From 0646f9b4e4296dbbf14de3f887ea87350e773212 Mon Sep 17 00:00:00 2001
From: Stephen Finucane
Date: Fri, 26 Apr 2024 12:51:18 +0100
Subject: [PATCH] tox: Remove bandit skips, run via pre-commit
Most of these skips were unnecessary. The few that did generate warnings could be skipped. We also set 'skip_install' since there's no reason to build the package for linting purposes.
Change-Id: I9644e5c19720b9c41c60e0a5882b7cd7f6a71f7b
Signed-off-by: Stephen Finucane
---
 .pre-commit-config.yaml | 2 +-
 openstackclient/common/module.py | 2 +-
 openstackclient/compute/v2/server.py | 23 +++++++++-----
 openstackclient/compute/v2/usage.py | 2 +-
 openstackclient/identity/v2_0/user.py | 2 +-
 openstackclient/volume/v1/volume.py | 2 +-
 openstackclient/volume/v1/volume_backup.py | 2 +-
 openstackclient/volume/v1/volume_snapshot.py | 2 +-
 openstackclient/volume/v2/volume.py | 2 +-
 openstackclient/volume/v2/volume_backup.py | 2 +-
 openstackclient/volume/v2/volume_snapshot.py | 2 +-
 tox.ini | 33 +++++---------------
 12 files changed, 32 insertions(+), 44 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a65c70b42d..9c384867d1 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -26,7 +26,7 @@ repos:
 rev: 1.7.8
 hooks:
 - id: bandit
- args: ['-x', 'tests', '-s', 'B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101']
+ args: ['-x', 'tests']
 - repo: https://opendev.org/openstack/hacking
 rev: 6.1.0
 hooks:
diff --git a/openstackclient/common/module.py b/openstackclient/common/module.py
index 486a27cc15..585fdf8234 100644
--- a/openstackclient/common/module.py
+++ b/openstackclient/common/module.py
@@ -113,6 +113,6 @@ class ListModule(command.ShowOne):
 data[k] = mods[k].__version__
 except Exception:
 # Catch all exceptions, just skip it
- pass
+ pass # nosec: B110
 return zip(*sorted(data.items()))
diff --git a/openstackclient/compute/v2/server.py b/openstackclient/compute/v2/server.py
index ce0a75550d..1d97c349c3 100644
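Review bot: The handler around `data[k] = mods[k].__version__` still catches `Exception`, and the new `# nosec: B110` only hides the finding rather than resolving it; a module that exposes no version attribute raises `AttributeError`, so `except AttributeError:` would keep the skip behaviour while no longer swallowing unrelated errors. With bandit's default `check_typed_exception: False`, B110 does not fire on a typed handler, so the nosec marker would become unnecessary. This assumes the `try` body, which begins outside the hunk, contains only that attribute read; if other statements sit in it, their expected exception types belong in the tuple too. The enclosing `ListModule.take_action` starts outside the hunk.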
--- a/openstackclient/compute/v2/server.py
+++ b/openstackclient/compute/v2/server.py
@@ -2843,11 +2843,12 @@ class ListServer(command.Lister):
 # there are infra failures
 if parsed_args.name_lookup_one_by_one or image_id:
 for image_id in image_ids:
- # "Image Name" is not crucial, so we swallow any exceptions
 try:
 images[image_id] = image_client.get_image(image_id)
 except Exception:
- pass
+ # retrieving image names is not crucial, so we swallow # any exceptions
+ pass # nosec: B110
 else:
 try:
 # some deployments can have *loads* of images so we only
@@ -2866,7 +2867,9 @@ class ListServer(command.Lister):
 for i in images_list:
 images[i.id] = i
 except Exception:
- pass
+ # retrieving image names is not crucial, so we swallow any # exceptions
+ pass # nosec: B110
 # create a dict that maps flavor_id to flavor object, which is used
 # to display the "Flavor Name" column. Note that 'flavor.id' is not
@@ -2878,21 +2881,23 @@ class ListServer(command.Lister):
 for s in data
 if s.flavor and s.flavor.get('id')
 ):
- # "Flavor Name" is not crucial, so we swallow any
- # exceptions
 try:
 flavors[f_id] = compute_client.find_flavor(
 f_id, ignore_missing=False
 )
 except Exception:
- pass
+ # retrieving flavor names is not crucial, so we swallow # any exceptions
+ pass # nosec: B110
 else:
 try:
 flavors_list = compute_client.flavors(is_public=None)
 for i in flavors_list:
 flavors[i.id] = i
 except Exception:
- pass
+ # retrieving flavor names is not crucial, so we swallow any # exceptions
+ pass # nosec: B110
 # Populate image_name, image_id, flavor_name and flavor_id attributes
 # of server objects so that we can display those columns.
@@ -4805,7 +4810,9 @@ class SshServer(command.Command):
 cmd = ' '.join(['ssh', ip_address] + args)
 LOG.debug("ssh command: {cmd}".format(cmd=cmd))
- os.system(cmd)
+ # we intentionally pass through user-provided arguments and run this in # the user's shell
+ os.system(cmd) # nosec: B605
 class StartServer(command.Command):
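Review bot: The four `pass  # nosec: B110` handlers in this file (this hunk and the ones at 2866 and 2878) keep the lookup failures completely silent, although `LOG` is already in scope in this module (it is used in the `SshServer` hunk further down). Binding the exception and logging it, `except Exception as e:` followed by `LOG.debug("Failed to look up image %s: %s", image_id, e)`, keeps the best-effort behaviour, leaves a trace at debug level when names go missing from the listing, and removes the `try/except/pass` shape that B110 matches, so the nosec marker is not needed. The same replacement fits the `pass  # nosec: B110` sites in usage.py, user.py and the volume list commands, provided those modules have a logger, which is not visible here. The enclosing `ListServer.take_action` starts and ends outside the hunk.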
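Review bot: The new comment justifies shell interpretation for the user-provided `args`, but `ip_address` is interpolated into the same shell string, and if it comes from the server's address data returned by the API (its origin is outside the hunk) it is not something the invoking user typed. Quoting that one token, `cmd = ' '.join(['ssh', shlex.quote(ip_address)] + args)`, keeps the deliberate pass-through of the user's arguments while guaranteeing the address reaches `ssh` as a single argument; `shlex.quote` leaves ordinary IPv4 and IPv6 literals unchanged, and `import shlex` would need adding to the module's import block, which is outside the hunk. Validating with `ipaddress.ip_address(ip_address)` before the join is the stricter alternative, rejecting anything that is not an address at all. The `LOG.debug("ssh command: {cmd}".format(cmd=cmd))` line would also read better in the lazy form `LOG.debug("ssh command: %s", cmd)`. `SshServer.take_action` starts outside the hunk.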
diff --git a/openstackclient/compute/v2/usage.py b/openstackclient/compute/v2/usage.py
index c89296794a..0d62bc6a02 100644
--- a/openstackclient/compute/v2/usage.py
+++ b/openstackclient/compute/v2/usage.py
@@ -182,7 +182,7 @@ class ListUsage(command.Lister):
 project_cache[p.id] = p
 except Exception:
 # Just forget it if there's any trouble
- pass
+ pass # nosec: B110
 if parsed_args.formatter == 'table' and len(usage_list) > 0:
 self.app.stdout.write(
diff --git a/openstackclient/identity/v2_0/user.py b/openstackclient/identity/v2_0/user.py
index 7bcbc45151..10d2f18c3a 100644
--- a/openstackclient/identity/v2_0/user.py
+++ b/openstackclient/identity/v2_0/user.py
@@ -252,7 +252,7 @@ class ListUser(command.Lister):
 project_cache[p.id] = p
 except Exception:
 # Just forget it if there's any trouble
- pass
+ pass # nosec: B110
 formatters['tenantId'] = functools.partial(
 ProjectColumn, project_cache=project_cache
 )
diff --git a/openstackclient/volume/v1/volume.py b/openstackclient/volume/v1/volume.py
index 168fed4ab8..0248642b08 100644
--- a/openstackclient/volume/v1/volume.py
+++ b/openstackclient/volume/v1/volume.py
@@ -424,7 +424,7 @@ class ListVolume(command.Lister):
 server_cache[s.id] = s
 except Exception:
 # Just forget it if there's any trouble
- pass
+ pass # nosec: B110
 AttachmentsColumnWithCache = functools.partial(
 AttachmentsColumn, server_cache=server_cache
 )
diff --git a/openstackclient/volume/v1/volume_backup.py b/openstackclient/volume/v1/volume_backup.py
index 241fd3010c..c90dec1951 100644
--- a/openstackclient/volume/v1/volume_backup.py
+++ b/openstackclient/volume/v1/volume_backup.py
@@ -217,7 +217,7 @@ class ListVolumeBackup(command.Lister):
 volume_cache[s.id] = s
 except Exception:
 # Just forget it if there's any trouble
- pass
+ pass # nosec: B110
 VolumeIdColumnWithCache = functools.partial(
 VolumeIdColumn, volume_cache=volume_cache
 )
diff --git a/openstackclient/volume/v1/volume_snapshot.py b/openstackclient/volume/v1/volume_snapshot.py
index 81960635a0..fd4bb774a4 100644
--- a/openstackclient/volume/v1/volume_snapshot.py
+++ b/openstackclient/volume/v1/volume_snapshot.py
@@ -244,7 +244,7 @@ class ListVolumeSnapshot(command.Lister):
 volume_cache[s.id] = s
 except Exception:
 # Just forget it if there's any trouble
- pass
+ pass # nosec: B110
 VolumeIdColumnWithCache = functools.partial(
 VolumeIdColumn, volume_cache=volume_cache
 )
diff --git a/openstackclient/volume/v2/volume.py b/openstackclient/volume/v2/volume.py
index f530b85080..98f4a5caba 100644
--- a/openstackclient/volume/v2/volume.py
+++ b/openstackclient/volume/v2/volume.py
@@ -537,7 +537,7 @@ class ListVolume(command.Lister):
 server_cache[s.id] = s
 except Exception:
 # Just forget it if there's any trouble
- pass
+ pass # nosec: B110
 AttachmentsColumnWithCache = functools.partial(
 AttachmentsColumn, server_cache=server_cache
 )
diff --git a/openstackclient/volume/v2/volume_backup.py b/openstackclient/volume/v2/volume_backup.py
index 64c7865129..4454d17b04 100644
--- a/openstackclient/volume/v2/volume_backup.py
+++ b/openstackclient/volume/v2/volume_backup.py
@@ -325,7 +325,7 @@ class ListVolumeBackup(command.Lister):
 volume_cache[s.id] = s
 except Exception:
 # Just forget it if there's any trouble
- pass
+ pass # nosec: B110
 _VolumeIdColumn = functools.partial(
 VolumeIdColumn, volume_cache=volume_cache
diff --git a/openstackclient/volume/v2/volume_snapshot.py b/openstackclient/volume/v2/volume_snapshot.py
index 0ca87144bc..93560f53cc 100644
--- a/openstackclient/volume/v2/volume_snapshot.py
+++ b/openstackclient/volume/v2/volume_snapshot.py
@@ -289,7 +289,7 @@ class ListVolumeSnapshot(command.Lister):
 volume_cache[s.id] = s
 except Exception:
 # Just forget it if there's any trouble
- pass
+ pass # nosec: B110
 _VolumeIdColumn = functools.partial(
 VolumeIdColumn, volume_cache=volume_cache
 )
diff --git a/tox.ini b/tox.ini
index 369b7c7d82..b97f72acea 100644
--- a/tox.ini
+++ b/tox.ini
@@ -16,37 +16,18 @@ commands = stestr run {posargs}
 [testenv:pep8]
+skip_install = true
 deps =
- pre-commit
+ pre-commit
 commands =
- pre-commit run --all-files --show-diff-on-failure
+ pre-commit run --all-files --show-diff-on-failure
 [testenv:bandit]
-# This command runs the bandit security linter against the openstackclient
-# codebase minus the tests directory. Some tests are being excluded to
-# reduce the number of positives before a team inspection, and to ensure a
-# passing gate job for initial addition. The excluded tests are:
-# B105-B107: hardcoded password checks - likely to generate false positives
-# in a gate environment
-# B401: import subprocess - not necessarily a security issue; this plugin is
-# mainly used for penetration testing workflow
-# B603,B606: process without shell - not necessarily a security issue; this
-# plugin is mainly used for penetration testing workflow
-# B607: start process with a partial path - this should be a project level
-# decision
-# NOTE(elmiko): The following tests are being excluded specifically for
-# python-openstackclient, they are being excluded to ensure that voting jobs
-# in the project and in bandit integration tests continue to pass. These
-# tests have generated issue within the project and should be investigated
-# by the project.
-# B110: try, except, pass detected - possible security issue; this should be
-# investigated by the project for possible exploitation
-# B605: process with a shell - possible security issue; this should be
-# investigated by the project for possible exploitation
-# B101: use of assert - this code will be removed when compiling to optimized
-# byte code
+skip_install = true
+deps =
+ pre-commit
 commands =
- bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
+ pre-commit run --all-files --show-diff-on-failure bandit
 [testenv:unit-tips]
 commands =
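Review bot: `[testenv:bandit]` now repeats `skip_install = true` and `deps = pre-commit` from `[testenv:pep8]` verbatim; tox's section substitution, `deps = {[testenv:pep8]deps}`, would keep the two environments in step when the pre-commit dependency changes. The removed comment block was also the only place that recorded why each bandit test was skipped, and with the skip list gone that rationale now lives only in the per-site `# nosec` comments, so a one-line pointer here, e.g. `# bandit findings are suppressed per site with '# nosec: <id>' plus a reason`, would spare the next reader a search for where the old list went.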