From 93de1c9ea87dd725b0796912b3f02e7c6f5f217e Mon Sep 17 00:00:00 2001
From: Andreas Maier
Date: Thu, 26 Sep 2024 16:31:13 +0200
Subject: [PATCH] Added bandit checker

Signed-off-by: Andreas Maier
---
 .bandit.toml | 8 ++++++++
 .github/workflows/test.yml | 6 ++++++
 Makefile | 17 ++++++++++++++++-
 changes/59.feature.rst | 3 +++
 minimum-constraints-develop.txt | 5 +++++
 requirements-develop.txt | 4 ++++
 zhmc_log_forwarder/zhmc_log_forwarder.py | 2 +-
 7 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 .bandit.toml
 create mode 100644 changes/59.feature.rst

diff --git a/.bandit.toml b/.bandit.toml
new file mode 100644
index 0000000..1fba660
--- /dev/null
+++ b/.bandit.toml
@@ -0,0 +1,8 @@
+# Bandit config file in TOML format
+
+[tool.bandit]
+
+# Checks to be ignored:
+skips = [
+ 'B101', # assert_used
+]
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6cfc302..55d98f1 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -205,6 +205,12 @@ jobs:
 RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
 run: |
 make safety
+ - name: Run bandit
+ env:
+ PACKAGE_LEVEL: ${{ matrix.package_level }}
+ RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
+ run: |
+ make bandit

 test_finish:
 needs: test
diff --git a/Makefile b/Makefile
index 49057a4..ecce0ce 100644
--- a/Makefile
+++ b/Makefile
@@ -180,6 +180,9 @@ pytest_no_log_opt := $(shell py.test --help 2>/dev/null |grep '\--no-print-logs'
 safety_install_policy_file := .safety-policy-install.yml
 safety_develop_policy_file := .safety-policy-develop.yml

+# Bandit config file
+bandit_rc_file := .bandit.toml
+
 # Flake8 config file
 flake8_rc_file := .flake8

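Review bot: The global `skips = ['B101']` in the new `.bandit.toml` turns off the assert_used check for the package sources as well as for tests, so a runtime validation written with `assert` in production code (which `python -O` removes) would no longer be reported. If the skip is only meant to quiet test modules, bandit's per-test configuration scopes it to those files instead: replace the `skips` list with a `[tool.bandit.assert_used]` table holding `skips = ['*/tests/*', '*_test.py', 'test_*.py']`, adjusted to this repository's test layout, which I cannot see from the hunk. If asserts in the package itself are the reason, a one-line comment next to `'B101'` saying so would spare the next reader from rediscovering it.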
@@ -190,7 +193,7 @@ ruff_rc_file := .ruff.toml
 pylint_rc_file := .pylintrc

 # Packages whose dependencies are checked using pip-missing-reqs
-check_reqs_packages := pip_check_reqs pipdeptree build pytest coverage coveralls flake8 ruff pylint safety twine towncrier
+check_reqs_packages := pip_check_reqs pipdeptree build pytest coverage coveralls flake8 ruff pylint safety bandit twine towncrier

 ifdef TESTCASES
 pytest_opts := $(TESTOPTS) -k $(TESTCASES)
@@ -214,6 +217,7 @@ help:
 @echo " ruff - Run ruff on sources (an alternate lint tool)"
 @echo ' pylint - Run PyLint on sources'
 @echo " safety - Run Safety tool"
+ @echo " bandit - Run bandit checker"
 @echo ' test - Run tests (and test coverage)'
 @echo ' Does not include install but depends on it, so make sure install is current.'
 @echo ' Env.var TESTCASES can be used to specify a py.test expression for its -k option'
@@ -259,6 +263,10 @@ pylint: $(done_dir)/pylint_$(pymn)_$(PACKAGE_LEVEL).done
 safety: $(done_dir)/safety_develop_$(pymn)_$(PACKAGE_LEVEL).done $(done_dir)/safety_install_$(pymn)_$(PACKAGE_LEVEL).done
 @echo '$@ done.'

+.PHONY: bandit
+bandit: $(done_dir)/bandit_$(pymn)_$(PACKAGE_LEVEL).done
+ @echo "Makefile: $@ done."
+
 .PHONY: build
 build: $(bdist_file) $(sdist_file)
 @echo '$@ done.'
@@ -408,6 +416,13 @@ $(done_dir)/safety_install_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(
 echo "done" >$@
 @echo "Makefile: Done running Safety for install packages"

+$(done_dir)/bandit_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done $(bandit_rc_file) $(check_py_files)
+ @echo "Makefile: Running Bandit"
+ -$(call RM_FUNC,$@)
+ bandit -c $(bandit_rc_file) -l $(check_py_files)
+ echo "done" >$@
+ @echo "Makefile: Done running Bandit"
+
 .PHONY: check_reqs
 check_reqs: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done requirements.txt minimum-constraints-install.txt minimum-constraints-develop.txt
 @echo "Makefile: Checking missing dependencies of this package"
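Review bot: The completion message of the new phony `bandit` target, `@echo "Makefile: $@ done."`, is styled differently from the `safety` and `build` targets that surround it in this hunk, both of which print `@echo '$@ done.'`; the `Makefile:` prefix is used by the help text and the stamp-file recipes, not by the phony wrapper targets in this section. For consistency with its siblings I would use `@echo '$@ done.'` here, or harmonise the whole section in a separate change rather than introducing a third variant.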
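Review bot: In the recipe line `bandit -c $(bandit_rc_file) -l $(check_py_files)`, the `-l` option requests the LOW severity threshold, which as far as I know is bandit's default, so it neither tightens nor loosens what is reported and can be dropped or written as the self-explaining `--severity-level low` if being explicit is the intent. Because the scan is driven by the explicit file list `$(check_py_files)` rather than `-r` over a directory, only files in that variable (defined outside this hunk) are ever scanned; if it omits anything such as scripts or test helpers, those stay unchecked, so it is worth confirming the list or scanning the package directory recursively. A short comment above the rule, e.g. `# Bandit static security scan of the listed sources; the stamp is removed first so a failed run is retried`, would document the stamp handling that mirrors the Safety rules above.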
diff --git a/changes/59.feature.rst b/changes/59.feature.rst
new file mode 100644
index 0000000..d08634b
--- /dev/null
+++ b/changes/59.feature.rst
@@ -0,0 +1,3 @@
+Added support for running the 'bandit' checker with a new make target
+'bandit', and added that to the GitHub Actions test workflow.
+Adjusted the code in order to pass the bandit check.
diff --git a/minimum-constraints-develop.txt b/minimum-constraints-develop.txt
index 7407322..a298f60 100644
--- a/minimum-constraints-develop.txt
+++ b/minimum-constraints-develop.txt
@@ -89,6 +89,10 @@ typer-cli==0.12.0
 typer-slim==0.12.0
 psutil==6.0.0

+# Bandit checker
+bandit==1.7.8
+# PyYAML is used by bandit and is covered in minimum-constraints-install.txt
+
 # Twine (no imports, invoked via twine script):
 twine==3.0.0
 readme-renderer==23.0
@@ -128,6 +132,7 @@ rfc3986==1.4.0
 rich==12.0.0
 smmap2==2.0.1
 snowballstemmer==2.0.0
+stevedore==5.2.0
 toml==0.10.2
 tomli==2.0.1
 tqdm==4.66.4
diff --git a/requirements-develop.txt b/requirements-develop.txt
index a3b81fc..d2e25e2 100644
--- a/requirements-develop.txt
+++ b/requirements-develop.txt
@@ -95,6 +95,10 @@ typer-cli>=0.12.0
 typer-slim>=0.12.0
 psutil>=6.0.0

+# Bandit checker
+bandit>=1.7.8
+# PyYAML is used by bandit and is covered in requirements.txt
+
 # Twine (no imports, invoked via twine script):
 twine>=3.0.0
 # readme-renderer 23.0 has made cmarkgfm part of extras (it fails on Cygwin)
diff --git a/zhmc_log_forwarder/zhmc_log_forwarder.py b/zhmc_log_forwarder/zhmc_log_forwarder.py
index 7f47e3f..df8db84 100755
--- a/zhmc_log_forwarder/zhmc_log_forwarder.py
+++ b/zhmc_log_forwarder/zhmc_log_forwarder.py
@@ -44,7 +44,7 @@
 CMD_NAME = 'zhmc_log_forwarder'
 PACKAGE_NAME = 'zhmc-log-forwarder'

-BLANKED_SECRET = '********'
+BLANKED_SECRET = '********' # nosec B105

 DEST_LOGGER_NAME = CMD_NAME + '_dest'
 SELF_LOGGER_NAME = CMD_NAME
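Review bot: The `# nosec B105` added on `BLANKED_SECRET = '********'` suppresses the hardcoded-password finding without recording why that is acceptable, and a bare suppression is exactly what a later auditor has to re-verify. The value is the mask written in place of a real secret, not a credential, so I would say so on the line above, e.g. `# Mask shown in place of a secret; not a credential (hence the nosec below).`, keeping the reason off the `nosec` line itself because bandit parses the words following `nosec` as test names. Restricting the suppression to B105 rather than a blanket `# nosec` is the right choice and should stay.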