diff --git a/ceph-client/templates/bin/utils/_checkPGs.py.tpl b/ceph-client/templates/bin/utils/_checkPGs.py.tpl
index d6f4c1fee..40f74f3d6 100755
--- a/ceph-client/templates/bin/utils/_checkPGs.py.tpl
+++ b/ceph-client/templates/bin/utils/_checkPGs.py.tpl
@@ -1,6 +1,6 @@
#!/usr/bin/python
-import subprocess
+import subprocess # nosec
import json
import sys
from argparse import *
@@ -60,7 +60,7 @@ class cephCRUSH():
if 'all' in poolName or 'All' in poolName:
try:
poolLs = 'ceph osd pool ls -f json-pretty'
- poolstr = subprocess.check_output(poolLs, shell=True)
+ poolstr = subprocess.check_output(poolLs, shell=True) # nosec
self.listPoolName = json.loads(poolstr)
except subprocess.CalledProcessError as e:
print('{}'.format(e))
@@ -72,7 +72,7 @@ class cephCRUSH():
try:
"""Retrieve the crush hierarchies"""
crushTree = "ceph osd crush tree -f json-pretty | jq .nodes"
- chstr = subprocess.check_output(crushTree, shell=True)
+ chstr = subprocess.check_output(crushTree, shell=True) # nosec
self.crushHierarchy = json.loads(chstr)
except subprocess.CalledProcessError as e:
print('{}'.format(e))
@@ -107,8 +107,8 @@ class cephCRUSH():
self.poolSize = 0
def isNautilus(self):
- grepResult = int(subprocess.check_output('ceph mon versions | egrep -q "nautilus" | echo $?', shell=True))
- return True if grepResult == 0 else False
+ grepResult = int(subprocess.check_output('ceph mon versions | egrep -q "nautilus" | echo $?', shell=True)) # nosec
+ return grepResult == 0
def getPoolSize(self, poolName):
"""
@@ -119,7 +119,7 @@ class cephCRUSH():
"""Get the size attribute of the poolName"""
try:
poolGet = 'ceph osd pool get ' + poolName + ' size -f json-pretty'
- szstr = subprocess.check_output(poolGet, shell=True)
+ szstr = subprocess.check_output(poolGet, shell=True) # nosec
pSize = json.loads(szstr)
self.poolSize = pSize['size']
except subprocess.CalledProcessError as e:
@@ -130,7 +130,7 @@ class cephCRUSH():
def checkPGs(self, poolName):
poolPGs = self.poolPGs['pg_stats'] if self.isNautilus() else self.poolPGs
- if len(poolPGs) == 0:
+ if not poolPGs:
return
print('Checking PGs in pool {} ...'.format(poolName)),
badPGs = False
@@ -160,7 +160,8 @@ class cephCRUSH():
"""traverse up (to the root) one level"""
traverseID = self.crushFD[traverseID]['id']
traverseLevel += 1
- assert (traverseLevel == self.osd_depth), "OSD depth mismatch"
+ if not (traverseLevel == self.osd_depth):
+ raise Exception("OSD depth mismatch")
"""
check_FD should have
{
@@ -214,12 +215,13 @@ class cephCRUSH():
elif self.poolSize == 0:
print('Pool {} was not found.'.format(pool))
continue
- assert (self.poolSize > 1), "Pool size was incorrectly set"
+ if not self.poolSize > 1:
+ raise Exception("Pool size was incorrectly set")
try:
"""Get the list of PGs in the pool"""
lsByPool = 'ceph pg ls-by-pool ' + pool + ' -f json-pretty'
- pgstr = subprocess.check_output(lsByPool, shell=True)
+ pgstr = subprocess.check_output(lsByPool, shell=True) # nosec
self.poolPGs = json.loads(pgstr)
"""Check that OSDs in the PG are in separate failure domains"""
self.checkPGs(pool)
diff --git a/ceph-mon/templates/bin/moncheck/_reap-zombies.py.tpl b/ceph-mon/templates/bin/moncheck/_reap-zombies.py.tpl
index 0960fb5c0..cb72401d7 100644
--- a/ceph-mon/templates/bin/moncheck/_reap-zombies.py.tpl
+++ b/ceph-mon/templates/bin/moncheck/_reap-zombies.py.tpl
@@ -1,7 +1,7 @@
#!/usr/bin/python
import re
import os
-import subprocess
+import subprocess # nosec
import json
MON_REGEX = r"^\d: ([0-9\.]*):\d+/\d* mon.([^ ]*)$"
@@ -15,7 +15,7 @@ monmap_command = "ceph --cluster=${NAMESPACE} mon getmap > /tmp/monmap && monmap
def extract_mons_from_monmap():
- monmap = subprocess.check_output(monmap_command, shell=True)
+ monmap = subprocess.check_output(monmap_command, shell=True) # nosec
mons = {}
