turn on bandit based static security analysis

mr-c · mr-c · commit 06a74e1b83a2 · 2019-04-20T12:35:06.000+02:00
diff --git a/cwltool/resolver.py b/cwltool/resolver.py
@@ -84,6 +84,6 @@ def resolve_ga4gh_tool(document_loader, uri):
                     ds2 = GA4GH_TRS_PRIMARY_DESCRIPTOR.format(reg, urllib.parse.quote(path, ""), urllib.parse.quote(version, ""), urllib.parse.quote(primary_path, ""))
                     _logger.debug("Resolved %s", ds2)
                     return ds2
-        except Exception:
+        except Exception:  # nosec
             pass
     return None
diff --git a/tox.ini b/tox.ini
@@ -2,6 +2,7 @@
 envlist =
   py{27,34,35,36,37}-lint,
   py{27,34,35,36,37}-unit,
+  py{27,34,35,36,37}-bandit,
   py{34,35,36,36,37}-mypy{2,3},
   py27-pipconflictchecker,
   py27-lint-readme,
@@ -31,6 +32,7 @@ deps =
   py{27,34,35,36,37}-unit: -rtest-requirements.txt
   py{27,34,35,36,37}-unit: galaxy-lib
   py{27,34,35,36,37}-lint: flake8
+  py{27,34,35,36,37}-bandit: bandit
   py{34,35,36,36,37}-mypy{2,3}: mypy==0.620
 
 setenv =
@@ -45,6 +47,7 @@ commands =
   py{27,34,35,36,37}-unit: coverage report
   py{27,34,35,36,37}-unit: coverage xml
   py{27,34,35,36,37}-unit: codecov --file coverage.xml
+  py{27,34,35,36,37}-bandit: bandit -r cwltool
   py{27,34,35,36,37}-lint: flake8 schema_salad setup.py
   py{34,35,36,36,37}-mypy2: make mypy2
   py{34,35,36,36,37}-mypy3: make mypy3
