On Fri, 10 Mar 2023 at 08:33, Takashi Kajinami <tkajinam@redhat.com> wrote:


On Fri, Mar 10, 2023 at 4:20 PM Takashi Kajinami <tkajinam@redhat.com> wrote:
fyi;

It seems the new release of bandit (1.7.5) just came out and this introduces a new lint rule
to require defining the timeout parameter for all "requests" calls.

This is currently affecting heat, and a quick search shows some of the other projects contain some code
not compliant with this rule (barbican, ceilometer, cinder, glance, manila, nova, ...).
It seems some of these (ceilometer, cinder, glance and manila) are not using bandit and others (nova) have
the upper version defined. So it might not affect a limited number of projects using bandit without an upper version,
but I'd recommend you check your own projects.

AFAIK, the Nova bandit-specific tox target [1] isn't run on CI by any of the Zuul jobs we have [2] (we don't include a bandit check as part of the pep8 validation).
I tested both the 1.7.4 and 1.7.5 bandit versions on the tox target locally, and I don't see much of a difference.

Sounds like the issue is then unrelated to the Nova project, to clarify.
-Sylvain


[1] https://github.com/openstack/nova/blob/master/tox.ini#L260-L265
[2] https://github.com/openstack/nova/blob/master/.zuul.yaml

Also, it seems we do not pin bandit by u-c for some reason, so this likely affects all stable branches.
Actually, I first noticed this when I tried to backport one fix to the 2023.1 branch of heat...

Thank you,
Takashi
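The pattern the new bandit rule complains about (a `requests` call with no `timeout=`), shown as an added example that is not part of this thread, of bandit, or of any of the projects named above: a simplified AST check that flags such calls in a constructed source snippet. The function names, the sample module, and the choice to also flag `timeout=None` and to skip calls that forward `**kwargs` are my own assumptions, not bandit's exact logic.

```python
import ast

# Helpers on the requests module that accept a timeout= keyword (assumption: this list)
REQUESTS_FUNCS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def _is_requests_call(func):
    """True for a call of the form requests.<method>(...)."""
    return (isinstance(func, ast.Attribute)
            and func.attr in REQUESTS_FUNCS
            and isinstance(func.value, ast.Name)
            and func.value.id == "requests")


def find_requests_without_timeout(source):
    """Return sorted [(lineno, 'requests.<method>'), ...] for calls that either
    omit timeout= or pass timeout=None (which disables the timeout entirely).
    Calls forwarding **kwargs are skipped: a timeout may arrive that way."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_requests_call(node.func):
            continue
        timeout = [kw for kw in node.keywords if kw.arg == "timeout"]
        forwards_kwargs = any(kw.arg is None for kw in node.keywords)
        if not timeout and forwards_kwargs:
            continue  # cannot decide statically; not reported by this simplified check
        disabled = bool(timeout) and isinstance(timeout[0].value, ast.Constant) \
            and timeout[0].value.value is None
        if not timeout or disabled:
            findings.append((node.lineno, f"requests.{node.func.attr}"))
    return sorted(findings)


# Constructed sample module exercising the cases above (not real project code)
SAMPLE = '''\
import requests

def fetch(url):
    return requests.get(url)                     # flagged: no timeout

def fetch_ok(url):
    return requests.get(url, timeout=(3.05, 27)) # fine: connect/read timeouts set

def fetch_disabled(url):
    return requests.post(url, timeout=None)      # flagged: timeout explicitly disabled

def fetch_passthrough(url, **opts):
    return requests.head(url, **opts)            # skipped: timeout may come via **opts
'''

if __name__ == "__main__":
    for lineno, call in find_requests_without_timeout(SAMPLE):
        print(f"line {lineno}: {call} called without a usable timeout")
```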