Convert yaml.load to yaml.safe_load

yaml.load is considered unsafe. yaml.safe_load is the recommended method to use. The yaml.load is only being called from scenario tests, and from a forensic tool that is unused. Therefore this code change has no runtime impact. This allow unsuppressing the following pylint error E1120 no-value-for-parameter This allow unsuppressing the following bandit error B506: Test for use of yaml load Adding a new bandit zuul job, and removing the pinning of the version of bandit for this repo. Test Plan: PASS: tox -e pylint PASS: tox -e bandit PASS: build-pkgs -p nfv Story: 2010531 Task: 47174 Signed-off-by: Al Bailey <al.bailey@windriver.com> Change-Id: Ie60dcf98425c95e103d22e7be4212de1954550bf
2023-01-19 19:45:19 +00:00 · 2023-01-19 19:45:19 +00:00 · d87462c851
parent e6114addac
commit d87462c851
7 changed files with 24 additions and 11 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -43,6 +43,18 @@
    vars:
      tox_extra_args: -c nfv/tox.ini

+- job:
+    name: nfv-tox-bandit
+    parent: tox
+    description: Run bandit for nfv
+    nodeset: debian-bullseye
+    required-projects:
+      - starlingx/root
+    vars:
+      tox_envlist: bandit
+      tox_extra_args: -c nfv/tox.ini
+      tox_constraints_file: '{{ ansible_user_dir }}/src/opendev.org/starlingx/root/build-tools/requirements/debian/upper-constraints.txt'
+
 - job:
    name: nfv-tox-pylint
    parent: tox
--- a/nfv/nfv-common/nfv_common/forensic/_nfv_vim_parser.py
+++ b/nfv/nfv-common/nfv_common/forensic/_nfv_vim_parser.py
@ -108,7 +108,7 @@ def parser_initialize():
    path = os.path.abspath(__file__)
    config_file = os.path.dirname(path) + "/config/nfv-vim.yaml"
    if os.path.isfile(config_file):
-        config_data = yaml.load(open(config_file))
+        config_data = yaml.safe_load(open(config_file))
        return NfvVimParser(config_data)
    return None

--- a/nfv/nfv-tests/nfv_scenario_tests/main.py
+++ b/nfv/nfv-tests/nfv_scenario_tests/main.py
@ -622,7 +622,7 @@ def process_main():
            sys.exit(1)

        if args.data:
-            data_fill = yaml.load(open(data_dir + '/data/' + args.data + '.yaml'))
+            data_fill = yaml.safe_load(open(data_dir + '/data/' + args.data + '.yaml'))
        else:
            print("No data file given.")
            sys.exit(1)
@ -630,7 +630,7 @@ def process_main():
        if args.setup:
            setup_template = j2_env.get_template(args.setup + '.template')
            setup_yaml = setup_template.render(data_fill)
-            setup_data = yaml.load(setup_yaml)
+            setup_data = yaml.safe_load(setup_yaml)
        else:
            print("No setup file given.")
            sys.exit(1)
@ -638,7 +638,7 @@ def process_main():
        if args.tests:
            tests_template = j2_env.get_template(args.tests + '.template')
            tests_yaml = tests_template.render(data_fill)
-            test_data = yaml.load(tests_yaml)
+            test_data = yaml.safe_load(tests_yaml)
        else:
            print("No tests given.")
            sys.exit(1)
--- a/nfv/pylint.rc
+++ b/nfv/pylint.rc
@ -135,15 +135,15 @@ enable=E1603,E1609,E1610,E1602,E1606,E1608,E1607,E1605,E1604,E1601,E1611,W1652,
 # W0237 arguments-renamed
 # W4904 deprecated-class
 # W4905 deprecated-decorator
+
 # E0012 pylint for python3 does not support inline deprecation
 # E1101 no-member
 # E1111 assignment-from-no-return
-# E1120 no-value-for-parameter
 # E1121 too-many-function-args
 disable=C, R, W0120, W0125, W0212, W0221, W0223, W0231, W0235,
    W0401, W0404, W0511, W0602, W0603, W0612, W0613, W0621, W0622, W0703, W1401,
    W0107, W0706, W0707, W1310, W1406, W1505, W1514, W1618, W0237, W4904, W4905,
-    E0012, E1101, E1111, E1120, E1121
+    E0012, E1101, E1111, E1121

 [REPORTS]
 # Set the output format. Available formats are text, parseable, colorized, msvs
--- a/nfv/test-requirements.txt
+++ b/nfv/test-requirements.txt
@ -2,7 +2,7 @@
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
 hacking>=1.1.0,<=2.0.0 # Apache-2.0
-bandit<1.6.0
+bandit
 coverage>=3.6
 fixtures>=3.0.0 # Apache-2.0/BSD
 mock>=2.0.0 # BSD
--- a/nfv/tox.ini
+++ b/nfv/tox.ini
@ -116,14 +116,12 @@ commands = pylint {[nfv]nfv_client_src_dir}  \
 # B108: Probable insecure usage of temp file/directory
 # B110: Try, Except, Pass detected.
 # B310: Audit url open for permitted schemes
-# B506: Test for use of yaml load
-skips = B104,B108,B110,B310,B506
+skips = B104,B108,B110,B310
 exclude = ./nfv-docs,./nfv-tests,./nfv-debug-tools,unit_test


 [testenv:bandit]
-deps = {[nfv]deps}
-       -r{toxinidir}/test-requirements.txt
+deps = -r{toxinidir}/test-requirements.txt
 commands = bandit --ini tox.ini -f txt -r {[nfv]nfv_base_dir}

 [testenv:py39]
--- a/tox.ini
+++ b/tox.ini
@ -20,6 +20,9 @@ setenv = VIRTUAL_ENV={envdir}
 [testenv:venv]
 commands = {posargs}

+[testenv:bandit]
+description = Dummy environment to allow bandit to be run in subdir tox
+
 [testenv:flake8]
 description = Dummy environment to allow flake8 to be run in subdir tox