tox: Remove bandit skips, run via pre-commit

Most of these skips were unnecessary. The few checks that still fire are now
suppressed inline with '# nosec' comments at the affected lines.

We also set 'skip_install' since there's no reason to build the package
for linting purposes.

Change-Id: I9644e5c19720b9c41c60e0a5882b7cd7f6a71f7b
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This commit is contained in:
Stephen Finucane 2024-04-26 12:51:18 +01:00
parent 648d8df578
commit 0646f9b4e4
12 changed files with 32 additions and 44 deletions


@ -26,7 +26,7 @@ repos:
rev: 1.7.8
hooks:
- id: bandit
args: ['-x', 'tests', '-s', 'B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101']
args: ['-x', 'tests']
- repo: https://opendev.org/openstack/hacking
rev: 6.1.0
hooks:
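Review bot: The hook now carries `-x tests` with no record of why the test tree is left out; the deleted tox.ini block was the only place that explained the exclusions, and it went with this change. A one-line comment above `args`, along the lines of `# tests/ is not scanned; presumably it relies on assert (B101) and fixture secrets freely`, would keep the rationale next to the setting (the B101 reason is my reading of the removed tox comment, so adjust it if the real motivation differs). Note also that pre-commit hands this hook every tracked Python file, whereas the old `bandit -r openstackclient` walked only the package, so files outside it (setup.py, doc and release-note configs) are presumably scanned now too; if that widening is unintended, add `files: ^openstackclient/` to the hook.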


@ -113,6 +113,6 @@ class ListModule(command.ShowOne):
data[k] = mods[k].__version__
except Exception:
# Catch all exceptions, just skip it
pass
pass # nosec: B110
return zip(*sorted(data.items()))
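Review bot: The `# nosec: B110` only silences the scanner; the handler still catches every `Exception` for what, as far as this hunk shows, is a module without a `__version__` attribute. Narrowing it to `except AttributeError:` states the expected failure and, under bandit's default `check_typed_exception` setting (which reports only bare and `Exception` handlers), removes the need for the suppression altogether. The enclosing method of `ListModule` and the loop over `mods` start above the hunk, so if other failure modes are expected there (a property on a lazily-loaded module raising something else, say), list them in a tuple rather than keeping the catch-all.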


@ -2843,11 +2843,12 @@ class ListServer(command.Lister):
# there are infra failures
if parsed_args.name_lookup_one_by_one or image_id:
for image_id in image_ids:
# "Image Name" is not crucial, so we swallow any exceptions
try:
images[image_id] = image_client.get_image(image_id)
except Exception:
pass
# retrieving image names is not crucial, so we swallow
# any exceptions
pass # nosec: B110
else:
try:
# some deployments can have *loads* of images so we only
@ -2866,7 +2867,9 @@ class ListServer(command.Lister):
for i in images_list:
images[i.id] = i
except Exception:
pass
# retrieving image names is not crucial, so we swallow any
# exceptions
pass # nosec: B110
# create a dict that maps flavor_id to flavor object, which is used
# to display the "Flavor Name" column. Note that 'flavor.id' is not
@ -2878,21 +2881,23 @@ class ListServer(command.Lister):
for s in data
if s.flavor and s.flavor.get('id')
):
# "Flavor Name" is not crucial, so we swallow any
# exceptions
try:
flavors[f_id] = compute_client.find_flavor(
f_id, ignore_missing=False
)
except Exception:
pass
# retrieving flavor names is not crucial, so we swallow
# any exceptions
pass # nosec: B110
else:
try:
flavors_list = compute_client.flavors(is_public=None)
for i in flavors_list:
flavors[i.id] = i
except Exception:
pass
# retrieving flavor names is not crucial, so we swallow any
# exceptions
pass # nosec: B110
# Populate image_name, image_id, flavor_name and flavor_id attributes
# of server objects so that we can display those columns.
@ -4805,7 +4810,9 @@ class SshServer(command.Command):
cmd = ' '.join(['ssh', ip_address] + args)
LOG.debug("ssh command: {cmd}".format(cmd=cmd))
os.system(cmd)
# we intentionally pass through user-provided arguments and run this in
# the user's shell
os.system(cmd) # nosec: B605
class StartServer(command.Command):
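Review bot: The new comment documents the intent behind `os.system(cmd)`, but the line above it still joins `ip_address` and the user's arguments into one string that the shell re-tokenises, so an argument containing spaces or quotes (a `-o ProxyCommand=...` with embedded spaces, for instance) is split or re-interpreted rather than passed through, and `ip_address`, which presumably comes from the server's address list rather than from the local user, is interpolated unquoted. If the shell is genuinely wanted, `cmd = shlex.join(['ssh', ip_address] + args)` (import `shlex`) keeps each token intact while preserving the rest of the code; otherwise `subprocess.call(['ssh', ip_address] + args)` drops the shell entirely, at which point B603/B607 will fire and need their own `# nosec`. Where `args` comes from is outside the hunk, as is the start of the enclosing method of `SshServer`; I'm assuming it is already a list of argv tokens.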


@ -182,7 +182,7 @@ class ListUsage(command.Lister):
project_cache[p.id] = p
except Exception:
# Just forget it if there's any trouble
pass
pass # nosec: B110
if parsed_args.formatter == 'table' and len(usage_list) > 0:
self.app.stdout.write(
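Review bot: Suppressing B110 leaves the failure of the project lookup completely invisible: when the call feeding `project_cache[p.id] = p` fails (a token without the needed role, say), the usage table silently falls back to bare IDs with nothing in the log to explain why. Replacing the bare `pass` with a debug-level record of the exception, e.g. `LOG.debug("Failed to build project cache", exc_info=True)` if this module has a logger, keeps the best-effort behaviour while making the swallowed error diagnosable. The enclosing method and the start of the `try` body are above the hunk, so the exact call being guarded is not visible here.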


@ -252,7 +252,7 @@ class ListUser(command.Lister):
project_cache[p.id] = p
except Exception:
# Just forget it if there's any trouble
pass
pass # nosec: B110
formatters['tenantId'] = functools.partial(
ProjectColumn, project_cache=project_cache
)


@ -424,7 +424,7 @@ class ListVolume(command.Lister):
server_cache[s.id] = s
except Exception:
# Just forget it if there's any trouble
pass
pass # nosec: B110
AttachmentsColumnWithCache = functools.partial(
AttachmentsColumn, server_cache=server_cache
)


@ -217,7 +217,7 @@ class ListVolumeBackup(command.Lister):
volume_cache[s.id] = s
except Exception:
# Just forget it if there's any trouble
pass
pass # nosec: B110
VolumeIdColumnWithCache = functools.partial(
VolumeIdColumn, volume_cache=volume_cache
)


@ -244,7 +244,7 @@ class ListVolumeSnapshot(command.Lister):
volume_cache[s.id] = s
except Exception:
# Just forget it if there's any trouble
pass
pass # nosec: B110
VolumeIdColumnWithCache = functools.partial(
VolumeIdColumn, volume_cache=volume_cache
)


@ -537,7 +537,7 @@ class ListVolume(command.Lister):
server_cache[s.id] = s
except Exception:
# Just forget it if there's any trouble
pass
pass # nosec: B110
AttachmentsColumnWithCache = functools.partial(
AttachmentsColumn, server_cache=server_cache
)


@ -325,7 +325,7 @@ class ListVolumeBackup(command.Lister):
volume_cache[s.id] = s
except Exception:
# Just forget it if there's any trouble
pass
pass # nosec: B110
_VolumeIdColumn = functools.partial(
VolumeIdColumn, volume_cache=volume_cache


@ -289,7 +289,7 @@ class ListVolumeSnapshot(command.Lister):
volume_cache[s.id] = s
except Exception:
# Just forget it if there's any trouble
pass
pass # nosec: B110
_VolumeIdColumn = functools.partial(
VolumeIdColumn, volume_cache=volume_cache
)

tox.ini

@ -16,37 +16,18 @@ commands =
stestr run {posargs}
[testenv:pep8]
skip_install = true
deps =
pre-commit
pre-commit
commands =
pre-commit run --all-files --show-diff-on-failure
pre-commit run --all-files --show-diff-on-failure
[testenv:bandit]
# This command runs the bandit security linter against the openstackclient
# codebase minus the tests directory. Some tests are being excluded to
# reduce the number of positives before a team inspection, and to ensure a
# passing gate job for initial addition. The excluded tests are:
# B105-B107: hardcoded password checks - likely to generate false positives
# in a gate environment
# B401: import subprocess - not necessarily a security issue; this plugin is
# mainly used for penetration testing workflow
# B603,B606: process without shell - not necessarily a security issue; this
# plugin is mainly used for penetration testing workflow
# B607: start process with a partial path - this should be a project level
# decision
# NOTE(elmiko): The following tests are being excluded specifically for
# python-openstackclient, they are being excluded to ensure that voting jobs
# in the project and in bandit integration tests continue to pass. These
# tests have generated issue within the project and should be investigated
# by the project.
# B110: try, except, pass detected - possible security issue; this should be
# investigated by the project for possible exploitation
# B605: process with a shell - possible security issue; this should be
# investigated by the project for possible exploitation
# B101: use of assert - this code will be removed when compiling to optimized
# byte code
skip_install = true
deps =
pre-commit
commands =
bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
pre-commit run --all-files --show-diff-on-failure bandit
[testenv:unit-tips]
commands =
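Review bot: The rationale comment above `[testenv:bandit]` is removed wholesale, so the env no longer says where the scanner's version, path exclusions or per-line suppressions are configured. A one-line comment on the env, `# bandit version, excludes and inline nosec markers are configured in .pre-commit-config.yaml`, would save the next reader the search. The split between `pep8` and `bandit` envs is otherwise clear, and `skip_install = true` is appropriate for both since neither needs the package built.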