add bandit for static code analysis (#19)

* add bandit for static code analysis * add bandit for static code analysis * add bandit for static code analysis
canonical · Oct 20, 2022 · 880f5f6 · 880f5f6
1 parent 279d2b6
commit 880f5f6
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 5 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -6,7 +6,7 @@ on:
 
 jobs:
   lint-and-unit-test:
-    name: Lint and unit tests
+    name: lint and unit tests
     runs-on: ubuntu-20.04
     outputs:
       report: ${{ steps.export-test-report.outputs.report }}

diff --git a/Makefile b/Makefile
@@ -9,12 +9,16 @@ lint: blacken
 	@echo "Running flake8"
 	@tox -e lint
 
+static:
+	@echo "Running bandit"
+	@tox -e static
+
 # We actually use the build directory created by charmcraft,
 # but the .charm file makes a much more convenient sentinel.
 unittest:
 	@tox -e unit
 
-test: lint unittest
+test: lint unittest static
 
 clean:
 	@echo "Cleaning files"

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,11 @@
 # Copyright 2022 Canonical Ltd.
 # See LICENSE file for licensing details.
 
+[tool.bandit]
+exclude_dirs = ["/venv/"]
+[tool.bandit.assert_used]
+skips = ["*/*test.py", "*/test_*.py"]
+
 # Testing tools configuration
 [tool.coverage.run]
 branch = true

diff --git a/src/charm.py b/src/charm.py
@@ -285,7 +285,7 @@ def _render_template(self, tmpl: str, ctx: dict) -> str:
 
         :returns: A rendered Jinja2 template
         """
-        j2env = Environment(loader=BaseLoader())
+        j2env = Environment(loader=BaseLoader(), autoescape=True)
         j2template = j2env.from_string(tmpl)
 
         return j2template.render(**ctx)
@@ -371,7 +371,7 @@ def _make_pod_env(self) -> dict:
 
         ctx = self._get_context_from_relations()
 
-        j2env = Environment(loader=BaseLoader)
+        j2env = Environment(loader=BaseLoader, autoescape=True)
         j2template = j2env.parse(env)
         missing_vars = set()
 

diff --git a/tox.ini b/tox.ini
@@ -1,8 +1,12 @@
 [tox]
 skipsdist=True
-envlist = unit
+envlist = lint, unit, static, coverage-report
 skip_missing_interpreters = True
 
+[vars]
+src_path = {toxinidir}/src/
+tst_path = {toxinidir}/tests/
+
 [testenv]
 basepython = python3
 
@@ -48,6 +52,15 @@ deps =
 commands =
     coverage report
 
+[testenv:static]
+description = Run static analysis tests
+deps =
+    bandit
+    toml
+    -r{toxinidir}/requirements.txt
+commands =
+    bandit -c {toxinidir}/pyproject.toml -r {[vars]src_path} {[vars]tst_path}
+
 [flake8]
 exclude =
     .git,