aboutsummaryrefslogtreecommitdiffstats
path: root/meta-python
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2018-11-26 15:05:58 +0000
committerKhem Raj <raj.khem@gmail.com>2018-11-27 11:05:22 -0800
commit23acce81f49c539fee668dc7405d6a1f51792062 (patch)
tree405dfdfdc2dc776175740c398019088c61f9945a /meta-python
parent11c3566f104acb867362edb2baefd03b282b69bb (diff)
downloadmeta-openembedded-23acce81f49c539fee668dc7405d6a1f51792062.tar.gz
meta-openembedded-23acce81f49c539fee668dc7405d6a1f51792062.tar.bz2
meta-openembedded-23acce81f49c539fee668dc7405d6a1f51792062.zip
bandit: add class to perform Bandit scans
Add a class to perform security scans of Python code using Bandit. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-python')
-rw-r--r--meta-python/classes/bandit.bbclass63
1 files changed, 63 insertions, 0 deletions
diff --git a/meta-python/classes/bandit.bbclass b/meta-python/classes/bandit.bbclass
new file mode 100644
index 000000000..dc1041e46
--- /dev/null
+++ b/meta-python/classes/bandit.bbclass
@@ -0,0 +1,63 @@
+# Class to scan Python code for security issues, using Bandit.
+#
+# $ bitbake python-foo -c bandit
+#
+# Writes the report to $DEPLOY_DIR/bandit/python-foo.html.
+# No output if no issues found, a warning if issues found.
+#
+# https://github.com/PyCQA/bandit
+
+# Default location of sources, based on standard distutils
+BANDIT_SOURCE ?= "${S}/build"
+
+# The report format to use.
+# https://bandit.readthedocs.io/en/latest/formatters/index.html
+BANDIT_FORMAT ?= "html"
+
+# Whether a scan should be done every time the recipe is built.
+#
+# By default the scanning needs to be done explicitly, but by setting BANDIT_AUTO
+# to 1 the scan will be done whenever the recipe it built. Note that you
+# shouldn't set BANDIT_AUTO to 1 globally as it will then try to scan every
+# recipe, including non-Python recipes, causing circular loops.
+BANDIT_AUTO ?= "0"
+
+# Whether Bandit finding issues results in a warning (0) or an error (1).
+BANDIT_FATAL ?= "0"
+
+do_bandit[depends] = "python3-bandit-native:do_populate_sysroot"
+python do_bandit() {
+ import os, subprocess
+ try:
+ report = d.expand("${DEPLOY_DIR}/bandit/${PN}-${PV}.${BANDIT_FORMAT}")
+ os.makedirs(os.path.dirname(report), exist_ok=True)
+
+ args = ("bandit",
+ "--format", d.getVar("BANDIT_FORMAT"),
+ "--output", report,
+ "-ll",
+ "--recursive", d.getVar("BANDIT_SOURCE"))
+ subprocess.check_output(args, stderr=subprocess.STDOUT)
+ bb.note("Bandit found no issues (report written to %s)" % report)
+ except subprocess.CalledProcessError as e:
+ if e.returncode == 1:
+ if oe.types.boolean(d.getVar("BANDIT_FATAL")):
+ bb.error("Bandit found issues (report written to %s)" % report)
+ else:
+ bb.warn("Bandit found issues (report written to %s)" % report)
+ else:
+ bb.error("Bandit failed:\n" + e.output.decode("utf-8"))
+}
+
+python() {
+ before = "do_build"
+ after = "do_compile"
+
+ if oe.types.boolean(d.getVar("BANDIT_AUTO")):
+ bb.build.addtask("do_bandit", before, after, d)
+ else:
+ bb.build.addtask("do_bandit", None, after, d)
+}
+
+# TODO: store report in sstate
+# TODO: a way to pass extra args or .bandit file, basically control -ll