Turn on bandit check as part of pep8

Add bandit job as part of pep8 in tox.ini Had to fix one issue and mark two instances of try except pass as OK so that bandit will pass Change-Id: Ia1c96e27d1bae360c6ae0d4131665e2b712f573f
2017-02-08 08:50:28 -07:00 · 2017-02-08 08:50:28 -07:00 · 7082ded836
commit 7082ded836
parent 70f75304ff
4 changed files with 23 additions and 6 deletions
--- a/monasca_persister/persister.py
+++ b/monasca_persister/persister.py
@ -1,4 +1,4 @@
-# (C) Copyright 2014-2016 Hewlett Packard Enterprise Development Company LP
+# (C) Copyright 2014-2017 Hewlett Packard Enterprise Development LP
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -100,7 +100,9 @@ def clean_exit(signum, frame=None):
            if process.is_alive():
                process.terminate()  # Sends sigterm which any processes after a notification is sent attempt to handle
                wait_for_exit = True
-        except Exception:
+        except Exception:  # nosec
+            # There is really nothing to do if the kill fails, so just go on.
+            # The # nosec keeps bandit from reporting this as a security issue
            pass

    # wait for a couple seconds to give the subprocesses a chance to shut down correctly.
@ -112,7 +114,9 @@ def clean_exit(signum, frame=None):
        LOG.debug('Killing pid %s' % child.pid)
        try:
            os.kill(child.pid, signal.SIGKILL)
-        except Exception:
+        except Exception:  # nosec
+            # There is really nothing to do if the kill fails, so just go on.
+            # The # nosec keeps bandit from reporting this as a security issue
            pass

    if signum == signal.SIGTERM:
--- a/monasca_persister/repositories/influxdb/init.py
+++ b/monasca_persister/repositories/influxdb/init.py
@ -1,4 +1,4 @@
-# (C) Copyright 2016 Hewlett Packard Enterprise Development Company LP
+# (C) Copyright 2016-2017 Hewlett Packard Enterprise Development LP
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -18,7 +18,7 @@ influxdb_opts = [cfg.StrOpt('database_name'),
                 cfg.StrOpt('ip_address'),
                 cfg.StrOpt('port'),
                 cfg.StrOpt('user'),
-                 cfg.StrOpt('password')]
+                 cfg.StrOpt('password', secret=True)]

 influxdb_group = cfg.OptGroup(name='influxdb', title='influxdb')
 cfg.CONF.register_group(influxdb_group)
--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -1,6 +1,7 @@
 # The order of packages is significant, because pip processes them in the order
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
+bandit>=1.1.0  # Apache-2.0
 flake8<2.6.0,>=2.5.4 # MIT
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 coverage>=4.0 # Apache-2.0
--- a/tox.ini
+++ b/tox.ini
@ -50,11 +50,19 @@ commands =
  oslo_debug_helper -t monasca_persister/tests {posargs}

 [testenv:pep8]
-commands = flake8
+deps =
+  {[testenv]deps}
+commands =
+  {[testenv:flake8]commands}
+  {[bandit]commands}

 [testenv:venv]
 commands = {posargs}

+[testenv:flake8]
+commands =
+    flake8 monasca_persister
+
 [flake8]
 max-line-length = 120
 # TODO: ignored checks should be enabled in the future
@ -62,3 +70,7 @@ max-line-length = 120
 # H904  Wrap long lines in parentheses instead of a backslash
 ignore = F821,H405,H904,E126,E125,H306,E302,E122
 exclude=.venv,.git,.tox,dist,*egg,build
+
+[bandit]
+commands =
+  bandit -r monasca_persister -n5 -x monasca_persister/tests