Merge "tox: Remove bandit skips, run via pre-commit"
commit
3de6969dbe
@ -26,7 +26,7 @@ repos:
|
|||||||
rev: 1.7.8
|
rev: 1.7.8
|
||||||
hooks:
|
hooks:
|
||||||
- id: bandit
|
- id: bandit
|
||||||
args: ['-x', 'tests', '-s', 'B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101']
|
args: ['-x', 'tests']
|
||||||
- repo: https://opendev.org/openstack/hacking
|
- repo: https://opendev.org/openstack/hacking
|
||||||
rev: 6.1.0
|
rev: 6.1.0
|
||||||
hooks:
|
hooks:
|
||||||
|
@ -113,6 +113,6 @@ class ListModule(command.ShowOne):
|
|||||||
data[k] = mods[k].__version__
|
data[k] = mods[k].__version__
|
||||||
except Exception:
|
except Exception:
|
||||||
# Catch all exceptions, just skip it
|
# Catch all exceptions, just skip it
|
||||||
pass
|
pass # nosec: B110
|
||||||
|
|
||||||
return zip(*sorted(data.items()))
|
return zip(*sorted(data.items()))
|
||||||
|
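Review bot: The `# nosec: B110` on the new `pass` silences the finding without narrowing the catch, yet the only statement visible in the `try` body is an attribute read, `data[k] = mods[k].__version__`, so `except AttributeError:` would state the intent (modules without a `__version__` are skipped) and need no suppression at all. The `try:` line itself is outside the hunk; if that body also imports the module, `except (ImportError, AttributeError):` is the narrow form. The existing comment could then read `# Skip modules that do not expose __version__`.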
@ -2843,11 +2843,12 @@ class ListServer(command.Lister):
|
|||||||
# there are infra failures
|
# there are infra failures
|
||||||
if parsed_args.name_lookup_one_by_one or image_id:
|
if parsed_args.name_lookup_one_by_one or image_id:
|
||||||
for image_id in image_ids:
|
for image_id in image_ids:
|
||||||
# "Image Name" is not crucial, so we swallow any exceptions
|
|
||||||
try:
|
try:
|
||||||
images[image_id] = image_client.get_image(image_id)
|
images[image_id] = image_client.get_image(image_id)
|
||||||
except Exception:
|
except Exception:
|
||||||
pass
|
# retrieving image names is not crucial, so we swallow
|
||||||
|
# any exceptions
|
||||||
|
pass # nosec: B110
|
||||||
else:
|
else:
|
||||||
try:
|
try:
|
||||||
# some deployments can have *loads* of images so we only
|
# some deployments can have *loads* of images so we only
|
||||||
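Review bot: The new `pass # nosec: B110` still discards the exception without a trace, so an expired token, a network fault or an image-service outage shows up only as an empty "Image Name" column with nothing in the log to explain it. `LOG` is already used in this file (see the SshServer hunk), so replacing the `pass` with `LOG.debug("Failed to retrieve image %s", image_id, exc_info=True)` keeps the best-effort behaviour while leaving a record for debugging. The same applies to the `images_list` and the two flavor hunks below, and to the project/server/volume cache hunks in ListUsage, ListUser, ListVolume, ListVolumeBackup and ListVolumeSnapshot, where the logger in scope is not visible in the diff and would need checking. The enclosing method starts and ends outside the hunk.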
@ -2866,7 +2867,9 @@ class ListServer(command.Lister):
|
|||||||
for i in images_list:
|
for i in images_list:
|
||||||
images[i.id] = i
|
images[i.id] = i
|
||||||
except Exception:
|
except Exception:
|
||||||
pass
|
# retrieving image names is not crucial, so we swallow any
|
||||||
|
# exceptions
|
||||||
|
pass # nosec: B110
|
||||||
|
|
||||||
# create a dict that maps flavor_id to flavor object, which is used
|
# create a dict that maps flavor_id to flavor object, which is used
|
||||||
# to display the "Flavor Name" column. Note that 'flavor.id' is not
|
# to display the "Flavor Name" column. Note that 'flavor.id' is not
|
||||||
@ -2878,21 +2881,23 @@ class ListServer(command.Lister):
|
|||||||
for s in data
|
for s in data
|
||||||
if s.flavor and s.flavor.get('id')
|
if s.flavor and s.flavor.get('id')
|
||||||
):
|
):
|
||||||
# "Flavor Name" is not crucial, so we swallow any
|
|
||||||
# exceptions
|
|
||||||
try:
|
try:
|
||||||
flavors[f_id] = compute_client.find_flavor(
|
flavors[f_id] = compute_client.find_flavor(
|
||||||
f_id, ignore_missing=False
|
f_id, ignore_missing=False
|
||||||
)
|
)
|
||||||
except Exception:
|
except Exception:
|
||||||
pass
|
# retrieving flavor names is not crucial, so we swallow
|
||||||
|
# any exceptions
|
||||||
|
pass # nosec: B110
|
||||||
else:
|
else:
|
||||||
try:
|
try:
|
||||||
flavors_list = compute_client.flavors(is_public=None)
|
flavors_list = compute_client.flavors(is_public=None)
|
||||||
for i in flavors_list:
|
for i in flavors_list:
|
||||||
flavors[i.id] = i
|
flavors[i.id] = i
|
||||||
except Exception:
|
except Exception:
|
||||||
pass
|
# retrieving flavor names is not crucial, so we swallow any
|
||||||
|
# exceptions
|
||||||
|
pass # nosec: B110
|
||||||
|
|
||||||
# Populate image_name, image_id, flavor_name and flavor_id attributes
|
# Populate image_name, image_id, flavor_name and flavor_id attributes
|
||||||
# of server objects so that we can display those columns.
|
# of server objects so that we can display those columns.
|
||||||
@ -4805,7 +4810,9 @@ class SshServer(command.Command):
|
|||||||
|
|
||||||
cmd = ' '.join(['ssh', ip_address] + args)
|
cmd = ' '.join(['ssh', ip_address] + args)
|
||||||
LOG.debug("ssh command: {cmd}".format(cmd=cmd))
|
LOG.debug("ssh command: {cmd}".format(cmd=cmd))
|
||||||
os.system(cmd)
|
# we intentionally pass through user-provided arguments and run this in
|
||||||
|
# the user's shell
|
||||||
|
os.system(cmd) # nosec: B605
|
||||||
|
|
||||||
|
|
||||||
class StartServer(command.Command):
|
class StartServer(command.Command):
|
||||||
|
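Review bot: The justification added above `os.system(cmd)` covers only the user-provided `args`, but `ip_address` is part of the same shell string and, as far as the hunk shows, is not typed by the user but resolved from the server (its derivation is outside the hunk), so the `# nosec: B605` rationale should also state that API-sourced data reaches the shell. Quoting that one value keeps the intentional pass-through of the user's arguments while removing the shell's interpretation of the address: `cmd = ' '.join(['ssh', shlex.quote(ip_address)] + args)` (needs `import shlex`). Separately, the pre-existing `LOG.debug("ssh command: {cmd}".format(cmd=cmd))` would conventionally use lazy arguments, `LOG.debug("ssh command: %s", cmd)`.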
@ -182,7 +182,7 @@ class ListUsage(command.Lister):
|
|||||||
project_cache[p.id] = p
|
project_cache[p.id] = p
|
||||||
except Exception:
|
except Exception:
|
||||||
# Just forget it if there's any trouble
|
# Just forget it if there's any trouble
|
||||||
pass
|
pass # nosec: B110
|
||||||
|
|
||||||
if parsed_args.formatter == 'table' and len(usage_list) > 0:
|
if parsed_args.formatter == 'table' and len(usage_list) > 0:
|
||||||
self.app.stdout.write(
|
self.app.stdout.write(
|
||||||
|
@ -252,7 +252,7 @@ class ListUser(command.Lister):
|
|||||||
project_cache[p.id] = p
|
project_cache[p.id] = p
|
||||||
except Exception:
|
except Exception:
|
||||||
# Just forget it if there's any trouble
|
# Just forget it if there's any trouble
|
||||||
pass
|
pass # nosec: B110
|
||||||
formatters['tenantId'] = functools.partial(
|
formatters['tenantId'] = functools.partial(
|
||||||
ProjectColumn, project_cache=project_cache
|
ProjectColumn, project_cache=project_cache
|
||||||
)
|
)
|
||||||
|
@ -424,7 +424,7 @@ class ListVolume(command.Lister):
|
|||||||
server_cache[s.id] = s
|
server_cache[s.id] = s
|
||||||
except Exception:
|
except Exception:
|
||||||
# Just forget it if there's any trouble
|
# Just forget it if there's any trouble
|
||||||
pass
|
pass # nosec: B110
|
||||||
AttachmentsColumnWithCache = functools.partial(
|
AttachmentsColumnWithCache = functools.partial(
|
||||||
AttachmentsColumn, server_cache=server_cache
|
AttachmentsColumn, server_cache=server_cache
|
||||||
)
|
)
|
||||||
|
@ -217,7 +217,7 @@ class ListVolumeBackup(command.Lister):
|
|||||||
volume_cache[s.id] = s
|
volume_cache[s.id] = s
|
||||||
except Exception:
|
except Exception:
|
||||||
# Just forget it if there's any trouble
|
# Just forget it if there's any trouble
|
||||||
pass
|
pass # nosec: B110
|
||||||
VolumeIdColumnWithCache = functools.partial(
|
VolumeIdColumnWithCache = functools.partial(
|
||||||
VolumeIdColumn, volume_cache=volume_cache
|
VolumeIdColumn, volume_cache=volume_cache
|
||||||
)
|
)
|
||||||
|
@ -244,7 +244,7 @@ class ListVolumeSnapshot(command.Lister):
|
|||||||
volume_cache[s.id] = s
|
volume_cache[s.id] = s
|
||||||
except Exception:
|
except Exception:
|
||||||
# Just forget it if there's any trouble
|
# Just forget it if there's any trouble
|
||||||
pass
|
pass # nosec: B110
|
||||||
VolumeIdColumnWithCache = functools.partial(
|
VolumeIdColumnWithCache = functools.partial(
|
||||||
VolumeIdColumn, volume_cache=volume_cache
|
VolumeIdColumn, volume_cache=volume_cache
|
||||||
)
|
)
|
||||||
|
@ -537,7 +537,7 @@ class ListVolume(command.Lister):
|
|||||||
server_cache[s.id] = s
|
server_cache[s.id] = s
|
||||||
except Exception:
|
except Exception:
|
||||||
# Just forget it if there's any trouble
|
# Just forget it if there's any trouble
|
||||||
pass
|
pass # nosec: B110
|
||||||
AttachmentsColumnWithCache = functools.partial(
|
AttachmentsColumnWithCache = functools.partial(
|
||||||
AttachmentsColumn, server_cache=server_cache
|
AttachmentsColumn, server_cache=server_cache
|
||||||
)
|
)
|
||||||
|
@ -325,7 +325,7 @@ class ListVolumeBackup(command.Lister):
|
|||||||
volume_cache[s.id] = s
|
volume_cache[s.id] = s
|
||||||
except Exception:
|
except Exception:
|
||||||
# Just forget it if there's any trouble
|
# Just forget it if there's any trouble
|
||||||
pass
|
pass # nosec: B110
|
||||||
|
|
||||||
_VolumeIdColumn = functools.partial(
|
_VolumeIdColumn = functools.partial(
|
||||||
VolumeIdColumn, volume_cache=volume_cache
|
VolumeIdColumn, volume_cache=volume_cache
|
||||||
|
@ -289,7 +289,7 @@ class ListVolumeSnapshot(command.Lister):
|
|||||||
volume_cache[s.id] = s
|
volume_cache[s.id] = s
|
||||||
except Exception:
|
except Exception:
|
||||||
# Just forget it if there's any trouble
|
# Just forget it if there's any trouble
|
||||||
pass
|
pass # nosec: B110
|
||||||
_VolumeIdColumn = functools.partial(
|
_VolumeIdColumn = functools.partial(
|
||||||
VolumeIdColumn, volume_cache=volume_cache
|
VolumeIdColumn, volume_cache=volume_cache
|
||||||
)
|
)
|
||||||
|
33
tox.ini
33
tox.ini
@ -16,37 +16,18 @@ commands =
|
|||||||
stestr run {posargs}
|
stestr run {posargs}
|
||||||
|
|
||||||
[testenv:pep8]
|
[testenv:pep8]
|
||||||
|
skip_install = true
|
||||||
deps =
|
deps =
|
||||||
pre-commit
|
pre-commit
|
||||||
commands =
|
commands =
|
||||||
pre-commit run --all-files --show-diff-on-failure
|
pre-commit run --all-files --show-diff-on-failure
|
||||||
|
|
||||||
[testenv:bandit]
|
[testenv:bandit]
|
||||||
# This command runs the bandit security linter against the openstackclient
|
skip_install = true
|
||||||
# codebase minus the tests directory. Some tests are being excluded to
|
deps =
|
||||||
# reduce the number of positives before a team inspection, and to ensure a
|
pre-commit
|
||||||
# passing gate job for initial addition. The excluded tests are:
|
|
||||||
# B105-B107: hardcoded password checks - likely to generate false positives
|
|
||||||
# in a gate environment
|
|
||||||
# B401: import subprocess - not necessarily a security issue; this plugin is
|
|
||||||
# mainly used for penetration testing workflow
|
|
||||||
# B603,B606: process without shell - not necessarily a security issue; this
|
|
||||||
# plugin is mainly used for penetration testing workflow
|
|
||||||
# B607: start process with a partial path - this should be a project level
|
|
||||||
# decision
|
|
||||||
# NOTE(elmiko): The following tests are being excluded specifically for
|
|
||||||
# python-openstackclient, they are being excluded to ensure that voting jobs
|
|
||||||
# in the project and in bandit integration tests continue to pass. These
|
|
||||||
# tests have generated issue within the project and should be investigated
|
|
||||||
# by the project.
|
|
||||||
# B110: try, except, pass detected - possible security issue; this should be
|
|
||||||
# investigated by the project for possible exploitation
|
|
||||||
# B605: process with a shell - possible security issue; this should be
|
|
||||||
# investigated by the project for possible exploitation
|
|
||||||
# B101: use of assert - this code will be removed when compiling to optimized
|
|
||||||
# byte code
|
|
||||||
commands =
|
commands =
|
||||||
bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
|
pre-commit run --all-files --show-diff-on-failure bandit
|
||||||
|
|
||||||
[testenv:unit-tips]
|
[testenv:unit-tips]
|
||||||
commands =
|
commands =
|
||||||
|
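Review bot: `[testenv:bandit]` now carries no record of why any finding is suppressed: the removed comment block documented each skipped check, and the replacement relies on inline `# nosec` markers that a reader of this file will not see. A short comment such as `# Findings are suppressed inline with '# nosec <check>' next to a justification; do not reintroduce a global -s skip list` would keep that policy discoverable. The env is also now identical to `[testenv:pep8]` apart from the trailing `bandit` hook id, so stating that it exists only as a convenience alias for running that single hook would save the next maintainer from folding it away.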