bandit 1.6.0 breaks pep8 runs with B104: hardcoded_bind_all_interfaces

Bug #1828419 reported by Matt Riedemann
Affects   Status         Importance   Assigned to       Milestone
watcher   Fix Released   Undecided    Matt Riedemann

Bug Description

Seen here:

http://logs.openstack.org/94/645294/18/check/openstack-tox-pep8/20e027d/job-output.txt.gz#_2019-05-09_11_30_40_069134

2019-05-09 11:30:40.068998 | ubuntu-bionic | Test results:
2019-05-09 11:30:40.069134 | ubuntu-bionic | >> Issue: [B104:hardcoded_bind_all_interfaces] Possible binding to all interfaces.
2019-05-09 11:30:40.069226 | ubuntu-bionic | Severity: Medium Confidence: Medium
2019-05-09 11:30:40.069306 | ubuntu-bionic | Location: watcher/tests/config.py:18
2019-05-09 11:30:40.069486 | ubuntu-bionic | More Info: https://bandit.readthedocs.io/en/latest/plugins/b104_hardcoded_bind_all_interfaces.html
2019-05-09 11:30:40.069545 | ubuntu-bionic | 16 server = {
2019-05-09 11:30:40.069604 | ubuntu-bionic | 17 'port': '9322',
2019-05-09 11:30:40.069665 | ubuntu-bionic | 18 'host': '0.0.0.0'
2019-05-09 11:30:40.069698 | ubuntu-bionic | 19 }
2019-05-09 11:30:40.069730 | ubuntu-bionic | 20
2019-05-09 11:30:40.069805 | ubuntu-bionic | 21 # Pecan Application Configurations
2019-05-09 11:30:40.069845 | ubuntu-bionic | 22 app = {

bandit 1.6.0 was released today:

https://pypi.org/project/bandit/1.6.0/

And is uncapped in test-requirements:

https://github.com/openstack/watcher/blob/master/test-requirements.txt#L16

And not in upper-constraints:

https://github.com/openstack/requirements/blob/master/upper-constraints.txt

Seems we should exclude test code from bandit scans.

Tags: testing
Matt Riedemann (mriedem) wrote :

Hmm, it looks like bandit should already skip tests:

bandit -r watcher -x tests -n5 -ll -s B320

but that -x option doesn't seem to be working.

Matt Riedemann (mriedem) wrote :
Changed in watcher:
status: New → In Progress
assignee: nobody → Matt Riedemann (mriedem)
Matt Riedemann (mriedem) wrote :

If this is a problem on stable branches, I'd just cap bandit<1.6.0 on stable in watcher's test-requirements file.

OpenStack Infra (hudson-openstack) wrote : Fix merged to watcher (master)

Reviewed: https://review.opendev.org/658089
Committed: https://git.openstack.org/cgit/openstack/watcher/commit/?id=838768c76e887ce455f325c49e685a7046bd0107
Submitter: Zuul
Branch: master

commit 838768c76e887ce455f325c49e685a7046bd0107
Author: Matt Riedemann <email address hidden>
Date: Thu May 9 10:02:44 2019 -0400

    Fix bandit runs with 1.6.0

    The -x option for bandit changed in 1.6.0 and now
    supports glob patterns so use that to correctly
    exclude test code from bandit scans.

    Since this change requires bandit>=1.6.0, we have
    to also fix the networkx requirement to pass the
    requirements-check job so that the networkx requirement
    matches what is in global-requirements from change
    I0a9700926c9a0db93e782c853c33f1aaee3d4876.

    Change-Id: I4fc1166daee5d8739296419216d11d684be27c0a
    Closes-Bug: #1828419

Changed in watcher:
status: In Progress → Fix Released
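As an added illustration (not code from this bug, from watcher, or from bandit itself): a small AST check for the literal that B104 reports, run over the quoted watcher/tests/config.py fragment with two simplified, assumed exclusion models, a bare directory name and a glob pattern, to show why "-x tests" stops excluding test code once the option is glob-based.

```python
import ast
import fnmatch

# Constructed sample: the fragment of watcher/tests/config.py quoted in the bug.
SAMPLE_TESTS_CONFIG = """
server = {
    'port': '9322',
    'host': '0.0.0.0'
}
"""

# Constructed sample: production code with no bind-all literal.
SAMPLE_APP = "server = {'port': '9322', 'host': '127.0.0.1'}\n"

# Constructed in-memory tree of path -> source, standing in for a checkout.
FILES = {
    "watcher/tests/config.py": SAMPLE_TESTS_CONFIG,
    "watcher/api/app.py": SAMPLE_APP,
}


def find_bind_all_interfaces(source, filename):
    """Return (filename, lineno) for every '0.0.0.0' string literal.

    This mirrors the condition B104 flags; bandit's own plugin is more complete.
    """
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Constant) and node.value == "0.0.0.0":
            hits.append((filename, node.lineno))
    return hits


def excluded_by_name(path, excludes):
    """Assumed model of the old -x: a bare name matches any path component."""
    return any(name in path.split("/") for name in excludes)


def excluded_by_glob(path, patterns):
    """Assumed model of the 1.6.0 -x: the whole path must match a glob."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in patterns)


def scan(files, excludes, is_excluded):
    """Scan every file not excluded by the given matcher; return all hits."""
    hits = []
    for path, source in files.items():
        if not is_excluded(path, excludes):
            hits.extend(find_bind_all_interfaces(source, path))
    return hits
```

With the name-based model, "tests" skips the test file; with the glob model the same bare word matches nothing, the test file is scanned and the literal on line 4 of the fragment is reported, while a glob such as "watcher/tests/*" excludes it again.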
OpenStack Infra (hudson-openstack) wrote : Fix proposed to watcher (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/659983

OpenStack Infra (hudson-openstack) wrote : Change abandoned on watcher (stable/stein)

Change abandoned by Vlad Gusev (<email address hidden>) on branch: stable/stein
Review: https://review.opendev.org/659983
Reason: Abandoned in favour of I588d3fb02ef61623affd82a43a54585aba0cb5f9

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/watcher 3.0.0.0rc1

This issue was fixed in the openstack/watcher 3.0.0.0rc1 release candidate.
