tox: Remove bandit skips, run via pre-commit

Most of these skips were unnecessary. The few that did generate warnings could be skipped. We also set 'skip_install' since there's no reason to build the package for linting purposes. Change-Id: I9644e5c19720b9c41c60e0a5882b7cd7f6a71f7b Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2024-04-26 12:51:18 +01:00 · 2024-04-26 12:51:18 +01:00 · 0646f9b4e4
commit 0646f9b4e4
parent 648d8df578
12 changed files with 32 additions and 44 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -26,7 +26,7 @@ repos:
    rev: 1.7.8
    hooks:
      - id: bandit
-        args: ['-x', 'tests', '-s', 'B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101']
+        args: ['-x', 'tests']
  - repo: https://opendev.org/openstack/hacking
    rev: 6.1.0
    hooks:
--- a/openstackclient/common/module.py
+++ b/openstackclient/common/module.py
@ -113,6 +113,6 @@ class ListModule(command.ShowOne):
                            data[k] = mods[k].__version__
                    except Exception:
                        # Catch all exceptions, just skip it
-                        pass
+                        pass  # nosec: B110

        return zip(*sorted(data.items()))
--- a/openstackclient/compute/v2/server.py
+++ b/openstackclient/compute/v2/server.py
@ -2843,11 +2843,12 @@ class ListServer(command.Lister):
            # there are infra failures
            if parsed_args.name_lookup_one_by_one or image_id:
                for image_id in image_ids:
-                    # "Image Name" is not crucial, so we swallow any exceptions
                    try:
                        images[image_id] = image_client.get_image(image_id)
                    except Exception:
-                        pass
+                        # retrieving image names is not crucial, so we swallow
+                        # any exceptions
+                        pass  # nosec: B110
            else:
                try:
                    # some deployments can have *loads* of images so we only
@ -2866,7 +2867,9 @@ class ListServer(command.Lister):
                    for i in images_list:
                        images[i.id] = i
                except Exception:
-                    pass
+                    # retrieving image names is not crucial, so we swallow any
+                    # exceptions
+                    pass  # nosec: B110

            # create a dict that maps flavor_id to flavor object, which is used
            # to display the "Flavor Name" column. Note that 'flavor.id' is not
@ -2878,21 +2881,23 @@ class ListServer(command.Lister):
                    for s in data
                    if s.flavor and s.flavor.get('id')
                ):
-                    # "Flavor Name" is not crucial, so we swallow any
-                    # exceptions
                    try:
                        flavors[f_id] = compute_client.find_flavor(
                            f_id, ignore_missing=False
                        )
                    except Exception:
-                        pass
+                        # retrieving flavor names is not crucial, so we swallow
+                        # any exceptions
+                        pass  # nosec: B110
            else:
                try:
                    flavors_list = compute_client.flavors(is_public=None)
                    for i in flavors_list:
                        flavors[i.id] = i
                except Exception:
-                    pass
+                    # retrieving flavor names is not crucial, so we swallow any
+                    # exceptions
+                    pass  # nosec: B110

        # Populate image_name, image_id, flavor_name and flavor_id attributes
        # of server objects so that we can display those columns.
@ -4805,7 +4810,9 @@ class SshServer(command.Command):

        cmd = ' '.join(['ssh', ip_address] + args)
        LOG.debug("ssh command: {cmd}".format(cmd=cmd))
-        os.system(cmd)
+        # we intentionally pass through user-provided arguments and run this in
+        # the user's shell
+        os.system(cmd)  # nosec: B605


 class StartServer(command.Command):
--- a/openstackclient/compute/v2/usage.py
+++ b/openstackclient/compute/v2/usage.py
@ -182,7 +182,7 @@ class ListUsage(command.Lister):
                project_cache[p.id] = p
        except Exception:
            # Just forget it if there's any trouble
-            pass
+            pass  # nosec: B110

