Bandit Scans for the ranger-agent

Change-Id: I03093f8e525a08f4c30c943164fa194e506c832f

bandit.yaml

@@ -86,7 +86,7 @@
 tests:
 
 # (optional) list skipped test IDs here, eg '[B101, B406]':
-skips:
+skips: [B101, B404, B603, B606]
 
 # globs of files which should be analyzed
 include:

ord/api/__init__.py

@@ -22,7 +22,7 @@ OPTS = [
                help='The port for the ORD API server.',
                ),
     cfg.StrOpt('host',
-               default='0.0.0.0',
+               default='0.0.0.0',  # nosec
                help='The listen IP for the ORD API server.',
                ),
 ]

ord/api/app.py

@@ -134,7 +134,7 @@ def build_server():
     LOG.info(_("Configuration:"))
     cfg.CONF.log_opt_values(LOG, logging.INFO)
 
-    if host == '0.0.0.0':
+    if host == '0.0.0.0':  # nosec
         LOG.info(_(
             'serving on 0.0.0.0:%(sport)s, view at http://127.0.0.1:%(vport)s')
             % ({'sport': port, 'vport': port}))

ord/api/config.py

@@ -16,7 +16,7 @@
 # Server Specific Configurations
 server = {
     'port': '9010',
-    'host': '0.0.0.0'
+    'host': '0.0.0.0'  # nosec
 }
 
 # Pecan Application Configurations

ord/api/controllers/v1/api.py

@@ -69,7 +69,7 @@ class ListenerQueueHandler(object):
             LOG.debug(" Payload to RDS Listener %s " % listener_response_body)
             headers = {'Content-type': 'application/json'}
             rds_url = CONF.orm.rds_listener_endpoint
-            req = urllib2.Request(rds_url,
+            req = urllib2.Request(rds_url,  # nosec
                                   json.dumps(listener_response_body),
                                   headers,
                                   unverifiable=False)
@@ -87,7 +87,7 @@ class ListenerQueueHandler(object):
             status_code = None
             try:
                 LOG.info('Connecting to RDS at %s' % rds_url)
-                resp = urllib2.urlopen(req)
+                resp = urllib2.urlopen(req)  # nosec
                 status = utils.STATUS_RDS_SUCCESS
                 if resp is not None:
                     status_code = resp.getcode()

ord/api/middleware.py

@@ -20,7 +20,7 @@ Based on pecan.middleware.errordocument
 
 import json
 
-from lxml import etree
+from lxml import etree  # nosec
 import webob
 
 from ord import i18n

ord/client/getrepo.py

@@ -75,7 +75,7 @@ class TemplateRepoClient(object):
                     repopath, repo)
                 self.run_git('GitRepoInit', cmd, workdir=repopath)
             except Exception as repoexp:
-                pass
+                LOG.warning(repoexp)
             # fetch origin
             rem_lock_file = '{0}/.git/refs/remotes/origin/master.lock'\
                 .format(repopath)
@@ -182,8 +182,8 @@ class TemplateRepoClient(object):
                             [stdout, stderr] = fetch_process.communicate()
                             LOG.info("Run command '%s' to syncup"
                                      " repo after error", fetch)
-                        except Exception:
-                            pass
+                        except Exception as exp:
+                            LOG.warning(exp)
 
         if process.returncode != 0:
             self.check_git_errors(label, proc_result)

test-requirements.txt

@@ -3,6 +3,7 @@
 # process, which may cause wedges in the gate later.
 
 hacking>=0.12.0,!=0.13.0,<0.14  # Apache-2.0
+bandit>=1.5.1
 coverage>=4.0
 python-subunit>=0.0.18
 sphinx>>=1.2.1,!=1.3b1,<1.4  # BSD

tox.ini

@@ -14,8 +14,14 @@ deps = -r{toxinidir}/requirements.txt
        -r{toxinidir}/test-requirements.txt
 commands = python setup.py test --slowest --testr-args='{posargs}'
 
+[testenv:bandit]
+deps = .[bandit]
+commands = bandit -r ord -n5 -c bandit.yaml
+
 [testenv:pep8]
-commands = flake8 {posargs}
+commands =
+  flake8 {posargs}
+  {[testenv:bandit]commands}
 
 [testenv:venv]
 commands = {posargs}