On Fri, 10 Mar 2023 at 08:33, Takashi Kajinami <tkajinam@redhat.com> wrote:
On Fri, Mar 10, 2023 at 4:20 PM Takashi Kajinami <tkajinam@redhat.com> wrote:
fyi;
It seems the new release of bandit (1.7.5) just came out and this introduces a new lint rule to require defining the timeout parameter for all "requests" calls.
https://github.com/PyCQA/bandit/commit/5ff73ff8ff956df7d63fde49c3bd671db8e82...
This is currently affecting heat, and a quick search shows some of the other projects contain some code not compliant with this rule (barbican, ceilometer, cinder, glance, manila, nova, ...).
Seems some of these (ceilometer, cinder, glance and manila) are not using bandit and others (nova) have the upper version defined. So it might only affect a limited number of projects using bandit without an upper version, but I'd recommend you check your own projects.
AFAIK, the Nova bandit-specific tox target [1] isn't run on CI by any of the Zuul jobs we have [2] (we don't include a bandit check as part of a pep8 validation). I tested both 1.7.4 and 1.7.5 bandit versions on the tox target locally, and I don't see much of a difference. Sounds like the issue is then unrelated to the Nova project, to clarify.

-Sylvain

[1] https://github.com/openstack/nova/blob/master/tox.ini#L260-L265
[2] https://github.com/openstack/nova/blob/master/.zuul.yaml

Also, it seems we do not pin bandit by u-c for some reason, so this likely affects all stable branches. Actually I first noticed this when I tried to backport one fix to the 2023.1 branch of heat...
Thank you, Takashi
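The rule the thread is about is bandit's B113 (request_without_timeout), which reports a `requests.<method>()` call that passes no `timeout`, or passes `timeout=None`, because such a call can block a service indefinitely when the remote side stalls. The following is an added stand-alone approximation of that check written for this thread; it is not bandit's own implementation and not code from any of the OpenStack projects named above. It walks the AST of a constructed sample module and returns the line numbers that the rule would flag, showing the flagged form next to the compliant form (`timeout=(connect, read)`). Calls that forward `**kwargs` are treated as unknown and not flagged, which is a choice made here, not necessarily bandit's behaviour.

```python
"""Approximation of bandit 1.7.5's B113 check: flag requests.<method>() calls
that do not set an explicit, non-None timeout.

Illustration written for this thread, not bandit's own code. The sample
source below is constructed for the demonstration."""
import ast
from typing import List

# Module-level helpers of the requests API that perform a network round trip.
REQUESTS_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def _is_requests_call(node: ast.Call) -> bool:
    """True for calls of the shape requests.<method>(...)."""
    func = node.func
    return (
        isinstance(func, ast.Attribute)
        and isinstance(func.value, ast.Name)
        and func.value.id == "requests"
        and func.attr in REQUESTS_METHODS
    )


def _timeout_is_set(node: ast.Call) -> bool:
    """True when the call passes a timeout other than None.

    timeout=None disables the timeout entirely, so it counts as missing.
    A **kwargs expansion cannot be inspected statically; this approximation
    assumes the caller supplies the timeout there and does not flag it.
    """
    for kw in node.keywords:
        if kw.arg == "timeout":
            return not (isinstance(kw.value, ast.Constant) and kw.value.value is None)
        if kw.arg is None:  # **kwargs
            return True
    return False


def find_requests_without_timeout(source: str) -> List[int]:
    """Return sorted line numbers of requests calls lacking a usable timeout."""
    tree = ast.parse(source)
    return sorted(
        node.lineno
        for node in ast.walk(tree)
        if isinstance(node, ast.Call)
        and _is_requests_call(node)
        and not _timeout_is_set(node)
    )


# Constructed sample module: one missing timeout, one compliant call,
# one explicit timeout=None (also non-compliant).
SAMPLE = '''import requests

def fetch_metadata(url):
    return requests.get(url)                       # flagged: no timeout

def fetch_metadata_safe(url):
    return requests.get(url, timeout=(3.05, 27))   # ok: (connect, read) timeout

def post_event(url, data):
    return requests.post(url, json=data, timeout=None)  # flagged: timeout disabled
'''


if __name__ == "__main__":
    for lineno in find_requests_without_timeout(SAMPLE):
        print(f"sample.py:{lineno}: requests call without timeout (B113)")
```

Running the module prints the two non-compliant lines (4 and 10). To make a project's own gate independent of the bandit release, the thread's other remedy applies too: pin bandit in the tox environment or upper-constraints so a new rule cannot land in CI unannounced, then fix the findings deliberately.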