git-afsantos / haros_plugins

Plugin repository for the HAROS tool.

Support for flawfinder #5

Open fkromer opened 6 years ago

fkromer commented 6 years ago

Do you plan to add a plugin for the static analyser for potential CWE security issues in C++ code flawfinder? According to the tool's website it is officially CWE-compatible.

fkromer commented 6 years ago

@git-afsantos I want to debug my draft integration of flawfinder. Can you give me some hints on how to proceed during plugin development?

git-afsantos commented 6 years ago

@fkromer Sure. There are some things you need to make sure in all cases:

To try things out, go with something along the lines of haros analyse -w flawfinder_plugin -p my_index.yaml. Trying it out with a relatively small index (one or two packages) and increasing it over time may be easier. Unfortunately, the error reporting for plugins is not very good, but hopefully you can make sense of some stack traces.

Another thing you can do in the first stages is to use print instead of iface.report_violation. This way you have more immediate results on the screen, and you can change it to proper reports later on. Also, this way you do not have to check the resulting JSON files, nor open the visualiser every time.

I can help you out once you hit more specific obstacles.
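One way to structure the flawfinder side of such a plugin so that it can be debugged the way the reply above suggests (print first, switch to the real report call later). This is an added example, not code from the haros_plugins repository or from either commenter. It assumes flawfinder's `--csv` output layout (header row `File,Line,Column,DefaultLevel,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint`, as recalled from flawfinder 2.x); the sample CSV is constructed, and the `report(rule_id, message, path, line)` callback is a hypothetical stand-in for whatever the HAROS interface actually expects, so the defaults here only print.

```python
import csv
import io
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample of flawfinder `--csv` output (column layout assumed
# from flawfinder 2.x; two hits on two hypothetical ROS node source files).
SAMPLE_CSV = """File,Line,Column,DefaultLevel,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint
src/talker.cpp,42,5,4,4,buffer,strcpy,"Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).","Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).",,CWE-120,"    strcpy(buf, msg->data.c_str());",deadbeef
src/listener.cpp,17,3,2,2,buffer,char,"Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).","Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.",,CWE-119!/CWE-120,"    char buf[64];",cafebabe
"""

# flawfinder marks the most relevant CWE with a trailing "!", e.g. CWE-119!/CWE-120;
# we only need the numeric ids, in the order flawfinder lists them.
CWE_RE = re.compile(r"CWE-(\d+)")


def parse_flawfinder_csv(text: str) -> List[Dict[str, object]]:
    """Turn flawfinder CSV text into a list of plain dicts, one per hit."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        hits.append({
            "file": row["File"],
            "line": int(row["Line"]),
            "level": int(row["Level"]),       # 0 (info) .. 5 (highest risk)
            "name": row["Name"],              # the flagged function/construct
            "warning": row["Warning"],
            "cwes": [int(n) for n in CWE_RE.findall(row["CWEs"])],
        })
    return hits


def run_flawfinder(paths: List[str]) -> Optional[str]:
    """Run the real tool if it is installed; return its CSV text or None.
    Assumes `flawfinder --csv <paths>` (the --csv flag exists in 2.x)."""
    try:
        proc = subprocess.run(["flawfinder", "--csv"] + paths,
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stdout


def report_hits(hits: List[Dict[str, object]], min_level: int = 2,
                report: Optional[Callable[[str, str, str, int], None]] = None) -> int:
    """Emit one violation per hit at or above min_level and return the count.

    `report` is a hypothetical stand-in for the plugin's real reporting call
    (iface.report_violation in the thread above); the default just prints,
    which is the debugging shortcut recommended in the reply.
    """
    if report is None:
        def report(rule_id: str, message: str, path: str, line: int) -> None:
            print("%s:%d: [%s] %s" % (path, line, rule_id, message))
    count = 0
    # Highest-risk findings first, then stable file/line order.
    for hit in sorted(hits, key=lambda h: (-h["level"], h["file"], h["line"])):
        if hit["level"] < min_level:
            continue
        if hit["cwes"]:
            rule_id = "flawfinder_cwe_%d" % hit["cwes"][0]   # hypothetical rule naming
        else:
            rule_id = "flawfinder_%s" % hit["name"]
        report(rule_id, hit["warning"], hit["file"], hit["line"])
        count += 1
    return count


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in run_flawfinder([...]) for real files.
    report_hits(parse_flawfinder_csv(SAMPLE_CSV), min_level=2)
```

The `min_level` threshold is where a plugin author would decide what to surface: flawfinder's level 4-5 hits (such as the unbounded `strcpy` in the sample) are far more actionable than the level 1-2 "statically-sized array" notes, which are mostly noise in a large ROS workspace.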