authorEric Brown <browne@vmware.com>2016-04-28 07:46:57 -0700
committerEric Brown <browne@vmware.com>2016-07-08 22:39:55 +0000
commit79532ea599cd0226e7176c6c7d59e04ee3b1a8ff (patch)
tree3ae776533e3af4f3b5873d5e8c06447153349088
parent7207ffaf616db90e1efe2bb7e4184b6d90ed007b (diff)
Add bandit to pep8 and bandit testenv0.14.0
This patch adds the bandit security linter to the tox jobs. It ignores files in the 'tests' directory. This patch will also fix or exclude any issues resulting from the scan. Change-Id: I9caa41f596a17a8b961a542d4bc6bb121e7a147f
-rw-r--r--glance_store/_drivers/sheepdog.py4
-rw-r--r--test-requirements.txt1
-rw-r--r--tox.ini15
3 files changed, 18 insertions, 2 deletions
diff --git a/glance_store/_drivers/sheepdog.py b/glance_store/_drivers/sheepdog.py
index 7f0512d..0563311 100644
--- a/glance_store/_drivers/sheepdog.py
+++ b/glance_store/_drivers/sheepdog.py
@@ -72,7 +72,7 @@ class SheepdogImage(object):
try:
return processutils.execute(
- cmd, process_input=data, shell=True)[0]
+ cmd, process_input=data)[0]
except processutils.ProcessExecutionError as exc:
LOG.error(exc)
raise glance_store.BackendException(exc)
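Review bot: Dropping `shell=True` from `processutils.execute(cmd, process_input=data)` changes how `cmd` is interpreted, and `cmd` is built outside this hunk, in a method that starts before it. Without a shell each positional argument becomes one argv element, so if `cmd` is still a single formatted string holding the program and its arguments, the whole string would be looked up as the program name and the call would fail. In that case build the command as a list and unpack it, `processutils.execute(*cmd, process_input=data)`, which also keeps image names and parameters away from shell parsing. The second hunk's `processutils.execute("collie")` is a single word and is not affected.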
@@ -231,7 +231,7 @@ class Store(glance_store.driver.Store):
reason=reason)
try:
- processutils.execute("collie", shell=True)
+ processutils.execute("collie")
except processutils.ProcessExecutionError as exc:
reason = _("Error in store configuration: %s") % exc
LOG.error(reason)
diff --git a/test-requirements.txt b/test-requirements.txt
index 0633897..b45ee6f 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -17,6 +17,7 @@ testscenarios>=0.4 # Apache-2.0/BSD
testtools>=1.4.0 # MIT
oslotest>=1.10.0 # Apache-2.0
os-testr>=0.7.0 # Apache-2.0
+bandit>=1.0.1 # Apache-2.0
# this is required for the docs build jobs
sphinx!=1.3b1,<1.3,>=1.2.1 # BSD
diff --git a/tox.ini b/tox.ini
index e11776f..5f5d0ff 100644
--- a/tox.ini
+++ b/tox.ini
@@ -25,6 +25,21 @@ commands = sphinx-build -a -E -W -d releasenotes/build/.doctrees -b html release
[testenv:pep8]
commands =
flake8 {posargs}
+ # Run security linter
+ # The following bandit tests are being skipped:
+ # B101 - Use of assert detected.
+ # B110 - Try, Except, Pass detected.
+ # B303 - Use of insecure MD2, MD4, or MD5 hash function.
+ bandit -r glance_store -x tests --skip B101,B110,B303
+
+[testenv:bandit]
+# NOTE(browne): This is required for the integration test job of the bandit
+# project. Please do not remove.
+# The following bandit tests are being skipped:
+# B101 - Use of assert detected.
+# B110 - Try, Except, Pass detected.
+# B303 - Use of insecure MD2, MD4, or MD5 hash function.
+commands = bandit -r glance_store -x tests --skip B101,B110,B303
[testenv:cover]
# NOTE(nikhil): this target does not use constraints because upstream infra
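Review bot: The `--skip B101,B110,B303` list switches these checks off for the whole `glance_store` tree, so a weak-hash call (B303) or a silent try/except/pass (B110) added later will not be reported by the gate. Where the current findings are accepted, marking those specific lines with `# nosec` and a short reason would keep the checks active for new code. The bandit command and its comment block are also duplicated in `[testenv:pep8]` and `[testenv:bandit]`; the pep8 env could reuse the other through `{[testenv:bandit]commands}` so the two skip lists cannot drift apart.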