Skip to content

Layer for static code analysis and security hardening

License

Notifications You must be signed in to change notification settings

genetzky/meta-sca

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

meta-sca

https://img.shields.io/badge/Supported%20languages-C%2CC%2B%2B%2CGo%2CLua%2CPHP%2CPython%2CShell%2Cjs%2Cperl%2Cruby-informational

Nightly Lastest commit

For the list of current findings from pipelines see meta-sca report

Table of content

Purpose

Purpose of this layer is to provide a proper set of static analysis tools for your YOCTO build. All provided tools can be easily configured and integrated into any CI service (like e.g. Jenkins).

All results are stored to SCA_EXPORT_DIR (which defaults to ${DEPLOY_DIR_IMAGE}/sca). The results will be stored in the raw-format of the corresponding tool and in checkstyle-format.

Getting started

For a quick start how to use this layer see getting started guide

Installation

To install clone the needed branch(es) to any path on your local system.

Prerequisites

  • You need the current standard poky-layer installed onto your local build environment.
  • You need at least python 3.5 to be installed on your build host.
  • You need glib-2.0-dev package installed on your build host (used for e.g. configcheck, lynis, tiger, upc)

Use of containers

It is recommended to use privkweihmann/yocto-sca-minimal:latest docker container for building, which has all necessary requirements already installed.

Use in CI

When you're planing to use meta-sca in your CI/CD, it is advised to use the minified layer meta-sca-minified to save you from cloning this fairly large repository.

NOTE meta-sca-minified only offer releases of this layer for releases made after 03/2020

Setup

In your bblayers.conf-file add the following line

BBLAYERS += "<full path to sca-layer>/meta-sca"

or with poky layer already setup run in shell

bitbake-layers add-layer "<full path to sca-layer>/meta-sca"

Optional layer

meta-clang

To make the integration of clang (clang-tidy) work you need to add the meta-clang layer to your bblayer-file.

meta-oe

To enable the php/lua/npm support you need to add the meta-oe layer to your bblayer-file.

meta-rubygems

To enable the ruby support you need to add the meta-rubygems layer to your bblayer-file.

Web monitor

If you're not quite convinced what this layer can do for you, have a look at the web monitor, where all findings from the layer CI pipelines are publically available.

Support

Actively maintained branches will receive feature and package updates according to the release cycle. Unmaintained branches will only receive package updates on demand.

Status of the branches is described at SECURITY.md.

It's advised to use the tagged source versions in productive environment.

Release cycle

You can expect a new tagged build every 4-6 weeks for every actively maintained branch. Planning is done by milestone features on GitHub.

Releases

See SECURITY.md for details

Compatibility

If there is a technical issue that might break backward compatibility it will be mentioned in release note of the corresponding milestone release.

Licensing

This layer does only provide open source tools. The layer itself is licensed under BSD.

If individual files are licensed under different terms, terms and conditions can be found in the individual file header

Zero impact

This layer provides only -native tools, so actually none of the build binaries will be deployed to your target. Everything happens on the build machine.

There are some excludes to this rule (e.g. lynis) as they need to be cross-compiled to make use of them, nevertheless none of these tools will be installed automatically to your build.

Available tools

The layer can check on a recipe-level or on an image-level.

  • On image-level the whole root-filesystem could be taken into account, which in most cases can't be granted on a recipe-level.
  • On the other hand some static code analysis does not make any sense on an image-level - so this layer does have different tools for both level available.

