From 505659b0aabe95ee659370fab92e8cb7bd9dc430 Mon Sep 17 00:00:00 2001 From: Michael McCune Date: Thu, 28 Apr 2016 11:38:38 -0400 Subject: [PATCH] add a bandit environment to tox This change is being proposed as part of the OpenStack Security Project working session at the Austin 2016 summit. It adds support for running the bandit[1] security linting tool against the python-openstackclient codebase. This change adds a targeted environment for bandit and also adds bandit as part of the pep8 job. The bandit configuration has been tailored to exclude tests that are currently producing warnings against the codebase. These issues will be followed up with bug reports and patches. [1]: https://wiki.openstack.org/wiki/Security/Projects/Bandit Depends-On: Iccd81c17e84df03d249c1012277dad9cb68c5845 Change-Id: I691829c1224557d1d239c9f665ac539d0f13c4d3 --- test-requirements.txt | 1 + tox.ini | 33 +++++++++++++++++++++++++++++++-- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/test-requirements.txt b/test-requirements.txt index 5694550a8..26de9fd22 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -17,6 +17,7 @@ testrepository>=0.0.18 # Apache-2.0/BSD testtools>=1.4.0 # MIT tempest-lib>=0.14.0 # Apache-2.0 osprofiler>=1.3.0 # Apache-2.0 +bandit>=1.0.1 # Apache-2.0 # Install these to generate sphinx autodocs python-barbicanclient>=4.0.0 # Apache-2.0 diff --git a/tox.ini b/tox.ini index 15f623636..ced4dc95f 100644 --- a/tox.ini +++ b/tox.ini 
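Review bot: `bandit>=1.0.1` has no upper bound, so the voting pep8 job will install whichever bandit release is newest on the day it runs, and any release that adds a plugin can start failing the gate on code that passes today. The skip list in tox.ini was tuned against one specific bandit, so either cap the version here, or keep the floor in step with the Depends-On change and name an owner for re-checking the skip list whenever bandit is bumped.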
@@ -12,7 +12,36 @@ commands = ostestr {posargs} whitelist_externals = ostestr [testenv:pep8] -commands = flake8 +commands = + flake8 + bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101 + +[testenv:bandit] +# This command runs the bandit security linter against the openstackclient +# codebase minus the tests directory. Some tests are being excluded to +# reduce the number of positives before a team inspection, and to ensure a +# passing gate job for initial addition. The excluded tests are: +# B105-B107: hardcoded password checks - likely to generate false positives +# in a gate environment +# B401: import subprocess - not necessarily a security issue; this plugin is +# mainly used for penetration testing workflow +# B603,B606: process without shell - not necessarily a security issue; this +# plugin is mainly used for penetration testing workflow +# B607: start process with a partial path - this should be a project level +# decision +# NOTE(elmiko): The following tests are being excluded specifically for +# python-openstackclient, they are being excluded to ensure that voting jobs +# in the project and in bandit integration tests continue to pass. These +# tests have generated issue within the project and should be investigated +# by the project. +# B110: try, except, pass detected - possible security issue; this should be +# investigated by the project for possible exploitation +# B605: process with a shell - possible security issue; this should be +# investigated by the project for possible exploitation +# B101: use of assert - this code will be removed when compiling to optimized +# byte code +commands = + bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101 [testenv:functional] setenv = OS_TEST_PATH=./functional/tests 
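Review bot: the `-s` skip list is written out twice, once under `[testenv:pep8]` and once under `[testenv:bandit]`, so the two will drift the first time someone drops a code from one and forgets the other; define the command once and let pep8 pull it in with tox's section substitution, e.g. `commands = flake8` followed by `{[testenv:bandit]commands}`. The comment block also does not match the skip list: B404 is skipped in both commands but never explained, while the line `B401: import subprocess` describes B404 (B401 is bandit's telnetlib import check), so either the comment or the skip list is off by one plugin. Finally, B110 and B605 are described as possible security issues the project should investigate, and the commit message promises bug reports for them; a TODO with the bug link beside each of those two skips would keep them from quietly becoming permanent.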
@@ -40,4 +69,4 @@ show-source = True exclude = .git,.tox,dist,doc,*openstack/common*,*lib/python*,*egg,build,tools # If 'ignore' is not set there are default errors and warnings that are set # Doc: http://flake8.readthedocs.org/en/latest/config.html#default -ignore = __ \ No newline at end of file +ignore = __
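Review bot: the only change in this hunk is the trailing newline added after `ignore = __`, which has nothing to do with adding bandit; it is harmless, but an unrelated whitespace fix is easier to review in its own change or at least deserves a line in the commit message.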