Enable tox bandit checks for python in update repo
Bandit gate jobs are used by openstack for security checks. Adding a zuul job so that any new bandit failures will be caught. patch-alarm runs cleanly and does not currently suppress any bandit checks. cgcs-patch suppresses several bandit checks which may be updated and enabled by future commits. Change-Id: I01414c48266cfb3cb6df9ef400a350a570938189 Story: 2004515 Task: 37697 Signed-off-by: Al Bailey <Al.Bailey@windriver.com>
This commit is contained in:
parent
bfe2fd5693
commit
e45a758a8a
|
@ -7,6 +7,7 @@
|
||||||
check:
|
check:
|
||||||
jobs:
|
jobs:
|
||||||
- openstack-tox-linters
|
- openstack-tox-linters
|
||||||
|
- py3-bandit
|
||||||
- patch-tox-flake8
|
- patch-tox-flake8
|
||||||
- patch-tox-pylint
|
- patch-tox-pylint
|
||||||
- patch-tox-py27
|
- patch-tox-py27
|
||||||
|
@ -18,6 +19,7 @@
|
||||||
gate:
|
gate:
|
||||||
jobs:
|
jobs:
|
||||||
- openstack-tox-linters
|
- openstack-tox-linters
|
||||||
|
- py3-bandit
|
||||||
- patch-tox-flake8
|
- patch-tox-flake8
|
||||||
- patch-tox-pylint
|
- patch-tox-pylint
|
||||||
- patch-tox-py27
|
- patch-tox-py27
|
||||||
|
@ -27,6 +29,12 @@
|
||||||
- patch-alarm-tox-py27
|
- patch-alarm-tox-py27
|
||||||
- patch-alarm-tox-py36
|
- patch-alarm-tox-py36
|
||||||
|
|
||||||
|
- job:
|
||||||
|
name: py3-bandit
|
||||||
|
parent: tox
|
||||||
|
vars:
|
||||||
|
tox_envlist: bandit
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: patch-tox-flake8
|
name: patch-tox-flake8
|
||||||
parent: tox
|
parent: tox
|
||||||
|
|
|
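Review bot: The new `py3-bandit` job (third hunk, the `- job:` block) breaks the naming pattern of the sibling jobs in this file, which are all prefixed `patch-tox-` (`patch-tox-flake8`, `patch-tox-pylint`, `patch-tox-py27`), so a reader of the check and gate lists cannot tell it is project-defined rather than a shared upstream job. Renaming it `patch-tox-bandit` in the job definition and in both the check and gate lists (first and second hunks) would keep the convention. A `description: Run the bandit security linter through the top-level tox bandit env` line under `name:` would also help, since the only thing the definition states is `parent: tox` and `tox_envlist: bandit`. The file's path is not shown on this page, so I am assuming this is the project's zuul configuration.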
@ -53,6 +53,31 @@ commands = {[testenv:stestr]commands}
|
||||||
basepython = python3.6
|
basepython = python3.6
|
||||||
commands = {[testenv:stestr]commands}
|
commands = {[testenv:stestr]commands}
|
||||||
|
|
||||||
|
[bandit]
|
||||||
|
# B101: Test for use of assert
|
||||||
|
# B104: Test for binding to all interfaces
|
||||||
|
# B110: Try, Except, Pass detected.
|
||||||
|
# B303: Use of insecure MD2, MD4, MD5, or SHA1 hash function.
|
||||||
|
# B311: Standard pseudo-random generators are not suitable for security/cryptographic purposes
|
||||||
|
# B314: Blacklisted calls to xml.etree.ElementTree
|
||||||
|
# B318: Blacklisted calls to xml.dom.minidom
|
||||||
|
# B404: Import of subprocess module
|
||||||
|
# B405: import xml.etree
|
||||||
|
# B408: import xml.minidom
|
||||||
|
# B413: import pyCrypto
|
||||||
|
# B506: Test for use of yaml load
|
||||||
|
# B602: Test for use of popen with shell equals true
|
||||||
|
# B603: Test for use of subprocess without shell equals true
|
||||||
|
# B607: Test for starting a process with a partial path
|
||||||
|
skips = B101,B104,B110,B303,B311,B314,B318,B404,B405,B408,B413,B506,B602,B603,B607
|
||||||
|
exclude = tests
|
||||||
|
|
||||||
|
[testenv:bandit]
|
||||||
|
basepython = python3
|
||||||
|
deps = -r{toxinidir}/test-requirements.txt
|
||||||
|
bandit
|
||||||
|
commands = bandit --ini tox.ini -n 5 -r cgcs_patch
|
||||||
|
|
||||||
[flake8]
|
[flake8]
|
||||||
# ignore below errors , will fix flake8 errors in future
|
# ignore below errors , will fix flake8 errors in future
|
||||||
# H101 Use TODO(NAME)
|
# H101 Use TODO(NAME)
|
||||||
|
|
|
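Review bot: The `skips` list in the new `[bandit]` section switches off several of the higher-severity checks at once (`B602` shell=True, `B506` yaml.load, `B303` weak hashes, `B104` bind to all interfaces, `B413` pyCrypto), so the gate will not catch a newly introduced instance of any of them, which is the outcome the commit message says the job is meant to prevent. The comment block only restates what each code tests; recording why each one is currently skipped, with a reference such as `# skipped pending cleanup, tracked by Story 2004515 / Task 37697`, would make the suppression auditable, and replacing global skips with `# nosec` annotations at the individual sites that have been reviewed would narrow it to known code. `deps = ... bandit` is unpinned here and in the patch-alarm tox.ini hunk below, so a new bandit release can change which checks run and break the gate without any change in this repository; pinning it (for example `bandit==<version>` in test-requirements.txt, version to be chosen) keeps the gate deterministic.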
@ -54,6 +54,15 @@ commands = {[testenv:stestr]commands}
|
||||||
basepython = python3.6
|
basepython = python3.6
|
||||||
commands = {[testenv:stestr]commands}
|
commands = {[testenv:stestr]commands}
|
||||||
|
|
||||||
|
[bandit]
|
||||||
|
exclude = tests
|
||||||
|
|
||||||
|
[testenv:bandit]
|
||||||
|
basepython = python3
|
||||||
|
deps = -r{toxinidir}/test-requirements.txt
|
||||||
|
bandit
|
||||||
|
commands = bandit --ini tox.ini -n 5 -r patch_alarm
|
||||||
|
|
||||||
[flake8]
|
[flake8]
|
||||||
# ignore below errors , will fix flake8 errors in future
|
# ignore below errors , will fix flake8 errors in future
|
||||||
# H102 Apache 2.0 license header not found
|
# H102 Apache 2.0 license header not found
|
||||||
|
|
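Review bot: `basepython = python3` in the new `[testenv:bandit]` differs from the `python3.6` the neighbouring env pins (context line `basepython = python3.6`), so the scan runs under whichever `python3` the node resolves first rather than a fixed interpreter; `basepython = python3.6` would match the sibling env. The same applies to the cgcs-patch tox.ini hunk above. It is also worth confirming that `exclude = tests` actually matches the package's test directory when the scan root is `patch_alarm`; if the installed bandit matches excludes as path prefixes rather than globs, a path relative to the scan root or a comment stating the intended directory would avoid silently scanning or skipping the wrong tree.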
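--- a/tox.ini
+++ b/tox.ini
@@ -90,6 +90,16 @@ commands = {[testenv]commands}
 tox -c cgcs-patch/cgcs-patch -e py36
 tox -c patch-alarm/patch-alarm -e py36
 
+[testenv:bandit]
+basepython = python3
+commands = {[testenv]commands}
+tox -c cgcs-patch/cgcs-patch -e bandit
+tox -c patch-alarm/patch-alarm -e bandit
+deps = {[testenv]deps}
+recreate = True
+whitelist_externals = find
+tox
+
 [testenv:pylint]
 basepython = python2.7
 deps = {[testenv]deps}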
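Review bot: The new `[testenv:bandit]` gives a reader of this top-level file no indication that the real scan configuration, including the skip list for cgcs-patch, lives in each sub-package's own tox.ini; a comment above the section such as `# Delegates to the bandit env of each package; their [bandit] sections (skips, exclude) live in cgcs-patch/cgcs-patch and patch-alarm/patch-alarm` would make that visible. Note also that tox stops at the first failing command by default, so when the cgcs-patch scan fails the patch-alarm scan is not run and its findings only surface once the first is fixed; that is acceptable for a gate but worth stating in the same comment. `whitelist_externals = find` presumably serves the inherited `{[testenv]commands}`, which is outside this hunk; if it is not needed here, dropping it would keep the env minimal.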