From f78601fd8e8c09380c10e27176d54428479ace5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herv=C3=A9=20Beraud?=
Date: Fri, 19 May 2023 16:22:58 +0200
Subject: [PATCH] Bump bandit and make oslo.versionedobjects compatible with latest rules
Change-Id: I3da9745c8f9f4b5832f41933af6f177b0f876bb5
---
 oslo_versionedobjects/tests/test_fixture.py | 21 ++++++++++++++++++---
 test-requirements.txt | 2 +-
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/oslo_versionedobjects/tests/test_fixture.py b/oslo_versionedobjects/tests/test_fixture.py
index 47211e91..f991f745 100644
--- a/oslo_versionedobjects/tests/test_fixture.py
+++ b/oslo_versionedobjects/tests/test_fixture.py
@@ -538,8 +538,13 @@ class TestObjectVersionChecker(test.TestCase):
 exp_methods = sorted([('remotable_method', argspec),
 ('remotable_classmethod', argspec)])
 expected_relevant_data = (exp_fields, exp_methods)
+ # NOTE(hberaud) the following hashlib usage will emit a bandit
+ # warning. It can be solved by passing `usedforsecurity=False` to
+ # the md5 function, however, this parameter was introduced with py39
+ # so passing it will break py38 unittest. I'd suggest to ignore this
+ # bandit rule while py38 is in our supported runtimes.
 expected_hash = hashlib.md5(bytes(repr(
- expected_relevant_data).encode())).hexdigest()
+ expected_relevant_data).encode())).hexdigest() # nosec
 expected_fp = '%s-%s' % (MyObject.VERSION, expected_hash)
 self.assertEqual(expected_fp, fp, "_get_fingerprint() did not "
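Review bot: The bare `# nosec` on the `hexdigest()` line silences every bandit check for that statement, not only the weak-hash finding the NOTE describes, and the same applies to the two later hunks in this file (the `exp_relevant_data` digests at -564 and -594). If the bandit release selected by the new pin accepts a test ID after the marker, scope it, e.g. `expected_relevant_data).encode())).hexdigest()  # nosec B324`; which ID actually fires (B324 or the older B303) should be confirmed on the supported interpreters. The NOTE also records only the py38 constraint, so adding `# md5 is a change-detection fingerprint here, not a security control` would tell a later auditor why the suppression is acceptable. The test method starts above this hunk and its assertion continues below it.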
@@ -564,8 +569,13 @@ class TestObjectVersionChecker(test.TestCase):
 child_versions.items()))
 exp_relevant_data = (exp_fields, exp_methods, exp_child_versions)
+ # NOTE(hberaud) the following hashlib usage will emit a bandit
+ # warning. It can be solved by passing `usedforsecurity=False` to
+ # the md5 function, however, this parameter was introduced with py39
+ # so passing it will break py38 unittest. I'd suggest to ignore this
+ # bandit rule while py38 is in our supported runtimes.
 expected_hash = hashlib.md5(bytes(repr(
- exp_relevant_data).encode())).hexdigest()
+ exp_relevant_data).encode())).hexdigest() # nosec
 expected_fp = '%s-%s' % (MyObject.VERSION, expected_hash)
 self.assertEqual(expected_fp, fp, "_get_fingerprint() did not "
@@ -594,8 +604,13 @@ class TestObjectVersionChecker(test.TestCase):
 exp_extra_data = ExtraDataObj
 exp_relevant_data = (exp_fields, exp_methods, exp_extra_data)
+ # NOTE(hberaud) the following hashlib usage will emit a bandit
+ # warning. It can be solved by passing `usedforsecurity=False` to
+ # the md5 function, however, this parameter was introduced with py39
+ # so passing it will break py38 unittest. I'd suggest to ignore this
+ # bandit rule while py38 is in our supported runtimes.
 expected_hash = hashlib.md5(bytes(repr(
- exp_relevant_data).encode())).hexdigest()
+ exp_relevant_data).encode())).hexdigest() # nosec
 expected_fp = '%s-%s' % (ExtraDataObj.VERSION, expected_hash)
 self.assertEqual(expected_fp, fp, "_get_fingerprint() did not "
diff --git a/test-requirements.txt b/test-requirements.txt
index 6ba22a84..4e2c2a2d 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -11,6 +11,6 @@ stestr>=2.0.0 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 # Bandit security code scanner
-bandit>=1.6.0,<1.7.0 # Apache-2.0
+bandit>=1.7.0,<1.8.0 # Apache-2.0
 pre-commit>=2.6.0 # MIT
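Review bot: The five-line NOTE and the suppressed `hashlib.md5(bytes(repr(...).encode())).hexdigest()` expression are repeated verbatim in three test methods of test_fixture.py (the hunks at -538, -564 and -594), so removing the suppression once py38 leaves the supported runtimes needs three edits that can drift apart. A small private helper on the test class that wraps the md5 call and carries the NOTE once would reduce each call site to `expected_hash = self._md5_hex(exp_relevant_data)`; the helper name is a suggestion, not something in the patch. It would also leave a single suppressed line to re-audit when the bandit pin moves again. The enclosing test methods begin before and end after the lines shown in each hunk.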