Skip to content

Use bandit (via pantsbuild) #5777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
cognifloyd merged 6 commits into from
Oct 17, 2022
Merged

Use bandit (via pantsbuild) #5777

cognifloyd merged 6 commits into from
Oct 17, 2022

Conversation

@cognifloyd
Copy link
Member

@cognifloyd cognifloyd commented Oct 15, 2022
edited
Loading

Background

This is another part of introducing pants, as discussed in the TSC Meetings on 12 July 2022, 02 Aug 2022, 06 Sept 2022, and 04 Oct 2022. Pants has fine-grained per-file caching of results for lint, fmt (like black), test, etc. It also has lockfiles that work well for monorepos that have multiple python packages. With these lockfiles CI should not break when any of our dependencies or our transitive dependencies release new versions, because CI will continue to use the locked version until we explicitly relock with updates.

To keep PRs as manageable/reviewable as possible, introducing pants will take a series of PRs. I do not know yet how many PRs; I will break this up into logical steps with these goals:

  • introduce pants to the st2 repo, and
  • teach some (but not all) TSC members about pants step-by-step.

Other pants PRs include:

Overview of this PR

This configures pants to use bandit when running the lint goal.

By default, pants uses bandit>=1.7.0,<1.8, but I told it to use the version we have it pinned to: bandit==1.7.0:

st2/test-requirements.txt

Line 10 in 83904f6

bandit==1.7.0

Pants uses a lockfile for each tool it uses to ensure we get consistent results. Since I changed [bandit].version in pants.toml, pants errors, saying that the lockfile (in this case the <default> lockfile distributed with pants) is out-of-date. Note how the message is very helpful in explaining exactly what has to happen to fix this:

$ ./pants lint ::
18:05:57.53 [INFO] Initializing scheduler...
18:05:57.84 [INFO] Scheduler initialized.
18:05:59.81 [INFO] Completed: Lint with Shellcheck - shellcheck succeeded.
18:06:02.59 [ERROR] 1 Exception encountered:

  InvalidLockfileError: You are using the `<default>` lockfile provided by Pants to install the tool `bandit`, but it is not compatible with your configuration:

- You have set different requirements than those used to generate the lockfile. You can fix this by updating `[bandit].version` and/or `[bandit].extra_requirements`, or by using a new custom lockfile.
In the input requirements, but not in the lockfile: ['bandit==1.7.0']
In the lockfile, but not in the input requirements: ['bandit<1.8,>=1.7.0']

To generate a custom lockfile based on your current configuration, set `[bandit].lockfile` to where you want to create the lockfile, then run `./pants generate-lockfiles --resolve=bandit`.

As described in #5774, I'm putting lockfiles under the lockfiles/ directory. I'm also not using an extension on the file. Pants does not care about extensions, so we can adopt our own convention on naming the lockfiles. For now, I skipped the extension, but we could easily use .lock or something similar.

NOTE: it is not safe to manually change the lockfiles. If we need to change any dependencies (including transitive deps), we need to use pants to regenerate the applicable lockfiles. Therefore, 481 lines of this change are auto-generated - you can review them for sanity, but we should not change them manually.

Unlike black (#5774) and flake8 (#5776), we do not need to add skip_bandit=True in any of the BUILD files.

I used [bandit].args to reuse the bandit settings we already have in the Makefile:

st2/Makefile

Line 556 in 94d0798

. $(VIRTUALENV_DIR)/bin/activate; bandit -r $(COMPONENTS_WITH_RUNNERS) -lll -x build,dist

st2/pants.toml

Lines 88 to 93 in 837fb1c

args = [
"-lll", # only HIGH severity level
"--exclude",
"build,dist",
"--quiet", # only show output in the case of an error
]

I had to look up what each of the args meant, so I documented the -lll arg in a comment, and used --exclude instead of the shorter -x so that it's easier to tell what it's doing. Also, I added the --quiet arg because bandit has a very verbose success message--this was recommended in the pants docs.

