Update list of skipped bandit plugins.

Adding a zuul job so that any new bandit failures
will be caught.

Switching bandit to run in python3.

B111 plugin was removed from bandit by:
PyCQA/bandit@d93eed5

Cleanup the list of bandit checks that need to be skipped
in order for this tox job to pass. Those checks can be
removed when the code is updated by future commits.

Story: 2004515
Task: 37744
Change-Id: I1809b1124a5a693d288fb7ea893f30c24487af36
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>

.zuul.yaml

@@ -12,6 +12,7 @@
         - sysinv-tox-py35
         - sysinv-tox-flake8
         - sysinv-tox-pylint
+        - sysinv-tox-bandit
         - controllerconfig-tox-flake8
         - controllerconfig-tox-py27
         - controllerconfig-tox-pylint
@@ -25,6 +26,7 @@
         - sysinv-tox-py35
         - sysinv-tox-flake8
         - sysinv-tox-pylint
+        - sysinv-tox-bandit
         - controllerconfig-tox-flake8
         - controllerconfig-tox-py27
         - controllerconfig-tox-pylint
@@ -90,6 +92,17 @@
       tox_envlist: pylint
       tox_extra_args: -c sysinv/sysinv/sysinv/tox.ini
 
+- job:
+    name: sysinv-tox-bandit
+    parent: tox
+    description: |
+      Run bandit test for sysinv
+    files:
+      - sysinv/sysinv/*
+    vars:
+      tox_envlist: bandit
+      tox_extra_args: -c sysinv/sysinv/sysinv/tox.ini
+
 - job:
     name: controllerconfig-tox-flake8
     parent: tox

sysinv/sysinv/sysinv/tox.ini

@@ -111,29 +111,39 @@ commands = {posargs}
 [bandit]
 # The following bandit tests are being skipped:
 # B101: Test for use of assert
+# B103: Test for setting permissive file permissions
 # B104: Test for binding to all interfaces
-# B107: Test for use of hard-coded password argument defaults
+# B105: Test for use of hard-coded password strings
-# B108: Probable insecure usage of temp file/directory
+# B108: Test for insecure usage of tmp file/directory
 # B110: Try, Except, Pass detected.
-# B111: Execute with run_as_root=True identified, possible security issue
+# B303: Use of insecure MD2, MD4, MD5, or SHA1 hash function.
+# B307: Blacklisted call to eval.
 # B310: Audit url open for permitted schemes
 # B311: Standard pseudo-random generators are not suitable for security/cryptographic purposes
+# B314: Blacklisted calls to xml.etree.ElementTree
+# B318: Blacklisted calls to xml.dom.minidom
+# B320: Blacklisted calls to lxml.etree
 # B404: Import of subprocess module
-# B410: Import of lxml module
+# B405: import xml.etree
-# B504: Test for SSL use with no version specified
+# B408: import xml.minidom
+# B410: import lxml
 # B506: Test for use of yaml load
-# B603: Test for use of subprocess with shell equals true
+# B602: Test for use of popen with shell equals true
+# B603: Test for use of subprocess without shell equals true
+# B604: Test for any function with shell equals true
+# B605: Test for starting a process with a shell
 # B607: Test for starting a process with a partial path
-skips =  B101,B104,B107,B108,B110,B111,B310,B311,B404,B410,B504,B506,B603,B607
+#
+# Note: 'skips' entry cannot be split across multiple lines
+#
+skips = B101,B103,B104,B105,B108,B110,B303,B307,B310,B311,B314,B318,B320,B404,B405,B408,B410,B506,B602,B603,B604,B605,B607
 exclude = tests
 
 [testenv:bandit]
-basepython = python2.7
+basepython = python3
-
+deps = -r{toxinidir}/test-requirements.txt
-deps = {[testenv]deps}
         bandit
-
+commands = bandit --ini tox.ini -n 5 -r sysinv
-commands = bandit --ini tox.ini -n 5 -f xml -o bandit.xml -r sysinv
 
 [testenv:pylint]
 basepython = python2.7

tox.ini

@@ -53,6 +53,10 @@ description = Dummy environment to allow flake8 to be run in subdir tox
 basepython = python3
 description = Dummy environment to allow pylint to be run in subdir tox
 
+[testenv:bandit]
+basepython = python3
+description = Dummy environment to allow bandit to be run in subdir tox
+
 [testenv:api-ref]
 basepython = python3
 install_command = pip install -U {opts} {packages}