cyborg/tox.ini
Yumeng Bao d765a344ee Introduce bandit security linter
Cyborg currently has no code security check, so possible security issues
can go unnoticed. For example, shell-related operations in drivers
may be insecure. The current "sudo lspci -nnn -D" call in the huawei ascend driver code[0]
is insecure, but there is no job/test that can check for such potential security
issues. So this patch introduces bandit as a code security check.

[0]:https://github.com/openstack/cyborg/blob/master/cyborg/accelerator/drivers/aichip/huawei/ascend.py#L69

Change-Id: Ia1f9acbbd176180cb5fe97b1a2eee5f98a95dea6
2020-01-05 19:49:22 -08:00


[tox]
# Environments run by a bare `tox` invocation; every other [testenv:NAME]
# section in this file has to be requested explicitly with `tox -e NAME`.
envlist = py36,py37,pep8
minversion = 2.0
# No sdist is built. [testenv:bindep] relies on this setting.
skipsdist = True
[testenv]
# Base settings; [testenv:NAME] sections fall back to these for any key they
# do not set themselves.
basepython = python3
usedevelop = True
# `rm` is the one executable outside the virtualenv that the commands use.
whitelist_externals = rm
# Reuse the constrained pip invocation from [testenv:common-constraints].
install_command = {[testenv:common-constraints]install_command}
setenv =
    VIRTUAL_ENV={envdir}
    OS_TEST_PATH=cyborg/tests/unit
deps =
    -r{toxinidir}/requirements.txt
    -r{toxinidir}/test-requirements.txt
# Remove .testrepository/times.dbm, then run the tests with stestr; extra
# tox arguments are forwarded to stestr.
commands =
    rm -f .testrepository/times.dbm
    stestr run --slowest {posargs}
[testenv:common-constraints]
# pip installs against the constraints file named by UPPER_CONSTRAINTS_FILE.
# When that variable is unset, the default URL below is used, so the
# constraints list is fetched over HTTPS at install time.
# Other sections reference this value as
# {[testenv:common-constraints]install_command}.
install_command = pip install -c{env:UPPER_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} {opts} {packages}
[testenv:genpolicy]
# Runs oslopolicy-sample-generator with the generator config under
# tools/config. Uses the same envdir as [testenv:genconfig].
envdir = {toxworkdir}/venv
sitepackages = False
commands =
    oslopolicy-sample-generator --config-file=tools/config/cyborg-policy-generator.conf
[testenv:genconfig]
# Runs oslo-config-generator with the generator config under tools/config.
# Uses the same envdir as [testenv:genpolicy].
envdir = {toxworkdir}/venv
sitepackages = False
commands =
    oslo-config-generator --config-file=tools/config/cyborg-config-generator.conf
[testenv:bindep]
# Installs nothing except bindep itself, so the environment stays fast and
# still works when system dependencies are missing, which is exactly what it
# is there to report. bindep therefore has to be installed on its own rather
# than through the requirements files, and develop mode is switched off so
# the checked-out repo is not installed either (this further relies on
# "tox.skipsdist = True" in [tox]).
usedevelop = False
deps = bindep
commands =
    bindep test
[testenv:pep8]
# Style checks: flake8 (configured in [flake8]) and doc8 over the RST
# documentation listed on its command line (configured in [doc8]).
commands =
    flake8
    doc8 doc/source/ CONTRIBUTING.rst HACKING.rst README.rst
[testenv:pep8-constraints]
# flake8 only, installed with the constrained pip command; extra tox
# arguments are forwarded to flake8.
install_command = {[testenv:common-constraints]install_command}
commands =
    flake8 {posargs}
[testenv:venv]
# Runs whatever command is given as extra arguments on the tox command line
# inside this environment.
commands =
    {posargs}
[testenv:cover]
# Coverage run: PYTHON is set to a `coverage run` invocation in parallel
# mode, the tests are run with stestr, then the per-process data is combined
# and reported as HTML (cover/), XML (cover/coverage.xml) and console text.
# NOTE(review): this setenv takes the place of the [testenv] one, so
# VIRTUAL_ENV and OS_TEST_PATH are presumably not set here; confirm that is
# intended.
setenv =
    PYTHON=coverage run --source cyborg --parallel-mode
commands =
    stestr run {posargs}
    coverage combine
    coverage html -d cover
    coverage xml -o cover/coverage.xml
    coverage report
[doc8]
# Paths doc8 skips: virtualenv and VCS directories, locale files, installed
# packages, egg metadata, build output and doc/source/contributor/api.
ignore-path = .venv,.git,.tox,*cyborg/locale*,*lib/python*,*cyborg.egg*,api-ref/build,doc/build,doc/source/contributor/api
[testenv:docs]
# Builds the HTML documentation from doc/source into doc/build/html.
# -W makes sphinx-build treat warnings as errors.
deps =
    -r{toxinidir}/doc/requirements.txt
commands =
    sphinx-build -W -b html doc/source doc/build/html
[testenv:releasenotes]
# Builds the release notes as HTML from releasenotes/source into
# releasenotes/build/html. -W makes sphinx-build treat warnings as errors.
deps =
    -r{toxinidir}/doc/requirements.txt
commands =
    sphinx-build -a -W -E -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
[testenv:debug]
# Runs oslo_debug_helper against cyborg/tests; extra tox arguments are
# forwarded to it.
commands =
    oslo_debug_helper -t cyborg/tests {posargs}
[testenv:api-ref]
# Called from CI scripts to test and publish the API reference to
# docs.openstack.org.
whitelist_externals = rm
deps =
    -r{toxinidir}/doc/requirements.txt
# Delete the previous build output first. -W makes sphinx-build treat
# warnings as errors.
commands =
    rm -rf api-ref/build
    sphinx-build -W -b html -d api-ref/build/doctrees api-ref/source api-ref/build/html
[flake8]
# Files flake8 checks, and the trees it skips.
filename = *.py,app.wsgi
exclude = .venv,.git,.tox,dist,doc,*lib/python*,*egg,build,*sqlalchemy/alembic/versions/*,demo/,releasenotes
# Treat `_` as a builtin name so its use is not reported as undefined.
builtins = _
# Checks switched off, and off-by-default checks switched on.
ignore = E123,E125,H405
enable-extensions = H106,H203,H904
# Print the offending source line with each finding.
show-source = True
[testenv:bandit]
# Static security scan of the cyborg package with bandit:
#   -r cyborg          scan the package recursively
#   -x cyborg/tests/*  leave the test tree out of the scan
#   -n 5               print at most five lines of code per finding
#   -ll                report findings of medium severity and above only
# NOTE(review): with -ll, findings bandit rates as low severity are not
# reported at all; confirm that threshold is the intended one.
# NOTE(review): tox does not pass commands through a shell, so the -x pattern
# reaches bandit unexpanded, and how it is matched depends on the bandit
# version; confirm the test tree is really excluded.
# NOTE(review): "bandit" is not in the [tox] envlist, so this scan runs only
# as `tox -e bandit` or from a job that names it explicitly.
# NOTE(review): deps are inherited from [testenv]; bandit is presumably
# listed in test-requirements.txt, which should be confirmed.
commands =
    bandit -r cyborg -x cyborg/tests/* -n 5 -ll
[hacking]
# Dotted path of the factory that registers the project's local hacking
# checks.
local-check-factory = cyborg.hacking.checks.factory