From 1d9f0fa6f81a20078df04258cc6303b4d1f0d629 Mon Sep 17 00:00:00 2001 From: Dalton Bohning Date: Wed, 3 Jun 2026 13:03:50 -0700 Subject: [PATCH] SRE-3787 cq: update python bandit to rocky 9.7 (#18290) Update python bandit check to Rocky 9.7 and install bandit with pip so we get the latest version available. Skip-unit-tests: true Skip-fault-injection-test: true Skip-func-test: true Skip-test-rpms: true Signed-off-by: Dalton Bohning --- Jenkinsfile | 3 +- ci/bandit.config | 2 +- ci/python_bandit_check.sh | 1 + utils/docker/Dockerfile.code_scanning | 46 ++++++++++++----------- utils/rpms/packaging/Dockerfile.mockbuild | 3 +- utils/scripts/install-el-bandit.sh | 33 ++++++++++++++++ 6 files changed, 62 insertions(+), 26 deletions(-) create mode 100755 utils/scripts/install-el-bandit.sh diff --git a/Jenkinsfile b/Jenkinsfile index 9c0232492e9..e9074ef8977 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -467,7 +467,8 @@ pipeline { filename 'utils/docker/Dockerfile.code_scanning' label 'docker_runner' additionalBuildArgs dockerBuildArgs(add_repos: false) + - ' --build-arg FVERSION=37' + ' --build-arg POINT_RELEASE=.7' + + " --build-arg PYTHON_VERSION=${env.PYTHON_VERSION}" } } steps { diff --git a/ci/bandit.config b/ci/bandit.config index 4c23904c246..0e49bf2bbec 100755 --- a/ci/bandit.config +++ b/ci/bandit.config 
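Review bot: `" --build-arg PYTHON_VERSION=${env.PYTHON_VERSION}"` is a Groovy GString, so if `env.PYTHON_VERSION` is not set for this pipeline run the build arg is passed as the literal string `null`, which the install script then turns into a `pythonnull` package name instead of failing early. Where PYTHON_VERSION is defined is outside this hunk, so either assert it is non-empty before the build or give it a fallback, e.g. `" --build-arg PYTHON_VERSION=${env.PYTHON_VERSION ?: '<default-python-version>'}"`. The enclosing `pipeline { … }` block begins and ends outside the hunk.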
@@ -83,7 +83,7 @@ # IPAS Required Checkers. Do not disable these # Additional checkers may be added if desired tests: - [ 'B301', 'B302', 'B303', 'B304', 'B305', 'B306', 'B308', 'B310', 'B311', 'B312', 'B313', 'B314', 'B315', 'B316', 'B317', 'B318', 'B319', 'B320', 'B321', 'B323', 'B324', 'B401', 'B402', 'B403', 'B404', 'B405', 'B406', 'B407', 'B408', 'B409', 'B410', 'B411', 'B412', 'B413'] + [ 'B301', 'B302', 'B303', 'B304', 'B305', 'B306', 'B308', 'B310', 'B311', 'B312', 'B313', 'B314', 'B315', 'B316', 'B317', 'B318', 'B319', 'B321', 'B323', 'B324', 'B401', 'B402', 'B403', 'B404', 'B405', 'B406', 'B407', 'B408', 'B409', 'B411', 'B412', 'B413'] # (optional) list skipped test IDs here, eg '[B101, B406]': # The following checkers are not required but be added to tests list if desired diff --git a/ci/python_bandit_check.sh b/ci/python_bandit_check.sh index c866726c3cb..788b8c7f7c2 100755 --- a/ci/python_bandit_check.sh +++ b/ci/python_bandit_check.sh @@ -4,4 +4,5 @@ set -uex git clean -dxf +bandit --version bandit --format xml -o bandit.xml -r . -c ci/bandit.config || true diff --git a/utils/docker/Dockerfile.code_scanning b/utils/docker/Dockerfile.code_scanning index dce9f26fdb3..d7a64512015 100644 --- a/utils/docker/Dockerfile.code_scanning +++ b/utils/docker/Dockerfile.code_scanning @@ -1,14 +1,17 @@ # -# Copyright 2018-2022, Intel Corporation +# Copyright 2018-2022 Intel Corporation. +# Copyright 2026 Hewlett Packard Enterprise Development LP # # 'recipe' for Docker for code scanning. # -ARG FVERSION=latest -FROM fedora:$FVERSION -# Needed for later use of FVERSION -ARG FVERSION +# Pull base image +ARG POINT_RELEASE= +ARG BASE_DISTRO=rockylinux:9$POINT_RELEASE +FROM $BASE_DISTRO AS basic LABEL maintainer="daos@daos.groups.io" +# Needed for later use of BASE_DISTRO +ARG BASE_DISTRO # Intermittent cache-bust. Used to reduce load on the actual CACHEBUST later. ARG CB0 
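Review bot: B320 and B410 are dropped from the `tests` list without any explanation, directly under a header that says these are required checkers that must not be disabled. If the reason is that the newer pip-installed bandit no longer ships those test IDs and refuses to load a profile that names them, say so next to the list, e.g. `# B320 and B410 are no longer provided by current bandit releases; listing them breaks profile loading`, so the next reader does not re-add them as a "missing required checker". The `tests:` list is complete within the hunk; the removal of the two IDs is the only change.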
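Review bot: `ARG POINT_RELEASE=` defaults to empty, so any build that does not pass the Jenkinsfile's `--build-arg POINT_RELEASE=.7` resolves `BASE_DISTRO` to the floating `rockylinux:9` tag and local and CI images can silently diverge. Give the Dockerfile the same default the pipeline passes, `ARG POINT_RELEASE=.7`, or pin `BASE_DISTRO` by digest, so that the version in the commit title is actually what the recipe builds by default. Redeclaring `ARG BASE_DISTRO` after `FROM` is correct since pre-`FROM` args are not visible inside the stage.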
@@ -26,22 +29,21 @@ ENV NO_PROXY=${DAOS_NO_PROXY} RUN echo "no_proxy=${DAOS_NO_PROXY}" >> /etc/environment && \ echo "NO_PROXY=${DAOS_NO_PROXY}" >> /etc/environment -# script to install OS updates basic tools and daos dependencies -# COPY ./utils/scripts/install-fedora.sh /tmp/install.sh -# script to setup local repo if available -COPY ./utils/scripts/helpers/repo-helper-fedora.sh /tmp/repo-helper.sh - -RUN chmod +x /tmp/repo-helper.sh && \ - /tmp/repo-helper.sh && \ +# Script to setup local repo if available +COPY ./utils/scripts/helpers/repo-helper-el9.sh /tmp/repo-helper.sh +RUN chmod +x /tmp/repo-helper.sh && \ + /tmp/repo-helper.sh && \ rm -f /tmp/repo-helper.sh -# Install Python Bandit scanner. -# The unset commands are currently needed for the combination of running -# with a local repository, yet needing a proxy to reach outside repositories. -# This needs to be moved to a shell script like above in the future to -# properly only remove the proxy variables only when they need to be removed -RUN unset HTTPS_PROXY && unset https_proxy && \ - dnf -y upgrade && dnf -y install bandit && dnf clean all - -ARG CB1 -RUN unset HTTPS_PROXY && unset https_proxy && dnf -y upgrade && dnf clean all +# Script to install OS packages needed for code scanning, including python and bandit. +ARG PYTHON_VERSION +ENV PATH=/home/daos/venv/bin:$PATH +ENV VIRTUAL_ENV=/home/daos/venv/ +COPY ./utils/scripts/install-el-bandit.sh /tmp/install.sh +FROM basic +# Install OS packages +RUN dnf upgrade && \ + chmod +x /tmp/install.sh && \ + /tmp/install.sh && \ + dnf clean all && \ + rm -f /tmp/install.sh diff --git a/utils/rpms/packaging/Dockerfile.mockbuild b/utils/rpms/packaging/Dockerfile.mockbuild index 96621daabc3..6e97ed3a919 100644 --- a/utils/rpms/packaging/Dockerfile.mockbuild +++ b/utils/rpms/packaging/Dockerfile.mockbuild 
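Review bot: `ARG PYTHON_VERSION` is declared in the `basic` stage, but the `RUN … /tmp/install.sh` that needs it runs in the new stage opened by `FROM basic`, and a build arg goes out of scope at a stage boundary, so the script sees an empty PYTHON_VERSION and asks dnf for `python` and `python-pip` rather than the versioned packages; add `ARG PYTHON_VERSION` directly after `FROM basic` (the `ENV PATH` and `ENV VIRTUAL_ENV` values do carry over because they are recorded in the image config, but ARGs are not). `RUN dnf upgrade && …` has no `-y`, so it only succeeds if `repo-helper-el9.sh` (not in view) has configured `assumeyes=True`; either pass `-y` or state that dependency in the comment above the RUN. The venv under `/home/daos/venv/` is created by root in this layer since no `USER` is in view; if a `daos` user is expected to run bandit from it later, a `--chown` or ownership step is needed somewhere outside this hunk.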
@@ -1,6 +1,6 @@ # # Copyright 2018-2024 Intel Corporation -# Copyright 2025 Hewlett Packard Enterprise Development LP +# Copyright 2025-2026 Hewlett Packard Enterprise Development LP # # 'recipe' for Docker to build an RPM # @@ -16,7 +16,6 @@ LABEL maintainer="daos@daos.groups.io" ARG REPO_FILE_URL ARG DAOS_LAB_CA_FILE_URL # script to install OS updates basic tools and daos dependencies -# COPY ./utils/scripts/install-fedora.sh /tmp/install.sh # script to setup local repo if available COPY ./utils/scripts/helpers/repo-helper-fedora.sh /tmp/repo-helper.sh diff --git a/utils/scripts/install-el-bandit.sh b/utils/scripts/install-el-bandit.sh new file mode 100755 index 00000000000..913db31258a --- /dev/null +++ b/utils/scripts/install-el-bandit.sh @@ -0,0 +1,33 @@ +#!/usr/bin/env bash +# Copyright 2026 Hewlett Packard Enterprise Development LP + +# Install OS updates and packages as required for running python bandit. + +# This script use used by docker but can be invoked from elsewhere, in order to run it +# interactively then these two commands can be used to set dnf into automatic mode. +# dnf --assumeyes install dnf-plugins-core +# dnf config-manager --save --setopt=assumeyes=True + +set -e + +dnf_install_args="${1:-}" + +: "${PYTHON_VERSION:=}" +: "${VIRTUAL_ENV:=}" + +# shellcheck disable=SC2086 +dnf --nodocs install ${dnf_install_args} \ + git \ + python${PYTHON_VERSION} \ + python${PYTHON_VERSION}-pip + +# Setup a virtual environment if requested +if [ -n "$VIRTUAL_ENV" ]; then + python"${PYTHON_VERSION}" -m venv "$VIRTUAL_ENV" + # shellcheck disable=SC1091 + . "$VIRTUAL_ENV/bin/activate" +fi + +# Install Python Bandit scanner +python3 -m pip --no-cache-dir install --upgrade pip +python3 -m pip --no-cache-dir install bandit
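Review bot: The venv is created with `python"${PYTHON_VERSION}" -m venv`, but the two pip lines at the end use `python3`, so when VIRTUAL_ENV is unset (the script's own comment says it may be run outside docker) bandit is installed for whatever `python3` resolves to on the host rather than the requested interpreter; use `python"${PYTHON_VERSION}" -m pip --no-cache-dir install --upgrade pip` and `python"${PYTHON_VERSION}" -m pip --no-cache-dir install bandit`, which resolve inside the activated venv as well. `dnf --nodocs install` likewise has no `-y` and relies on assumeyes having been set by the caller, which is worth stating in the header comment since the script advertises standalone use. Installing `bandit` unpinned is intentional per the commit message, so the `bandit --version` line added to ci/python_bandit_check.sh is the only record of which scanner version produced a given report; if a scan ever needs to be reproduced, pin it as `bandit==<version>`. Nit: the header comment reads `This script use used by docker`, should be `This script is used by docker`.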