From d872d004239e9daa5159ac853885dd3b272549ca Mon Sep 17 00:00:00 2001
From: Stephen Kiely
Date: Wed, 28 Aug 2024 16:24:58 -0500
Subject: [PATCH] Remove Bandit and Ruff PL rule (#157)

* Remove Bandit and Ruff PL rule
* Remove bandit.yml and bandit from main project.
* Remove nosec
* Remove Symlinks
---
.bandit.yml | 6 --
development/Dockerfile.dockerignore | 1 -
docs/dev/dev_environment.md | 2 -
.../.bandit.yml | 1 -
.../mattermost/nautobot_bootstrap.py | 6 +-
.../pyproject.toml | 1 -
.../.bandit.yml | 1 -
.../pyproject.toml | 1 -
.../.bandit.yml | 6 --
.../.github/workflows/ci.yml | 12 ---
.../docs/dev/contributing.md | 2 +-
.../docs/dev/dev_environment.md | 2 -
.../pyproject.toml | 2 -
.../{{ cookiecutter.project_slug }}/tasks.py | 9 --
poetry.lock | 92 +------------------
pyproject.toml | 1 -
16 files changed, 5 insertions(+), 140 deletions(-)
delete mode 100644 .bandit.yml
delete mode 120000 nautobot-app-chatops/{{ cookiecutter.project_slug }}/.bandit.yml
delete mode 120000 nautobot-app-ssot/{{ cookiecutter.project_slug }}/.bandit.yml
delete mode 100644 nautobot-app/{{ cookiecutter.project_slug }}/.bandit.yml

diff --git a/.bandit.yml b/.bandit.yml
deleted file mode 100644
index 56f7a83b..00000000
--- a/.bandit.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-skips: []
-# No need to check for security issues in the test scripts!
-exclude_dirs:
- - "./tests/"
- - "./.venv/"
diff --git a/development/Dockerfile.dockerignore b/development/Dockerfile.dockerignore
index 6301c4a2..56acb0bd 100644
--- a/development/Dockerfile.dockerignore
+++ b/development/Dockerfile.dockerignore
@@ -1,7 +1,6 @@
 **/*
 !/files/
-!/.bandit.yml
 !/.coveragerc
 !/.github/
 !/.yamllint.yml
diff --git a/docs/dev/dev_environment.md b/docs/dev/dev_environment.md
index c7849f42..d8b00efb 100644
--- a/docs/dev/dev_environment.md
+++ b/docs/dev/dev_environment.md
@@ -102,7 +102,6 @@ Each command can be executed with `invoke `. All commands support the a
 #### Testing
 ```
- bandit Run bandit to validate basic static code security analysis.
 ruff Run ruff to perform code formatting and/or linting.
 pylint Run pylint code analysis.
 tests Run all tests for this app.
@@ -304,7 +303,6 @@ To run an individual test, you can run any or all of the following:
 ```bash
 ➜ invoke unittest
-➜ invoke bandit
 ➜ invoke ruff
 ➜ invoke pylint
 ```
diff --git a/nautobot-app-chatops/{{ cookiecutter.project_slug }}/.bandit.yml b/nautobot-app-chatops/{{ cookiecutter.project_slug }}/.bandit.yml
deleted file mode 120000
index 0b4d2f4d..00000000
--- a/nautobot-app-chatops/{{ cookiecutter.project_slug }}/.bandit.yml
+++ /dev/null
@@ -1 +0,0 @@
-../../nautobot-app/{{ cookiecutter.project_slug }}/.bandit.yml
\ No newline at end of file
diff --git a/nautobot-app-chatops/{{ cookiecutter.project_slug }}/development/mattermost/nautobot_bootstrap.py b/nautobot-app-chatops/{{ cookiecutter.project_slug }}/development/mattermost/nautobot_bootstrap.py
index dc922276..0c1052c8 100644
--- a/nautobot-app-chatops/{{ cookiecutter.project_slug }}/development/mattermost/nautobot_bootstrap.py
+++ b/nautobot-app-chatops/{{ cookiecutter.project_slug }}/development/mattermost/nautobot_bootstrap.py
@@ -26,9 +26,9 @@
 # The following tokens are for the development only and safe to store in the repo.
 _COMMAND_TOKENS = {
- "clear": "u7p1an973bd1jqg75i3y7pxj7y", # nosec
- "nautobot": "ncygprhkt3rrxr4rkytcaa7c9c", # nosec
- "{{ cookiecutter.chatops_interactive_command }}": "fh1kbk45xtgm8r48jzr39ru1ww", # nosec
+ "clear": "u7p1an973bd1jqg75i3y7pxj7y",
+ "nautobot": "ncygprhkt3rrxr4rkytcaa7c9c",
+ "{{ cookiecutter.chatops_interactive_command }}": "fh1kbk45xtgm8r48jzr39ru1ww",
 }
 for command, token in _COMMAND_TOKENS.items():
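Review bot: Dropping the `# nosec` trailers on the three `_COMMAND_TOKENS` entries changes nothing for the linting that remains, because ruff does not recognise `# nosec` (it only honours `# noqa`) and the template's pyproject.toml in this same commit keeps the `S` (flake8-bandit) rule set; the only suppression that would matter here is `# noqa: S105` on a flagged line. From the visible lines no S rule should trigger, since the dict keys are command names rather than password-like identifiers, so no replacement marker looks necessary, but it is worth confirming `invoke ruff` stays clean on this file with the markers gone. The comment above the dict is now the sole justification for committing these literal values, so it should stay with the dict if the block is ever moved. The `for command, token in _COMMAND_TOKENS.items():` loop that consumes the values continues past the end of the hunk.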
diff --git a/nautobot-app-chatops/{{ cookiecutter.project_slug }}/pyproject.toml b/nautobot-app-chatops/{{ cookiecutter.project_slug }}/pyproject.toml
index 0a3bbec5..5038b877 100644
--- a/nautobot-app-chatops/{{ cookiecutter.project_slug }}/pyproject.toml
+++ b/nautobot-app-chatops/{{ cookiecutter.project_slug }}/pyproject.toml
@@ -38,7 +38,6 @@ nautobot = "^{{ cookiecutter.min_nautobot_version }}"
 nautobot-chatops = "^3.0.1"
 [tool.poetry.group.dev.dependencies]
-bandit = "*"
 coverage = "*"
 django-debug-toolbar = "*"
 invoke = "*"
diff --git a/nautobot-app-ssot/{{ cookiecutter.project_slug }}/.bandit.yml b/nautobot-app-ssot/{{ cookiecutter.project_slug }}/.bandit.yml
deleted file mode 120000
index 0b4d2f4d..00000000
--- a/nautobot-app-ssot/{{ cookiecutter.project_slug }}/.bandit.yml
+++ /dev/null
@@ -1 +0,0 @@
-../../nautobot-app/{{ cookiecutter.project_slug }}/.bandit.yml
\ No newline at end of file
diff --git a/nautobot-app-ssot/{{ cookiecutter.project_slug }}/pyproject.toml b/nautobot-app-ssot/{{ cookiecutter.project_slug }}/pyproject.toml
index 6fb1fd0c..7caa4275 100644
--- a/nautobot-app-ssot/{{ cookiecutter.project_slug }}/pyproject.toml
+++ b/nautobot-app-ssot/{{ cookiecutter.project_slug }}/pyproject.toml
@@ -35,7 +35,6 @@ nautobot = "^{{ cookiecutter.min_nautobot_version }}"
 nautobot-ssot = "^2.0.0"
 [tool.poetry.group.dev.dependencies]
-bandit = "*"
 coverage = "*"
 django-debug-toolbar = "*"
 invoke = "*"
diff --git a/nautobot-app/{{ cookiecutter.project_slug }}/.bandit.yml b/nautobot-app/{{ cookiecutter.project_slug }}/.bandit.yml
deleted file mode 100644
index 56f7a83b..00000000
--- a/nautobot-app/{{ cookiecutter.project_slug }}/.bandit.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-skips: []
-# No need to check for security issues in the test scripts!
-exclude_dirs:
- - "./tests/"
- - "./.venv/"
diff --git a/nautobot-app/{{ cookiecutter.project_slug }}/.github/workflows/ci.yml b/nautobot-app/{{ cookiecutter.project_slug }}/.github/workflows/ci.yml
index 3d217294..5a60172d 100644
--- a/nautobot-app/{{ cookiecutter.project_slug }}/.github/workflows/ci.yml
+++ b/nautobot-app/{{ cookiecutter.project_slug }}/.github/workflows/ci.yml
@@ -27,17 +27,6 @@ jobs:
 uses: "networktocode/gh-action-setup-poetry-environment@v6"
 - name: "Linting: ruff format"
 run: "poetry run invoke ruff --action format"
- bandit:
- runs-on: "ubuntu-22.04"
- env:
- INVOKE_{{ cookiecutter.app_name.upper() }}_LOCAL: "True"
- steps:
- - name: "Check out repository code"
- uses: "actions/checkout@v4"
- - name: "Setup environment"
- uses: "networktocode/gh-action-setup-poetry-environment@v6"
- - name: "Linting: bandit"
- run: "poetry run invoke bandit"
 ruff-lint:
 runs-on: "ubuntu-22.04"
 env:
@@ -84,7 +73,6 @@ jobs:
 run: "poetry run invoke yamllint"
 check-in-docker:
 needs:
- - "bandit"
 - "ruff-format"
 - "ruff-lint"
 - "poetry"
diff --git a/nautobot-app/{{ cookiecutter.project_slug }}/docs/dev/contributing.md b/nautobot-app/{{ cookiecutter.project_slug }}/docs/dev/contributing.md
index aae67f6b..6e15fb93 100644
--- a/nautobot-app/{{ cookiecutter.project_slug }}/docs/dev/contributing.md
+++ b/nautobot-app/{{ cookiecutter.project_slug }}/docs/dev/contributing.md
@@ -4,7 +4,7 @@ The project is packaged with a light [development environment](dev_environment.m
 The project is following Network to Code software development guidelines and is leveraging the following:
-- Python linting and formatting: `pylint`, `bandit`, and `ruff`.
+- Python linting and formatting: `pylint` and `ruff`.
 - YAML linting is done with `yamllint`.
 - Django unit test to ensure the app is working properly.
diff --git a/nautobot-app/{{ cookiecutter.project_slug }}/docs/dev/dev_environment.md b/nautobot-app/{{ cookiecutter.project_slug }}/docs/dev/dev_environment.md
index e9da50bb..e3fdb412 100644
--- a/nautobot-app/{{ cookiecutter.project_slug }}/docs/dev/dev_environment.md
+++ b/nautobot-app/{{ cookiecutter.project_slug }}/docs/dev/dev_environment.md
@@ -123,7 +123,6 @@ Each command can be executed with `invoke `. All commands support the a
 #### Testing
 ```
- bandit Run bandit to validate basic static code security analysis.
 ruff Run ruff to perform code formatting and/or linting.
 pylint Run pylint code analysis.
 tests Run all tests for this app.
@@ -462,7 +461,6 @@ To run an individual test, you can run any or all of the following:
 ```bash
 ➜ invoke unittest
-➜ invoke bandit
 ➜ invoke ruff
 ➜ invoke pylint
 ```
diff --git a/nautobot-app/{{ cookiecutter.project_slug }}/pyproject.toml b/nautobot-app/{{ cookiecutter.project_slug }}/pyproject.toml
index 4e4095fb..4b1ea26b 100644
--- a/nautobot-app/{{ cookiecutter.project_slug }}/pyproject.toml
+++ b/nautobot-app/{{ cookiecutter.project_slug }}/pyproject.toml
@@ -35,7 +35,6 @@ python = ">=3.8,<3.13"
 nautobot = "^{{ cookiecutter.min_nautobot_version }}"
 [tool.poetry.group.dev.dependencies]
-bandit = "*"
 coverage = "*"
 django-debug-toolbar = "*"
 invoke = "*"
@@ -99,7 +98,6 @@ target-version = "py38"
 select = [
 "D", # pydocstyle
 "F", "E", "W", # flake8
- "PL", # pylint
 "S", # bandit
 "I", # isort
 ]
diff --git a/nautobot-app/{{ cookiecutter.project_slug }}/tasks.py b/nautobot-app/{{ cookiecutter.project_slug }}/tasks.py
index 64efad56..765c1e67 100644
--- a/nautobot-app/{{ cookiecutter.project_slug }}/tasks.py
+++ b/nautobot-app/{{ cookiecutter.project_slug }}/tasks.py
@@ -739,13 +739,6 @@ def ruff(context, action=None, target=None, fix=False, output_format="concise"):
 run_command(context, command, warn=True)
-@task
-def bandit(context):
- """Run bandit to validate basic static code security analysis."""
- command = "bandit --recursive . --configfile .bandit.yml"
- run_command(context, command)
-
-
 @task
 def yamllint(context):
 """Run yamllint to validate formatting adheres to NTC defined YAML standards.
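Review bot: In the `select` hunk of nautobot-app/{{ cookiecutter.project_slug }}/pyproject.toml, keeping `"S", # bandit` while the same commit deletes `.bandit.yml` quietly widens the scope of the security checks: the bandit config excluded `./tests/`, but nothing in this hunk carves the test directory out of ruff's `S` rules, so checks such as S101 (`assert` usage) or S106 (hard-coded password argument, common in test fixtures) may now fire on test code unless a per-file-ignores table already exists outside the hunk. If it does not, an entry such as `"*/tests/*" = ["S101", "S106"]` (constructed example) under ruff's per-file-ignores table would preserve the previous scope; the table header that holds `select` is outside the hunk, so whether that is `[tool.ruff.lint.per-file-ignores]` or the older `[tool.ruff.per-file-ignores]` depends on it. Ruff excludes `.venv` by default, so that half of the old exclusion needs nothing.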
@@ -825,8 +818,6 @@ def tests(context, failfast=False, keepdb=False, lint_only=False):
 # Sorted loosely from fastest to slowest
 print("Running ruff...")
 ruff(context)
- print("Running bandit...")
- bandit(context)
 print("Running yamllint...")
 yamllint(context)
 print("Running poetry check...")
diff --git a/poetry.lock b/poetry.lock
index 4aed956d..8527563f 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -33,29 +33,6 @@ files = [
 [package.dependencies]
 typing-extensions = {version = ">=4.0.0", markers = "python_version < \"3.11\""}
-[[package]]
-name = "bandit"
-version = "1.7.5"
-description = "Security oriented static analyser for python code."
-optional = false
-python-versions = ">=3.7"
-files = [
- {file = "bandit-1.7.5-py3-none-any.whl", hash = "sha256:75665181dc1e0096369112541a056c59d1c5f66f9bb74a8d686c3c362b83f549"},
- {file = "bandit-1.7.5.tar.gz", hash = "sha256:bdfc739baa03b880c2d15d0431b31c658ffc348e907fe197e54e0389dd59e11e"},
-]
-
-[package.dependencies]
-colorama = {version = ">=0.3.9", markers = "platform_system == \"Windows\""}
-GitPython = ">=1.0.1"
-PyYAML = ">=5.3.1"
-rich = "*"
-stevedore = ">=1.20.0"
-
-[package.extras]
-test = ["beautifulsoup4 (>=4.8.0)", "coverage (>=4.5.4)", "fixtures (>=3.0.0)", "flake8 (>=4.0.0)", "pylint (==1.9.4)", "stestr (>=2.5.0)", "testscenarios (>=0.5.0)", "testtools (>=2.3.0)", "tomli (>=1.1.0)"]
-toml = ["tomli (>=1.1.0)"]
-yaml = ["PyYAML"]
-
 [[package]]
 name = "binaryornot"
 version = "0.4.4"
@@ -346,37 +323,6 @@ python-dateutil = ">=2.8.1"
 [package.extras]
 dev = ["flake8", "markdown", "twine", "wheel"]
-[[package]]
-name = "gitdb"
-version = "4.0.11"
-description = "Git Object Database"
-optional = false
-python-versions = ">=3.7"
-files = [
- {file = "gitdb-4.0.11-py3-none-any.whl", hash = "sha256:81a3407ddd2ee8df444cbacea00e2d038e40150acfa3001696fe0dcf1d3adfa4"},
- {file = "gitdb-4.0.11.tar.gz", hash = "sha256:bf5421126136d6d0af55bc1e7c1af1c397a34f5b7bd79e776cd3e89785c2b04b"},
-]
-
-[package.dependencies]
-smmap = ">=3.0.1,<6"
-
-[[package]]
-name = "gitpython"
-version = "3.1.40"
-description = "GitPython is a Python library used to interact with Git repositories"
-optional = false
-python-versions = ">=3.7"
-files = [
- {file = "GitPython-3.1.40-py3-none-any.whl", hash = "sha256:cf14627d5a8049ffbf49915732e5eddbe8134c3bdb9d476e6182b676fc573f8a"},
- {file = "GitPython-3.1.40.tar.gz", hash = "sha256:22b126e9ffb671fdd0c129796343a02bf67bf2994b35449ffc9321aa755e18a4"},
-]
-
-[package.dependencies]
-gitdb = ">=4.0.1,<5"
-
-[package.extras]
-test = ["black", "coverage[toml]", "ddt (>=1.1.1,!=1.4.3)", "mock", "mypy", "pre-commit", "pytest", "pytest-cov", "pytest-instafail", "pytest-subtests", "pytest-sugar"]
-
 [[package]]
 name = "griffe"
 version = "0.38.1"
@@ -777,17 +723,6 @@ files = [
 {file = "pathspec-0.11.2.tar.gz", hash = "sha256:e0d8d0ac2f12da61956eb2306b69f9469b42f4deb0f3cb6ed47b9cce9996ced3"},
 ]
-[[package]]
-name = "pbr"
-version = "6.0.0"
-description = "Python Build Reasonableness"
-optional = false
-python-versions = ">=2.6"
-files = [
- {file = "pbr-6.0.0-py2.py3-none-any.whl", hash = "sha256:4a7317d5e3b17a3dccb6a8cfe67dab65b20551404c52c8ed41279fa4f0cb4cda"},
- {file = "pbr-6.0.0.tar.gz", hash = "sha256:d1377122a5a00e2f940ee482999518efe16d745d423a670c27773dfbc3c9a7d9"},
-]
-
 [[package]]
 name = "platformdirs"
 version = "4.1.0"
@@ -1198,31 +1133,6 @@ files = [
 {file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"},
 ]
-[[package]]
-name = "smmap"
-version = "5.0.1"
-description = "A pure Python implementation of a sliding window memory map manager"
-optional = false
-python-versions = ">=3.7"
-files = [
- {file = "smmap-5.0.1-py3-none-any.whl", hash = "sha256:e6d8668fa5f93e706934a62d7b4db19c8d9eb8cf2adbb75ef1b675aa332b69da"},
- {file = "smmap-5.0.1.tar.gz", hash = "sha256:dceeb6c0028fdb6734471eb07c0cd2aae706ccaecab45965ee83f11c8d3b1f62"},
-]
-
-[[package]]
-name = "stevedore"
-version = "5.1.0"
-description = "Manage dynamic plugins for Python applications"
-optional = false
-python-versions = ">=3.8"
-files = [
- {file = "stevedore-5.1.0-py3-none-any.whl", hash = "sha256:8cc040628f3cea5d7128f2e76cf486b2251a4e543c7b938f58d9a377f6694a2d"},
- {file = "stevedore-5.1.0.tar.gz", hash = "sha256:a54534acf9b89bc7ed264807013b505bf07f74dbe4bcfa37d32bd063870b087c"},
-]
-
-[package.dependencies]
-pbr = ">=2.0.0,<2.1.0 || >2.1.0"
-
 [[package]]
 name = "text-unidecode"
 version = "1.3"
@@ -1369,4 +1279,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.8"
-content-hash = "dfe18f9fff26f1dcc43ff3a6272966a7a0ea1851e75310980c14fdd94555f0e5"
+content-hash = "df2a275ad2562902bdba075c3a6b53e6f35e1c5fd97e6403a8a0afd9dc346d6c"
diff --git a/pyproject.toml b/pyproject.toml
index 57794e62..3bd7e7bc 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -16,7 +16,6 @@ python = "^3.8"
 pyyaml = "*"
 [tool.poetry.group.dev.dependencies]
-bandit = "*"
 coverage = "*"
 invoke = "*"
 isort = "*"