diff --git a/.zuul.yaml b/.zuul.yaml
index 2e5e1a1c..17d73dd3 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -7,8 +7,8 @@
 check:
 jobs:
  - openstack-tox-linters
- # - py3-bandit
- # - py3-flake8
+ - py3-bandit
+ - py3-flake8
  - patch-tox-pylint
  - patch-tox-py27
  - patch-tox-py36
@@ -18,8 +18,8 @@
 gate:
 jobs:
  - openstack-tox-linters
- # - py3-bandit
- # - py3-flake8
+ - py3-bandit
+ - py3-flake8
  - patch-tox-pylint
  - patch-tox-py27
  - patch-tox-py36
diff --git a/test-requirements.txt b/test-requirements.txt
index fd1d9d87..5bdc3b28 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -2,6 +2,7 @@
 hacking>=2.0<2.1
 pycodestyle>=2.0.0 # MIT License
 mock>=2.0.0 # BSD
+bandit!=1.6.0,>=1.1.0,<2.0.0
 bashate >= 0.2
 PyYAML >= 3.1.0
 yamllint >= 0.5.2
diff --git a/tox.ini b/tox.ini
index 62dfc2ee..4d62b3e7 100644
--- a/tox.ini
+++ b/tox.ini
@@ -67,6 +67,29 @@ commands =
 filename= *.preapply
  *.preremove
+ *.py
+# ignore below errors , will fix flake8 errors in future
+# H101 Use TODO(NAME)
+# H102 Apache 2.0 license header not found
+# H105 Don't use author tags
+# H306 imports not in alphabetical order
+# H401 docstring should not start with a space
+# H404 multi line docstring should start without a leading new line
+# H405 multi line docstring summary not separated with an empty line
+# Note: W503 and W504 are mutually exclusive. Must select one of them to suppress.
+# W504 line break after binary operator
+# E501 line too long. skipped because some of the code files include templates
+# that end up quite wide
+# F401 'XXXXX' imported but unused
+show-source = True
+ignore = H101,H102,H105,H306,H401,H404,H405,
+ W504,E501,F401
+exclude = .venv,.git,.tox,dist,doc,*lib/python*,*egg,build,release-tag-*
+# H106: Don't put vim configuration in source files (off by default).
+# H203: Use assertIs(Not)None to check for None (off by default).
+# enable: H904 Delay string interpolations at logging calls (off by default).
+enable-extensions = H106 H203 H904
+max-line-length = 120
 
 [testenv:flake8]
 basepython = python3
@@ -75,8 +98,8 @@ whitelist_externals = cp
  tox
 recreate = True
 commands = {[testenv]commands}
- tox -c cgcs-patch/cgcs-patch -e flake8
- tox -c patch-alarm/patch-alarm -e flake8
+ flake8 cgcs-patch/cgcs-patch/cgcs_patch
+ flake8 patch-alarm/patch-alarm/patch_alarm
  flake8 {toxinidir}/patch-scripts/kube-upgrade
 
 [testenv:venv]
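Review bot: The new `ignore =` setting in the `[flake8]` section replaces flake8's built-in default ignore list rather than adding to it, so codes that were silent by default (the E12x/E226/E24/E704 group and W503) start being reported; that is presumably why the W503/W504 comment above it was needed, and if keeping the defaults was the intent the option that extends them is `extend-ignore = H101,H102,H105,H306,H401,H404,H405,W504,E501,F401`. `max-line-length = 120` has no effect while E501 sits in the ignore list, so either remove E501 and rely on the 120-column limit, or drop the setting and say so in the E501 comment. The `[flake8]` section header itself appears to lie before the hunk, so the earlier options of the section are not visible here.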
@@ -108,15 +131,31 @@ commands = {[testenv]commands}
  tox -c cgcs-patch/cgcs-patch -e py36
  tox -c patch-alarm/patch-alarm -e py36
 
+
+[bandit]
+# B101: Test for use of assert
+# B104: Test for binding to all interfaces
+# B110: Try, Except, Pass detected.
+# B303: Use of insecure MD2, MD4, MD5, or SHA1 hash function.
+# B311: Standard pseudo-random generators are not suitable for security/cryptographic purposes
+# B314: Blacklisted calls to xml.etree.ElementTree
+# B318: Blacklisted calls to xml.dom.minidom
+# B404: Import of subprocess module
+# B405: import xml.etree
+# B408: import xml.minidom
+# B413: import pyCrypto
+# B506: Test for use of yaml load
+# B602: Test for use of popen with shell equals true
+# B603: Test for use of subprocess without shell equals true
+# B607: Test for starting a process with a partial path
+skips = B101,B104,B110,B303,B311,B314,B318,B404,B405,B408,B413,B506,B602,B603,B607
+exclude = tests
+
 [testenv:bandit]
 basepython = python3
-commands = {[testenv]commands}
- tox -c cgcs-patch/cgcs-patch -e bandit
- tox -c patch-alarm/patch-alarm -e bandit
-deps = {[testenv]deps}
-recreate = True
-whitelist_externals = find
- tox
+description = Bandit code scan for *.py files source code folders
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit --ini tox.ini -r {toxinidir}/ -x '**/.tox/**,**/.eggs/**' -lll
 
 [testenv:pylint]
 basepython = python2.7
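Review bot: The `skips` list in the new `[bandit]` section, together with `-lll` on the `bandit` command in `[testenv:bandit]`, leaves the gate with very little to enforce: it disables the checks that usually carry the substantive findings — B303 (weak hashes), B506 (`yaml.load`), B602 (`shell=True`), B104 (binding to all interfaces) and the XML-parsing checks B314/B318/B405/B408 — and `-lll` then drops every low- and medium-severity result from whatever remains. Each skipped ID is annotated only with the test's title, not with why it is acceptable for this codebase, so a short reason or tracking reference per entry, e.g. `# B506: yaml.load in <module placeholder> - TODO(owner) switch to safe_load and drop this skip`, would make the list reviewable and time-bound. Suppressing only the specific call sites with `# nosec` plus a justification, instead of a repository-wide skip, would keep new occurrences of the same patterns visible to the scan. The `[testenv:pylint]` section continues past the end of the hunk.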