From fe4a1f4051ec2bc218ac62db8e8d5a8626761719 Mon Sep 17 00:00:00 2001
From: Ivan Kolodyazhny
Date: Mon, 21 May 2018 09:33:09 -0700
Subject: [PATCH] Add Bandit non-voting job

This commit adds two new tox environments for bandit scanner. To run any of them you can use tox commands: 1) 'tox -e bandit' to run bandit scanner against all the code 2) 'tox -e bandit-baseline' to run bandit scanner only against the last commit or the current changes. Bandit job uses 'bandit-baseline' tox environment to veryfy that no new issues were introduced.

Change-Id: I1fc3bb0d5d151f215b9efc916f921fabaa72e7d8
---
 .zuul.yaml | 17 +++++++++++++++++
 test-requirements.txt | 1 +
 tox.ini | 7 +++++++
 3 files changed, 25 insertions(+)

diff --git a/.zuul.yaml b/.zuul.yaml
index 822fa1f694..776984deab 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -60,6 +60,21 @@
 tempest_test_regex: horizon
 tox_envlist: all
+- job:
+ # Security testing for known issues
+ name: horizon-tox-bandit-baseline
+ parent: openstack-tox
+ timeout: 2400
+ vars:
+ tox_envlist: bandit-baseline
+ irrelevant-files:
+ - ^.*\.rst$
+ - ^.*\locale/.*$
+ - ^doc/.*$
+ - ^releasenotes/.*$
+ - ^setup.cfg$
+ - ^tools/.*$
+
 - project:
 check:
 jobs:
@@ -68,6 +83,8 @@
 voting: false
 - horizon-dsvm-tempest-plugin
 - openstack-tox-lower-constraints
+ - horizon-tox-bandit-baseline:
+ voting: false
 gate:
 jobs:
 - horizon-openstack-tox-python3-django111
diff --git a/test-requirements.txt b/test-requirements.txt
index 5e05bf39ef..e94e6e149f 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -9,6 +9,7 @@
 # Hacking should appear first in case something else depends on pep8
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 #
+bandit>=1.4.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 doc8>=0.6.0 # Apache-2.0
 flake8-import-order==0.12 # LGPLv3
diff --git a/tox.ini b/tox.ini
index 3bc1a4e220..7896d69e86 100644
--- a/tox.ini
+++ b/tox.ini
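Review bot: The irrelevant-files entry `^.*\locale/.*$` in the new `horizon-tox-bandit-baseline` job looks like a typo for `^.*/locale/.*$`: `\l` is not a recognised escape in Python's `re` module, so depending on the interpreter Zuul runs on the pattern either fails to compile or matches a literal `l` instead of a path separator, and in neither case does it skip the `locale/` directories it appears to target. Because these patterns decide when the security scan is skipped, it is worth confirming the entry against the other patterns in the same list, which all use an unescaped `/`. Suggested line: `- ^.*/locale/.*$`.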
@@ -176,6 +176,13 @@ application-import-names = horizon,openstack_dashboard
 [hacking]
 local-check-factory = horizon.hacking.checks.factory
+[testenv:bandit]
+commands = bandit -r horizon openstack_auth openstack_dashboard -n5 -x tests -ll
+
+[testenv:bandit-baseline]
+envdir = {toxworkdir}/bandit
+commands = bandit-baseline -r horizon openstack_auth openstack_dashboard -n5 -x tests -ii -ll
+
 [doc8]
 # File extensions to check
 extensions = .rst, .yaml
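Review bot: The two new environments filter findings differently: `[testenv:bandit]` passes only `-ll`, while `[testenv:bandit-baseline]` adds `-ii`, so low-confidence findings of medium or higher severity that `tox -e bandit` reports locally are never raised by the baseline job the check pipeline runs. If the narrower filter is deliberate, a comment above the baseline command such as `# -ii: report only medium+ confidence so the CI baseline stays low-noise` would make the intent explicit; otherwise either drop `-ii` or add it to the `[testenv:bandit]` command so local and CI results agree. The `-x tests` exclusion is given as a bare name; it is worth confirming with the bandit version pinned in test-requirements.txt that it excludes the nested `tests` packages under each of the three scanned trees rather than only a top-level `tests` path, since an exclusion that silently matches nothing makes the scan noisy while one that matches too broadly skips real code.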