[openstack-dev] [Announce]Bandit 1.0 stable released
Kelsey, Timothy John
tim.kelsey at hpe.com
Mon Apr 4 17:28:37 UTC 2016
Bandit release 1.0 stable
This milestone release includes a number of major new features, as follows:
- Test IDs: bandit tests are now given unique IDs. These IDs can be used in
all situations where a test name would have been used previously
(include, exclude, etc). Additionally, new CLI options "-t/-s" take a list
of test IDs to include or exclude respectively. Terse test IDs are much
more convenient than long-winded names. Support for referring to tests by
name is now deprecated and will be removed in a future version.
- Configuration Overhaul: The bandit configuration file is now optional. All
test plugins ship with good defaults that will be used if not overridden.
The configuration file format has also been re-worked to be much simpler
and make good use of the new test IDs. While the old config file format is
still supported, it is deprecated and this support will be removed in a
future version. Please see the documentation for info on the new format.
- Configuration tool: A new-style configuration file may be generated using
the included configuration generator tool. This contains defaults for all
discovered plugins. It provides a good base that can then be hand edited.
- Profiles Deprecated: Bandit's configuration files previously contained named
lists of tests to include and exclude, known as a "profile". This concept has
been deprecated in 1.0 and will be removed in future versions when support
for legacy configurations is dropped. In place of profiles we encourage
adopters to use several separate config files and pick one using the -c
command line option. This has the advantage of permitting test configuration
defaults to be overridden as needed. Adopters may find that the new -t and
-s CLI options completely remove the need for a "profile" or equivalent.
- Blacklists: Blacklisted items (function calls, module imports) now have test
IDs. Fine control of blacklisting is now possible using these IDs to include
or exclude items. A new plugin interface has been created to allow third-
party adopters to extend blacklist items if desired. Support for legacy
blacklist data is part of the deprecated legacy configuration support.
Please see the Configuration Overhaul item.
The plugin API, CLI and configuration scheme should now be considered stable.
No new version of bandit will break this contract without incrementing the
major release number.
This release also includes a number of important bug fixes; we encourage
adopters to upgrade to bandit 1.0 as soon as they are able.
What this means for adopters
In most cases you will simply need to delete your bandit.yaml file and
adjust the invocation used in your tox.ini, adding -t or -s options as needed.
In more advanced scenarios, generating a minimal configuration file using the
included config generation tool and tweaking it as needed will be sufficient.
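As an added illustration of the migration described above (this is example
configuration, not part of the announcement), a tox.ini that relies on the
1.0 plugin defaults and the new -s/-t options instead of a profile in
bandit.yaml. The project name "myproject", its "tests" directory and the
"bandit-strict.yaml" file name are assumptions; B101 is Bandit's
assert_used check.

```ini
# Added example; not from the Bandit announcement.
# Common case: no config file at all. Every plugin ships with defaults, so
# only the invocation needs to change. -s skips tests by ID (here B101,
# assert_used, which is noisy in a codebase that uses assert for invariants).
[testenv:bandit]
deps = bandit>=1.0
commands = bandit -r myproject -x myproject/tests -s B101

# Opt-in job that runs only a chosen set of tests by ID (-t). Replace the
# IDs after B101 with the ones your gate cares about; a comma-separated list
# replaces the old named "profile".
[testenv:bandit-selected]
deps = bandit>=1.0
commands = bandit -r myproject -x myproject/tests -t B101

# Advanced case: a per-job config generated with the 1.0 config generator
# and hand-edited to override plugin defaults, selected with -c. Several
# such files can coexist, one per job, instead of several profiles in one
# bandit.yaml.
[testenv:bandit-strict]
deps = bandit>=1.0
commands = bandit -r myproject -x myproject/tests -c bandit-strict.yaml
```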
Finally, new integration tests have been added to bandit in an effort to maintain
good compatibility with projects using bandit in the gate. The following
projects are included:
If your project would like to use bandit and be included in these tests,
please contact the bandit team.
The bandit dev team