for line in monmap.split("\n"):
m = re.match(MON_REGEX, line)
@@ -24,7 +24,7 @@ def extract_mons_from_monmap():
return mons
def extract_mons_from_kubeapi():
- kubemap = subprocess.check_output(kubectl_command, shell=True)
+ kubemap = subprocess.check_output(kubectl_command, shell=True) # nosec
return json.loads(kubemap)
current_mons = extract_mons_from_monmap()
@@ -37,11 +37,11 @@ removed_mon = False
for mon in current_mons:
if not mon in expected_mons:
print("removing zombie mon %s" % mon)
- subprocess.call(["ceph", "--cluster", os.environ["NAMESPACE"], "mon", "remove", mon])
+ subprocess.call(["ceph", "--cluster", os.environ["NAMESPACE"], "mon", "remove", mon]) # nosec
removed_mon = True
elif current_mons[mon] != expected_mons[mon]: # check if for some reason the ip of the mon changed
print("ip change detected for pod %s" % mon)
- subprocess.call(["kubectl", "--namespace", os.environ["NAMESPACE"], "delete", "pod", mon])
+ subprocess.call(["kubectl", "--namespace", os.environ["NAMESPACE"], "delete", "pod", mon]) # nosec
removed_mon = True
print("deleted mon %s via the kubernetes api" % mon)
diff --git a/ceph-mon/templates/bin/utils/_checkObjectReplication.py.tpl b/ceph-mon/templates/bin/utils/_checkObjectReplication.py.tpl
index ce4037bc2..9774ed628 100755
--- a/ceph-mon/templates/bin/utils/_checkObjectReplication.py.tpl
+++ b/ceph-mon/templates/bin/utils/_checkObjectReplication.py.tpl
@@ -1,6 +1,6 @@
#!/usr/bin/python
-import subprocess
+import subprocess # nosec
import json
import sys
import collections
@@ -11,7 +11,7 @@ if (int(len(sys.argv)) == 1):
else:
poolName = sys.argv[1]
cmdRep = 'ceph osd map' + ' ' + str(poolName) + ' ' + 'testreplication -f json-pretty'
- objectRep = subprocess.check_output(cmdRep, shell=True)
+ objectRep = subprocess.check_output(cmdRep, shell=True) # nosec
repOut = json.loads(objectRep)
osdNumbers = repOut['up']
print("Test object got replicated on these osds: %s" % str(osdNumbers))
@@ -19,7 +19,7 @@ else:
osdHosts= []
for osd in osdNumbers:
cmdFind = 'ceph osd find' + ' ' + str(osd)
- osdFind = subprocess.check_output(cmdFind , shell=True)
+ osdFind = subprocess.check_output(cmdFind , shell=True) # nosec
osdHost = json.loads(osdFind)
osdHostLocation = osdHost['crush_location']
osdHosts.append(osdHostLocation['host'])
diff --git a/mariadb/templates/bin/_start.py.tpl b/mariadb/templates/bin/_start.py.tpl
index 03654d6f9..f63132e23 100644
--- a/mariadb/templates/bin/_start.py.tpl
+++ b/mariadb/templates/bin/_start.py.tpl
@@ -21,7 +21,7 @@ import logging
import os
import select
import signal
-import subprocess
+import subprocess # nosec
import socket
import sys
import tempfile
@@ -142,7 +142,7 @@ def run_cmd_with_logging(popenargs,
stderr_log_level=logging.INFO,
**kwargs):
"""Run subprocesses and stream output to logger."""
- child = subprocess.Popen(
+ child = subprocess.Popen( # nosec
popenargs, stdout=subprocess.PIPE, stderr=subprocess.PIPE, **kwargs)
log_level = {
child.stdout: stdout_log_level,
@@ -266,7 +266,7 @@ def mysqld_bootstrap():
], logger)
if not mysql_dbaudit_username:
template = (
- "DELETE FROM mysql.user ;\n"
+ "DELETE FROM mysql.user ;\n" # nosec
"CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
"GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
"DROP DATABASE IF EXISTS test ;\n"
@@ -277,7 +277,7 @@ def mysqld_bootstrap():
mysql_dbsst_username, mysql_dbsst_password))
else:
template = (
- "DELETE FROM mysql.user ;\n"
+ "DELETE FROM mysql.user ;\n" # nosec
"CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
"GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
"DROP DATABASE IF EXISTS test ;\n"
@@ -537,7 +537,7 @@ def update_grastate_on_restart():
def recover_wsrep_position():
"""Extract recoved wsrep position from uncleanly exited node."""
