From c914eb14d7699aacd135199913b9540065fdcf7b Mon Sep 17 00:00:00 2001
From: Jeremy Liu
Date: Sun, 30 Oct 2016 15:06:45 +0800
Subject: [PATCH] Add a bandit environment to tox

This change is being proposed as part of the OpenStack Security Project working session at the Austin 2016 summit. It adds support for running the bandit[1] security linting tool against the Senlin codebase. This change adds a targeted environment for bandit. The bandit configuration has been tailored to exclude tests that are currently producing warning against the codebase. These issues will be followed up with bug reports and patches. At the time of submission, Senlin passes all Bandit tests configured in tox.

[1]: https://wiki.openstack.org/wiki/Security/Projects/Bandit

Change-Id: I54ef7329b9d6f6429838afdc5319f48bcc2e9f33
---
 test-requirements.txt | 3 +++
 tox.ini | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/test-requirements.txt b/test-requirements.txt
index 975f9f228..0ef7dc029 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -21,3 +21,6 @@ os-api-ref>=1.0.0 # Apache-2.0
 oslosphinx>=4.7.0 # Apache-2.0
 sphinx!=1.3b1,<1.4,>=1.2.1 # BSD
 reno>=1.8.0 # Apache2
+
+# Bandit build requirements
+bandit>=1.1.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 258d53620..d4ff0ffd7 100644
--- a/tox.ini
+++ b/tox.ini
@@ -101,3 +101,7 @@ max-complexity=20
 [hacking]
 local-check-factory = senlin.hacking.checks.factory
 import_exceptions = senlin.common.i18n
+
+[testenv:bandit]
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r senlin -x tests -s B101,B104,B110,B310,B311,B506
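Review bot: The `-s B101,B104,B110,B310,B311,B506` skip list in the new `[testenv:bandit]` command disables those checks for the whole `senlin` tree rather than only at the lines that currently trigger them, so any new code that binds to all interfaces (B104), silently swallows exceptions (B110), opens URLs with urllib (B310) or calls `yaml.load` (B506) will also pass the gate unnoticed. The commit message promises follow-up bug reports, but tox.ini itself carries no record of why each ID is skipped or when it can be re-enabled; a comment above `commands` such as `# Temporarily skipped pending cleanup (tracking bug: <TRACKER-ID placeholder>): B101 assert_used, B104 hardcoded_bind_all_interfaces, B110 try_except_pass, B310 urllib_urlopen, B311 random, B506 yaml_load` would let the list be pruned as fixes land. Longer term, per-finding `# nosec` annotations on the existing offenders, or a checked-in bandit config passed with `-c`, would keep the gate strict for new code while the backlog is worked off.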