pre-commit: Integrate bandit

Run bandit check from per-commit so that the check is executed in pep8 job. Also remove requirements installed automatically by pre-commit from test-requirements. Change-Id: I45af8c47afb262882ebbee74ae52446fed741e26
2025-02-09 08:03:34 +09:00
parent 5f6fbaea56
commit dd0082c343
7 changed files with 14 additions and 10 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -34,6 +34,11 @@ repos:
      - id: hacking
        additional_dependencies: []
        exclude: '^(doc|releasenotes|tools)/.*$'
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.6
+    hooks:
+      - id: bandit
+        args: ['-x', 'tests', '-s', 'B101,B311,B320']
  - repo: https://github.com/hhatto/autopep8
    rev: v2.3.1
    hooks:
@@ -54,4 +59,4 @@ repos:
  - repo: https://github.com/PyCQA/doc8
    rev: v1.1.2
    hooks:
-      - id: doc8
+      - id: doc8
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,10 +1,7 @@
 coverage>=4.5.1 # Apache-2.0
-doc8>=0.8.0 # Apache-2.0
 freezegun>=0.3.10 # Apache-2.0
-hacking>=7.0.0,<7.1.0 # Apache-2.0
 oslotest>=3.3.0 # Apache-2.0
 testscenarios>=0.5.0 # Apache-2.0/BSD
 testtools>=2.3.0 # MIT
 stestr>=2.0.0 # Apache-2.0
-bandit>=1.6.0 # Apache-2.0
 WebTest>=2.0.27 # MIT
--- a/tox.ini
+++ b/tox.ini
@@ -110,8 +110,10 @@ deps = -r{toxinidir}/doc/requirements.txt
 commands = sphinx-build -a -W -E -d releasenotes/build/doctrees --keep-going -b html releasenotes/source releasenotes/build/html

 [testenv:bandit]
-deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -r watcher -x watcher/tests/* -n5 -ll
+skip_install = true
+deps = {[testenv:pep8]deps}
+commands =
+    pre-commit run --all-files --show-diff-on-failure bandit

 [flake8]
 filename = *.py,app.wsgi
--- a/watcher/db/sqlalchemy/job_store.py
+++ b/watcher/db/sqlalchemy/job_store.py
@@ -16,7 +16,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-import pickle
+import pickle  # nosec: B403

 from apscheduler.jobstores.base import ConflictingIdError
 from apscheduler.jobstores import sqlalchemy
--- a/watcher/decision_engine/datasources/manager.py
+++ b/watcher/decision_engine/datasources/manager.py
@@ -139,7 +139,7 @@ class DataSourceManager(object):
                    ds.METRIC_MAP.update(self.metric_map[ds.NAME])
                    return ds
                except Exception:
-                    pass
+                    pass  # nosec: B110
        raise exception.MetricNotAvailable(metric=metric)

    def load_metric_map(self, file_path):
--- a/watcher/decision_engine/model/element/base.py
+++ b/watcher/decision_engine/model/element/base.py
@@ -19,7 +19,7 @@
 import abc
 import collections

-from lxml import etree
+from lxml import etree  # nosec: B410
 from oslo_log import log

 from watcher.objects import base
--- a/watcher/decision_engine/model/model_root.py
+++ b/watcher/decision_engine/model/model_root.py
@@ -17,7 +17,7 @@ Openstack implementation of the cluster graph.
 """

 import ast
-from lxml import etree
+from lxml import etree  # nosec: B410
 import networkx as nx
 from oslo_concurrency import lockutils
 from oslo_log import log