diff mbox series

[oe,meta-python] bandit: add class to perform Bandit scans

Message ID 20181126150558.14940-1-ross.burton@intel.com
State Accepted
Commit 23acce81f49c539fee668dc7405d6a1f51792062
Headers show
Series [oe,meta-python] bandit: add class to perform Bandit scans | expand

Commit Message

Ross Burton Nov. 26, 2018, 3:05 p.m. UTC 
Add a class to perform security scans of Python code using Bandit.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta-python/classes/bandit.bbclass | 63 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 meta-python/classes/bandit.bbclass

-- 
2.11.0

-- 
_______________________________________________
Openembedded-devel mailing list
Openembedded-devel@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-devel
diff mbox series

Patch

diff --git a/meta-python/classes/bandit.bbclass b/meta-python/classes/bandit.bbclass
new file mode 100644
index 0000000000..dc1041e466
--- /dev/null
+++ b/meta-python/classes/bandit.bbclass
@@ -0,0 +1,63 @@ 
+# Class to scan Python code for security issues, using Bandit.
+#
+# $ bitbake python-foo -c bandit
+#
+# Writes the report to $DEPLOY_DIR/bandit/python-foo.html.
+# No output if no issues found, a warning if issues found.
+#
+# https://github.com/PyCQA/bandit
+
+# Default location of sources, based on standard distutils
+BANDIT_SOURCE ?= "${S}/build"
+
+# The report format to use.
+# https://bandit.readthedocs.io/en/latest/formatters/index.html
+BANDIT_FORMAT ?= "html"
+
+# Whether a scan should be done every time the recipe is built.
+#
+# By default the scanning needs to be done explicitly, but by setting BANDIT_AUTO
+# to 1 the scan will be done whenever the recipe it built.  Note that you
+# shouldn't set BANDIT_AUTO to 1 globally as it will then try to scan every
+# recipe, including non-Python recipes, causing circular loops.
+BANDIT_AUTO ?= "0"
+
+# Whether Bandit finding issues results in a warning (0) or an error (1).
+BANDIT_FATAL ?= "0"
+
+do_bandit[depends] = "python3-bandit-native:do_populate_sysroot"
+python do_bandit() {
+    import os, subprocess
+    try:
+        report = d.expand("${DEPLOY_DIR}/bandit/${PN}-${PV}.${BANDIT_FORMAT}")
+        os.makedirs(os.path.dirname(report), exist_ok=True)
+
+        args = ("bandit",
+                "--format", d.getVar("BANDIT_FORMAT"),
+                "--output", report,
+                "-ll",
+                "--recursive", d.getVar("BANDIT_SOURCE"))
+        subprocess.check_output(args, stderr=subprocess.STDOUT)
+        bb.note("Bandit found no issues (report written to %s)" % report)
+    except subprocess.CalledProcessError as e:
+        if e.returncode == 1:
+            if oe.types.boolean(d.getVar("BANDIT_FATAL")):
+                bb.error("Bandit found issues (report written to %s)" % report)
+            else:
+                bb.warn("Bandit found issues (report written to %s)" % report)
+        else:
+            bb.error("Bandit failed:\n" + e.output.decode("utf-8"))
+}
+
+python() {
+    before = "do_build"
+    after = "do_compile"
+
+    if oe.types.boolean(d.getVar("BANDIT_AUTO")):
+        bb.build.addtask("do_bandit", before, after, d)
+    else:
+        bb.build.addtask("do_bandit", None, after, d)
+}
+
+# TODO: store report in sstate
+# TODO: a way to pass extra args or .bandit file, basically control -ll