From 21d601f3f568f2a8b1b6447931a73554eb60703a Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sun, 11 Feb 2024 02:56:42 +0900
Subject: [PATCH] pre-commit: Integrate bandit

Co-Authored-By: Stephen Finucane
Change-Id: I4698730bddf343c9699beb0c6389e38ba15794d2
---
 .pre-commit-config.yaml | 5 +++++
 requirements.txt | 4 ----
 stevedore/_cache.py | 2 +-
 test-requirements.txt | 7 -------
 tox.ini | 4 ++--
 5 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 07917d3..10f19c5 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -23,3 +23,8 @@ repos:
 hooks:
 - id: hacking
 additional_dependencies: []
+ - repo: https://github.com/PyCQA/bandit
+ rev: 1.7.6
+ hooks:
+ - id: bandit
+ args: ['-x', 'tests']
diff --git a/requirements.txt b/requirements.txt
index 6de9f4e..7deef88 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1 @@
-# The order of packages is significant, because pip processes them in the order
-# of appearance. Changing the order has an impact on the overall integration
-# process, which may cause wedges in the gate later.
-
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
diff --git a/stevedore/_cache.py b/stevedore/_cache.py
index d1aaaf8..fd703af 100644
--- a/stevedore/_cache.py
+++ b/stevedore/_cache.py
@@ -144,7 +144,7 @@ class Cache:
 # target directory or when python executable is under /tmp (this is the
 # case when executed from ansible)
 if any([os.path.isfile(os.path.join(self._dir, '.disable')),
- sys.executable[0:4] == '/tmp']):
+ sys.executable[0:4] == '/tmp']): # nosec B108
 self._disable_caching = True

 def _get_data_for_path(self, path):
diff --git a/test-requirements.txt b/test-requirements.txt
index 1964dd1..5d08445 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
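Review bot: The bandit hook's scan scope is now defined only by `args: ['-x', 'tests']`, so it no longer mirrors the `bandit -r stevedore -x tests` command that this commit removes from tox.ini. With `pre-commit run -a`, pre-commit hands bandit the repository's tracked Python files, and the exclusion is left to bandit's own path matching rather than to pre-commit. Putting the scope on the hook itself, for example `files: ^stevedore/` and `exclude: ^stevedore/tests/`, would make it explicit and easy to review. In addition, `rev: 1.7.6` is a tag; pinning the hook to the corresponding commit hash would keep a moved tag from changing which linter code runs in the gate.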
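Review bot: The `# nosec B108` added on the `sys.executable[0:4] == '/tmp'` line silences bandit without recording why the finding is a false positive. The comment above the `if` explains why /tmp is checked, but not that the path is only compared and never used to create a file. I would extend that comment with a line such as `# bandit B108 is suppressed below: the path is only compared, nothing is written under /tmp`. Separately, the slice comparison also matches executables in sibling directories such as `/tmpfoo`; `sys.executable.startswith('/tmp/')` would state the intent more exactly. The enclosing method starts above the hunk, so this is based on the visible lines only.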
@@ -1,11 +1,4 @@
-# The order of packages is significant, because pip processes them in the order
-# of appearance. Changing the order has an impact on the overall integration
-# process, which may cause wedges in the gate later.
-
 coverage!=4.4,>=4.0 # Apache-2.0
 stestr>=2.0.0 # Apache-2.0
 # sphinx is needed for testing the sphinxext module
 sphinx>=2.0.0,!=2.1.0 # BSD
-
-bandit>=1.6.0,<1.7.0 # Apache-2.0
-pre-commit>=2.6.0 # MIT
diff --git a/tox.ini b/tox.ini
index 415bf26..325d8b3 100644
--- a/tox.ini
+++ b/tox.ini
@@ -21,10 +21,10 @@ commands = {posargs}

 [testenv:pep8]
 ignore = E251
+deps =
+ pre-commit
 commands =
 pre-commit run -a
- # Run security linter
- bandit -r stevedore -x tests -n5

 [flake8]
 ignore = E251,H405