Enable tox bandit checks for python in update repo

Bandit gate jobs are used by openstack for security checks. Adding a zuul job so that any new bandit failures will be caught. patch-alarm runs cleanly and does not currently suppress any bandit checks. cgcs-patch suppresses several bandit checks which may be updated and enabled by future commits. Change-Id: I01414c48266cfb3cb6df9ef400a350a570938189 Story: 2004515 Task: 37697 Signed-off-by: Al Bailey <Al.Bailey@windriver.com>
2019-11-26 15:52:12 -06:00 · 2019-11-26 15:52:12 -06:00 · e45a758a8a
parent bfe2fd5693
commit e45a758a8a
4 changed files with 52 additions and 0 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -7,6 +7,7 @@
    check:
      jobs:
        - openstack-tox-linters
+        - py3-bandit
        - patch-tox-flake8
        - patch-tox-pylint
        - patch-tox-py27
@ -18,6 +19,7 @@
    gate:
      jobs:
        - openstack-tox-linters
+        - py3-bandit
        - patch-tox-flake8
        - patch-tox-pylint
        - patch-tox-py27
@ -27,6 +29,12 @@
        - patch-alarm-tox-py27
        - patch-alarm-tox-py36

+- job:
+    name: py3-bandit
+    parent: tox
+    vars:
+      tox_envlist: bandit
+
 - job:
    name: patch-tox-flake8
    parent: tox
--- a/cgcs-patch/cgcs-patch/tox.ini
+++ b/cgcs-patch/cgcs-patch/tox.ini
@ -53,6 +53,31 @@ commands = {[testenv:stestr]commands}
 basepython = python3.6
 commands = {[testenv:stestr]commands}

+[bandit]
+# B101: Test for use of assert
+# B104: Test for binding to all interfaces
+# B110: Try, Except, Pass detected.
+# B303: Use of insecure MD2, MD4, MD5, or SHA1 hash function.
+# B311: Standard pseudo-random generators are not suitable for security/cryptographic purposes
+# B314: Blacklisted calls to xml.etree.ElementTree
+# B318: Blacklisted calls to xml.dom.minidom
+# B404: Import of subprocess module
+# B405: import xml.etree
+# B408: import xml.minidom
+# B413: import pyCrypto
+# B506: Test for use of yaml load
+# B602: Test for use of popen with shell equals true
+# B603: Test for use of subprocess without shell equals true
+# B607: Test for starting a process with a partial path
+skips = B101,B104,B110,B303,B311,B314,B318,B404,B405,B408,B413,B506,B602,B603,B607
+exclude = tests
+
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+        bandit
+commands = bandit --ini tox.ini -n 5 -r cgcs_patch
+
 [flake8]
 # ignore below errors , will fix flake8 errors in future
 # H101  Use TODO(NAME)
--- a/patch-alarm/patch-alarm/tox.ini
+++ b/patch-alarm/patch-alarm/tox.ini
@ -54,6 +54,15 @@ commands = {[testenv:stestr]commands}
 basepython = python3.6
 commands = {[testenv:stestr]commands}

+[bandit]
+exclude = tests
+
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+        bandit
+commands = bandit --ini tox.ini -n 5 -r patch_alarm
+
 [flake8]
 # ignore below errors , will fix flake8 errors in future
 # H102  Apache 2.0 license header not found
--- a/tox.ini
+++ b/tox.ini
@ -90,6 +90,16 @@ commands = {[testenv]commands}
           tox -c cgcs-patch/cgcs-patch -e py36
           tox -c patch-alarm/patch-alarm -e py36

+[testenv:bandit]
+basepython = python3
+commands = {[testenv]commands}
+           tox -c cgcs-patch/cgcs-patch -e bandit
+           tox -c patch-alarm/patch-alarm -e bandit
+deps = {[testenv]deps}
+recreate = True
+whitelist_externals = find
+                      tox
+
 [testenv:pylint]
 basepython = python2.7
 deps = {[testenv]deps}