authormin li <min.li1@citrix.com>2019-05-29 14:48:53 +0800
committerGitHub <noreply@github.com>2019-05-29 14:48:53 +0800
commit43b551f193508b6cfa8248389db08ff68d7486d0 (patch)
tree0eb0182f46e452d989598c5f970940fd7319e79c
parentccd1eac68028a003e7bb9f072f8110c12a634ef5 (diff)
parent218d1c376840efc4c2567f1c5a573c9d439217b1 (diff)
Merge pull request #62 from krizex/ninja
Add a gosec-based security check for the project
-rw-r--r--.gitignore2
-rw-r--r--analyze.py63
-rwxr-xr-xsecurity-check.sh18
3 files changed, 83 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index 6921662..a2177c0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,5 @@ _testmain.go
*.exe
*.test
*.prof
+
+build/ \ No newline at end of file
diff --git a/analyze.py b/analyze.py
new file mode 100644
index 0000000..51a7269
--- /dev/null
+++ b/analyze.py
@@ -0,0 +1,63 @@
+import sys
+import argparse
+import json
+
+
+def cnt_on_rule_id(issues, rule_id):
+ return len([issue for issue in issues if issue['rule_id'] == rule_id])
+
+def analyze(js):
+ issues = js['Issues']
+ if not issues:
+ print "Security check: no security issue detected"
+ return 0
+
+ for issue in issues:
+ f = issue['file']
+ f = '/'.join(f.split('/')[2:])
+ issue['file'] = f
+
+ must_fix = []
+ better_fix = []
+ for issue in issues:
+ if issue['severity'] == 'HIGH':
+ must_fix.append(issue)
+ else:
+ better_fix.append(issue)
+
+
+ print '======== Must fix the potential security issues ========'
+ for issue in must_fix:
+ print json.dumps(issue, indent=4)
+
+ print '======== Optional to fix the potential security issues ========'
+ for issue in better_fix:
+ print json.dumps(issue, indent=4)
+
+ if must_fix:
+ return 1
+ else:
+ return 0
+
+
+def parse_args_or_exit(argv=None):
+ """
+ Parse command line options
+ """
+ parser = argparse.ArgumentParser(description="Analyze security check result")
+ parser.add_argument("check_result", metavar="check_result",
+ help="json file of check result")
+
+ args = parser.parse_args(argv)
+
+ return args
+
+def main(argv):
+ args = parse_args_or_exit(argv)
+ check_result = args.check_result
+ with open(args.check_result) as f:
+ js = json.load(f)
+ sys.exit(analyze(js))
+
+if __name__ == '__main__':
+ main(sys.argv[1:])
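Review bot: `analyze` returns 1 only when a HIGH-severity issue exists (`if must_fix: return 1`), so every MEDIUM and LOW finding is printed under "Optional to fix" and never fails the build, and gosec's `confidence` field is not consulted at all; if this is meant to be a gate, make the threshold an explicit, documented constant such as `FAIL_SEVERITIES = ('HIGH',)  # findings at these severities fail the check` so the policy is visible rather than buried in the loop. The rewrite `'/'.join(f.split('/')[2:])` unconditionally drops the first two components of `issue['file']`, which presumably strips a build-directory prefix; a comment naming the expected prefix would help, because paths of any other shape are silently mangled. `cnt_on_rule_id` is never called and `check_result` in `main` is assigned but unused, and the bare `print` statements are Python 2 syntax, so the script cannot run under Python 3 — `print(...)` calls plus `from __future__ import print_function` would keep it working on both.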
diff --git a/security-check.sh b/security-check.sh
new file mode 100755
index 0000000..34b03fc
--- /dev/null
+++ b/security-check.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -x
+
+top_dir=$(pwd)
+if [ ! -z $1 ];then
+ mkdir -p $1
+ cd $1
+fi
+
+if [ ! -f ./bin/gosec ];then
+ curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s 2.0.0
+fi
+
+out_file=result.json
+
+./bin/gosec -fmt=json -out=${out_file} ${top_dir}/...
+
+python ${top_dir}/analyze.py ${out_file}
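Review bot: The install step pipes `install.sh` from the gosec `master` branch straight into `sh`, so only the binary version (`2.0.0`) is pinned while the installer that runs on every fresh build machine is whatever master contains at that moment; fetch the script from a tagged revision (or vendor it in the repo) and verify a known checksum before executing it. The script has no `set -e` and never removes an earlier `result.json`, so if `./bin/gosec` fails to run at all, `analyze.py` reads a stale result from a previous run and the check can pass falsely — add `rm -f "${out_file}"` before the gosec line (plain `set -e` is probably not enough on its own, since gosec appears to exit non-zero when it finds issues, which would abort before `analyze.py` prints its report). `$1` and `${top_dir}` are unquoted in `mkdir -p $1`, `cd $1` and the gosec/python invocations, which breaks on paths containing spaces.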