        if parsed_args.formatter == 'table' and len(usage_list) > 0:
            self.app.stdout.write(
--- a/openstackclient/identity/v2_0/user.py
+++ b/openstackclient/identity/v2_0/user.py
@ -252,7 +252,7 @@ class ListUser(command.Lister):
                    project_cache[p.id] = p
            except Exception:
                # Just forget it if there's any trouble
-                pass
+                pass  # nosec: B110
            formatters['tenantId'] = functools.partial(
                ProjectColumn, project_cache=project_cache
            )
--- a/openstackclient/volume/v1/volume.py
+++ b/openstackclient/volume/v1/volume.py
@ -424,7 +424,7 @@ class ListVolume(command.Lister):
                server_cache[s.id] = s
        except Exception:
            # Just forget it if there's any trouble
-            pass
+            pass  # nosec: B110
        AttachmentsColumnWithCache = functools.partial(
            AttachmentsColumn, server_cache=server_cache
        )
--- a/openstackclient/volume/v1/volume_backup.py
+++ b/openstackclient/volume/v1/volume_backup.py
@ -217,7 +217,7 @@ class ListVolumeBackup(command.Lister):
                volume_cache[s.id] = s
        except Exception:
            # Just forget it if there's any trouble
-            pass
+            pass  # nosec: B110
        VolumeIdColumnWithCache = functools.partial(
            VolumeIdColumn, volume_cache=volume_cache
        )
--- a/openstackclient/volume/v1/volume_snapshot.py
+++ b/openstackclient/volume/v1/volume_snapshot.py
@ -244,7 +244,7 @@ class ListVolumeSnapshot(command.Lister):
                volume_cache[s.id] = s
        except Exception:
            # Just forget it if there's any trouble
-            pass
+            pass  # nosec: B110
        VolumeIdColumnWithCache = functools.partial(
            VolumeIdColumn, volume_cache=volume_cache
        )
--- a/openstackclient/volume/v2/volume.py
+++ b/openstackclient/volume/v2/volume.py
@ -537,7 +537,7 @@ class ListVolume(command.Lister):
                    server_cache[s.id] = s
            except Exception:
                # Just forget it if there's any trouble
-                pass
+                pass  # nosec: B110
        AttachmentsColumnWithCache = functools.partial(
            AttachmentsColumn, server_cache=server_cache
        )
--- a/openstackclient/volume/v2/volume_backup.py
+++ b/openstackclient/volume/v2/volume_backup.py
@ -325,7 +325,7 @@ class ListVolumeBackup(command.Lister):
                volume_cache[s.id] = s
        except Exception:
            # Just forget it if there's any trouble
-            pass
+            pass  # nosec: B110

        _VolumeIdColumn = functools.partial(
            VolumeIdColumn, volume_cache=volume_cache
--- a/openstackclient/volume/v2/volume_snapshot.py
+++ b/openstackclient/volume/v2/volume_snapshot.py
@ -289,7 +289,7 @@ class ListVolumeSnapshot(command.Lister):
                volume_cache[s.id] = s
        except Exception:
            # Just forget it if there's any trouble
-            pass
+            pass  # nosec: B110
        _VolumeIdColumn = functools.partial(
            VolumeIdColumn, volume_cache=volume_cache
        )
--- a/tox.ini
+++ b/tox.ini
@ -16,37 +16,18 @@ commands =
    stestr run {posargs}

 [testenv:pep8]
+skip_install = true
 deps =
-  pre-commit
+    pre-commit
 commands =
-  pre-commit run --all-files --show-diff-on-failure
+    pre-commit run --all-files --show-diff-on-failure

 [testenv:bandit]
-# This command runs the bandit security linter against the openstackclient
-# codebase minus the tests directory. Some tests are being excluded to
-# reduce the number of positives before a team inspection, and to ensure a
-# passing gate job for initial addition. The excluded tests are:
-# B105-B107: hardcoded password checks - likely to generate false positives
-#            in a gate environment
-# B401: import subprocess - not necessarily a security issue; this plugin is
-#       mainly used for penetration testing workflow
-# B603,B606: process without shell - not necessarily a security issue; this
-#            plugin is mainly used for penetration testing workflow
-# B607: start process with a partial path - this should be a project level
-#       decision
-# NOTE(elmiko): The following tests are being excluded specifically for
-# python-openstackclient, they are being excluded to ensure that voting jobs
-# in the project and in bandit integration tests continue to pass. These
-# tests have generated issue within the project and should be investigated
-# by the project.
-# B110: try, except, pass detected - possible security issue; this should be
-#       investigated by the project for possible exploitation
-# B605: process with a shell - possible security issue; this should be
-#       investigated by the project for possible exploitation
-# B101: use of assert - this code will be removed when compiling to optimized
-#       byte code
+skip_install = true
+deps =
+    pre-commit
 commands =
-    bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
+    pre-commit run --all-files --show-diff-on-failure bandit

 [testenv:unit-tips]
 commands =