Added bandit checker
Signed-off-by: Andreas Maier <[email protected]>
andy-maier committed Sep 29, 2024
1 parent 9d721ea commit 93de1c9
Showing 7 changed files with 43 additions and 2 deletions.
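--- a/.bandit.toml
+++ b/.bandit.toml
@@ -0,0 +1,8 @@
+# Bandit config file in TOML format
+
+[tool.bandit]
+
+# Checks to be ignored:
+skips = [
+'B101', # assert_used
+]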
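Review bot: Skipping B101 for the whole tree at `skips = [ 'B101', # assert_used ]` silences bandit's assert_used check without recording why. That is acceptable when asserts only express internal invariants, but asserts are removed under `python -O`, so any assert that guards input validation or an authorization decision would first go unreported here and then vanish in optimized runs. I would state the rationale on the entry so the exemption is reviewed rather than inherited, e.g. `'B101', # assert_used: asserts are internal invariants only, never input validation (they are stripped under python -O)`. Whether the project's asserts really are all invariants is not visible from this commit and should be confirmed before wording the comment.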
6 changes: 6 additions & 0 deletions .github/workflows/test.yml
Expand Up @@ -205,6 +205,12 @@ jobs:
RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
run: |
make safety
- name: Run bandit
env:
PACKAGE_LEVEL: ${{ matrix.package_level }}
RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
run: |
make bandit
test_finish:
needs: test
17 changes: 16 additions & 1 deletion Makefile
Expand Up @@ -180,6 +180,9 @@ pytest_no_log_opt := $(shell py.test --help 2>/dev/null |grep '\--no-print-logs'
safety_install_policy_file := .safety-policy-install.yml
safety_develop_policy_file := .safety-policy-develop.yml

# Bandit config file
bandit_rc_file := .bandit.toml

# Flake8 config file
flake8_rc_file := .flake8

Expand All @@ -190,7 +193,7 @@ ruff_rc_file := .ruff.toml
pylint_rc_file := .pylintrc

# Packages whose dependencies are checked using pip-missing-reqs
check_reqs_packages := pip_check_reqs pipdeptree build pytest coverage coveralls flake8 ruff pylint safety twine towncrier
check_reqs_packages := pip_check_reqs pipdeptree build pytest coverage coveralls flake8 ruff pylint safety bandit twine towncrier

ifdef TESTCASES
pytest_opts := $(TESTOPTS) -k $(TESTCASES)
Expand All @@ -214,6 +217,7 @@ help:
@echo " ruff - Run ruff on sources (an alternate lint tool)"
@echo ' pylint - Run PyLint on sources'
@echo " safety - Run Safety tool"
@echo " bandit - Run bandit checker"
@echo ' test - Run tests (and test coverage)'
@echo ' Does not include install but depends on it, so make sure install is current.'
@echo ' Env.var TESTCASES can be used to specify a py.test expression for its -k option'
Expand Down Expand Up @@ -259,6 +263,10 @@ pylint: $(done_dir)/pylint_$(pymn)_$(PACKAGE_LEVEL).done
safety: $(done_dir)/safety_develop_$(pymn)_$(PACKAGE_LEVEL).done $(done_dir)/safety_install_$(pymn)_$(PACKAGE_LEVEL).done
@echo '$@ done.'

.PHONY: bandit
bandit: $(done_dir)/bandit_$(pymn)_$(PACKAGE_LEVEL).done
@echo "Makefile: $@ done."

.PHONY: build
build: $(bdist_file) $(sdist_file)
@echo '$@ done.'
Expand Down Expand Up @@ -408,6 +416,13 @@ $(done_dir)/safety_install_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(
echo "done" >$@
@echo "Makefile: Done running Safety for install packages"

$(done_dir)/bandit_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done $(bandit_rc_file) $(check_py_files)
@echo "Makefile: Running Bandit"
-$(call RM_FUNC,$@)
bandit -c $(bandit_rc_file) -l $(check_py_files)
echo "done" >$@
@echo "Makefile: Done running Bandit"

.PHONY: check_reqs
check_reqs: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done requirements.txt minimum-constraints-install.txt minimum-constraints-develop.txt
@echo "Makefile: Checking missing dependencies of this package"
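Review bot: The recipe line `bandit -c $(bandit_rc_file) -l $(check_py_files)` passes `-l`, which as far as I recall sets the reporting threshold to LOW, i.e. bandit's default, so the flag changes nothing and a reader has to consult the manual to learn that the build fails on every finding at any severity. A one-line comment above the command would make the gate explicit, e.g. `# -l: report (and fail the build on) findings of LOW severity and above, i.e. everything bandit finds`. The done-stamp rule correctly lists `$(bandit_rc_file)` and `$(check_py_files)` as prerequisites, so a change to either the skip list or the sources re-runs the scan. Minor style point: the phony `bandit` target echoes `"Makefile: $@ done."` while the neighbouring `safety` and `build` targets echo `'$@ done.'`; one form should be used for all phony targets.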
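--- a/changes/59.feature.rst
+++ b/changes/59.feature.rst
@@ -0,0 +1,3 @@
+Added support for running the 'bandit' checker with a new make target
+'bandit', and added that to the GitHub Actions test workflow.
+Adjusted the code in order to pass the bandit check.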
5 changes: 5 additions & 0 deletions minimum-constraints-develop.txt
Expand Up @@ -89,6 +89,10 @@ typer-cli==0.12.0
typer-slim==0.12.0
psutil==6.0.0

# Bandit checker
bandit==1.7.8
# PyYAML is used by bandit and is covered in minimum-constraints-install.txt

# Twine (no imports, invoked via twine script):
twine==3.0.0
readme-renderer==23.0
Expand Down Expand Up @@ -128,6 +132,7 @@ rfc3986==1.4.0
rich==12.0.0
smmap2==2.0.1
snowballstemmer==2.0.0
stevedore==5.2.0
toml==0.10.2
tomli==2.0.1
tqdm==4.66.4
4 changes: 4 additions & 0 deletions requirements-develop.txt
Expand Up @@ -95,6 +95,10 @@ typer-cli>=0.12.0
typer-slim>=0.12.0
psutil>=6.0.0

# Bandit checker
bandit>=1.7.8
# PyYAML is used by bandit and is covered in requirements.txt

# Twine (no imports, invoked via twine script):
twine>=3.0.0
# readme-renderer 23.0 has made cmarkgfm part of extras (it fails on Cygwin)
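Review bot: `bandit>=1.7.8` is added without its `toml` extra, while the new configuration file is `.bandit.toml`; as far as I recall bandit reads TOML configs on Python < 3.11 only through the optional `tomli` dependency that the `bandit[toml]` extra pulls in, and on a plain install the `-c .bandit.toml` run would fail rather than silently scan with defaults. The accompanying comment `# PyYAML is used by bandit and is covered in requirements.txt` documents the YAML dependency but says nothing about TOML. `tomli==2.0.1` is present in minimum-constraints-develop.txt in this commit, but whether requirements-develop.txt lists it is not visible here; either pin `bandit[toml]>=1.7.8` or, once confirmed, add `# tomli is needed by bandit to read .bandit.toml on Python < 3.11 and is covered below` next to the PyYAML note.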
2 changes: 1 addition & 1 deletion zhmc_log_forwarder/zhmc_log_forwarder.py
Expand Up @@ -44,7 +44,7 @@

CMD_NAME = 'zhmc_log_forwarder'
PACKAGE_NAME = 'zhmc-log-forwarder'
BLANKED_SECRET = '********'
BLANKED_SECRET = '********' # nosec B105

DEST_LOGGER_NAME = CMD_NAME + '_dest'
SELF_LOGGER_NAME = CMD_NAME
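Review bot: The `# nosec B105` on `BLANKED_SECRET = '********'` suppresses the hardcoded-password finding without saying why, so the next reader has to work out that the literal is a redaction placeholder rather than a credential. B105 fires on the shape of the string, and a bare nosec on a line that looks like a password is exactly what a later audit will question; giving the reason on the marker keeps the exemption self-explaining, e.g. `BLANKED_SECRET = '********'  # nosec B105 - redaction placeholder written in place of secrets, not a credential`. That the value is used to replace secrets in output is inferred from its name only; its uses lie outside this hunk, so confirm before wording the comment.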
