author | Yang Qian <yang.qian@citrix.com> | 2019-05-28 16:25:22 +0800 |
---|---|---|
committer | Yang Qian <yang.qian@citrix.com> | 2019-05-29 14:34:07 +0800 |
commit | 218d1c376840efc4c2567f1c5a573c9d439217b1 (patch) | |
tree | 0eb0182f46e452d989598c5f970940fd7319e79c | |
parent | 2e12b5282c0aec0e61dffb1d02ad540f6392f1bd (diff) | |
Check security issue of the project
1. Introduce gosec to check for security issues in this project.
2. Integrate the check in jenkins pipeline. (will do in the pipeline repo)
Signed-off-by: Yang Qian <yang.qian@citrix.com>
-rw-r--r-- | analyze.py | 63 | ||||
-rwxr-xr-x | security-check.sh | 18 |
2 files changed, 81 insertions, 0 deletions
diff --git a/analyze.py b/analyze.py
new file mode 100644
index 0000000..51a7269
--- /dev/null
+++ b/analyze.py
@@ -0,0 +1,63 @@
+import sys
+import argparse
+import json
+
+
+def cnt_on_rule_id(issues, rule_id):
+    return len([issue for issue in issues if issue['rule_id'] == rule_id])
+
+def analyze(js):
+    issues = js['Issues']
+    if not issues:
+        print "Security check: no security issue detected"
+        return 0
+
+    for issue in issues:
+        f = issue['file']
+        f = '/'.join(f.split('/')[2:])
+        issue['file'] = f
+
+    must_fix = []
+    better_fix = []
+    for issue in issues:
+        if issue['severity'] == 'HIGH':
+            must_fix.append(issue)
+        else:
+            better_fix.append(issue)
+
+
+    print '======== Must fix the potential security issues ========'
+    for issue in must_fix:
+        print json.dumps(issue, indent=4)
+
+    print '======== Optional to fix the potential security issues ========'
+    for issue in better_fix:
+        print json.dumps(issue, indent=4)
+
+    if must_fix:
+        return 1
+    else:
+        return 0
+
+
+def parse_args_or_exit(argv=None):
+    """
+    Parse command line options
+    """
+    parser = argparse.ArgumentParser(description="Analyze security check result")
+    parser.add_argument("check_result", metavar="check_result",
+                        help="json file of check result")
+
+    args = parser.parse_args(argv)
+
+    return args
+
+def main(argv):
+    args = parse_args_or_exit(argv)
+    check_result = args.check_result
+    with open(args.check_result) as f:
+        js = json.load(f)
+    sys.exit(analyze(js))
+
+if __name__ == '__main__':
+    main(sys.argv[1:])
diff --git a/security-check.sh b/security-check.sh
new file mode 100755
index 0000000..34b03fc
--- /dev/null
+++ b/security-check.sh
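Review bot: `analyze` fails the check (returns 1) only when at least one issue has `severity == 'HIGH'`; every other finding is printed under the "Optional" header and never affects the exit status, and that gating policy is not written down anywhere, so a module docstring such as `"""Exit non-zero iff gosec reported at least one HIGH-severity issue; lower severities are printed but do not fail the build."""` would make the gate's meaning explicit to whoever tunes it later. `cnt_on_rule_id` is never called, and the `check_result = args.check_result` local in `main` is assigned but unused. The `print` statements are Python 2 syntax, so the script will not run under Python 3 even though the wrapper invokes a bare `python`; `print(...)` with `from __future__ import print_function` keeps both working. The path rewrite `f = '/'.join(f.split('/')[2:])` silently drops the first two path components of every reported file and deserves a one-line comment saying which prefix it is meant to strip, since a different checkout depth would truncate real paths.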
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -x
+
+top_dir=$(pwd)
+if [ ! -z $1 ];then
+    mkdir -p $1
+    cd $1
+fi
+
+if [ ! -f ./bin/gosec ];then
+    curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s 2.0.0
+fi
+
+out_file=result.json
+
+./bin/gosec -fmt=json -out=${out_file} ${top_dir}/...
+
+python ${top_dir}/analyze.py ${out_file}
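Review bot: The bootstrap line `curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s 2.0.0` pins the gosec release to 2.0.0 but fetches the installer itself from the moving `master` branch and executes it without any integrity check, so the security gate's own tooling is installed from unpinned remote content on every fresh checkout; pinning the installer URL to a tag or commit ref and verifying a known digest of the downloaded binary before use would close that gap. The script has `set -x` but no `set -e`, so if the download or the `./bin/gosec` run fails it still proceeds to `python ${top_dir}/analyze.py ${out_file}` and analyzes whatever `result.json` is already on disk, which can turn a failed scan into a pass; at minimum add `rm -f "${out_file}"` before the gosec invocation so a stale result cannot be analyzed. Note that gosec itself exits non-zero when it reports findings, so a bare `set -e` would stop the script before `analyze.py` runs unless gosec is invoked with `-no-fail` or its status is checked explicitly. The unquoted `$1` in `[ ! -z $1 ]`, `mkdir -p $1` and `cd $1` breaks on paths with spaces and lets a failed `cd` fall through to scanning the wrong directory; `if [ -n "$1" ]; then mkdir -p "$1" && cd "$1" || exit 1; fi` is the safe form.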