Turn on bandit check as part of pep8

Add bandit job as part of pep8 in tox.ini

Had to fix one issue and mark two instances of try/except/pass as OK so that
bandit will pass

Change-Id: Ia1c96e27d1bae360c6ae0d4131665e2b712f573f
Craig Bryant 2017-02-08 08:50:28 -07:00
parent 70f75304ff
commit 7082ded836
4 changed files with 23 additions and 6 deletions


@ -1,4 +1,4 @@
# (C) Copyright 2014-2016 Hewlett Packard Enterprise Development Company LP # (C) Copyright 2014-2017 Hewlett Packard Enterprise Development LP
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -100,7 +100,9 @@ def clean_exit(signum, frame=None):
if process.is_alive(): if process.is_alive():
process.terminate() # Sends sigterm which any processes after a notification is sent attempt to handle process.terminate() # Sends sigterm which any processes after a notification is sent attempt to handle
wait_for_exit = True wait_for_exit = True
except Exception: except Exception: # nosec
# There is really nothing to do if the kill fails, so just go on.
# The # nosec keeps bandit from reporting this as a security issue
pass pass
# wait for a couple seconds to give the subprocesses a chance to shut down correctly. # wait for a couple seconds to give the subprocesses a chance to shut down correctly.
@ -112,7 +114,9 @@ def clean_exit(signum, frame=None):
LOG.debug('Killing pid %s' % child.pid) LOG.debug('Killing pid %s' % child.pid)
try: try:
os.kill(child.pid, signal.SIGKILL) os.kill(child.pid, signal.SIGKILL)
except Exception: except Exception: # nosec
# There is really nothing to do if the kill fails, so just go on.
# The # nosec keeps bandit from reporting this as a security issue
pass pass
if signum == signal.SIGTERM: if signum == signal.SIGTERM:
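Review bot: The `# nosec` marker on the `except Exception:` line in both hunks silences the bandit finding without narrowing the handler, so a failure to kill a child (the `os.kill` in the second hunk raises `OSError`, and `process.terminate()` in the first presumably surfaces the same) is indistinguishable from a bug in the try body, and a child that could not be killed leaves no trace in the log. Catching the specific error and recording it keeps the best-effort semantics the comment describes and removes the need for the suppression: for the second hunk `except OSError as e:` followed by `LOG.debug('Failed to kill pid %s: %s', child.pid, e)`, with the equivalent in the first hunk. The enclosing clean_exit body starts before the first hunk and continues past the second.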


@ -1,4 +1,4 @@
# (C) Copyright 2016 Hewlett Packard Enterprise Development Company LP # (C) Copyright 2016-2017 Hewlett Packard Enterprise Development LP
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -18,7 +18,7 @@ influxdb_opts = [cfg.StrOpt('database_name'),
cfg.StrOpt('ip_address'), cfg.StrOpt('ip_address'),
cfg.StrOpt('port'), cfg.StrOpt('port'),
cfg.StrOpt('user'), cfg.StrOpt('user'),
cfg.StrOpt('password')] cfg.StrOpt('password', secret=True)]
influxdb_group = cfg.OptGroup(name='influxdb', title='influxdb') influxdb_group = cfg.OptGroup(name='influxdb', title='influxdb')
cfg.CONF.register_group(influxdb_group) cfg.CONF.register_group(influxdb_group)
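Review bot: `secret=True` on the `password` option only changes how oslo.config masks the value when it logs option values; none of the influxdb options carry `help=` text, so a generated sample config cannot tell an operator what the value is for or that it is treated as a secret. At minimum the sensitive option should say so: `cfg.StrOpt('password', secret=True, help='Password for the InfluxDB user (masked in logged option values)')`. The file that holds the value still needs restrictive permissions; that is not something this option can enforce.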


@ -1,6 +1,7 @@
# The order of packages is significant, because pip processes them in the order # The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration # of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later. # process, which may cause wedges in the gate later.
bandit>=1.1.0 # Apache-2.0
flake8<2.6.0,>=2.5.4 # MIT flake8<2.6.0,>=2.5.4 # MIT
hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
coverage>=4.0 # Apache-2.0 coverage>=4.0 # Apache-2.0
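Review bot: `bandit>=1.1.0` has no upper bound while the neighbouring `flake8` and `hacking` entries cap their versions; because bandit now gates pep8 via tox.ini and new bandit releases add checks, an upstream release can start failing the gate without any change in this repository. If the project's shared requirements allow it, cap it in the same style as the other linters, e.g. `bandit>=1.1.0,<2.0 # Apache-2.0` (constructed bound; use whatever the global requirements permit).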

14
tox.ini

@ -50,11 +50,19 @@ commands =
oslo_debug_helper -t monasca_persister/tests {posargs} oslo_debug_helper -t monasca_persister/tests {posargs}
[testenv:pep8] [testenv:pep8]
commands = flake8 deps =
{[testenv]deps}
commands =
{[testenv:flake8]commands}
{[bandit]commands}
[testenv:venv] [testenv:venv]
commands = {posargs} commands = {posargs}
[testenv:flake8]
commands =
flake8 monasca_persister
[flake8] [flake8]
max-line-length = 120 max-line-length = 120
# TODO: ignored checks should be enabled in the future # TODO: ignored checks should be enabled in the future
@ -62,3 +70,7 @@ max-line-length = 120
# H904 Wrap long lines in parentheses instead of a backslash # H904 Wrap long lines in parentheses instead of a backslash
ignore = F821,H405,H904,E126,E125,H306,E302,E122 ignore = F821,H405,H904,E126,E125,H306,E302,E122
exclude=.venv,.git,.tox,dist,*egg,build exclude=.venv,.git,.tox,dist,*egg,build
[bandit]
commands =
bandit -r monasca_persister -n5 -x monasca_persister/tests
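Review bot: `[bandit]` is a plain ini section rather than a tox environment, so the scan can only run as part of pep8 and `tox -e bandit` is not available, unlike the `[testenv:flake8]` environment defined above it. Defining it as `[testenv:bandit]` with `commands = bandit -r monasca_persister -n5 -x monasca_persister/tests` and referencing `{[testenv:bandit]commands}` from pep8 keeps the current behaviour and makes the scan runnable on its own. The command runs at bandit's default severity and confidence thresholds, so the `-x monasca_persister/tests` exclusion and the `# nosec` markers are the only filtering; a one-line comment recording why the test tree is excluded would help the next maintainer. `[testenv:pep8]` now inherits `{[testenv]deps}`, which lies outside this hunk; bandit must be provided by those deps (presumably via test-requirements.txt) for the command to resolve.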