authorOmer Katz <omer.drow@gmail.com>2018-12-17 16:04:26 +0200
committerGitHub <noreply@github.com>2018-12-17 16:04:26 +0200
commite9c6f01bc6f89e6b90f2c9b61e6a9878d5612147 (patch)
treecadc199546285753f61380da3eda6a8bdb2c17a0
parent8de1e52fabdd9c3738a012bb88e2234d1bd06255 (diff)
downloadoauthlib-e9c6f01bc6f89e6b90f2c9b61e6a9878d5612147.tar.gz
Added bandit to CI to avoid security issues (#627)
* Added bandit to CI to avoid security issues. * Remove basepython for bandit. * Remove metrics.
-rw-r--r--.travis.yml2
-rw-r--r--bandit.json48
-rw-r--r--tox.ini8
3 files changed, 57 insertions, 1 deletions
diff --git a/.travis.yml b/.travis.yml
index e304ce6..c7978d7 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,6 +15,8 @@ matrix:
env: TOXENV=py36
- python: 3.7
env: TOXENV=py37
+ - python: 3.7
+ env: TOXENV=bandit
- python: pypy3.5
env: TOXENV=pypy3
install:
diff --git a/bandit.json b/bandit.json
new file mode 100644
index 0000000..02e15a8
--- /dev/null
+++ b/bandit.json
@@ -0,0 +1,48 @@
+{
+ "errors": [],
+ "generated_at": "2018-12-13T10:39:37Z",
+ "results": [
+ {
+ "code": "182 if request.body is not None and content_type_eligible:\n183 params.append(('oauth_body_hash', base64.b64encode(hashlib.sha1(request.body.encode('utf-8')).digest()).decode('utf-8')))\n184 \n",
+ "filename": "oauthlib/oauth1/rfc5849/__init__.py",
+ "issue_confidence": "HIGH",
+ "issue_severity": "MEDIUM",
+ "issue_text": "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
+ "line_number": 183,
+ "line_range": [
+ 183
+ ],
+ "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5",
+ "test_id": "B303",
+ "test_name": "blacklist"
+ },
+ {
+ "code": "45 def __init__(self, endpoints, claims={}, raise_errors=True):\n46 assert isinstance(claims, dict)\n47 for endpoint in endpoints:\n",
+ "filename": "oauthlib/oauth2/rfc6749/endpoints/metadata.py",
+ "issue_confidence": "HIGH",
+ "issue_severity": "LOW",
+ "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
+ "line_number": 46,
+ "line_range": [
+ 46
+ ],
+ "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html",
+ "test_id": "B101",
+ "test_name": "assert_used"
+ },
+ {
+ "code": "47 for endpoint in endpoints:\n48 assert isinstance(endpoint, BaseEndpoint)\n49 \n",
+ "filename": "oauthlib/oauth2/rfc6749/endpoints/metadata.py",
+ "issue_confidence": "HIGH",
+ "issue_severity": "LOW",
+ "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
+ "line_number": 48,
+ "line_range": [
+ 48
+ ],
+ "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html",
+ "test_id": "B101",
+ "test_name": "assert_used"
+ }
+ ]
+}
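Review bot: Committing this baseline makes bandit accept the SHA-1 finding at `oauthlib/oauth1/rfc5849/__init__.py:183` without recording why it is acceptable; the reason — `oauth_body_hash` is defined over SHA-1 by the OAuth Request Body Hash specification, so it is an interoperability requirement rather than a free choice — belongs next to the code as `# nosec B303 - oauth_body_hash is specified over SHA-1 by the OAuth Request Body Hash extension; not a security boundary`, not in an opaque generated file. As far as I recall, bandit's baseline comparison matches on filename, test id, text, severity and confidence rather than line number, so this entry would also hide any future MD5/SHA-1 call added anywhere in that file; verify that before relying on the baseline as the only suppression mechanism. The two B101 entries baseline `assert isinstance(...)` checks in `metadata.py` that are compiled away under `python -O`, which means misconfigured `claims`/`endpoints` arguments would pass silently in optimised deployments; raising `TypeError` explicitly there would remove both findings instead of suppressing them. The `generated_at` timestamp and embedded `line_number`/`code` fields will drift on every edit to those files, so expect noisy regenerations of this file.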
diff --git a/tox.ini b/tox.ini
index 47237d8..4893175 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,5 +1,5 @@
[tox]
-envlist = py27,py34,py35,py36,py37,pypy,pypy3,docs,readme
+envlist = py27,py34,py35,py36,py37,pypy,pypy3,docs,readme,bandit
[testenv]
deps=
@@ -27,3 +27,9 @@ whitelist_externals=echo
commands=
python setup.py check -r -s
echo setup.py/long description is syntaxly correct
+
+[testenv:bandit]
+skipsdist=True
+deps=bandit
+commands=bandit -b bandit.json -r oauthlib/
+whitelist_externals=bandit
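Review bot: `skipsdist=True` is a `[tox]`-section option and is not honoured inside a `[testenv:...]` section, so the package will still be built and installed for this env; the per-env equivalent is `skip_install=True`. `deps=bandit` is unpinned, so CI pulls whatever bandit release PyPI serves at run time — a security tool fetched unpinned is itself a supply-chain exposure, and new checks in a newer release will break the build unpredictably against the committed baseline; pin it to the release the baseline was generated with, e.g. `deps=bandit==<pinned version>`. `whitelist_externals=bandit` is unnecessary because bandit is installed into the env by `deps` and resolves from the env's bin directory; listing it as an external would let a stray `bandit` on the runner's PATH be used instead. Suggested section: `skip_install=True`, `deps=bandit==<pinned version>`, `commands=bandit -b bandit.json -r oauthlib/`.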