oracle / macaron

Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks, detect malicious Python packages, or check conformance to frameworks, such as SLSA. Documentation:
https://oracle.github.io/macaron/
Universal Permissive License v1.0

Add support for Makefile as build script and make as build tool #833

Open behnazh-w opened 2 months ago

behnazh-w commented 2 months ago

Makefile is often used as a generic build tool. In fact, Macaron itself uses Makefile to generate artifacts. We already have support for a number of build tools.

To support Makefile

jenstroeger commented 2 weeks ago

I poked around a little, and here are a few references. First off, it would be tricky to write a grammar for make, since the grammar is extremely context-dependent. (thread, similar questions here or especially here).

Having said that, I found the following attempts to come up with a Makefile grammar:

It might also make sense to explore existing syntax highlighters like Pygments which support at least Makefile lexers.

@behnazh-w given a Makefile, it looks like you’re interested in extracting the Recipes from it?

behnazh-w commented 2 weeks ago

> @behnazh-w given a Makefile, it looks like you’re interested in extracting the Recipes from it?

Yes exactly. Our ultimate goal is to find shell commands that invoke build tools. For now we can limit the Recipes to bash scripts.
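As an illustration of the recipe extraction discussed in this thread, here is an added Python sketch (not Macaron's code) that pulls the tab-indented recipe lines out of each Makefile target and flags the shell commands whose first word is a build tool. The BUILD_TOOLS set and the sample Makefile are assumptions for the example; it does not expand variables or evaluate conditionals, which is exactly the context-dependence that makes a full make grammar hard.

```python
import re
# Build tools to flag at the start of a command (assumed list, not Macaron's configuration).
BUILD_TOOLS = {"pip", "python", "python3", "flit", "poetry", "mvn", "gradle", "npm", "cargo"}
# A rule line: targets, ':' or '::', prerequisites; '(?!=)' rejects ':=' assignments.
RULE_RE = re.compile(r"^([^\s:=#][^:=#]*?)\s*::?\s*(?!=)(.*)$")

def extract_recipes(makefile_text):
    """Map each target to its recipe commands (tab-indented lines). Variables are not
    expanded and conditionals are not evaluated: the context-dependence noted above."""
    recipes, current = {}, []                   # current: targets whose recipe is being read
    logical = re.sub(r"\s*\\\n\s*", " ", makefile_text)   # join backslash-continued lines
    for line in logical.splitlines():
        if line.startswith("\t"):                          # recipe line
            cmd = line.strip().lstrip("@-+").strip()       # drop the @ - + prefixes
            if cmd and not cmd.startswith("#"):
                for target in current:
                    recipes[target].append(cmd)
            continue
        stripped = line.split("#", 1)[0].rstrip()          # strip trailing comments
        if not stripped:
            continue
        match = RULE_RE.match(stripped)
        # Special targets such as .PHONY carry no recipe of interest.
        current = [t for t in match.group(1).split() if not t.startswith(".")] if match else []
        for target in current:
            recipes.setdefault(target, [])
    return recipes

def build_tool_commands(recipes):
    """Return (target, command) pairs whose first word is a known build tool."""
    found = []
    for target, cmds in recipes.items():
        for cmd in cmds:
            for part in re.split(r"\s*(?:&&|\|\||;)\s*", cmd):   # split compound commands
                tokens = part.split()
                if tokens and tokens[0] in BUILD_TOOLS:
                    found.append((target, part))
    return found
# Constructed sample Makefile, not Macaron's own.
SAMPLE_MAKEFILE = """\
PYTHON := python3   # an assignment, not a rule
.PHONY: setup build
setup:
\tpip install --upgrade pip && pip install -e .
build: setup
\t@echo "building"
\tpython3 -m build \\
\t\t--sdist --wheel
"""
```

Running `build_tool_commands(extract_recipes(SAMPLE_MAKEFILE))` yields the two pip commands under `setup` and the `python3 -m build` command under `build`, while the `echo` line and the variable assignment are ignored.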