aboutsummaryrefslogtreecommitdiffstats
path: root/classes
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2018-11-26 15:05:58 +0000
committerKhem Raj <raj.khem@gmail.com>2018-11-27 11:05:22 -0800
commit4f624695e7cb271b5125b02c770311dc8e4456a4 (patch)
treee6ef5e01de8782332c9a377546f95e228bc01095 /classes
parent40a8db63b81f3facfe39ce89c16d7ec5e2a7791b (diff)
downloadmeta-python2-4f624695e7cb271b5125b02c770311dc8e4456a4.tar.gz
meta-python2-4f624695e7cb271b5125b02c770311dc8e4456a4.tar.bz2
meta-python2-4f624695e7cb271b5125b02c770311dc8e4456a4.zip
bandit: add class to perform Bandit scans
Add a class to perform security scans of Python code using Bandit. (From meta-openembedded commit: 23acce81f49c539fee668dc7405d6a1f51792062) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Tim Orling <ticotimo@gmail.com>
Diffstat (limited to 'classes')
-rw-r--r--classes/bandit.bbclass63
1 files changed, 63 insertions, 0 deletions
diff --git a/classes/bandit.bbclass b/classes/bandit.bbclass
new file mode 100644
index 00000000..dc1041e4
--- /dev/null
+++ b/classes/bandit.bbclass
@@ -0,0 +1,63 @@
+# Class to scan Python code for security issues, using Bandit.
+#
+# $ bitbake python-foo -c bandit
+#
+# Writes the report to $DEPLOY_DIR/bandit/python-foo.html.
+# No output if no issues found, a warning if issues found.
+#
+# https://github.com/PyCQA/bandit
+
+# Default location of sources, based on standard distutils
+BANDIT_SOURCE ?= "${S}/build"
+
+# The report format to use.
+# https://bandit.readthedocs.io/en/latest/formatters/index.html
+BANDIT_FORMAT ?= "html"
+
+# Whether a scan should be done every time the recipe is built.
+#
+# By default the scanning needs to be done explicitly, but by setting BANDIT_AUTO
+# to 1 the scan will be done whenever the recipe it built. Note that you
+# shouldn't set BANDIT_AUTO to 1 globally as it will then try to scan every
+# recipe, including non-Python recipes, causing circular loops.
+BANDIT_AUTO ?= "0"
+
+# Whether Bandit finding issues results in a warning (0) or an error (1).
+BANDIT_FATAL ?= "0"
+
+do_bandit[depends] = "python3-bandit-native:do_populate_sysroot"
+python do_bandit() {
+ import os, subprocess
+ try:
+ report = d.expand("${DEPLOY_DIR}/bandit/${PN}-${PV}.${BANDIT_FORMAT}")
+ os.makedirs(os.path.dirname(report), exist_ok=True)
+
+ args = ("bandit",
+ "--format", d.getVar("BANDIT_FORMAT"),
+ "--output", report,
+ "-ll",
+ "--recursive", d.getVar("BANDIT_SOURCE"))
+ subprocess.check_output(args, stderr=subprocess.STDOUT)
+ bb.note("Bandit found no issues (report written to %s)" % report)
+ except subprocess.CalledProcessError as e:
+ if e.returncode == 1:
+ if oe.types.boolean(d.getVar("BANDIT_FATAL")):
+ bb.error("Bandit found issues (report written to %s)" % report)
+ else:
+ bb.warn("Bandit found issues (report written to %s)" % report)
+ else:
+ bb.error("Bandit failed:\n" + e.output.decode("utf-8"))
+}
+
+python() {
+ before = "do_build"
+ after = "do_compile"
+
+ if oe.types.boolean(d.getVar("BANDIT_AUTO")):
+ bb.build.addtask("do_bandit", before, after, d)
+ else:
+ bb.build.addtask("do_bandit", None, after, d)
+}
+
+# TODO: store report in sstate
+# TODO: a way to pass extra args or .bandit file, basically control -ll