Merge "Add bandit check to all python code"

.gitignore

@@ -45,6 +45,9 @@ releasenotes/build
 # Files generated by Ansible
 ansible/*.retry
 
+#OpenStack releases repo used by version_check.py.
+.releases
+
 # Others
 .DS_Store
 .vimrc

kolla/tests/test_build.py

@@ -376,10 +376,10 @@ class KollaWorkerTest(base.TestCase):
 
     @mock.patch('shutil.copytree')
     def test_work_dir(self, copytree_mock):
-        self.conf.set_override('work_dir', '/tmp/foo')
+        self.conf.set_override('work_dir', 'tmp/foo')
         kolla = build.KollaWorker(self.conf)
         kolla.setup_working_dir()
-        self.assertEqual('/tmp/foo/docker', kolla.working_dir)
+        self.assertEqual('tmp/foo/docker', kolla.working_dir)
 
 
 class MainTest(base.TestCase):

tools/version-check.py

@@ -16,7 +16,7 @@ import argparse
 import logging
 import os
 import re
-import subprocess
+import subprocess  # nosec
 import sys
 
 import yaml
@@ -38,7 +38,7 @@ logging.basicConfig(level=logging.INFO)
 LOG = logging.getLogger(__name__)
 
 RELEASE_REPO = 'https://github.com/openstack/releases'
-TARGET = '/tmp/releases'
+TARGET = '.releases'
 
 SKIP_PROJECTS = {
     'gnocchi-base': 'Gnocchi is not managed by openstack/releases project',
@@ -60,7 +60,7 @@ def update_releases_repo():
     else:
         cmd = ['git', '--git-dir', os.path.join(TARGET, '.git'), '--work-tree',
                TARGET, 'pull']
-    subprocess.call(cmd)
+    subprocess.call(cmd)  # nosec
 
 
 def get_default_branch():

tox.ini

@@ -36,7 +36,7 @@ commands =
   flake8 {posargs}
   {toxinidir}/tools/validate-all-dockerfiles.sh
   python {toxinidir}/tools/validate-all-file.py
-  bandit docker kolla tests tools
+  bandit -r docker kolla tests tools
 
 [testenv:bandit]
 commands = bandit -r docker kolla tests tools