Merge "Fix bandit gate jobs"

This commit is contained in:
Jenkins 2016-08-28 15:51:00 +00:00 committed by Gerrit Code Review
commit 1fd2d434b1
8 changed files with 26 additions and 17 deletions

View File

@ -67,7 +67,7 @@ EXAMPLES = '''
import json import json
import pyudev import pyudev
import re import re
import subprocess import subprocess # nosec
def get_id_part_entry_name(dev): def get_id_part_entry_name(dev):
@ -84,7 +84,10 @@ def get_id_part_entry_name(dev):
part = re.sub(r'.*[^\d]', '', dev.device_node) part = re.sub(r'.*[^\d]', '', dev.device_node)
parent = dev.find_parent('block').device_node parent = dev.find_parent('block').device_node
# NOTE(Mech422): Need to use -i as -p truncates the partition name # NOTE(Mech422): Need to use -i as -p truncates the partition name
out = subprocess.Popen(['/usr/sbin/sgdisk', '-i', part, parent], # TODO(pbourke): Consider some form of validation to be performed on
# part/parent [0]
out = subprocess.Popen(['/usr/sbin/sgdisk', '-i', part, # nosec [0]
parent],
stdout=subprocess.PIPE).communicate() stdout=subprocess.PIPE).communicate()
match = re.search(r'Partition name: \'(\w+)\'', out[0]) match = re.search(r'Partition name: \'(\w+)\'', out[0])
if match: if match:

View File

@ -22,6 +22,7 @@
# in upstream shade we will be able to use more of the shade module. Until then # in upstream shade we will be able to use more of the shade module. Until then
# if we want to be 'stable' we really need to be using it as a passthrough # if we want to be 'stable' we really need to be using it as a passthrough
import tempfile
import traceback import traceback
import shade import shade
@ -34,9 +35,9 @@ class SanityChecks(object):
@staticmethod @staticmethod
def glance(cloud): def glance(cloud):
open("/tmp/blank.qcow2", 'a').close() with tempfile.NamedTemporaryfile(suffix='qcow2') as image:
cloud.create_image("test", filename="/tmp/blank.qcow2", cloud.create_image("test", filename=image.name,
disk_format="qcow2", container_format="bare") disk_format="qcow2", container_format="bare")
testid = cloud.get_image_id("test") testid = cloud.get_image_id("test")
cloud.delete_image(testid) cloud.delete_image(testid)

View File

@ -24,7 +24,7 @@
# at this time. Once Docker updates with this feature we will usre this again. # at this time. Once Docker updates with this feature we will usre this again.
import nsenter import nsenter
import subprocess import subprocess # nosec
import sys import sys
@ -36,7 +36,7 @@ def host_mnt_exec(cmd):
'1', '1',
'mnt', 'mnt',
proc='/var/lib/kolla/host_proc/')) proc='/var/lib/kolla/host_proc/'))
process_ = subprocess.Popen(cmd) process_ = subprocess.Popen(cmd) # nosec
except Exception as e: except Exception as e:
print( print(
@ -64,5 +64,5 @@ else:
if len(sys.argv) == 2: if len(sys.argv) == 2:
cmd = cmd + sys.argv[1:] cmd = cmd + sys.argv[1:]
process_ = subprocess.Popen(cmd) process_ = subprocess.Popen(cmd) # nosec
sys.exit(process_.returncode) sys.exit(process_.returncode)

View File

@ -13,7 +13,7 @@
# limitations under the License. # limitations under the License.
import json import json
import subprocess import subprocess # nosec
import traceback import traceback
@ -23,9 +23,11 @@ def extract_gospel_node(term):
def main(): def main():
try: try:
# TODO(pbourke): see if can get gospel node without requiring shell
raw_status = subprocess.check_output( raw_status = subprocess.check_output(
"rabbitmqctl eval 'rabbit_clusterer:status().'", "/usr/sbin/rabbitmqctl eval 'rabbit_clusterer:status().'",
shell=True, stderr=subprocess.STDOUT shell=True, stderr=subprocess.STDOUT # nosec: this command appears
# to require a shell to work
) )
if "Rabbit is running in cluster configuration" not in raw_status: if "Rabbit is running in cluster configuration" not in raw_status:
raise AttributeError raise AttributeError

View File

@ -19,7 +19,7 @@ This script is a simple wrapper used to create and rebalance Swift ring files.
""" """
import argparse import argparse
import subprocess import subprocess # nosec
import sys import sys
@ -54,7 +54,10 @@ def setup_args():
def run_cmd(cmd): def run_cmd(cmd):
print(' '.join(cmd)) print(' '.join(cmd))
subprocess.call(cmd) # NOTE(sdake): [0] we expect Operators to run this command and for their
# environment to be properly secured. Since this is not a network
# facing tool, there is no risk of untrusted input.
subprocess.call(cmd) # nosec [0]
def run(args): def run(args):

View File

@ -22,7 +22,7 @@ import yaml
from Crypto.PublicKey import RSA from Crypto.PublicKey import RSA
def generate_RSA(bits=2048): def generate_RSA(bits=4096):
new_key = RSA.generate(bits, os.urandom) new_key = RSA.generate(bits, os.urandom)
private_key = new_key.exportKey("PEM") private_key = new_key.exportKey("PEM")
public_key = new_key.publickey().exportKey("OpenSSH") public_key = new_key.publickey().exportKey("OpenSSH")
@ -52,7 +52,7 @@ def main():
length = 40 length = 40
with open(passwords_file, 'r') as f: with open(passwords_file, 'r') as f:
passwords = yaml.load(f.read()) passwords = yaml.safe_load(f.read())
for k, v in passwords.items(): for k, v in passwords.items():
if (k in ssh_keys and if (k in ssh_keys and

View File

@ -32,7 +32,7 @@ def main():
for filename in args.input: for filename in args.input:
with open(filename) as fd: with open(filename) as fd:
try: try:
yaml.load(fd) yaml.safe_load(fd)
except yaml.error.YAMLError as error: except yaml.error.YAMLError as error:
res = 1 res = 1
logging.error('%s failed validation: %s', logging.error('%s failed validation: %s',

View File

@ -26,7 +26,7 @@ commands =
{toxinidir}/tools/validate-all-dockerfiles.sh {toxinidir}/tools/validate-all-dockerfiles.sh
[testenv:bandit] [testenv:bandit]
commands = bandit -r ansible/library dev docker kolla tests tools commands = bandit -r ansible/library docker kolla tests tools
[testenv:venv] [testenv:venv]
commands = {posargs} commands = {posargs}