Run bandit when verifying changes 48/67948/3
author Cédric Ollivier <cedric.ollivier@orange.com>
Sat, 25 May 2019 09:03:40 +0000 (11:03 +0200)
committer Cédric Ollivier <cedric.ollivier@orange.com>
Sat, 25 May 2019 09:31:20 +0000 (11:31 +0200)
It reports only MEDIUM issues or higher like nova [1].
It selects bandit 1.1.0 as defined in nova and neutron lower
constraints [2].

[1] https://github.com/openstack/nova/blob/master/tox.ini#L221
[2] https://github.com/openstack/nova/blob/master/lower-constraints.txt#L8

Change-Id: I52524df867d99fae75798475c762a5f8253dacfa
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
(cherry picked from commit c659caccbf1f55db4e6e3cb31bf088ac57751e86)

test-requirements.txt
tox.ini
upper-constraints.txt

index 0cfead3..bac66ab 100644 (file)
@@ -12,3 +12,4 @@ yamllint
 doc8 # Apache-2.0
 bashate # Apache-2.0
 ansible-lint
+bandit
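Review bot: the new `+bandit` entry is the only one in this hunk without a license comment; the neighbouring lines (`doc8 # Apache-2.0`, `bashate # Apache-2.0`) carry one, so add `bandit # Apache-2.0` for consistency. The entry is also unpinned here, so the version actually installed depends entirely on the constraints file being applied by the tox environment; it is worth confirming that the `bandit` testenv picks up the constraints the same way the other environments do.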
diff --git a/tox.ini b/tox.ini
index 97e97dc..15b38c8 100644 (file)
--- a/tox.ini
+++ b/tox.ini
@@ -57,6 +57,10 @@ files =
   build.sh
 commands = bashate {[testenv:bashate]files}
 
+[testenv:bandit]
+basepython = python2.7
+commands = bandit -r xtesting -x tests -n 5 -ll -s B602
+
 [testenv:cover]
 basepython = python2.7
 dirs =
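Review bot: `-s B602` in `commands = bandit -r xtesting -x tests -n 5 -ll -s B602` disables the subprocess-with-shell=True test entirely, regardless of severity, which goes beyond the "MEDIUM issues or higher" filter (`-ll`) the commit message describes. The commit message should say why B602 is skipped; if only a few call sites need it, a per-line `# nosec` on those calls keeps the exemption visible in review instead of hiding the whole check. Note as well that `-x tests` excludes the test tree from scanning and that the environment is pinned to `basepython = python2.7`; if the `envlist` (outside this hunk) is not updated, the new environment will only run when invoked explicitly with `tox -e bandit`.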
index a884d02..3bfdf03 100644 (file)
@@ -1 +1,2 @@
 robotframework===3.0.2
+bandit===1.1.0
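Review bot: `+bandit===1.1.0` uses the arbitrary-equality pin (`===`), which matches the existing `robotframework===3.0.2` style but fixes the scanner to a single release; since the commit message justifies the version by nova and neutron lower constraints, newer bandit plugins and fixed false positives will not be picked up until this line is bumped by hand. A short comment on where the pin comes from would help whoever updates it later.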