Overview of tools

Module Description Homepage Requires Requires inet Run on image Run on recipe C C++ Python Shell Javascript PHP Go Images LUA Spelling Metrics Binaries Packages Other formats Security scope Functional scope Style scope
alexkohler Suite of GO analysis tools https://github.com/alexkohler x x x
ansible Hardening of images with ansible x x x
ansiblelint Linter for ansible playbooks https://github.com/ansible/ansible-lint x x x x x x
bandit Scan python code for insecurities https://github.com/PyCQA/bandit x x x x
bashate Shell script linter http://docs.openstack.org/developer/bashate/ x x x x x
bitbake Bitbake issue handling x x x x x
cbmc C Bounded Model Checker https://github.com/diffblue/cbmc/ x x x x
checkbashisms Shell script linter https://manpages.debian.org/jessie/devscripts/checkbashisms.1.en.html x x x x x
checksec check on security issues https://github.com/slimm609/checksec.sh x x x
clang C/C++ linter using LLVM https://clang.llvm.org/extra/clang-tidy/ meta-clang, manual enable x x x x
cmake Get cmake errors and warnings x x x x
configcheck Check application configurations x x x
cppcheck C/C++ linter https://github.com/danmar/cppcheck x x x x x x
cpplint C/C++ linter https://github.com/cpplint/cpplint x x x x x x
cspell Spelling linter https://github.com/Jason3S/cspell meta-oe, manual enable x x x x
cvecheck Check for unpatched CVEs https://github.com/clearlinux/cve-check-tool manual enable x x x x
darglint Python docstring linter https://github.com/terrencepreilly/darglint x x x
dennis I18N linter https://github.com/willkg/dennis/ x x x x
detectsecrets Detect hardcoded secrets in code https://github.com/Yelp/detect-secrets x x x x x
eslint Javascript linter https://github.com/eslint/eslint meta-oe, manual enable x x x x x
flake8 Python linter http://flake8.pycqa.org/en/latest/ x x x x x
flawfinder C/C++ security linter https://github.com/david-a-wheeler/flawfinder x x x x
flint C/C++ linter https://github.com/JossWhittle/FlintPlusPlus x x x x
gcc GCC compiler issues and hardening x x x x x
goconsistent make your Go programs more consistent https://github.com/quasilyte/go-consistent x x x
goconst Find variables that could be constants in GO files https://github.com/jgautheron/goconst x x x
golicensecheck Scan code for license information https://github.com/go-enry/go-license-detector x x x
golint GO linter https://github.com/golang/lint x x x
gosec GO security linter https://github.com/securego/gosec x x x
htmlhint HTML linter https://github.com/htmlhint/HTMLHint meta-oe, manual enable x x x x x
image-summary Aggregate all findings for package in an image x x x x x
inspec framework for end-to-end infrastructure tests https://github.com/inspec/inspec meta-oe, meta-rubygems, manual enable x x x
it Python linter https://github.com/thg-consulting/it x x x
jshint Javascript linter https://github.com/jshint/jshint meta-oe, manual enable x x x x x x
jsonlint JSON file linter x x x x
kconfighard Kernel config hardening checker https://github.com/a13xp0p0v/kconfig-hardened-check x x x
licensecheck Scan code for license information https://github.com/boyter/lc x x x
looong Find functions with too long arglists https://github.com/anapaulagomes/looong x x x
lse check on security issues https://github.com/diego-treitos/linux-smart-enumeration x x x
luacheck LUA linter https://github.com/mpeterv/luacheck meta-oe, manual enable x x x x
lynis Auditing tool for images https://github.com/CISOfy/lynis x x x
msgcheck I18n linter https://github.com/codingjoe/msgcheck x x x
multimetric Coding metrics https://github.com/priv-kweihmann/multimetric manual enable x x x x x x x x x x x
mypy Python linter https://github.com/python/mypy x x x x
nixauditor Auditing tool for images https://github.com/XalfiE/Nix-Auditor x x x
npmaudit NPM package auditor https://docs.npmjs.com/cli/audit meta-oe, manual enable x x x x
oelint Bitbake recipe linter https://github.com/priv-kweihmann/oelint-adv x x x x
perl Perl warnings check x x x
perlcritic Perl linter https://metacpan.org/pod/perlcritic x x x
phan PHP linter https://github.com/phan/phan meta-oe, manual enable x x x x
phpcodefixer Find deprecated PHP functions https://github.com/wapmorgan/PhpCodeFixer meta-oe, manual enable x x x x
phpcodesniffer PHP Js and CSS linter https://github.com/squizlabs/PHP_CodeSniffer meta-oe, manual enable x x x
phpmd PHP Linter https://github.com/phpmd/phpmd meta-oe, manual enable x x x x x
