add a bandit environment to tox

This change is being proposed as part of the OpenStack Security Project working session at the Austin 2016 summit. It adds support for running the bandit[1] security linting tool against the python-openstackclient codebase. This change adds a targetted environment for bandit and also adds bandit as part of the pep8 job. The bandit configuration has been tailored to exclude tests that are currently producing warning against the codebase. These issues will be followed up with bug reports and patches. [1]: https://wiki.openstack.org/wiki/Security/Projects/Bandit Depends-On: Iccd81c17e84df03d249c1012277dad9cb68c5845 Change-Id: I691829c1224557d1d239c9f665ac539d0f13c4d3
2016-04-28 11:38:38 -04:00 · 2016-04-28 11:38:38 -04:00 · 505659b0aa
parent 74162fa31a
commit 505659b0aa
2 changed files with 32 additions and 2 deletions
--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -17,6 +17,7 @@ testrepository>=0.0.18 # Apache-2.0/BSD
 testtools>=1.4.0 # MIT
 tempest-lib>=0.14.0 # Apache-2.0
 osprofiler>=1.3.0 # Apache-2.0
+bandit>=1.0.1 # Apache-2.0

 # Install these to generate sphinx autodocs
 python-barbicanclient>=4.0.0 # Apache-2.0
--- a/tox.ini
+++ b/tox.ini
@ -12,7 +12,36 @@ commands = ostestr {posargs}
 whitelist_externals = ostestr

 [testenv:pep8]
-commands = flake8
+commands =
+    flake8
+    bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
+
+[testenv:bandit]
+# This command runs the bandit security linter against the openstackclient
+# codebase minus the tests directory. Some tests are being excluded to
+# reduce the number of positives before a team inspection, and to ensure a
+# passing gate job for initial addition. The excluded tests are:
+# B105-B107: hardcoded password checks - likely to generate false positives
+#            in a gate environment
+# B401: import subprocess - not necessarily a security issue; this plugin is
+#       mainly used for penetration testing workflow
+# B603,B606: process without shell - not necessarily a security issue; this
+#            plugin is mainly used for penetration testing workflow
+# B607: start process with a partial path - this should be a project level
+#       decision
+# NOTE(elmiko): The following tests are being excluded specifically for
+# python-openstackclient, they are being excluded to ensure that voting jobs
+# in the project and in bandit integration tests continue to pass. These
+# tests have generated issue within the project and should be investigated
+# by the project.
+# B110: try, except, pass detected - possible security issue; this should be
+#       investigated by the project for possible exploitation
+# B605: process with a shell - possible security issue; this should be
+#       investigated by the project for possible exploitation
+# B101: use of assert - this code will be removed when compiling to optimized
+#       byte code
+commands =
+    bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101

 [testenv:functional]
 setenv = OS_TEST_PATH=./functional/tests
@ -40,4 +69,4 @@ show-source = True
 exclude = .git,.tox,dist,doc,*openstack/common*,*lib/python*,*egg,build,tools
 # If 'ignore' is not set there are default errors and warnings that are set
 # Doc: http://flake8.readthedocs.org/en/latest/config.html#default
-ignore = __
+ignore = __