meta-sca icon indicating copy to clipboard operation
meta-sca copied to clipboard

Published 20 hours ago verified publisher icon priv-kweihmann

Metadata

Layer for static code analysis and security hardening

meta-sca

https://img.shields.io/badge/Supported%20languages-C%2CC%2B%2B%2CGo%2CPython%2CShell%%2Cperl-informational

Nightly Lastest commit

For the list of current findings from pipelines see meta-sca report

Important note

As announced by this discussion at the end of April 2022 this layer will undergo a major change in support.

Support will be given only for master branch

What can I do when I'm affected by the changes

A maintainers guide can be found here. Feel free to raise pull requests against not officially supported branches.

Support for these branches, including quality control, has to be done fully by the community

Table of content

  • Purpose
  • Getting started
  • Installation
    • Prerequisites
    • Use of containers
    • Use in CI
    • Setup
    • Kas
  • Web monitor
  • Support
    • Releases
    • Compatibility
  • Licensing
  • Zero impact
  • Available tools
    • Overview of tools
  • Further documentation
  • Contributing
    • Get involved
    • Security Policy

Purpose

Purpose of this layer is to provide a proper set of static analysis tools for your YOCTO build. All provided tools can be easily configured and integrated into any CI service (like e.g. Jenkins).

All results are stored to SCA_EXPORT_DIR (which defaults to ${DEPLOY_DIR_IMAGE}/sca). The results will be stored in the raw-format of the corresponding tool and in checkstyle-format.

Getting started

For a quick start how to use this layer see getting started guide

Installation

To install clone the needed branch(es) to any path on your local system.

Prerequisites

  • You need the current standard poky-layer installed onto your local build environment.
  • You need glib-2.0-dev package installed on your build host (used for e.g. configcheck, lynis, tiger, upc)

Use of containers

It is recommended to use privkweihmann/yocto-sca-minimal:latest docker container for building, which has all necessary requirements already installed.

Use in CI

When you're planing to use meta-sca in your CI/CD, it is advised to use the minified layer meta-sca-minified to save you from cloning this fairly large repository.

NOTE meta-sca-minified only offer releases of this layer for releases made after 03/2020

Setup

In your bblayers.conf-file add the following line

BBLAYERS += "<full path to sca-layer>/meta-sca"

or with poky layer already setup run in shell

bitbake-layers add-layer "<full path to sca-layer>/meta-sca"

Kas

Alternatively you can use kas to setup the workspace. Use conf/kas/scatest-qemux86-64.yaml from this layer

Web monitor

If you're not quite convinced what this layer can do for you, have a look at the web monitor, where all findings from the layer CI pipelines are publically available.

Support

Actively maintained branch is currently only master. Unmaintained branches will only receive package updates on demand. Support for unmaintained branches has to be done by the community.

Status of the branches is described at SECURITY.md.

It's advised to use the tagged source versions in productive environment.

Releases

See SECURITY.md for details

Compatibility

If there is a technical issue that might break backward compatibility it will be mentioned in release note of the corresponding milestone release.

Licensing

This layer does only provide open source tools. The layer itself is licensed under BSD.

If individual files are licensed under different terms, terms and conditions can be found in the individual file header

Zero impact

This layer provides only -native tools, so actually none of the build binaries will be deployed to your target. Everything happens on the build machine.

There are some excludes to this rule (e.g. lynis) as they need to be cross-compiled to make use of them, nevertheless none of these tools will be installed automatically to your build.

Available tools

The layer can check on a recipe-level or on an image-level.

  • On image-level the whole root-filesystem could be taken into account, which in most cases can't be granted on a recipe-level.
  • On the other hand some static code analysis does not make any sense on an image-level - so this layer does have different tools for both level available.