Relevant Pants documentation

Things you can do with pantsbuild

I needed to generate the lockfiles/bandit lockfile, which I did with this (the "scheduler" info messages occur whenever pantsd is starting up in the background, so we can ignore those.):

$./pants generate-lockfiles --resolve=bandit
20:48:36.94 [INFO] Initializing scheduler...
20:48:37.23 [INFO] Scheduler initialized.
20:49:00.55 [INFO] Completed: Generate lockfile for bandit
20:49:00.55 [INFO] Wrote lockfile for the resolve `bandit` to lockfiles/bandit

You can run ./pants lint :: to see if bandit finds any issues (the GHA Lint workflow runs this as well). You can run only one of the linters with the helpful --only arg like this:

$ ./pants lint --only=bandit ::
20:49:08.16 [INFO] Completed: Building bandit.pex from lockfiles/bandit
20:49:09.61 [INFO] Completed: Lint with Bandit - bandit succeeded.
20:49:10.36 [INFO] Completed: Lint with Bandit - bandit succeeded.
20:49:10.99 [INFO] Completed: Lint with Bandit - bandit succeeded.
20:49:11.51 [INFO] Completed: Lint with Bandit - bandit succeeded.
20:49:18.92 [INFO] Completed: Lint with Bandit - bandit succeeded.
20:49:19.91 [INFO] Completed: Lint with Bandit - bandit succeeded.
20:49:22.35 [INFO] Completed: Lint with Bandit - bandit succeeded.
20:49:24.10 [INFO] Completed: Lint with Bandit - bandit succeeded.
20:49:27.22 [INFO] Completed: Lint with Bandit - bandit succeeded.

✓ bandit succeeded.

The --only flag is "scoped" to the lint goal. So, these are equivalent if you wanted to specify that flag in a different order:
./pants lint --only=bandit ::
./pants --lint-only=bandit lint ::
./pants lint :: --lint-only=bandit

note: that I had to add lint in the arg name to use a different order

@cognifloyd cognifloyd added this to the pants milestone Oct 15, 2022
@cognifloyd cognifloyd requested review from a team, amanda11, arm4b, nzlosh and rush-skills October 15, 2022 01:54
@cognifloyd cognifloyd self-assigned this Oct 15, 2022
@pull-request-size pull-request-size bot added the size/L PR that changes 100-499 lines. Requires some effort to review. label Oct 15, 2022
@pull-request-size pull-request-size bot added size/XL PR that changes 500-999 lines. Consider splitting work into several ones that easier to review. and removed size/L PR that changes 100-499 lines. Requires some effort to review. labels Oct 15, 2022
@cognifloyd cognifloyd requested a review from winem October 15, 2022 01:58
This was referenced Oct 15, 2022
Merged
Merged
Merged
amanda11
amanda11 approved these changes Oct 17, 2022
View reviewed changes
Copy link
Contributor

@amanda11 amanda11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - although the vote seems to be going for .lock files...

@cognifloyd cognifloyd requested a review from a team October 17, 2022 16:21
@cognifloyd cognifloyd enabled auto-merge October 17, 2022 16:21
@cognifloyd
add BUILD comments about skipping git submodule contents
f443f39 
We do not want to have pants or git complaining about changes in the git
submodule as those changes would require a separate PR process.
cognifloyd
cognifloyd commented Oct 17, 2022
View reviewed changes
st2tests/st2tests/fixtures/packs/BUILD
Comment on lines +26 to 27
# do not fmt across git submodule boundary
skip_black=True,
Copy link
Member Author

@cognifloyd cognifloyd Oct 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was requested in #5774 (comment)
I missed adding it before merging, so I'm adding it here.

Eric-Arellano
Eric-Arellano approved these changes Oct 17, 2022
View reviewed changes
Copy link

@Eric-Arellano Eric-Arellano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bandit is one of my favorite tools. Nice :)

rush-skills
rush-skills approved these changes Oct 17, 2022
View reviewed changes
Copy link
Member

@rush-skills rush-skills left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cognifloyd cognifloyd merged commit 4099a09 into master Oct 17, 2022
@cognifloyd cognifloyd deleted the pants-bandit branch October 17, 2022 21:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rush-skills rush-skills rush-skills approved these changes

@amanda11 amanda11 amanda11 approved these changes

@arm4b arm4b Awaiting requested review from arm4b

@nzlosh nzlosh Awaiting requested review from nzlosh

@winem winem Awaiting requested review from winem

+1 more reviewer

@Eric-Arellano Eric-Arellano Eric-Arellano approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@cognifloyd cognifloyd

Labels

external dependency infrastructure: ci/cd pantsbuild size/XL PR that changes 500-999 lines. Consider splitting work into several ones that easier to review.

Projects

None yet

Milestone

pants

Development

Successfully merging this pull request may close these issues.

5 participants

@cognifloyd @rush-skills @amanda11 @Eric-Arellano