diff --git a/.zuul.yaml b/.zuul.yaml index b507299514..9cfeb6e61f 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -12,6 +12,7 @@ - sysinv-tox-py35 - sysinv-tox-flake8 - sysinv-tox-pylint + - sysinv-tox-bandit - controllerconfig-tox-flake8 - controllerconfig-tox-py27 - controllerconfig-tox-pylint @@ -25,6 +26,7 @@ - sysinv-tox-py35 - sysinv-tox-flake8 - sysinv-tox-pylint + - sysinv-tox-bandit - controllerconfig-tox-flake8 - controllerconfig-tox-py27 - controllerconfig-tox-pylint @@ -90,6 +92,17 @@ tox_envlist: pylint tox_extra_args: -c sysinv/sysinv/sysinv/tox.ini +- job: + name: sysinv-tox-bandit + parent: tox + description: | + Run bandit test for sysinv + files: + - sysinv/sysinv/* + vars: + tox_envlist: bandit + tox_extra_args: -c sysinv/sysinv/sysinv/tox.ini + - job: name: controllerconfig-tox-flake8 parent: tox diff --git a/sysinv/sysinv/sysinv/tox.ini b/sysinv/sysinv/sysinv/tox.ini index 5a1a5185ac..d7da909426 100644 --- a/sysinv/sysinv/sysinv/tox.ini +++ b/sysinv/sysinv/sysinv/tox.ini @@ -111,29 +111,39 @@ commands = {posargs} [bandit] # The following bandit tests are being skipped: # B101: Test for use of assert +# B103: Test for setting permissive file permissions # B104: Test for binding to all interfaces -# B107: Test for use of hard-coded password argument defaults -# B108: Probable insecure usage of temp file/directory +# B105: Test for use of hard-coded password strings +# B108: Test for insecure usage of tmp file/directory # B110: Try, Except, Pass detected. -# B111: Execute with run_as_root=True identified, possible security issue +# B303: Use of insecure MD2, MD4, MD5, or SHA1 hash function. +# B307: Blacklisted call to eval. # B310: Audit url open for permitted schemes # B311: Standard pseudo-random generators are not suitable for security/cryptographic purposes +# B314: Blacklisted calls to xml.etree.ElementTree +# B318: Blacklisted calls to xml.dom.minidom +# B320: Blacklisted calls to lxml.etree # B404: Import of subprocess module -# B410: Import of lxml module -# B504: Test for SSL use with no version specified +# B405: import xml.etree +# B408: import xml.minidom +# B410: import lxml # B506: Test for use of yaml load -# B603: Test for use of subprocess with shell equals true +# B602: Test for use of popen with shell equals true +# B603: Test for use of subprocess without shell equals true +# B604: Test for any function with shell equals true +# B605: Test for starting a process with a shell # B607: Test for starting a process with a partial path -skips = B101,B104,B107,B108,B110,B111,B310,B311,B404,B410,B504,B506,B603,B607 +# +# Note: 'skips' entry cannot be split across multiple lines +# +skips = B101,B103,B104,B105,B108,B110,B303,B307,B310,B311,B314,B318,B320,B404,B405,B408,B410,B506,B602,B603,B604,B605,B607 exclude = tests [testenv:bandit] -basepython = python2.7 - -deps = {[testenv]deps} +basepython = python3 +deps = -r{toxinidir}/test-requirements.txt bandit - -commands = bandit --ini tox.ini -n 5 -f xml -o bandit.xml -r sysinv +commands = bandit --ini tox.ini -n 5 -r sysinv [testenv:pylint] basepython = python2.7 diff --git a/tox.ini b/tox.ini index 912018edf8..85966a0477 100644 --- a/tox.ini +++ b/tox.ini @@ -53,6 +53,10 @@ description = Dummy environment to allow flake8 to be run in subdir tox basepython = python3 description = Dummy environment to allow pylint to be run in subdir tox +[testenv:bandit] +basepython = python3 +description = Dummy environment to allow bandit to be run in subdir tox + [testenv:api-ref] basepython = python3 install_command = pip install -U {opts} {packages}