From: Jeremy Stanley Date: Sat, 27 Apr 2019 16:14:45 +0000 (+0000) Subject: Test for high-severity vulnerabilities with bandit X-Git-Tag: 0.0.1~28 X-Git-Url: https://mudpy.org/gitweb?p=mudpy.git;a=commitdiff_plain;h=a5b8f6c1bf36ed95824365c188fffa34b61519f6 Test for high-severity vulnerabilities with bandit Use the bandit analyzer to check non-test-related Python source code for potential vulnerabilities. To start, only error on matches with severity "high" (we can ratchet it down later as lower-severity items are addressed). --- diff --git a/tox.ini b/tox.ini index 7a73d73..0888046 100644 --- a/tox.ini +++ b/tox.ini @@ -4,7 +4,7 @@ [tox] minversion = 3.1 -envlist = dist, docs, flake8, yamllint, selftest_config, py3 +envlist = bandit, dist, docs, flake8, yamllint, selftest_config, py3 skipsdist = True ignore_basepython_conflict = True @@ -16,6 +16,10 @@ setenv = PYTHONWARNINGS=default::DeprecationWarning commands = mudpy_selftest mudpy/tests/fixtures/test_daemon.yaml +[testenv:bandit] +deps = bandit +commands = bandit -lll -r mudpy -x mudpy/tests {posargs} + [testenv:demo] commands = mudpy {posargs}
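Review bot: in the new [testenv:bandit] section, `deps = bandit` is unpinned, so the gate's behaviour (which checks exist, how `-x` matches paths, which findings are rated "high") can change from one CI run to the next as new bandit releases appear; consider pinning a version or a lower bound (e.g. `deps = bandit>=1.5`, assuming that is the release you validated against) so that a later ratchet from `-lll` to `-ll` is a deliberate change rather than a surprise. Also note that `-lll` only sets the severity threshold; bandit's confidence threshold (`-i`) is left at its default, so low-confidence high-severity matches will still fail the env. That is probably what you want for a first pass, but worth stating in the commit message or a comment next to the command. Since `{posargs}` follows the fixed flags, `tox -e bandit -- -ll` can be used to preview the lower-severity results before lowering the threshold in tox.ini.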