- wsrep_recover = subprocess.Popen(
+ wsrep_recover = subprocess.Popen( # nosec
[
'mysqld', '--bind-address=127.0.0.1',
'--wsrep_cluster_address=gcomm://', '--wsrep-recover'
diff --git a/nagios/templates/bin/_selenium-tests.py.tpl b/nagios/templates/bin/_selenium-tests.py.tpl
index 6078a1a6e..7f5bb2a82 100644
--- a/nagios/templates/bin/_selenium-tests.py.tpl
+++ b/nagios/templates/bin/_selenium-tests.py.tpl
@@ -59,7 +59,7 @@ def click_link_by_name(link_name):
browser.quit()
sys.exit(1)
-def take_screenshot(page_name, artifacts_dir='/tmp/artifacts/'):
+def take_screenshot(page_name, artifacts_dir='/tmp/artifacts/'): # nosec
file_name = page_name.replace(' ', '_')
try:
el = WebDriverWait(browser, 15)
@@ -130,7 +130,7 @@ except TimeoutException:
sys.exit(1)
logger.info("The following screenshots were captured:")
-for root, dirs, files in os.walk("/tmp/artifacts/"):
+for root, dirs, files in os.walk("/tmp/artifacts/"): # nosec
for name in files:
logger.info(os.path.join(root, name))
diff --git a/redis/templates/test/_python_redis_tests.py.tpl b/redis/templates/test/_python_redis_tests.py.tpl
index 47cdd88ba..748b84eb0 100644
--- a/redis/templates/test/_python_redis_tests.py.tpl
+++ b/redis/templates/test/_python_redis_tests.py.tpl
@@ -12,7 +12,7 @@ class RedisTest(object):
def test_connection(self):
ping = self.redis_conn.ping()
- assert ping, "No connection to database"
+ if not ping: raise Exception('No connection to database')
print("Successfully connected to database")
def database_info(self):
@@ -20,29 +20,29 @@ class RedisTest(object):
for client in self.redis_conn.client_list():
ip_port.append(client["addr"])
print(ip_port)
- assert self.redis_conn.client_list(), "Database client's list is null"
+ if not self.redis_conn.client_list():
+ raise Exception('Database client list is null')
return ip_port
def test_insert_delete_data(self):
key = "test"
value = "it's working"
result_set = self.redis_conn.set(key, value)
- assert result_set, "Error: SET command failed"
+ if not result_set: raise Exception('ERROR: SET command failed')
print("Successfully SET keyvalue pair")
result_get = self.redis_conn.get(key)
- assert result_get, "Error: GET command failed"
+ if not result_get: raise Exception('ERROR: GET command failed')
print("Successfully GET keyvalue pair")
db_size = self.redis_conn.dbsize()
- assert db_size > 0, "Database size not valid"
+ if db_size <= 0: raise Exception("Database size not valid")
result_delete = self.redis_conn.delete(key)
- assert result_delete == 1, "Error: Delete command failed"
+ if not result_delete == 1: raise Exception("Error: Delete command failed")
print("Successfully DELETED keyvalue pair")
def test_client_kill(self, client_ip_port_list):
for client_ip_port in client_ip_port_list:
result = self.redis_conn.client_kill(client_ip_port)
- print(result)
- assert result, "Client failed to be removed"
+ if not result: raise Exception('Client failed to be removed')
print("Successfully DELETED client")
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 3e6dc6b55..2a295e80e 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -34,11 +34,9 @@
name: openstack-helm-infra-bandit
run: playbooks/osh-infra-bandit.yaml
nodeset: openstack-helm-single-node
-# Note(gagehugo): Uncomment this once it passes so that it only runs
-# when python related files are changed.
-# files:
-# - ^.*\.py\.tpl$
-# - ^.*\.py$
+ files:
+ - ^.*\.py\.tpl$
+ - ^.*\.py$
- job:
name: openstack-helm-infra
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index b9d778b22..571842824 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -19,8 +19,7 @@
check:
jobs:
- openstack-helm-lint
- - openstack-helm-infra-bandit:
- voting: false
+ - openstack-helm-infra-bandit
- openstack-helm-infra-aio-logging
- openstack-helm-infra-aio-monitoring
- openstack-helm-infra-federated-monitoring: