[openstack-dev] [Announce]Bandit 1.0 stable released

Kelsey, Timothy John tim.kelsey at hpe.com
Mon Apr 4 17:28:37 UTC 2016

Bandit release 1.0 stable

This milestone release includes a number of major new features, as follows:

- Test IDs: bandit tests are now given unique IDs. These IDs can be used in
  all situations where a test name would have been used previously
  (include, exclude, etc). Additionally, new CLI options "-t/-s" take a list
  of test IDs to include or exclude respectively. Terse test IDs are much
  more convenient than long-winded names. Support for referring to tests by
  name is now deprecated and will be removed in a future version.

- Configuration Overhaul: The bandit configuration file is now optional. All
  test plugins ship with good defaults that will be used if not overridden.
  The configuration file format has also been re-worked to be much simpler
  and make good use of the new test IDs. While the old config file format is
  still supported, it is deprecated and this support will be removed in a
  future version. Please see the documentation for info on the new format.

- Configuration tool: A new style configuration file may be generated using
  the included configuration generator tool. This contains defaults for all
  discovered plugins. It provides a good base that can then be hand edited
  as needed.

- Profiles Deprecated: Bandit's configuration files previously contained named
  lists of tests to include and exclude, known as a "profile". This concept has
  been deprecated in 1.0 and will be removed in future versions when support
  for legacy configurations is dropped. In place of profiles we encourage
  adopters to use several separate config files and pick one using the -c
  command line option. This has the advantage of permitting test configuration
  defaults to be overridden as needed. Adopters may find that the new -t and
  -s CLI options completely remove the need for a "profile" or equivalent.

- Blacklists: Blacklisted items (function calls, module imports) now have test
  IDs. Fine control of blacklisting is now possible using these IDs to include
  or exclude items. A new plugin interface has been created to allow third
  party adopters to extend blacklist items if desired. Support for legacy
  blacklist data is part of the deprecated legacy configuration support.
  Please see the Configuration Overhaul item.

The plugin API, CLI and configuration scheme should now be considered stable.
No new version of bandit will break this contract without incrementing the
major release number.

This release also includes a number of important bug fixes, we encourage
adopters to upgrade to bandit 1.0 as soon as they are able.

What this means for adopters

In most cases you will simply need to delete your bandit.yaml file and
adjust the invocation used in your tox.ini, adding -t or -s options as needed.
In more advanced scenarios, generating a minimal configuration file using the
included config generation tool and tweaking as needed will be sufficient.
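As an added illustration (not part of the announcement and not code from the bandit project) of the two migration paths described above, here is what an adjusted tox.ini might look like once the legacy bandit.yaml has been deleted: one environment relies purely on plugin defaults plus -s/-t, the other selects a hand-tweaked generated config with -c. The project directory "myproject", the file name "bandit-strict.yaml" and the choice of B101 (assert_used) as the skipped test are assumptions for the example; confirm test IDs against the plugin list of the bandit version you install.

```ini
# tox.ini -- example bandit environments for a project moving to bandit 1.0.
# "myproject" is a hypothetical package directory; replace it with the tree
# that bandit should scan.

[testenv:bandit]
# Simple case: no bandit.yaml at all. Every plugin runs with its built-in
# defaults and the selection is done on the command line: -s skips the listed
# test IDs, -t would restrict the run to the listed IDs instead.
# B101 (assert_used) is assumed here as the test to skip; -x excludes the test
# suite itself from the scan.
deps = bandit>=1.0.0
commands = bandit -r myproject -x myproject/tests -s B101

[testenv:bandit-strict]
# Advanced case: a configuration file produced by the config generator and
# then hand edited, selected with -c. A second tox env pointing at a different
# -c file is the replacement for the deprecated named "profile".
# -ll reports only medium severity and higher so that low-severity findings
# do not fail the gate.
deps = bandit>=1.0.0
commands = bandit -r myproject -x myproject/tests -c bandit-strict.yaml -ll
```

Running `tox -e bandit` exercises the default path; `tox -e bandit-strict` uses the configuration file. The generated file (bandit-config-generator in the 1.0 releases) carries the per-plugin defaults, so only the settings you change need to survive the hand edit.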

Finally, new integration tests have been added to bandit in an effort to maintain
good compatibility with projects using bandit in the gate. The following
projects are included:

- barbican
- glance
- keystone
- keystonemiddleware
- magnum
- oslo.config
- oslo.log
- oslo.service
- oslo.utils
- python-keystoneclient
- python-magnumclient
- sahara

If your project would like to use bandit and be included in these tests,
please contact the bandit team.


Thank you,

The bandit dev team
