authorOmer Katz <omer.drow@gmail.com>2018-12-20 16:06:57 +0200
committerGitHub <noreply@github.com>2018-12-20 16:06:57 +0200
commitc9a997e0959876393f506a5caf0fc05b5d9edd9e (patch)
tree57f4a78b4301e86570ab875c177431556cba35eb
parent2d9410d17be0a748ae390ea466672157fe373d5a (diff)
parent5d76d02f32b1cdb9af6b9806df907f3802ebb22b (diff)
downloadoauthlib-add-metadata-doc.tar.gz
Merge branch 'master' into add-metadata-docadd-metadata-doc
-rw-r--r--.travis.yml2
-rw-r--r--bandit.json48
-rw-r--r--docs/contributing.rst4
-rw-r--r--requirements-test.txt3
-rw-r--r--tox.ini11
5 files changed, 62 insertions, 6 deletions
diff --git a/.travis.yml b/.travis.yml
index e304ce6..c7978d7 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,6 +15,8 @@ matrix:
env: TOXENV=py36
- python: 3.7
env: TOXENV=py37
+ - python: 3.7
+ env: TOXENV=bandit
- python: pypy3.5
env: TOXENV=pypy3
install:
diff --git a/bandit.json b/bandit.json
new file mode 100644
index 0000000..02e15a8
--- /dev/null
+++ b/bandit.json
@@ -0,0 +1,48 @@
+{
+ "errors": [],
+ "generated_at": "2018-12-13T10:39:37Z",
+ "results": [
+ {
+ "code": "182 if request.body is not None and content_type_eligible:\n183 params.append(('oauth_body_hash', base64.b64encode(hashlib.sha1(request.body.encode('utf-8')).digest()).decode('utf-8')))\n184 \n",
+ "filename": "oauthlib/oauth1/rfc5849/__init__.py",
+ "issue_confidence": "HIGH",
+ "issue_severity": "MEDIUM",
+ "issue_text": "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
+ "line_number": 183,
+ "line_range": [
+ 183
+ ],
+ "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5",
+ "test_id": "B303",
+ "test_name": "blacklist"
+ },
+ {
+ "code": "45 def __init__(self, endpoints, claims={}, raise_errors=True):\n46 assert isinstance(claims, dict)\n47 for endpoint in endpoints:\n",
+ "filename": "oauthlib/oauth2/rfc6749/endpoints/metadata.py",
+ "issue_confidence": "HIGH",
+ "issue_severity": "LOW",
+ "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
+ "line_number": 46,
+ "line_range": [
+ 46
+ ],
+ "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html",
+ "test_id": "B101",
+ "test_name": "assert_used"
+ },
+ {
+ "code": "47 for endpoint in endpoints:\n48 assert isinstance(endpoint, BaseEndpoint)\n49 \n",
+ "filename": "oauthlib/oauth2/rfc6749/endpoints/metadata.py",
+ "issue_confidence": "HIGH",
+ "issue_severity": "LOW",
+ "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
+ "line_number": 48,
+ "line_range": [
+ 48
+ ],
+ "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html",
+ "test_id": "B101",
+ "test_name": "assert_used"
+ }
+ ]
+}
diff --git a/docs/contributing.rst b/docs/contributing.rst
index 771262d..e101f70 100644
--- a/docs/contributing.rst
+++ b/docs/contributing.rst
@@ -144,7 +144,7 @@ the project root via:
.. sourcecode:: bash
- $ python -m unittest discover
+ $ py.test
The first thing the core committers will do is run this command. Any pull
request that fails this test suite will be **rejected**.
@@ -301,7 +301,7 @@ First we pull the code into a local branch::
Then we run the tests::
- python -m unittest discover
+ py.test
We finish with a non-fastforward merge (to preserve the branch history) and push
to GitHub::
diff --git a/requirements-test.txt b/requirements-test.txt
index c3e0a7b..64485a6 100644
--- a/requirements-test.txt
+++ b/requirements-test.txt
@@ -1,3 +1,4 @@
-r requirements.txt
-coverage>=3.7.1
mock>=2.0
+pytest>=4.0
+pytest-cov>=2.6
diff --git a/tox.ini b/tox.ini
index 47237d8..1cac71c 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,12 +1,11 @@
[tox]
-envlist = py27,py34,py35,py36,py37,pypy,pypy3,docs,readme
+envlist = py27,py34,py35,py36,py37,pypy,pypy3,docs,readme,bandit
[testenv]
deps=
-rrequirements-test.txt
commands=
- coverage run --source oauthlib -m unittest discover
- coverage report
+ py.test --cov=oauthlib tests/
# tox -e docs to mimick readthedocs build.
@@ -27,3 +26,9 @@ whitelist_externals=echo
commands=
python setup.py check -r -s
echo setup.py/long description is syntaxly correct
+
+[testenv:bandit]
+skipsdist=True
+deps=bandit
+commands=bandit -b bandit.json -r oauthlib/
+whitelist_externals=bandit
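Review bot: The new `[testenv:bandit]` section installs an unpinned `bandit` and compares against the committed `bandit.json` baseline, so the job's result can shift with each bandit release while the three baselined findings stay out of the report. Pinning the tool, e.g. `deps=bandit==<PINNED_VERSION>`, keeps the run reproducible. `whitelist_externals=bandit` looks unnecessary once bandit is installed through `deps`; it would presumably let a bandit from outside the virtualenv run without tox complaining. Of the baselined entries, the B303 SHA-1 use in `oauthlib/oauth1/rfc5849/__init__.py` would be easier to audit as an inline `# nosec` with a one-line justification beside the code. The two B101 `assert isinstance(...)` checks in `oauthlib/oauth2/rfc6749/endpoints/metadata.py` are argument validation that disappears under `python -O`, so they are better replaced with explicit checks that raise than carried in the baseline.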