diff options
| author | min li <min.li1@citrix.com> | 2019-05-29 14:48:53 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-05-29 14:48:53 +0800 |
| commit | 43b551f193508b6cfa8248389db08ff68d7486d0 (patch) | |
| tree | 0eb0182f46e452d989598c5f970940fd7319e79c | |
| parent | ccd1eac68028a003e7bb9f072f8110c12a634ef5 (diff) | |
| parent | 218d1c376840efc4c2567f1c5a573c9d439217b1 (diff) | |
| download | vyos-xe-guest-utilities-43b551f193508b6cfa8248389db08ff68d7486d0.tar.gz vyos-xe-guest-utilities-43b551f193508b6cfa8248389db08ff68d7486d0.zip | |
Merge pull request #62 from krizex/ninja
Check the security of the project
| -rw-r--r-- | .gitignore | 2 | ||||
| -rw-r--r-- | analyze.py | 63 | ||||
| -rwxr-xr-x | security-check.sh | 18 |
3 files changed, 83 insertions, 0 deletions
@@ -23,3 +23,5 @@ _testmain.go *.exe *.test *.prof + +build/
\ No newline at end of file diff --git a/analyze.py b/analyze.py new file mode 100644 index 0000000..51a7269 --- /dev/null +++ b/analyze.py @@ -0,0 +1,63 @@ +import sys +import argparse +import json + + +def cnt_on_rule_id(issues, rule_id): + return len([issue for issue in issues if issue['rule_id'] == rule_id]) + +def analyze(js): + issues = js['Issues'] + if not issues: + print "Security check: no security issue detected" + return 0 + + for issue in issues: + f = issue['file'] + f = '/'.join(f.split('/')[2:]) + issue['file'] = f + + must_fix = [] + better_fix = [] + for issue in issues: + if issue['severity'] == 'HIGH': + must_fix.append(issue) + else: + better_fix.append(issue) + + + print '======== Must fix the potential security issues ========' + for issue in must_fix: + print json.dumps(issue, indent=4) + + print '======== Optional to fix the potential security issues ========' + for issue in better_fix: + print json.dumps(issue, indent=4) + + if must_fix: + return 1 + else: + return 0 + + +def parse_args_or_exit(argv=None): + """ + Parse command line options + """ + parser = argparse.ArgumentParser(description="Analyze security check result") + parser.add_argument("check_result", metavar="check_result", + help="json file of check result") + + args = parser.parse_args(argv) + + return args + +def main(argv): + args = parse_args_or_exit(argv) + check_result = args.check_result + with open(args.check_result) as f: + js = json.load(f) + sys.exit(analyze(js)) + +if __name__ == '__main__': + main(sys.argv[1:]) diff --git a/security-check.sh b/security-check.sh new file mode 100755 index 0000000..34b03fc --- /dev/null +++ b/security-check.sh @@ -0,0 +1,18 @@ +#!/bin/bash +set -x + +top_dir=$(pwd) +if [ ! -z $1 ];then + mkdir -p $1 + cd $1 +fi + +if [ ! -f ./bin/gosec ];then + curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s 2.0.0 +fi + +out_file=result.json + +./bin/gosec -fmt=json -out=${out_file} ${top_dir}/... + +python ${top_dir}/analyze.py ${out_file} |