From: Ross Burton <ross.burton@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 1/2] scripts: add tool to scan for bashisms recipe shell scripts
Date: Thu, 8 Sep 2016 17:58:43 +0100 [thread overview]
Message-ID: <1473353924-21627-1-git-send-email-ross.burton@intel.com> (raw)
Shell functions in bitbake are executed with /bin/sh so should be POSIX
compliant and not use Bash extensions, or at least only use extensions that are
implemented in both dash and ash (busybox).
This tool will extract all of the shell scripts from all recipes and run them
through checkbashisms (it assumes that checkbashisms is on $PATH).
There is a whitelist to filter out false-positives such as the use of $HOSTNAME
(a bashism) in functions where we have defined it, or using the 'type' builtin
which is supported by ash/dash.
[ YOCTO #8851 ]
Signed-off-by: Ross Burton <ross.burton@intel.com>
---
scripts/verify-bashisms | 116 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 116 insertions(+)
create mode 100755 scripts/verify-bashisms
diff --git a/scripts/verify-bashisms b/scripts/verify-bashisms
new file mode 100755
index 0000000..0741e18
--- /dev/null
+++ b/scripts/verify-bashisms
@@ -0,0 +1,116 @@
+#!/usr/bin/env python3
+
+import sys, os, subprocess, re, shutil
+
+whitelist = (
+ # type is supported by dash
+ 'if type systemctl >/dev/null 2>/dev/null; then',
+ 'if type systemd-tmpfiles >/dev/null 2>/dev/null; then',
+ 'if type update-rc.d >/dev/null 2>/dev/null; then',
+ 'command -v',
+ # HOSTNAME is set locally
+ 'buildhistory_single_commit "$CMDLINE" "$HOSTNAME"',
+ # False-positive, match is a grep not shell expression
+ 'grep "^$groupname:[^:]*:[^:]*:\\([^,]*,\\)*$username\\(,[^,]*\\)*"',
+ # TODO verify dash's '. script args' behaviour
+ '. $target_sdk_dir/${oe_init_build_env_path} $target_sdk_dir >> $LOGFILE'
+ )
+
+def is_whitelisted(s):
+ for w in whitelist:
+ if w in s:
+ return True
+ return False
+
+def process(recipe, function, script):
+ import tempfile
+
+ if not script.startswith("#!"):
+ script = "#! /bin/sh\n" + script
+
+ fn = tempfile.NamedTemporaryFile(mode="w+t")
+ fn.write(script)
+ fn.flush()
+
+ try:
+ subprocess.check_output(("checkbashisms.pl", fn.name), universal_newlines=True, stderr=subprocess.STDOUT)
+ # No bashisms, so just return
+ return
+ except subprocess.CalledProcessError as e:
+ # TODO check exit code is 1
+
+ # Replace the temporary filename with the function and split it
+ output = e.output.replace(fn.name, function).splitlines()
+ if len(results) % 2 != 0:
+ print("Unexpected output from checkbashism: %s" % str(output))
+ return
+
+ # Turn the output into a list of (message, source) values
+ result = []
+ # Check the results against the whitelist
+ for message, source in zip(output[0::2], output[1::2]):
+ if not is_whitelisted(source):
+ result.append((message, source))
+ return result
+
+def get_tinfoil():
+ scripts_path = os.path.dirname(os.path.realpath(__file__))
+ lib_path = scripts_path + '/lib'
+ sys.path = sys.path + [lib_path]
+ import scriptpath
+ scriptpath.add_bitbake_lib_path()
+ import bb.tinfoil
+ tinfoil = bb.tinfoil.Tinfoil()
+ tinfoil.prepare()
+ # tinfoil.logger.setLevel(logging.WARNING)
+ return tinfoil
+
+if __name__=='__main__':
+ import shutil
+ if shutil.which("checkbashisms.pl") is None:
+ print("Cannot find checkbashisms.pl on $PATH")
+ sys.exit(1)
+
+ tinfoil = get_tinfoil()
+
+ # This is only the default configuration and should iterate over
+ # recipecaches to handle multiconfig environments
+ pkg_pn = tinfoil.cooker.recipecaches[""].pkg_pn
+
+ # TODO: use argparse and have --help
+ if len(sys.argv) > 1:
+ initial_pns = sys.argv[1:]
+ else:
+ initial_pns = sorted(pkg_pn)
+
+ pns = []
+ print("Generating file list...")
+ for pn in initial_pns:
+ for fn in pkg_pn[pn]:
+ # There's no point checking multiple BBCLASSEXTENDed variants of the same recipe
+ realfn, _, _ = bb.cache.virtualfn2realfn(fn)
+ if realfn not in pns:
+ pns.append(realfn)
+
+
+ def func(fn):
+ result = []
+ data = tinfoil.parse_recipe_file(fn)
+ for key in data.keys():
+ if data.getVarFlag(key, "func", True) and not data.getVarFlag(key, "python", True):
+ script = data.getVar(key, False)
+ if not script: continue
+ #print ("%s:%s" % (fn, key))
+ r = process(fn, key, script)
+ if r: result.extend(r)
+ return fn, result
+
+ print("Scanning scripts...\n")
+ import multiprocessing
+ pool = multiprocessing.Pool()
+ for pn,results in pool.imap(func, pns):
+ if results:
+ print(pn)
+ for message,source in results:
+ print(" %s\n %s" % (message, source))
+ print()
--
2.8.1
next reply other threads:[~2016-09-08 16:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-08 16:58 Ross Burton [this message]
2016-09-08 16:58 ` [PATCH 2/2] rpm: remove redundant removals Ross Burton
2016-09-08 17:29 ` Richard Purdie
2016-09-08 19:03 ` Burton, Ross
2016-09-08 18:29 ` [PATCH 1/2] scripts: add tool to scan for bashisms recipe shell scripts Christopher Larson
2016-09-08 19:02 ` Burton, Ross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1473353924-21627-1-git-send-email-ross.burton@intel.com \
--to=ross.burton@intel.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox