From caf925349ac7b95eb5cd5c6a7242cf20c1e06855 Mon Sep 17 00:00:00 2001
From: Kaifeng Wang
Date: Mon, 3 Jun 2019 15:04:41 +0800
Subject: [PATCH] Incorporate bandit support in CI
Change-Id: I0ffe0c12e9e32f32d2b400b5756fc2148a2993a0
Story: 2005791
Task: 33518
---
 lower-constraints.txt | 1 +
 test-requirements.txt | 1 +
 tox.ini | 5 +++++
 zuul.d/ironic-jobs.yaml | 22 ++++++++++++++++++++++
 zuul.d/project.yaml | 2 ++
 5 files changed, 31 insertions(+)
diff --git a/lower-constraints.txt b/lower-constraints.txt
index 859c210448..9756f30f14 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -5,6 +5,7 @@ appdirs==1.4.3
 asn1crypto==0.24.0
 automaton==1.9.0
 Babel==2.3.4
+bandit==1.1.0
 bashate==0.5.1
 beautifulsoup4==4.6.0
 blockdiag==1.5.3
diff --git a/test-requirements.txt b/test-requirements.txt
index 373d2a4da9..56cca0300c 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -19,3 +19,4 @@ WebTest>=2.0.27 # MIT
 bashate>=0.5.1 # Apache-2.0
 flake8-import-order>=0.13 # LGPLv3
 Pygments>=2.2.0 # BSD
+bandit!=1.6.0,>=1.1.0,<2.0.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 7b0ae57609..39b7bea1d8 100644
--- a/tox.ini
+++ b/tox.ini
@@ -145,3 +145,8 @@ deps =
 -c{toxinidir}/lower-constraints.txt
 -r{toxinidir}/test-requirements.txt
 -r{toxinidir}/requirements.txt
+
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r ironic -x tests -n5 -ll
diff --git a/zuul.d/ironic-jobs.yaml b/zuul.d/ironic-jobs.yaml
index 22c17fac76..b1355bdd5e 100644
--- a/zuul.d/ironic-jobs.yaml
+++ b/zuul.d/ironic-jobs.yaml
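Review bot: The new `bandit!=1.6.0,>=1.1.0,<2.0.0 # Apache-2.0` line excludes a single release without saying why, so whoever next raises the floor has no way to tell whether the exclusion can go. Presumably it avoids the 1.6.0 regression in `-x`/`--exclude` path handling, which would make the `-x tests` exclusion in the tox.ini hunk of this same change stop working; if that is the reason, record it inline, e.g. `bandit!=1.6.0,>=1.1.0,<2.0.0 # Apache-2.0 (1.6.0 breaks -x path exclusion)`. The `bandit==1.1.0` entry in the lower-constraints.txt hunk agrees with the floor set here.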
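Review bot: The `commands = bandit -r ironic -x tests -n5 -ll` line in the new `[testenv:bandit]` is undocumented and its effect is not obvious: `-ll` reports only medium- and high-severity findings, so low-severity results are silently dropped from CI, and as far as I can tell the bandit 1.x releases this change allows match the `-x` argument as a substring of each scanned file's path, so `tests` excludes any path containing that word rather than just `ironic/tests/`. A comment above the env would capture that, e.g. `# Scan ironic/ for medium/high severity findings; -x tests skips the unit-test tree (substring match on the path), -n5 shows 5 lines of context`, and a narrower exclusion such as `-x ironic/tests` would make the intent explicit. The env also installs test-requirements.txt without a constraints file, unlike the `-c{toxinidir}/lower-constraints.txt` line visible just above it; if the other envs in tox.ini pin one, this one should too so the scanner version is reproducible.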
@@ -493,3 +493,25 @@
 IRONIC_IPXE_ENABLED: False
 IRONIC_BOOT_MODE: uefi
 IRONIC_AUTOMATED_CLEAN_ENABLED: False
+
+- job:
+ # Security testing for known issues
+ name: ironic-tox-bandit
+ parent: openstack-tox
+ timeout: 2400
+ vars:
+ tox_envlist: bandit
+ required-projects:
+ - openstack/ironic
+ irrelevant-files:
+ - ^.*\.rst$
+ - ^api-ref/.*$
+ - ^doc/.*$
+ - ^driver-requirements.txt$
+ - ^install-guide/.*$
+ - ^ironic/locale/.*$
+ - ^ironic/tests/.*$
+ - ^releasenotes/.*$
+ - ^setup.cfg$
+ - ^tools/.*$
+ - ^tox.ini$
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 8afa209c11..2e244351ed 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -27,6 +27,8 @@
 - ironic-tempest-bfv
 - ironic-tempest-ipa-partition-uefi-pxe-grub2
 # Non-voting jobs
+ - ironic-tox-bandit:
+ voting: false
 - ironic-tempest-ipa-wholedisk-bios-pxe_snmp-tinyipa:
 voting: false
 - ironic-inspector-tempest:
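Review bot: `- ^tox.ini$` in the new job's `irrelevant-files` means a change that edits the `[testenv:bandit]` command in tox.ini — the definition of what `ironic-tox-bandit` actually runs — will not trigger this job, so a broken or weakened scan command could merge without the scan ever executing. Drop that entry so tox.ini changes exercise the job; `^ironic/tests/.*$` can stay, since it is consistent with the `-x tests` exclusion in the tox.ini hunk. The `# Security testing for known issues` comment could also say what the job does, e.g. `# Runs bandit static analysis (tox -e bandit) over the ironic package; non-voting in project.yaml`.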