authorLovett, Trevor <trevor.lovett@att.com>2019-07-23 18:09:09 -0500
committerLovett, Trevor (tl2972) <tl2972@att.com>2019-07-24 08:13:17 -0500
commitb395eb5bb6c79558202a3d414982a56fac7c9e1d (patch)
treefee89beee0b19a0a15ae79037024e4a8edb64aaf /checks.py
parentddba4856fc7e3d844e9e763d44ce97207a1f23bd (diff)
[VVP] Adding bandit security scans and fixes
Issue-ID: VVP-244 Change-Id: Ia782f4cc7bf5a379ff8cdcce96cd2e7235998345 Signed-off-by: Lovett, Trevor <trevor.lovett@att.com>
Diffstat (limited to 'checks.py')
-rw-r--r--checks.py30
1 files changed, 22 insertions, 8 deletions
diff --git a/checks.py b/checks.py
index cde601a..b43d6c7 100644
--- a/checks.py
+++ b/checks.py
@@ -35,13 +35,16 @@
#
# ============LICENSE_END============================================
#
+import contextlib
import csv
+import io
import json
import os
-import subprocess
+import subprocess #nosec
import sys
import pytest
+from flake8.main.application import Application
from update_reqs import get_requirements
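Review bot: The bare `#nosec` on `import subprocess` silences every bandit finding on that line, and the same blanket marker is repeated on all six lines of the `subprocess.run` call in `check_bandit_passes` in the next hunk. A blanket marker would also hide a later regression on those lines, for example someone adding `shell=True`. If the bandit version in use accepts test IDs after the marker, scope it and state the reason, e.g. `import subprocess  # nosec B404 - fixed argv, no shell`, and keep a single `# nosec B603 B607` on the one line bandit actually reports for the call.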
@@ -167,14 +170,24 @@ def check_non_testable_requirements_are_not_mapped():
def check_flake8_passes():
- result = subprocess.run(
- ["flake8", "."],
- encoding="utf-8",
- stdout=subprocess.PIPE,
- stderr=subprocess.PIPE,
- )
+ output = io.StringIO()
+ with contextlib.redirect_stdout(output), contextlib.redirect_stderr(output):
+ app = Application()
+ app.run(["ice_validator"])
+ output.seek(0)
+ lines = [f" {l}" for l in output.readlines()]
+ return ["flake8 errors detected:"] + lines if lines else []
+
+
+def check_bandit_passes():
+ result = subprocess.run( #nosec
+ ["bandit", "-c", "bandit.yaml", "-r", ".", "-x", "./.tox/**"], #nosec
+ encoding="utf-8", #nosec
+ stdout=subprocess.PIPE, #nosec
+ stderr=subprocess.PIPE, #nosec
+ ) #nosec
msgs = result.stdout.split("\n") if result.returncode != 0 else []
- return ["flake8 errors detected:"] + [f" {e}" for e in msgs] if msgs else []
+ return ["bandit errors detected:"] + [f" {e}" for e in msgs] if msgs else []
if __name__ == "__main__":
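Review bot: `check_bandit_passes` captures stderr but never reads it, so a non-zero exit caused by a missing or invalid `bandit.yaml` is reported as "bandit errors detected:" followed by nothing useful. Folding it into the message would fix that: `msgs = (result.stdout + result.stderr).split("\n") if result.returncode != 0 else []`. Separately, `"bandit"` is resolved through PATH and `-c bandit.yaml -r .` through the current working directory, so which scanner runs and which tree it scans depend on how the script is invoked. Consider `[sys.executable, "-m", "bandit", ...]` with paths built from `os.path.dirname(__file__)`, and note that the flake8 check in this hunk now targets `ice_validator` while bandit scans `.`. The `if __name__ == "__main__":` block continues outside this hunk.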
@@ -184,6 +197,7 @@ if __name__ == "__main__":
check_testable_requirements_are_mapped,
check_non_testable_requirements_are_not_mapped,
check_flake8_passes,
+ check_bandit_passes,
]
results = [check() for check in checks]
errors = "\n".join("\n".join(msg) for msg in results if msg)