From d765a344ee54b08791ab06149f3e1652e456ac06 Mon Sep 17 00:00:00 2001
From: Yumeng Bao
Date: Wed, 25 Dec 2019 02:07:23 -0800
Subject: [PATCH] Introduce bandit security linter

Cyborg now does not have a code security check, which may connive at possible security issues. For example, shell-related operations for drivers may be insecure. Current "sudo lspci -nnn -D" in huawei ascend driver code[0] is insecure, but there is no any job/test that can check the potential security issues. So this patch introduces bandit as a code security check.

[0]:https://github.com/openstack/cyborg/blob/master/cyborg/accelerator/drivers/aichip/huawei/ascend.py#L69

Change-Id: Ia1f9acbbd176180cb5fe97b1a2eee5f98a95dea6
---
 .zuul.yaml | 24 +++++++++++++++++++
 ...ndit-security-linter-339d3f12b6200d64.yaml | 7 ++++++
 test-requirements.txt | 1 +
 tox.ini | 3 +++
 4 files changed, 35 insertions(+)
 create mode 100644 releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml

diff --git a/.zuul.yaml b/.zuul.yaml
index 073630ea..ea632164 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -9,7 +9,31 @@ jobs:
 - cyborg-tempest
 - cyborg-tempest-ipv6-only
+ - cyborg-tox-bandit:
+ voting: false
 gate:
 jobs:
 - cyborg-tempest
+- job:
+ name: cyborg-tox-bandit
+ parent: openstack-tox
+ timeout: 2400
+ vars:
+ tox_envlist: bandit
+ required-projects:
+ - openstack/requirements
+ irrelevant-files: &gate-irrelevant-files
+ - ^(test-|)requirements.txt$
+ - ^.*\.rst$
+ - ^api-ref/.*$
+ - ^cyborg/cmd/status\.py$
+ - ^cyborg/hacking/.*$
+ - ^cyborg/tests/functional.*$
+ - ^cyborg/tests/unit.*$
+ - ^doc/.*$
+ - ^etc/.*$
+ - ^releasenotes/.*$
+ - ^setup.cfg$
+ - ^tools/.*$
+ - ^tox.ini$
diff --git a/releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml b/releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml
new file mode 100644
index 00000000..1ae41c3e
--- /dev/null
+++ b/releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml
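Review bot: The `irrelevant-files` list on the new `cyborg-tox-bandit` job excludes `^tox.ini$` and `^(test-|)requirements.txt$`, which are exactly the files that define this job's environment (the `[testenv:bandit]` command and the `bandit>=1.6.0` pin added elsewhere in this patch), so a later change that breaks or weakens the bandit invocation would never be exercised by the job that depends on it. `^cyborg/cmd/status\.py$` and `^cyborg/hacking/.*$` are also listed even though `bandit -r cyborg` scans both, so a finding introduced there would only surface on some unrelated change. Drop at least `- ^tox.ini$`, `- ^(test-|)requirements.txt$`, `- ^cyborg/cmd/status\.py$` and `- ^cyborg/hacking/.*$` from the list; the `&gate-irrelevant-files` anchor is defined but not referenced anywhere in this hunk, so if nothing outside it uses the anchor it can go too. With `voting: false` the job reports but never blocks, which is fine for a first run, but since the commit message cites an existing finding in the ascend driver as the motivation, it would help to say how that finding is to be handled before the job becomes voting. The project stanza that owns the `check`/`gate` job lists begins before this hunk.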
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ Introduce bandit check as the code security check, which can help us avoid
+ possible security issues. For example, shell-related operations for drivers
+ may be insecure. With bandit test, it can check the potential security
+ issues.
diff --git a/test-requirements.txt b/test-requirements.txt
index 2175be94..61d06529 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -4,6 +4,7 @@ hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+bandit>=1.6.0 # Apache-2.0
 coverage>=3.6,!=4.4 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 mock>=2.0.0 # BSD
diff --git a/tox.ini b/tox.ini
index 1850b2a4..c7aced56 100644
--- a/tox.ini
+++ b/tox.ini
@@ -100,5 +100,8 @@ builtins = _
 enable-extensions = H106,H203,H904
 exclude=.venv,.git,.tox,dist,doc,*lib/python*,*egg,build,*sqlalchemy/alembic/versions/*,demo/,releasenotes
+[testenv:bandit]
+commands = bandit -r cyborg -x cyborg/tests/* -n 5 -ll
+
 [hacking]
 local-check-factory = cyborg.hacking.checks.factory
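Review bot: `-ll` in the new `[testenv:bandit]` command restricts the report to MEDIUM and HIGH severity, and with no `-i`/`--confidence` option all confidence levels are kept at those severities; LOW-severity findings are silently dropped and nothing in tox.ini records that this threshold is deliberate. Add a comment above the command, `# Report only MEDIUM/HIGH severity (-ll); tests are excluded (-x)`, so whoever tunes the scan later sees the choice rather than rediscovering it. The env declares no `deps`, so it presumably inherits whatever `[testenv]` installs from test-requirements.txt, which lies outside this hunk — worth confirming that `bandit` is in fact installed into this env rather than found on the host. The `*` in `-x cyborg/tests/*` reaches bandit unexpanded because tox does not run commands through a shell, so the exclusion relies on bandit treating the argument as a pattern; check the job output once to confirm that files under cyborg/tests are really skipped.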