1*4882a593Smuzhiyun# Class to scan Python code for security issues, using Bandit. 2*4882a593Smuzhiyun# 3*4882a593Smuzhiyun# $ bitbake python-foo -c bandit 4*4882a593Smuzhiyun# 5*4882a593Smuzhiyun# Writes the report to $DEPLOY_DIR/bandit/python-foo.html. 6*4882a593Smuzhiyun# No output if no issues found, a warning if issues found. 7*4882a593Smuzhiyun# 8*4882a593Smuzhiyun# https://github.com/PyCQA/bandit 9*4882a593Smuzhiyun 10*4882a593Smuzhiyun# Default location of sources, based on standard distutils 11*4882a593SmuzhiyunBANDIT_SOURCE ?= "${S}/build" 12*4882a593Smuzhiyun 13*4882a593Smuzhiyun# The report format to use. 14*4882a593Smuzhiyun# https://bandit.readthedocs.io/en/latest/formatters/index.html 15*4882a593SmuzhiyunBANDIT_FORMAT ?= "html" 16*4882a593Smuzhiyun 17*4882a593Smuzhiyun# Whether a scan should be done every time the recipe is built. 18*4882a593Smuzhiyun# 19*4882a593Smuzhiyun# By default the scanning needs to be done explicitly, but by setting BANDIT_AUTO 20*4882a593Smuzhiyun# to 1 the scan will be done whenever the recipe it built. Note that you 21*4882a593Smuzhiyun# shouldn't set BANDIT_AUTO to 1 globally as it will then try to scan every 22*4882a593Smuzhiyun# recipe, including non-Python recipes, causing circular loops. 23*4882a593SmuzhiyunBANDIT_AUTO ?= "0" 24*4882a593Smuzhiyun 25*4882a593Smuzhiyun# Whether Bandit finding issues results in a warning (0) or an error (1). 26*4882a593SmuzhiyunBANDIT_FATAL ?= "0" 27*4882a593Smuzhiyun 28*4882a593Smuzhiyundo_bandit[depends] = "python3-bandit-native:do_populate_sysroot" 29*4882a593Smuzhiyunpython do_bandit() { 30*4882a593Smuzhiyun import os, subprocess 31*4882a593Smuzhiyun try: 32*4882a593Smuzhiyun report = d.expand("${DEPLOY_DIR}/bandit/${PN}-${PV}.${BANDIT_FORMAT}") 33*4882a593Smuzhiyun os.makedirs(os.path.dirname(report), exist_ok=True) 34*4882a593Smuzhiyun 35*4882a593Smuzhiyun args = ("bandit", 36*4882a593Smuzhiyun "--format", d.getVar("BANDIT_FORMAT"), 37*4882a593Smuzhiyun "--output", report, 38*4882a593Smuzhiyun "-ll", 39*4882a593Smuzhiyun "--recursive", d.getVar("BANDIT_SOURCE")) 40*4882a593Smuzhiyun subprocess.check_output(args, stderr=subprocess.STDOUT) 41*4882a593Smuzhiyun bb.note("Bandit found no issues (report written to %s)" % report) 42*4882a593Smuzhiyun except subprocess.CalledProcessError as e: 43*4882a593Smuzhiyun if e.returncode == 1: 44*4882a593Smuzhiyun if oe.types.boolean(d.getVar("BANDIT_FATAL")): 45*4882a593Smuzhiyun bb.error("Bandit found issues (report written to %s)" % report) 46*4882a593Smuzhiyun else: 47*4882a593Smuzhiyun bb.warn("Bandit found issues (report written to %s)" % report) 48*4882a593Smuzhiyun else: 49*4882a593Smuzhiyun bb.error("Bandit failed:\n" + e.output.decode("utf-8")) 50*4882a593Smuzhiyun} 51*4882a593Smuzhiyun 52*4882a593Smuzhiyunpython() { 53*4882a593Smuzhiyun before = "do_build" 54*4882a593Smuzhiyun after = "do_compile" 55*4882a593Smuzhiyun 56*4882a593Smuzhiyun if oe.types.boolean(d.getVar("BANDIT_AUTO")): 57*4882a593Smuzhiyun bb.build.addtask("do_bandit", before, after, d) 58*4882a593Smuzhiyun else: 59*4882a593Smuzhiyun bb.build.addtask("do_bandit", None, after, d) 60*4882a593Smuzhiyun} 61*4882a593Smuzhiyun 62*4882a593Smuzhiyun# TODO: store report in sstate 63*4882a593Smuzhiyun# TODO: a way to pass extra args or .bandit file, basically control -ll 64