possible security issue; this should be
#       investigated by the project for possible exploitation
# B605: process with a shell - possible security issue; this should be
#       investigated by the project for possible exploitation
# B101: use of assert - this code will be removed when compiling to optimized
#       byte code
skip_install = true
deps =
    pre-commit
commands =
    bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
    pre-commit run --all-files --show-diff-on-failure bandit
[testenv:unit-tips]
commands =
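Review bot: `[testenv:bandit]` loses the comment block that explained which bandit tests were skipped and why, but nothing replaces it with where those decisions now live; a reader of tox.ini sees only a pre-commit invocation and no hint that suppressions are now per-line. A short comment above `skip_install = true` would close the gap, e.g. `# Runs the bandit pre-commit hook; per-finding suppressions live inline as '# nosec <ID>' comments next to the code they cover, and the hook's arguments are in .pre-commit-config.yaml.` Separately, the env is now identical to `[testenv:pep8]` except for the hook filter, so `deps = {[testenv:pep8]deps}` would keep the two from drifting apart.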