Overview of tools

Module Description Homepage Requires Requires inet Run on image Run on recipe Available in SDK C C++ Python Shell Javascript PHP Go Images LUA Spelling Metrics Binaries Packages Other formats Security scope Functional scope Style scope
bandit Scan python code for insecurities https://github.com/PyCQA/bandit x x x x x
bashate Shell script linter http://docs.openstack.org/developer/bashate/ x x x x x x
bitbake Bitbake issue handling x x x x x
cbmc C Bounded Model Checker https://github.com/diffblue/cbmc/ x x x x
checkbashisms Shell script linter https://manpages.debian.org/jessie/devscripts/checkbashisms.1.en.html x x x x x x
checksec check on security issues https://github.com/slimm609/checksec.sh x x x
cmake Get cmake errors and warnings x x x x
configcheck Check application configurations x x x
cppcheck C/C++ linter https://github.com/danmar/cppcheck x x x x x x x
cpplint C/C++ linter https://github.com/cpplint/cpplint x x x x x x x
cvecheck Check for unpatched CVEs https://github.com/clearlinux/cve-check-tool manual enable x x x x
darglint Python docstring linter https://github.com/terrencepreilly/darglint x x x x
dennis I18N linter https://github.com/willkg/dennis/ x x x x x
detectsecrets Detect hardcoded secrets in code https://github.com/Yelp/detect-secrets x x x x x x
flake8 Python linter http://flake8.pycqa.org/en/latest/ x x x x x x
flawfinder C/C++ security linter https://github.com/david-a-wheeler/flawfinder x x x x x
flint C/C++ linter https://github.com/JossWhittle/FlintPlusPlus x x x x x
gcc GCC compiler issues and hardening x x x x x
golicensecheck Scan code for license information https://github.com/go-enry/go-license-detector x x x
golint GO linter https://github.com/golang/lint x x x x
it Python linter https://github.com/thg-consulting/it x x x x
jsonlint JSON file linter x x x x x
kconfighard Kernel config hardening checker https://github.com/a13xp0p0v/kconfig-hardened-check x x x x
licensecheck Scan code for license information https://github.com/boyter/lc x x x
looong Find functions with too long arglists https://github.com/anapaulagomes/looong x x x x
lse check on security issues https://github.com/diego-treitos/linux-smart-enumeration x x x
lynis Auditing tool for images https://github.com/CISOfy/lynis x x x
msgcheck I18n linter https://github.com/codingjoe/msgcheck x x x x
multimetric Coding metrics https://github.com/priv-kweihmann/multimetric manual enable x x x x x x x x x x x x
mypy Python linter https://github.com/python/mypy x x x x x
oelint Bitbake recipe linter https://github.com/priv-kweihmann/oelint-adv x x x x
perl Perl warnings check x x x x
perlcritic Perl linter https://metacpan.org/pod/perlcritic x x x x
pkgqaenc Enhanced package QA x x x
protolint Lint protobuf files https://github.com/yoheimuta/protolint x x x x x
pscan Find insecure printfs http://deployingradius.com/pscan/ x x x x
pyfindinjection Find SQL injections in python code https://github.com/uber/py-find-injection x x x x x
pylint Python linter https://github.com/PyCQA/pylint x x x x x x
pysymcheck Check binaries for forbidden function usage https://github.com/priv-kweihmann/pysymbolcheck x x x
rats Check on insecurities in several languages https://github.com/redNixon/rats x x x x x x x
reconbf security audit tool https://github.com/HewlettPackard/reconbf x x x x
reuse Scan code for license information https://github.com/fsfe/reuse-tool x x x
revive GO linter https://github.com/mgechev/revive x x x x x
scancode Scan code for license information https://github.com/nexB/scancode-toolkit x x x
setuptoolslint Lint python-setup.py https://github.com/johnnoone/setuptools-pylint x x x x
shellcheck Shell script linter https://github.com/koalaman/shellcheck x x x x x x
slick Shell script linter https://github.com/mcandre/slick x x x x x
sparse C linter https://sparse.wiki.kernel.org/index.php/Main_Page x x x x
stank Shell script linter https://github.com/mcandre/stank x x x x x x
sudokiller check on sudo https://github.com/TH3xACE/SUDO_KILLER x x x
systemdlint Systemd unit linter https://github.com/priv-kweihmann/systemdlint x x x x x x x
tiger security audit and intrusion detection tool http://www.nongnu.org/tiger/ x x x
tlv Find duplicate code https://github.com/priv-kweihmann/tlv manual enable x x x x x x x x x x x
tscancode C and lua linter https://github.com/Tencent/TscanCode x x x x
upc check for simple privilege escalation vectors https://github.com/pentestmonkey/unix-privesc-check x x x
vulture Find dead python code https://github.com/jendrikseipp/vulture x x x x x
xmllint XML linter http://xmlsoft.org/xmllint.html x x x x x
yamllint YAML linter https://github.com/adrienverge/yamllint x x x x x

each tool does have it's own benefits and flaws so don't be mad if you have 10k+ findings on the initial run.

Further documentation

  • Global Configuration
    • Blacklisting sources
    • Configuration wizard
    • Custom severity
    • Enable SCA locally/globally
    • Fatal findings
    • Filter findings
    • Filter out files to check
    • Output formats
    • Suppress findings
    • Trace source files
    • SDK support
    • Tools
      • bandit
      • bashate
      • bitbake
      • cbmc
      • checkbashism
      • checksec
      • cmake
      • configcheck
      • cppcheck
      • cpplint
      • cvecheck
      • darglint
      • dennis
      • detectsecrets
      • flake8
      • flawfinder
      • flint++
      • gcc
      • golicensecheck
      • golint
      • it
      • jsonlint
      • kconfighard
      • licensecheck
      • looong
      • lse
      • lynis
      • msgcheck
      • multimetric
      • mypy
      • oelint
      • perl
      • perlcritic
      • pkgqaenc
      • protolint
      • pscan
      • pyfindinjection
      • pylint
      • pysymcheck
      • rats
      • reconbf
      • reuse
      • revive
      • scancode
      • setuptoolslint
      • shellcheck
      • slick
      • sparse
      • stank
      • sudokiller
      • systemdlint
      • tiger
      • tlv
      • tscancode
      • upc
      • vulture
      • xmllint
      • yamllint
  • Configuration Examples
    • C/C++ code while developing
    • Image monitoring
    • Image security/hardening monitor
    • Python code while developing
    • Shell code while developing
    • Webapps while developing
    • Recommended tools for software integration
  • Results
  • Build system integration
    • Control via command-line
    • SCA bot
    • Jenkins integration
      • Basic jenkins integration
      • Parameterized jenkins build
  • Application notes
    • Recipe buildtime dependencies
    • How are the statistics of a tool calculated?
    • How to build your own module
    • build and version conflicts
    • maintaining your own branch
  • Case studies
    • Regression on severe code issues
    • Idenfying hardening and security potential

Contributing

Please see the detailed contribution guideline for details

Get involved

To get involved following things can be done

  • create an issue
  • fix an issue and create a pull request
  • see the pinned issues in the bugtracker

Security Policy

For the project's security policy please see here

Metadata

86
Stars
33
Forks
Watchers

Owner

verified publisher icon priv-kweihmann

Metadata

Layer for static code analysis and security hardening

Back