From 30d76ff2ea628351d561c9a073aeb3d18db7cfd4 Mon Sep 17 00:00:00 2001
From: elajkat
Date: Wed, 10 Apr 2024 14:58:09 +0200
Subject: [PATCH] bandit: add bandit and bashate checks for tox
Change-Id: I01e312845c6ffb4e130ec1d0882b27aeec664a0f
---
 .pre-commit-config.yaml | 11 +++++++++++
 devstack/plugin.sh | 2 +-
 tox.ini | 22 ++++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 15fd5f7e..30cd1ffd 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -15,6 +15,17 @@ repos:
 - id: check-merge-conflict
 - id: debug-statements
 - id: check-yaml
+ - repo: https://github.com/PyCQA/bandit
+ rev: 1.8.3
+ hooks:
+ - id: bandit
+ # E005 file does not begin with #! or have a .sh prefix
+ # E006 check for lines longer than 79 columns
+ # E042 local declaration hides errors
+ # E043 Arithmetic compound has inconsistent return semantics
+ args: ['-n5', '-sE006,E005,E042,E043']
+ files: 'neutron_taas/'
+ exclude: 'neutron_taas/tests'
 - repo: https://github.com/lucas-c/pre-commit-hooks
 rev: v1.5.4
 hooks:
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 3efb7400..d499fb27 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -33,7 +33,7 @@ function configure_taas_plugin {
 neutron_server_config_add $TAAS_PLUGIN_CONF_FILE
 neutron_service_plugin_class_add taas
 if is_service_enabled tap_mirror; then
- neutron_service_plugin_class_add tapmirror
+ neutron_service_plugin_class_add tapmirror
 fi
 inicomment $TAAS_PLUGIN_CONF_FILE service_providers service_provider
 iniadd $TAAS_PLUGIN_CONF_FILE service_providers service_provider $TAAS_SERVICE_DRIVER
diff --git a/tox.ini b/tox.ini
index 963237b6..83b8a34c 100644
--- a/tox.ini
+++ b/tox.ini
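Review bot: In the `.pre-commit-config.yaml` hunk the bandit hook is given bashate's configuration: the four `# E0xx` comments and `-sE006,E005,E042,E043` are bashate codes, whereas bandit's `-s` expects its own test IDs (the `B…` form that the tox.ini comments in this patch use). Bandit is likely to reject the unknown IDs at start-up, and even if it ran, nothing intended would be skipped, so the security check would not be doing what the config suggests. I would drop the copied comments and use `args: ['-n5']`, adding a `-s` list of `B` IDs only with a comment justifying each accepted finding.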
@@ -39,6 +39,8 @@ commands =
 neutron-db-manage --subproject tap-as-a-service --database-connection sqlite:// check_migration
 {[testenv:genconfig]commands}
 {[testenv:genpolicy]commands}
+ {[testenv:bashate]commands}
+ {[testenv:bandit]commands}
 allowlist_externals = bash
 [testenv:venv]
@@ -106,6 +108,26 @@ extension =
 [hacking]
 import_exceptions = neutron_taas._i18n
+[testenv:bandit]
+deps = {[testenv:pep8]deps}
+# B104: Possible binding to all interfaces
+# B604: any_other_function_with_shell_equals_true
+commands = bandit -r neutron -x tests -n5
+#-s B104,B604
+
+[testenv:bashate]
+deps = {[testenv:pep8]deps}
+commands = bash -c "find {toxinidir} \
+ -not \( -type d -name .tox\* -prune \) \
+ -not \( -type d -name .venv\* -prune \) \
+ -type f \
+ -name \*.sh \
+# E005 file does not begin with #! or have a .sh prefix
+# E006 check for lines longer than 79 columns
+# E042 local declaration hides errors
+# E043 Arithmetic compound has inconsistent return semantics
+ -print0 | xargs -0 bashate -v -iE006 -eE005,E042,E043"
+
 [testenv:genconfig]
 commands = bash {toxinidir}/tools/generate_config_file_samples.sh
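Review bot: In the second tox.ini hunk, `[testenv:bandit]` runs `bandit -r neutron`, while the pre-commit hook added by the same patch targets `neutron_taas/`; if the package directory is `neutron_taas`, the tox job scans none of this project's code and reports success regardless. I would change the line to `commands = bandit -r neutron_taas -x tests -n5`. The trailing `#-s B104,B604` and its two comments are inert as written; either remove them or turn them into an active skip list with a reason for each, so a reader can tell whether binding to all interfaces and shell=True calls are checked. The first hunk inlines both new commands into another env's `commands =` list, so that env's deps must also provide bandit and bashate, which is not visible here.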