confidential-containers / confidential-containers

Confidential Containers Community
https://confidentialcontainers.org/
Apache License 2.0

Define Static Code Analysis in CI #46

Open dcmiddle opened 2 years ago

dcmiddle commented 2 years ago

From https://bestpractices.coreinfrastructure.org/en/projects/5719#analysis

At least one static code analysis tool (beyond compiler warnings and "safe" language modes) MUST be applied to any proposed major production release of the software before its release, if there is at least one FLOSS tool that implements this criterion in the selected language. [static_analysis]

A static code analysis tool examines the software code (as source code, intermediate code, or executable) without executing it with specific inputs. For purposes of this criterion, compiler warnings and "safe" language modes do not count as static code analysis tools (these typically avoid deep analysis because speed is vital). Some static analysis tools focus on detecting generic defects, others focus on finding specific kinds of defects (such as vulnerabilities), and some do a combination. Examples of such static code analysis tools include cppcheck (C, C++), clang static analyzer (C, C++), SpotBugs (Java), FindBugs (Java) (including FindSecurityBugs), PMD (Java), Brakeman (Ruby on Rails), lintr (R), goodpractice (R), Coverity Quality Analyzer, SonarQube, Codacy, and HP Enterprise Fortify Static Code Analyzer. Larger lists of tools can be found in places such as the Wikipedia list of tools for static code analysis, OWASP information on static code analysis, NIST list of source code security analyzers, and Wheeler's list of static analysis tools. The SWAMP is a no-cost platform for assessing vulnerabilities in software using a variety of tools.

It is SUGGESTED that static source code analysis occur on every commit or at least daily.

See also https://github.com/confidential-containers/community/issues/2

wainersm commented 1 year ago

Related to static code analysis, I think we should enable a checker on pull requests to ensure new source files have the copyright notice in their headers, as suggested by CNCF: https://github.com/cncf/foundation/blob/main/copyright-notices.md

On two occasions I saw that issue being discussed on pull requests for the operator:

Maybe that is an example of "Applying standard processes and checks across the repos" that @jodh-intel has tried to bring up to discuss in our weekly meetings?

@dcmiddle would you like to break it out into another issue?

jodh-intel commented 1 year ago

@dcmiddle, @wainersm - This is a subset of https://github.com/confidential-containers/confidential-containers/issues/121 which I'm hoping to get some airtime to discuss at the meeting on Wednesday.

The Kata static checker already handles checking of license headers (and an awful lot more besides ;)

ariel-adam commented 1 year ago

@dcmiddle is this issue still relevant, or can it be closed? If it's still relevant, which release do you think we should map it to (mid-November, end-December, mid-February, etc.)?

dcmiddle commented 1 year ago

@ariel-adam this should stay open as we do not have good static checkers across CoCo yet.

@wainersm thanks for adding. Fine to track licensing/copyright checks here. The main goal of this issue is doing security-related static analysis. One could argue that improperly licensed contributions create an availability risk. That should mostly be caught by DCO checks (Signed-off-by). The SPDX license banner checks may help with future SBOM requirements. Community copyright labels IMO are not very consequential. I think they just help follow the provenance of the file as it is copied to other projects.

Besides the Kata static checker, are there other static checks we could inherit from Kata for code correctness / security? I'd also like to see language linters everywhere.

jodh-intel commented 1 year ago

For the record, the Kata static checker checks the SPDX headers (with exclusions). We also have GitHub Actions to check the validity of all commits (Signed-off-by, plus general commit formatting, the fixes-issue number, etc.).
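A minimal version of the pull-request header check wainersm proposes above, matching what jodh-intel describes the Kata checker doing (SPDX headers with exclusions). This is an added example, not the Kata static checker or any CoCo project code; it assumes Apache-2.0 is the project license, a fixed set of source-file extensions, and the exclusion patterns shown.

```shell
#!/usr/bin/env sh
# Added example, not the Kata static checker or any CoCo project code.
# Fails for each changed source file that lacks an SPDX license header in its
# first 10 lines. Assumptions: the project license is Apache-2.0, and vendored
# or generated files are excluded (the exclusion patterns below are assumed).
# Usage in CI: git diff --name-only "$BASE" "$HEAD" | xargs sh check-spdx.sh

EXCLUDE_RE='(^|/)vendor/|\.pb\.go$|\.generated\.'

# has_spdx_header FILE -> success if the SPDX line is present in the first 10 lines
has_spdx_header() {
    head -n 10 "$1" | grep -q 'SPDX-License-Identifier: Apache-2.0'
}

# check_spdx_headers FILE... -> reports offenders on stderr; exit status is the
# number of failing files (0 means every checked file passed)
check_spdx_headers() {
    fails=0
    for f in "$@"; do
        case "$f" in
            *.go|*.rs|*.sh|*.py) ;;   # only source files are checked (assumed set)
            *) continue ;;
        esac
        if printf '%s\n' "$f" | grep -Eq "$EXCLUDE_RE"; then
            continue                 # excluded path
        fi
        if ! has_spdx_header "$f"; then
            echo "missing SPDX header: $f" >&2
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# make_samples -> writes constructed sample files to a temp dir and prints its path
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/vendor"
    printf '// Copyright (c) 2023 Example Authors\n// SPDX-License-Identifier: Apache-2.0\n\npackage main\n' > "$d/good.go"
    printf 'package main\n\nfunc main() {}\n' > "$d/bad.go"          # constructed: no header
    printf 'package lib\n' > "$d/vendor/lib.go"                      # constructed: excluded
    printf '# Title\n' > "$d/README.md"                              # constructed: not source
    printf '%s\n' "$d"
}

if [ "$#" -gt 0 ]; then
    check_spdx_headers "$@"
fi
```

Run against the sample set from make_samples, only bad.go is reported; the vendored file and the README are skipped.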

mythi commented 4 weeks ago

Taking this one and added it to the board.

mythi commented 4 weeks ago

We can use CodeQL for the Go-based projects and "N/A" for Rust (I did a quick cross-check against other Rust projects that have this requirement marked as completed, and in all of those it was just "rustc/clippy/cargo audit").

mythi commented 2 weeks ago

CodeQL Status: