authorMichael McCune <msm@redhat.com>2016-04-28 11:38:38 -0400
committerMichael McCune <msm@redhat.com>2016-04-28 14:52:33 -0400
commit505659b0aabe95ee659370fab92e8cb7bd9dc430 (patch)
tree3b4cc5c55fb4469e4ba954f316d784ca0bd86e10
parent74162fa31a3c34ee08472f24318f1c326b493330 (diff)
add a bandit environment to tox
This change is being proposed as part of the OpenStack Security Project working session at the Austin 2016 summit. It adds support for running the bandit[1] security linting tool against the python-openstackclient codebase. This change adds a targeted environment for bandit and also adds bandit as part of the pep8 job. The bandit configuration has been tailored to exclude tests that are currently producing warnings against the codebase. These issues will be followed up with bug reports and patches. [1]: https://wiki.openstack.org/wiki/Security/Projects/Bandit Depends-On: Iccd81c17e84df03d249c1012277dad9cb68c5845 Change-Id: I691829c1224557d1d239c9f665ac539d0f13c4d3
-rw-r--r--test-requirements.txt1
-rw-r--r--tox.ini33
2 files changed, 32 insertions, 2 deletions
diff --git a/test-requirements.txt b/test-requirements.txt
index 5694550a..26de9fd2 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -17,6 +17,7 @@ testrepository>=0.0.18 # Apache-2.0/BSD
testtools>=1.4.0 # MIT
tempest-lib>=0.14.0 # Apache-2.0
osprofiler>=1.3.0 # Apache-2.0
+bandit>=1.0.1 # Apache-2.0
# Install these to generate sphinx autodocs
python-barbicanclient>=4.0.0 # Apache-2.0
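Review bot: `bandit>=1.0.1` sets only a floor, so any future bandit release that adds plugins or tightens existing ones is installed straight into the now-voting pep8 job and can turn it red without any change to this repository. If the tox environments are not already installed under an upper-constraints file (nothing in this hunk shows that), consider a cap such as `bandit>=1.0.1,<2.0 # Apache-2.0`, or at least record the version the skip list was validated against so a later gate failure can be traced to a tool upgrade rather than to new code.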
diff --git a/tox.ini b/tox.ini
index 15f62363..ced4dc95 100644
--- a/tox.ini
+++ b/tox.ini
@@ -12,7 +12,36 @@ commands = ostestr {posargs}
whitelist_externals = ostestr
[testenv:pep8]
-commands = flake8
+commands =
+ flake8
+ bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
+
+[testenv:bandit]
+# This command runs the bandit security linter against the openstackclient
+# codebase minus the tests directory. Some tests are being excluded to
+# reduce the number of positives before a team inspection, and to ensure a
+# passing gate job for initial addition. The excluded tests are:
+# B105-B107: hardcoded password checks - likely to generate false positives
+# in a gate environment
+# B401: import subprocess - not necessarily a security issue; this plugin is
+# mainly used for penetration testing workflow
+# B603,B606: process without shell - not necessarily a security issue; this
+# plugin is mainly used for penetration testing workflow
+# B607: start process with a partial path - this should be a project level
+# decision
+# NOTE(elmiko): The following tests are being excluded specifically for
+# python-openstackclient, they are being excluded to ensure that voting jobs
+# in the project and in bandit integration tests continue to pass. These
+# tests have generated issue within the project and should be investigated
+# by the project.
+# B110: try, except, pass detected - possible security issue; this should be
+# investigated by the project for possible exploitation
+# B605: process with a shell - possible security issue; this should be
+# investigated by the project for possible exploitation
+# B101: use of assert - this code will be removed when compiling to optimized
+# byte code
+commands =
+ bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
[testenv:functional]
setenv = OS_TEST_PATH=./functional/tests
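Review bot: The skip-list comment in `[testenv:bandit]` labels B401 as "import subprocess", but in bandit's plugin numbering (as of 1.0) B401 is the telnetlib import check and B404 is the subprocess import check, so the `-s` list waives B401 for a reason that does not apply to it while the B404 waiver that is actually in the list goes undocumented. Change the comment line to `# B404: import subprocess - not necessarily a security issue; this plugin is` and, unless the codebase really imports telnetlib, drop B401 from both `-s` lists so that check keeps running. Separately, the skip list is repeated verbatim in `[testenv:pep8]` and `[testenv:bandit]` and will drift as exclusions are removed one by one; keeping it in one place, e.g. `{[testenv:bandit]commands}` as the second entry under the pep8 env's `commands`, makes the documented list the only list.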
@@ -40,4 +69,4 @@ show-source = True
exclude = .git,.tox,dist,doc,*openstack/common*,*lib/python*,*egg,build,tools
# If 'ignore' is not set there are default errors and warnings that are set
# Doc: http://flake8.readthedocs.org/en/latest/config.html#default
-ignore = __ \ No newline at end of file
+ignore = __