phpsecaudit Find vulnerabilities in PHP code https://github.com/FloeDesignTechnologies/phpcs-security-audit meta-oe, manual enable x x x x
phpstan PHP linter https://github.com/phpstan/phpstan meta-oe, manual enable x x x x
pkgqaenc Enhanced package QA x x x
proselint Spelling and text linter https://github.com/amperser/proselint/ x x x x
protolint Lint protobuf files https://github.com/yoheimuta/protolint x x x x
pscan Find insecure printfs http://deployingradius.com/pscan/ x x x
pyfindinjection Find SQL injections in python code https://github.com/uber/py-find-injection x x x x
pylint Python linter https://github.com/PyCQA/pylint x x x x x
pyright Python type linter https://github.com/Microsoft/pyright meta-oe, manual enable x x x x
pysymcheck Check binaries for forbidden function usage https://github.com/priv-kweihmann/pysymbolcheck x x x
pytype Python linter using type-annotations https://github.com/google/pytype x x x x
rats Check on insecurities in several languages https://github.com/redNixon/rats x x x x x x
reconbf security audit tool https://github.com/HewlettPackard/reconbf x x x
reek Code smell detector for Ruby https://github.com/troessner/reek meta-rubygems, manual enable x x x
retire Check for known vulnerabilities in javascript and NPM https://retirejs.github.io/retire.js/ meta-oe, manual enable x x x x x
reuse Scan code for license information https://github.com/fsfe/reuse-tool x x x
revive GO linter https://github.com/mgechev/revive x x x x
ropgadget Determine ROP exploitability in binaries https://github.com/JonathanSalwan/ROPgadget manual enable x x x
rubycritic Ruby linter https://github.com/whitesmith/rubycritic/ meta-rubygems, manual enable x x x
safety Check for known vulnerabilities in python-packages https://github.com/pyupio/safety x x x x
scancode Scan code for license information https://github.com/nexB/scancode-toolkit x x x
secretlint Tool to prevent committing credential https://github.com/secretlint/secretlint meta-oe, manual enable x x x x
semgrep Pattern based linting for many formats and languages https://github.com/returntocorp/semgrep only avaiable for x86-64 hosts x x x x x x x x x
setuptoolslint Lint python-setup.py https://github.com/johnnoone/setuptools-pylint x x x
shellcheck Shell script linter https://github.com/koalaman/shellcheck x x x x x
slick Shell script linter https://github.com/mcandre/slick x x x x
sparse C linter https://sparse.wiki.kernel.org/index.php/Main_Page x x x
standard Javascript linter https://github.com/standard/standard meta-oe, manual enable x x x x x x
stank Shell script linter https://github.com/mcandre/stank x x x x x
stylelint CSS/SCSS linter https://github.com/stylelint/stylelint meta-oe, manual enable x x x x
sudokiller check on sudo https://github.com/TH3xACE/SUDO_KILLER x x x
systemdlint Systemd unit linter https://github.com/priv-kweihmann/systemdlint x x x x x x
textlint Spelling and text linter https://github.com/textlint/textlint meta-oe, manual enable x x x x
tiger security audit and intrusion detection tool http://www.nongnu.org/tiger/ x x x
tlv Find duplicate code https://github.com/priv-kweihmann/tlv manual enable x x x x x x x x x x
tscancode C and lua linter https://github.com/Tencent/TscanCode x x x
upc check for simple privilege escalation vectors https://github.com/pentestmonkey/unix-privesc-check x x x
vulture Find dead python code https://github.com/jendrikseipp/vulture x x x x
wotan Typescript/javascript linter https://github.com/fimbullinter/wotan meta-oe, manual enable x x x x x x
xmllint XML linter http://xmlsoft.org/xmllint.html x x x x
yamllint YAML linter https://github.com/adrienverge/yamllint x x x x
yara Find suspicious pattern in binaries https://github.com/VirusTotal/yara x x x

each tool does have it's own benefits and flaws so don't be mad if you have 10k+ findings on the initial run.

Further documentation

Contributing

Please see the detailed contribution guideline for details

Get involved

To get involved following things can be done

  • create an issue
  • fix an issue and create a pull request
  • see the pinned issues in the bugtracker

Security Policy

For the project's security policy please see here

About

Layer for static code analysis and security hardening

Resources

License

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages

  • BitBake 69.9%
  • PHP 25.1%
  • Python 1.8%
  • C 0.9%
  • NASL 0.5%
  • Pascal 0.4%
  • Other 1.4%