Enable bandit for utilities

Story: 2008929
Task: 42530

Change-Id: Id63488414ae16b384549fcf8cbd9805b5b1a81ad
Signed-off-by: Chen, Haochuan Z <haochuan.z.chen@intel.com>

.zuul.yaml

@@ -4,10 +4,14 @@
       jobs:
         - openstack-tox-linters
         - stx-tox-pylint
+        - utilities-ceph-manager-tox-bandit
+        - utilities-ceph-client-tox-bandit
     gate:
       jobs:
         - openstack-tox-linters
         - stx-tox-pylint
+        - utilities-ceph-manager-tox-bandit
+        - utilities-ceph-client-tox-bandit
     post:
       jobs:
         - stx-utilities-upload-git-mirror
@@ -35,6 +39,30 @@
         secret: stx-utilities-github-secret
         pass-to-parent: true
 
+- job:
+    name: utilities-ceph-manager-tox-bandit
+    parent: tox
+    description: |
+      Run bandit test for utilities ceph-mananger
+    nodeset: ubuntu-bionic
+    files:
+      - ./ceph/ceph-manager/ceph-manager/*
+    vars:
+      tox_envlist: bandit
+      tox_extra_args: -c ./ceph/ceph-manager/ceph-manager/tox.ini
+
+- job:
+    name: utilities-ceph-client-tox-bandit
+    parent: tox
+    description: |
+      Run bandit test for utilities python-cephclient
+    nodeset: ubuntu-bionic
+    files:
+      - ./ceph/python-cephclient/python-cephclient/*
+    vars:
+      tox_envlist: bandit
+      tox_extra_args: -c ./ceph/python-cephclient/python-cephclient/tox.ini
+
 - secret:
     name: stx-utilities-github-secret
     data:

ceph/ceph-manager/ceph-manager/test-requirements.txt

@@ -2,6 +2,7 @@
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
 
+bandit;python_version>="3.0"
 mock
 flake8
 eventlet

ceph/ceph-manager/ceph-manager/tox.ini

@@ -22,3 +22,18 @@ commands =
 
 [flake8]
 exclude = .venv,.git,.tox,dist,doc,etc,*glance/locale*,*lib/python*,*egg,build
+
+[bandit]
+# The following bandit tests are being skipped:
+# B104: Test for use of assert
+# B110: Try, Except, Pass detected.
+#
+# Note: 'skips' entry cannot be split across multiple lines
+#
+skips = B104,B110
+exclude = tests
+
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit --ini tox.ini -n 5 -r ceph_manager

ceph/python-cephclient/python-cephclient/test-requirements.txt

@@ -2,5 +2,6 @@
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
 
+bandit;python_version>="3.0"
 flake8
 pytest

ceph/python-cephclient/python-cephclient/tox.ini

@@ -1,12 +1,12 @@
 [tox]
 envlist = py27,pep8
 skipsdist = True
-toxworkdir = /tmp/{env:USER}_ceph_manager_tox
+toxworkdir = /tmp/{env:USER}_python_cephclient_tox
 
 [testenv]
 setenv = VIRTUAL_ENV={envdir}
 usedevelop = True
-install_command = pip install --no-binary --upgrade --force-reinstall {opts} {packages}
+install_command = pip install -U --force-reinstall {opts} {packages}
 deps = -r{toxinidir}/test-requirements.txt
 commands = py.test {posargs}
 whitelist_externals = bash
@@ -17,3 +17,19 @@ commands =
 
 [flake8]
 exclude = .venv,.git,.tox,dist,doc,*lib/python*,*egg,build
+
+[bandit]
+# The following bandit tests are being skipped:
+# B101: Test for use of assert
+# B404: Import of subprocess modul
+# B602: Test for use of popen with shell equals true
+#
+# Note: 'skips' entry cannot be split across multiple lines
+#
+skips = B101,B404,B602
+exclude = tests
+
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit --ini tox.ini -n 5 -r cephclient

tox.ini

@@ -98,3 +98,7 @@ commands = pylint {posargs}                                          \
 commands =
     {[testenv:bashate]commands}
     {[testenv:flake8]commands}
+
+[testenv:bandit]
+basepython = python3
+description = Dummy environment to allow bandit to be run in subdir tox