python-openstackclient/tox.ini
Michael McCune 505659b0aa add a bandit environment to tox
This change is being proposed as part of the OpenStack Security Project
working session at the Austin 2016 summit. It adds support for running
the bandit[1] security linting tool against the python-openstackclient
codebase. This change adds a targetted environment for bandit and also
adds bandit as part of the pep8 job.

The bandit configuration has been tailored to exclude tests that are
currently producing warning against the codebase. These issues will be
followed up with bug reports and patches.

[1]: https://wiki.openstack.org/wiki/Security/Projects/Bandit

Depends-On: Iccd81c17e84df03d249c1012277dad9cb68c5845
Change-Id: I691829c1224557d1d239c9f665ac539d0f13c4d3
2016-04-28 14:52:33 -04:00

73 lines
2.7 KiB
INI

[tox]
minversion = 1.6
envlist = py34,py27,pep8
skipdist = True
[testenv]
usedevelop = True
install_command = pip install -U {opts} {packages}
setenv = VIRTUAL_ENV={envdir}
deps = -r{toxinidir}/test-requirements.txt
commands = ostestr {posargs}
whitelist_externals = ostestr
[testenv:pep8]
commands =
flake8
bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
[testenv:bandit]
# This command runs the bandit security linter against the openstackclient
# codebase minus the tests directory. Some tests are being excluded to
# reduce the number of positives before a team inspection, and to ensure a
# passing gate job for initial addition. The excluded tests are:
# B105-B107: hardcoded password checks - likely to generate false positives
# in a gate environment
# B401: import subprocess - not necessarily a security issue; this plugin is
# mainly used for penetration testing workflow
# B603,B606: process without shell - not necessarily a security issue; this
# plugin is mainly used for penetration testing workflow
# B607: start process with a partial path - this should be a project level
# decision
# NOTE(elmiko): The following tests are being excluded specifically for
# python-openstackclient, they are being excluded to ensure that voting jobs
# in the project and in bandit integration tests continue to pass. These
# tests have generated issue within the project and should be investigated
# by the project.
# B110: try, except, pass detected - possible security issue; this should be
# investigated by the project for possible exploitation
# B605: process with a shell - possible security issue; this should be
# investigated by the project for possible exploitation
# B101: use of assert - this code will be removed when compiling to optimized
# byte code
commands =
bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
[testenv:functional]
setenv = OS_TEST_PATH=./functional/tests
passenv = OS_*
[testenv:venv]
commands = {posargs}
[testenv:cover]
commands =
python setup.py test --coverage --testr-args='{posargs}'
coverage report
[testenv:debug]
commands = oslo_debug_helper -t openstackclient/tests {posargs}
[testenv:docs]
commands = python setup.py build_sphinx
[testenv:releasenotes]
commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
[flake8]
show-source = True
exclude = .git,.tox,dist,doc,*openstack/common*,*lib/python*,*egg,build,tools
# If 'ignore' is not set there are default errors and warnings that are set
# Doc: http://flake8.readthedocs.org/en/latest/config.html#default
ignore = __