bandit: add class to perform Bandit scans

Add a class to perform security scans of Python code using Bandit.

(From meta-openembedded commit: 23acce81f49c539fee668dc7405d6a1f51792062)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Tim Orling <ticotimo@gmail.com>

1 files changed, 63 insertions, 0 deletions

diff --git a/classes/bandit.bbclass b/classes/bandit.bbclass
new file mode 100644
index 0000000..dc1041e
--- /dev/null
+++ b/classes/bandit.bbclass
@@ -0,0 +1,63 @@
+# Class to scan Python code for security issues, using Bandit.
+#
+# $ bitbake python-foo -c bandit
+#
+# Writes the report to $DEPLOY_DIR/bandit/python-foo.html.
+# No output if no issues found, a warning if issues found.
+#
+# https://github.com/PyCQA/bandit
+
+# Default location of sources, based on standard distutils
+BANDIT_SOURCE ?= "${S}/build"
+
+# The report format to use.
+# https://bandit.readthedocs.io/en/latest/formatters/index.html
+BANDIT_FORMAT ?= "html"
+
+# Whether a scan should be done every time the recipe is built.
+#
+# By default the scanning needs to be done explicitly, but by setting BANDIT_AUTO
+# to 1 the scan will be done whenever the recipe it built.  Note that you
+# shouldn't set BANDIT_AUTO to 1 globally as it will then try to scan every
+# recipe, including non-Python recipes, causing circular loops.
+BANDIT_AUTO ?= "0"
+
+# Whether Bandit finding issues results in a warning (0) or an error (1).
+BANDIT_FATAL ?= "0"
+
+do_bandit[depends] = "python3-bandit-native:do_populate_sysroot"
+python do_bandit() {
+    import os, subprocess
+    try:
+        report = d.expand("${DEPLOY_DIR}/bandit/${PN}-${PV}.${BANDIT_FORMAT}")
+        os.makedirs(os.path.dirname(report), exist_ok=True)
+
+        args = ("bandit",
+                "--format", d.getVar("BANDIT_FORMAT"),
+                "--output", report,
+                "-ll",
+                "--recursive", d.getVar("BANDIT_SOURCE"))
+        subprocess.check_output(args, stderr=subprocess.STDOUT)
+        bb.note("Bandit found no issues (report written to %s)" % report)
+    except subprocess.CalledProcessError as e:
+        if e.returncode == 1:
+            if oe.types.boolean(d.getVar("BANDIT_FATAL")):
+                bb.error("Bandit found issues (report written to %s)" % report)
+            else:
+                bb.warn("Bandit found issues (report written to %s)" % report)
+        else:
+            bb.error("Bandit failed:\n" + e.output.decode("utf-8"))
+}
+
+python() {
+    before = "do_build"
+    after = "do_compile"
+
+    if oe.types.boolean(d.getVar("BANDIT_AUTO")):
+        bb.build.addtask("do_bandit", before, after, d)
+    else:
+        bb.build.addtask("do_bandit", None, after, d)
+}
+
+# TODO: store report in sstate
+# TODO: a way to pass extra args or .bandit file, basically control -ll