From 7082ded8362e01fd6144c064c334789a91b94876 Mon Sep 17 00:00:00 2001
From: Craig Bryant
Date: Wed, 8 Feb 2017 08:50:28 -0700
Subject: [PATCH] Turn on bandit check as part of pep8

Add bandit job as part of pep8 in tox.ini

Had to fix one issue and mark two instances of try except pass as OK so that bandit will pass

Change-Id: Ia1c96e27d1bae360c6ae0d4131665e2b712f573f
---
monasca_persister/persister.py | 10 +++++++---
.../repositories/influxdb/__init__.py | 4 ++--
test-requirements.txt | 1 +
tox.ini | 14 +++++++++++++-
4 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/monasca_persister/persister.py b/monasca_persister/persister.py
index c7348028..90123249 100644
--- a/monasca_persister/persister.py
+++ b/monasca_persister/persister.py
@@ -1,4 +1,4 @@
-# (C) Copyright 2014-2016 Hewlett Packard Enterprise Development Company LP
+# (C) Copyright 2014-2017 Hewlett Packard Enterprise Development LP
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -100,7 +100,9 @@ def clean_exit(signum, frame=None):
if process.is_alive():
process.terminate() # Sends sigterm which any processes after a notification is sent attempt to handle
wait_for_exit = True
- except Exception:
+ except Exception: # nosec
+ # There is really nothing to do if the kill fails, so just go on.
+ # The # nosec keeps bandit from reporting this as a security issue
pass
# wait for a couple seconds to give the subprocesses a chance to shut down correctly.
@@ -112,7 +114,9 @@ def clean_exit(signum, frame=None):
LOG.debug('Killing pid %s' % child.pid)
try:
os.kill(child.pid, signal.SIGKILL)
- except Exception:
+ except Exception: # nosec
+ # There is really nothing to do if the kill fails, so just go on.
+ # The # nosec keeps bandit from reporting this as a security issue
pass
if signum == signal.SIGTERM:
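Review bot: Both `except Exception:` handlers (the hunk at line 100 and the one at line 112) still swallow the failure silently; the `# nosec` marker hides the bandit finding but nothing records why `terminate()` or `os.kill` did not take effect, so on this shutdown path a child that is left running leaves no trace in the log. `os.kill` raises `OSError` (`ProcessLookupError` on Python 3) when the pid is gone or not ours, and `multiprocessing`'s `terminate()` presumably surfaces the same error, so narrowing the handler and logging it — `except OSError as e:` / `LOG.debug('Failed to kill pid %s: %s', child.pid, e)` — replaces the `pass` body that bandit's try/except/pass check matches and makes the suppression unnecessary. The new comment in the first hunk says "if the kill fails" although that block wraps `process.terminate()`, which sends SIGTERM rather than a kill. `clean_exit` starts and ends outside both hunks.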
diff --git a/monasca_persister/repositories/influxdb/__init__.py b/monasca_persister/repositories/influxdb/__init__.py
index fc03740b..e0f773a3 100644
--- a/monasca_persister/repositories/influxdb/__init__.py
+++ b/monasca_persister/repositories/influxdb/__init__.py
@@ -1,4 +1,4 @@
-# (C) Copyright 2016 Hewlett Packard Enterprise Development Company LP
+# (C) Copyright 2016-2017 Hewlett Packard Enterprise Development LP
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +18,7 @@ influxdb_opts = [cfg.StrOpt('database_name'),
cfg.StrOpt('ip_address'),
cfg.StrOpt('port'),
cfg.StrOpt('user'),
- cfg.StrOpt('password')]
+ cfg.StrOpt('password', secret=True)]
influxdb_group = cfg.OptGroup(name='influxdb', title='influxdb')
cfg.CONF.register_group(influxdb_group)
diff --git a/test-requirements.txt b/test-requirements.txt
index def565af..d5b64cde 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,6 +1,7 @@
# The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
+bandit>=1.1.0 # Apache-2.0
flake8<2.6.0,>=2.5.4 # MIT
hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
coverage>=4.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 763a13f3..37413927 100644
--- a/tox.ini
+++ b/tox.ini
@@ -50,11 +50,19 @@
commands = oslo_debug_helper -t monasca_persister/tests {posargs}
[testenv:pep8]
-commands = flake8
+deps =
+ {[testenv]deps}
+commands =
+ {[testenv:flake8]commands}
+ {[bandit]commands}
[testenv:venv]
commands = {posargs}
+[testenv:flake8]
+commands =
+ flake8 monasca_persister
[flake8]
max-line-length = 120
# TODO: ignored checks should be enabled in the future
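Review bot: In the tox.ini hunk, `flake8 monasca_persister` narrows the lint run compared with the previous bare `flake8`, which scanned the whole checkout; any Python files outside that package (a top-level setup script, for example, if the repository has one) are no longer linted, which may be intended but is not mentioned in the commit message. `deps = {[testenv]deps}` under `[testenv:pep8]` looks redundant, since a `[testenv:NAME]` section that sets no `deps` inherits the base `[testenv]` value; the base section is outside the hunk, so this is inferred. If the narrowing is deliberate, a one-line comment above `[testenv:flake8]` such as `# lint only the package; top-level scripts are not covered` would make it explicit.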
@@ -62,3 +70,7 @@ max-line-length = 120
# H904 Wrap long lines in parentheses instead of a backslash
ignore = F821,H405,H904,E126,E125,H306,E302,E122
exclude=.venv,.git,.tox,dist,*egg,build
+
+[bandit]
+commands =
+ bandit -r monasca_persister -n5 -x monasca_persister/tests
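Review bot: `[bandit]` is a plain ini section rather than a `[testenv:bandit]`, so the scan can only be invoked through the `pep8` environment; if a standalone `tox -e bandit` is also wanted, the command needs to live in a testenv section. With no `-l`/`-i` threshold flags, bandit appears to report findings of every severity and confidence and exits non-zero on any of them, so further low-severity hits (another try/except/pass, for instance) will gate the whole pep8 job; the `-x monasca_persister/tests` exclusion also means test code is never scanned, which is a reasonable trade-off but worth stating. A comment above the command such as `# any bandit finding fails pep8; tests are excluded from the scan` would document both choices.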