diff options
| -rw-r--r-- | test-requirements.txt | 1 | ||||
| -rw-r--r-- | tox.ini | 33 |
2 files changed, 32 insertions, 2 deletions
diff --git a/test-requirements.txt b/test-requirements.txt index f39b86bb..39d250ee 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -17,6 +17,7 @@ testrepository>=0.0.18 # Apache-2.0/BSD testtools>=1.4.0 # MIT tempest>=11.0.0 # Apache-2.0 osprofiler>=1.3.0 # Apache-2.0 +bandit>=1.0.1 # Apache-2.0 # Install these to generate sphinx autodocs python-barbicanclient>=4.0.0 # Apache-2.0 @@ -12,7 +12,36 @@ commands = ostestr {posargs} whitelist_externals = ostestr [testenv:pep8] -commands = flake8 +commands = + flake8 + bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101 + +[testenv:bandit] +# This command runs the bandit security linter against the openstackclient +# codebase minus the tests directory. Some tests are being excluded to +# reduce the number of positives before a team inspection, and to ensure a +# passing gate job for initial addition. The excluded tests are: +# B105-B107: hardcoded password checks - likely to generate false positives +# in a gate environment +# B401: import subprocess - not necessarily a security issue; this plugin is +# mainly used for penetration testing workflow +# B603,B606: process without shell - not necessarily a security issue; this +# plugin is mainly used for penetration testing workflow +# B607: start process with a partial path - this should be a project level +# decision +# NOTE(elmiko): The following tests are being excluded specifically for +# python-openstackclient, they are being excluded to ensure that voting jobs +# in the project and in bandit integration tests continue to pass. These +# tests have generated issue within the project and should be investigated +# by the project. +# B110: try, except, pass detected - possible security issue; this should be +# investigated by the project for possible exploitation +# B605: process with a shell - possible security issue; this should be +# investigated by the project for possible exploitation +# B101: use of assert - this code will be removed when compiling to optimized +# byte code +commands = + bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101 [testenv:functional] setenv = OS_TEST_PATH=./functional/tests @@ -40,4 +69,4 @@ show-source = True exclude = .git,.tox,dist,doc,*openstack/common*,*lib/python*,*egg,build,tools # If 'ignore' is not set there are default errors and warnings that are set # Doc: http://flake8.readthedocs.org/en/latest/config.html#default -ignore = __
\ No newline at end of file +ignore = __ |