priv-kweihmann / meta-sca

Layer for static code analysis and security hardening

modules per image/recipe #199

Closed RobertBerger closed 5 years ago

RobertBerger commented 5 years ago

There is (at least in my head) some confusion about how to configure the beast.

Let's see my understanding:

# SCA_AVAILABLE_MODULES: List of all available modules, use to globally enable/disable modules
# bitbake -e | grep ^SCA_AVAILABLE_MODULES= 
# SCA_AVAILABLE_MODULES = " ansible ansiblelint bandit bashate bitbake checkbashism clang cppcheck cpplint cqmetrics cspell cvecheck dennis detectsecrets
#                           eslint flint gcc gixy htmlhint jsonlint kconfighard oclint oelint proselint pyfindinjection pylint pysymcheck pytype
#                           radon rats ropgadget score shellcheck standard stylelint systemdlint textlint tlv tscancode xmllint yamllint zrd"
#
# SCA_ENABLED_MODULES: The analysis modules to be activated - different lists for images and recipes
#
# on image:
# bitbake app-container-image-python3-data-collector -e | grep ^SCA_ENABLED_MODULES=
#
# SCA_ENABLED_MODULES=" ansible ansiblelint bandit bashate bitbake checkbashism detectsecrets eslint gixy htmlhint jsonlint oelint proselint
#                       pyfindinjection pylint shellcheck standard stylelint systemdlint tlv xmllint yamllint"
# 
# on recipe:
# bitbake python3-tcpclientserver -e | grep ^SCA_ENABLED_MODULES=
#
# SCA_ENABLED_MODULES=" ansiblelint bandit bashate bitbake checkbashism clang cppcheck cpplint cqmetrics cspell cvecheck dennis detectsecrets
#                       eslint flint gcc htmlhint jsonlint kconfighard oclint oelint proselint pyfindinjection pylint pysymcheck pytype
#                       radon rats ropgadget score shellcheck standard stylelint textlint tlv tscancode xmllint yamllint zrd"
#

SCA_AVAILABLE_MODULES: global list of available modules; e.g. flake8 support is not yet in this list, because there are no classes for it yet. Whatever tool is in this list is going to be built.

SCA_ENABLED_MODULES: The analysis modules to be activated - different lists for images and recipes

My understanding is that, by default, sca-on-image.bbclass and sca-on-recipe.bbclass are responsible for the default values.

Now my question is: "How can I, from a configuration point, add/remove items to/from both lists when there is a single variable (SCA_ENABLED_MODULES) available?"

Maybe different variables like SCA_ENABLED_MODULES_RECIPE, SCA_ENABLED_MODULES_IMAGE would help.

RobertBerger commented 5 years ago

So ideally in local.conf I would do something like that:

SCA_ENABLED_MODULES = ""
SCA_ENABLED_MODULES_IMAGE_PYTHON = " bandit pyfindinjection pylint "
SCA_ENABLED_MODULES_RECIPE_PYTHON = " bandit cspell pysymcheck radon rats "
SCA_ENABLED_MODULES_append = "${SCA_ENABLED_MODULES_IMAGE_PYTHON} ${SCA_ENABLED_MODULES_RECIPE_PYTHON}"

but now bandit shows up 2 times in the list - hopefully not causing any issues ;)

SCA_ENABLED_MODULES=" bandit pyfindinjection pylint   bandit cspell pysymcheck radon rats "

priv-kweihmann commented 5 years ago

I see. I will try to implement this.

RobertBerger commented 5 years ago

@priv-kweihmann I am playing with it and it looks good so far.

This seems to work:

# empty the defaults
SCA_ENABLED_MODULES_IMAGE = ""
SCA_ENABLED_MODULES_RECIPE = ""

# PYTHON_STUFF:
# skip bandit for now - takes a long time: bandit
SCA_ENABLED_MODULES_IMAGE_PYTHON = " pyfindinjection pylint "
SCA_ENABLED_MODULES_RECIPE_PYTHON = " bandit cspell pyfindinjection pylint pysymcheck radon rats "

# add to system:
SCA_ENABLED_MODULES_IMAGE_append = " ${SCA_ENABLED_MODULES_IMAGE_PYTHON} "
SCA_ENABLED_MODULES_RECIPE_append = " ${SCA_ENABLED_MODULES_RECIPE_PYTHON} "
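As an added example (not code from this issue or from meta-sca itself), the following Python models how a class in the style of sca-on-image / sca-on-recipe could resolve the effective per-scope module list from a local.conf fragment like the one above: plain `=` assignments, `_append`, `${VAR}` references, order-preserving deduplication (so `bandit` listed twice is harmless) and a check against SCA_AVAILABLE_MODULES. The variable names follow the thread; the parsing and merge rules, and the module name `flake8` used as an unknown entry, are this example's own assumptions.

```python
import re

# Constructed local.conf fragment, mirroring the thread's configuration,
# with 'bandit' deliberately listed twice and one module that is not
# in SCA_AVAILABLE_MODULES (flake8, as mentioned in the thread).
LOCAL_CONF = '''
SCA_ENABLED_MODULES_IMAGE = ""
SCA_ENABLED_MODULES_RECIPE = ""
SCA_ENABLED_MODULES_IMAGE_PYTHON = " pyfindinjection pylint "
SCA_ENABLED_MODULES_RECIPE_PYTHON = " bandit cspell pyfindinjection pylint pysymcheck radon rats "
SCA_ENABLED_MODULES_IMAGE_append = " ${SCA_ENABLED_MODULES_IMAGE_PYTHON} bandit bandit "
SCA_ENABLED_MODULES_RECIPE_append = " ${SCA_ENABLED_MODULES_RECIPE_PYTHON} flake8 "
'''

# Constructed subset of SCA_AVAILABLE_MODULES (assumption for this example).
AVAILABLE = set("ansible ansiblelint bandit bashate cspell pyfindinjection "
                "pylint pysymcheck radon rats".split())

_LINE = re.compile(r'^\s*([A-Za-z0-9_]+?)(_append)?\s*=\s*"(.*)"\s*$')

def parse_conf(text):
    """Collect raw (unexpanded) values. Simplification: '_append' is applied
    in file order, whereas bitbake applies it after all plain assignments."""
    vars_ = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # comments, blank lines, unsupported syntax
        name, is_append, value = m.groups()
        vars_[name] = (vars_.get(name, "") + value) if is_append else value
    return vars_

def expand(vars_, value, depth=0):
    """Expand ${VAR} references recursively, bounded against cycles."""
    if depth > 10:
        raise ValueError("expansion too deep, circular reference?")
    return re.sub(r"\$\{([A-Za-z0-9_]+)\}",
                  lambda m: expand(vars_, vars_.get(m.group(1), ""), depth + 1),
                  value)

def effective_modules(vars_, scope):
    """Return (enabled, unknown) for scope 'IMAGE' or 'RECIPE': enabled is the
    deduplicated, order-preserving list restricted to AVAILABLE; unknown holds
    names that would silently do nothing because no class exists for them."""
    raw = expand(vars_, vars_.get("SCA_ENABLED_MODULES_" + scope, ""))
    enabled, unknown = [], []
    for mod in raw.split():
        target = enabled if mod in AVAILABLE else unknown
        if mod not in target:
            target.append(mod)
    return enabled, unknown
```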