Merge ~alexmurray/ubuntu-security-tools:uaudit-add-dlint into ubuntu-security-tools:master

Proposed by Alex Murray
Status: Needs review
Proposed branch: ~alexmurray/ubuntu-security-tools:uaudit-add-dlint
Merge into: ubuntu-security-tools:master
Diff against target: 40 lines (+8/-4)
1 file modified
audits/uaudit (+8/-4)
Reviewer: Ubuntu Security Team
Status: Pending
Review via email: mp+427027@code.launchpad.net

Description of the change

Add support for using dlint to analyse python code

Seth Arnold (seth-arnold) wrote:

Heh, at first I thought this was the deb dlint package, to check zone files. That seemed unlikely.

How do the snap vs deb installation sources get handled? e.g. there's no cppcheck snap, but:

static_analysis_tools = [
    StaticAnalysisTool("cppcheck",
                       cmd=['cppcheck', '--max-configs=15', '-j 8', '-q', '.'],
                       summary=['grep', '-c', '^[a-z]', OUTPUT_FILE]),

This doesn't seem to override the source named parameter/field to request a deb installation source.

Thanks

Alex Murray (alexmurray) wrote:

Since I want to try and use a common version of cppcheck no matter which Ubuntu release a security team member is running, I haven't overridden cppcheck to use the deb; this way we get consistent analysis results no matter who is doing the audit.

Alex Murray (alexmurray) wrote (last edit):

Oh, my mistake. I thought there was a cppcheck snap; ignore that comment then. So yes, you are right: cppcheck should override to install the deb.

Unmerged commits

666de84... by Alex Murray

uaudit: Add additional python static analysis via dlint

Signed-off-by: Alex Murray <email address hidden>

7b38254... by Alex Murray

uaudit: Run static analysis tools with full paths to source code

This should in general then produce output files containing the full paths
to the various files in the source code tree to make jumping to the various
errors easier.

Signed-off-by: Alex Murray <email address hidden>

Preview Diff

1diff --git a/audits/uaudit b/audits/uaudit
2index 75e9594..b6909a9 100755
3--- a/audits/uaudit
4+++ b/audits/uaudit
5@@ -71,7 +71,7 @@ class StaticAnalysisTool(object):
6 static_analysis_tools = [
7 StaticAnalysisTool("cppcheck",
8 cmd=['cppcheck', '--max-configs=15', '-j 8', '-q', '.'],
9- summary=['grep', '-c', '^[a-z]', OUTPUT_FILE]),
10+ summary=['grep', '-c', '^/', OUTPUT_FILE]),
11 StaticAnalysisTool("bandit",
12 # output in a format which we can easily read (-f
13 # custom) and which doesn't truncate results (ie -n
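Review bot: the cppcheck summary pattern `^/` now only counts lines that start with an absolute path, which depends on the `'.'` argument in cmd being rewritten to the working directory later in audit_code; that coupling is invisible at this definition, so a short comment on the summary (or on the `'.'` argument) would help, and if a tool is ever run against a relative path again the count silently becomes 0 instead of failing. Also, per the discussion above, this entry still doesn't set the installation-source field to request the deb, which it should since there is no cppcheck snap.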
14@@ -92,8 +92,11 @@ static_analysis_tools = [
15 "eval: (setq-local compilation-error-regexp-alist " +
16 " '((\"^Line: \\\\([[:digit:]]+\\\\)$\" brakeman-backward-search-filename 1)));"),
17 summary=['grep', '-c', '^Message:', OUTPUT_FILE]),
18+ StaticAnalysisTool("dlint",
19+ cmd=['dlint', '.'],
20+ summary=['grep', '-c', '^/', OUTPUT_FILE]),
21 StaticAnalysisTool("flawfinder",
22- summary=['grep', '-c', '^[a-z]', OUTPUT_FILE]),
23+ summary=['grep', '-c', '^/', OUTPUT_FILE]),
24 StaticAnalysisTool("shellcheck",
25 cmd=["shellcheck.sh"],
26 summary=['grep', '-c', '^\\./', OUTPUT_FILE]),
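Review bot: the new dlint entry has no installation source and no note on what output `dlint .` produces, so it is not clear from the hunk that its result lines begin with an absolute path as the `^/` summary assumes; the bandit entry above documents its output options, and a similar comment here would let a reader check the summary without running the tool. Note also that shellcheck keeps `^\./` because its cmd is a wrapper script with no `'.'` argument to rewrite, so its paths stay relative; a one-line comment on that entry would stop someone "fixing" it to `^/` later.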
27@@ -577,10 +580,11 @@ def audit_code(audit_dir, details, disable_coverity=False):
28 if os.path.exists(tool_fn):
29 warn("Skipping %s. '%s' already exists" % (tool.name, tool_fn))
30 else:
31- rc, out = cmd(tool.exec_cmd())
32+ cwd = os.getcwd()
33+ rc, out = cmd([cwd if i == '.' else i for i in tool.exec_cmd()])
34 if rc != 0:
35 warn("Problem %sing code: %s" % (tool.name, str(rc)))
36- out = tool.header.replace("$PWD", os.getcwd()) + out
37+ out = tool.header.replace("$PWD", cwd) + out
38 write_file(tool_fn, out)
39
40 rc, summary = cmd(tool.summary_cmd(tool_fn))
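Review bot: the comprehension rewrites every argv element equal to the exact string `'.'` to cwd, which is an implicit convention: it does not trigger for `'./'` or a subdirectory, and it would also rewrite a non-path argument that happens to be `'.'`. Since tool.header already uses a `$PWD` placeholder that this same code substitutes (`out = tool.header.replace("$PWD", cwd) + out`), using that placeholder in cmd as well, e.g. `cmd=['cppcheck', '--max-configs=15', '-j 8', '-q', '$PWD']`, and substituting it here would make the contract explicit and keep the two mechanisms consistent.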
