From dd0082c343c22d0846e0c892bbca4e4b8e6d4443 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sun, 9 Feb 2025 08:03:34 +0900
Subject: [PATCH] pre-commit: Integrate bandit

Run bandit check from per-commit so that the check is executed in pep8 job. Also remove requirements installed automatically by pre-commit from test-requirements.

Change-Id: I45af8c47afb262882ebbee74ae52446fed741e26
---
 .pre-commit-config.yaml | 7 ++++++-
 test-requirements.txt | 3 ---
 tox.ini | 6 ++++--
 watcher/db/sqlalchemy/job_store.py | 2 +-
 watcher/decision_engine/datasources/manager.py | 2 +-
 watcher/decision_engine/model/element/base.py | 2 +-
 watcher/decision_engine/model/model_root.py | 2 +-
 7 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4902db990..545b1c45c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -34,6 +34,11 @@ repos:
 - id: hacking
 additional_dependencies: []
 exclude: '^(doc|releasenotes|tools)/.*$'
+ - repo: https://github.com/PyCQA/bandit
+ rev: 1.7.6
+ hooks:
+ - id: bandit
+ args: ['-x', 'tests', '-s', 'B101,B311,B320']
 - repo: https://github.com/hhatto/autopep8
 rev: v2.3.1
 hooks:
@@ -54,4 +59,4 @@ repos:
 - repo: https://github.com/PyCQA/doc8
 rev: v1.1.2
 hooks:
- - id: doc8
\ No newline at end of file
+ - id: doc8
diff --git a/test-requirements.txt b/test-requirements.txt
index 1743f85a0..4b261e60e 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,10 +1,7 @@
 coverage>=4.5.1 # Apache-2.0
-doc8>=0.8.0 # Apache-2.0
 freezegun>=0.3.10 # Apache-2.0
-hacking>=7.0.0,<7.1.0 # Apache-2.0
 oslotest>=3.3.0 # Apache-2.0
 testscenarios>=0.5.0 # Apache-2.0/BSD
 testtools>=2.3.0 # MIT
 stestr>=2.0.0 # Apache-2.0
-bandit>=1.6.0 # Apache-2.0
 WebTest>=2.0.27 # MIT
diff --git a/tox.ini b/tox.ini
index 39f044181..d41666428 100644
--- a/tox.ini
+++ b/tox.ini
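Review bot: The bandit hook's `args: ['-x', 'tests', '-s', 'B101,B311,B320']` disables three tests for the whole tree without recording why, and unlike the per-line `# nosec` markers this commit adds in the Python files, a repository-wide `-s` cannot be revisited call site by call site. B311 is the check for the `random` module being used where a CSPRNG is expected, so skipping it globally means a future `random` call on a token or nonce path goes unflagged, and skipping B320 (lxml parsing) globally while annotating the lxml imports with `# nosec: B410` covers the same library two different ways. Suggest a comment directly above the `args:` line naming the reason for each skip, e.g. `# -s: B101 assert (<reason>), B311 random (<reason>), B320 lxml parse (<reason>); prefer per-line nosec for new code`, with the placeholders filled in by whoever knows the rationale. The bare `tests` exclusion presumably relies on bandit's pattern matching to cover `watcher/tests`; since pre-commit passes individual file paths rather than the `watcher` directory the old tox command used, it is worth confirming once that the exclusion still applies.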
@@ -110,8 +110,10 @@ deps = -r{toxinidir}/doc/requirements.txt
 commands = sphinx-build -a -W -E -d releasenotes/build/doctrees --keep-going -b html releasenotes/source releasenotes/build/html
 [testenv:bandit]
-deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -r watcher -x watcher/tests/* -n5 -ll
+skip_install = true
+deps = {[testenv:pep8]deps}
+commands =
+ pre-commit run --all-files --show-diff-on-failure bandit
 [flake8]
 filename = *.py,app.wsgi
diff --git a/watcher/db/sqlalchemy/job_store.py b/watcher/db/sqlalchemy/job_store.py
index 6cd704443..cf0fbc4a7 100644
--- a/watcher/db/sqlalchemy/job_store.py
+++ b/watcher/db/sqlalchemy/job_store.py
@@ -16,7 +16,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-import pickle
+import pickle # nosec: B403
 from apscheduler.jobstores.base import ConflictingIdError
 from apscheduler.jobstores import sqlalchemy
diff --git a/watcher/decision_engine/datasources/manager.py b/watcher/decision_engine/datasources/manager.py
index 8e0959c63..a5845e322 100644
--- a/watcher/decision_engine/datasources/manager.py
+++ b/watcher/decision_engine/datasources/manager.py
@@ -139,7 +139,7 @@ class DataSourceManager(object):
 ds.METRIC_MAP.update(self.metric_map[ds.NAME])
 return ds
 except Exception:
- pass
+ pass # nosec: B110
 raise exception.MetricNotAvailable(metric=metric)
 def load_metric_map(self, file_path):
diff --git a/watcher/decision_engine/model/element/base.py b/watcher/decision_engine/model/element/base.py
index 3dea73130..be2495ccd 100644
--- a/watcher/decision_engine/model/element/base.py
+++ b/watcher/decision_engine/model/element/base.py
@@ -19,7 +19,7 @@
 import abc
 import collections
-from lxml import etree
+from lxml import etree # nosec: B410
 from oslo_log import log
 from watcher.objects import base
diff --git a/watcher/decision_engine/model/model_root.py b/watcher/decision_engine/model/model_root.py
index a38e53314..c05101ec8 100644
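Review bot: The removed command ran bandit with `-n5 -ll`, so only medium-or-higher severity findings failed the `bandit` env, whereas the pre-commit hook the new `commands =` delegates to runs at bandit's default level (the hook's `args` on this page carry no `-l`/`--severity-level`), which is presumably why this same commit has to add `# nosec` markers for low-severity findings such as B403, B110 and B410. That threshold change is recorded neither in tox.ini nor in the commit message; a comment above `[testenv:bandit]`, `# Severity threshold and skips are owned by the bandit hook in .pre-commit-config.yaml (the former -ll no longer applies)`, would stop someone re-adding `-ll` here where it would have no effect. `deps = {[testenv:pep8]deps}` refers to an env outside the hunk, so whether it installs pre-commit cannot be confirmed from here, and with `bandit>=1.6.0` dropped from test-requirements.txt the hook's `rev` is now the only thing pinning the bandit version.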
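Review bot: `import pickle  # nosec: B403` silences the finding without recording why pickle is acceptable in this module, and the same applies to the `# nosec: B410` markers on the lxml imports in base.py and model_root.py. B403 and B410 only flag the import; the security-relevant question is what bytes reach `pickle.loads` (or lxml's parsers) and who can influence them, and that answer lives at the call sites, which are outside these hunks. A bare marker tells the next reader nothing and tends to get copied as a habit, so suggest each one carries its reason, e.g. `import pickle  # nosec: B403 - <why the unpickled data is trusted>` and `from lxml import etree  # nosec: B410 - <what is parsed and where it comes from>`. If the reason cannot be stated in one clause, that is itself a signal to review the deserialisation path rather than suppress the import warning.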
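Review bot: `pass  # nosec: B110` keeps the bare `except Exception: pass` and only hides the finding; B110 flags it because every failure while a datasource is tried (at least the `ds.METRIC_MAP.update(self.metric_map[ds.NAME])` line is inside the `try`) is discarded before control falls through to `raise exception.MetricNotAvailable(metric=metric)`, so an operator sees a generic "metric not available" with no trace of the underlying error. Recording the swallowed exception instead of suppressing the check, `except Exception:` / `    LOG.debug("Datasource lookup for metric %s failed", metric, exc_info=True)`, satisfies bandit without a marker and leaves the evidence needed to diagnose a broken datasource. The enclosing method starts before the hunk, so whether a module-level `LOG` is already in scope in manager.py cannot be confirmed from here.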
--- a/watcher/decision_engine/model/model_root.py
+++ b/watcher/decision_engine/model/model_root.py
@@ -17,7 +17,7 @@ Openstack implementation of the cluster graph.
 """
 import ast
-from lxml import etree
+from lxml import etree # nosec: B410
 import networkx as nx
 from oslo_concurrency import lockutils
 from oslo_log import log