From 617d7de1afa632cfec2ac8ff690e301b38f4ca9d Mon Sep 17 00:00:00 2001
From: Konrad Weihmann
Date: Mon, 25 Apr 2022 17:15:08 +0200
Subject: [PATCH] remove phpsecaudit module

Relates to #8749

Signed-off-by: Konrad Weihmann
---
 README.md | 2 -
 classes/sca-blacklist.bbclass | 1 -
 classes/sca-global.bbclass | 1 -
 classes/sca-on-recipe.bbclass | 1 -
 classes/sca-phpsecaudit.bbclass | 109 ------------------
 docs/conf/module/phpsecaudit.md | 63 ----------
 files/module_list.csv | 1 -
 .../files/fatal | 0
 .../files/suppress | 0
 ...sca-recipe-phpsecaudit-rules-native_1.0.bb | 19 ---
 .../files/phpsecaudit.sca.description | 27 -----
 .../phpcs-security-audit-native_2.0.1.bb | 33 ------
 test/lang_metaoe.txt | 1 -
 13 files changed, 258 deletions(-)
 delete mode 100755 classes/sca-phpsecaudit.bbclass
 delete mode 100644 docs/conf/module/phpsecaudit.md
 delete mode 100755 recipes-sca-rules/sca-recipe-phpsecaudit-rules-native/files/fatal
 delete mode 100755 recipes-sca-rules/sca-recipe-phpsecaudit-rules-native/files/suppress
 delete mode 100755 recipes-sca-rules/sca-recipe-phpsecaudit-rules-native/sca-recipe-phpsecaudit-rules-native_1.0.bb
 delete mode 100644 recipes-sca/phpcs-security-audit-native/files/phpsecaudit.sca.description
 delete mode 100755 recipes-sca/phpcs-security-audit-native/phpcs-security-audit-native_2.0.1.bb

diff --git a/README.md b/README.md
index 659a72e12c..6fb55b900a 100644
--- a/README.md
+++ b/README.md
@@ -214,7 +214,6 @@ The layer can check on a recipe-level or on an image-level.
 | oelint | Bitbake recipe linter | https://github.com/priv-kweihmann/oelint-adv | | | x | x | | | | | | | | | | | | | | x | | | x |
 | perl | Perl warnings check | | | | | x | | | | | | | | | | | | | | x | | x | |
 | perlcritic | Perl linter | https://metacpan.org/pod/perlcritic | | | | x | | | | | | | | | | | | | | x | | x | |
-| phpsecaudit | Find vulnerabilities in PHP code | https://github.com/FloeDesignTechnologies/phpcs-security-audit | meta-oe, manual enable | x | | x | | | | | | x | | | | | | | | | x | | |
 | phpstan | PHP linter | https://github.com/phpstan/phpstan | meta-oe, manual enable | x | | x | | | | | | x | | | | | | | | | | | x |
 | pkgqaenc | Enhanced package QA | | | | | x | | | | | | | | | | | | | x | | x | | |
 | proselint | Spelling and text linter | https://github.com/amperser/proselint/ | | | x | x | | | | | | | | | | x | | | | | | | x |
@@ -310,7 +309,6 @@ each tool does have it's own benefits and flaws so don't be mad if you have 10k+
 - [oelint](docs/conf/module/oelint.md)
 - [perl](docs/conf/module/perl.md)
 - [perlcritic](docs/conf/module/perlcritic.md)
- - [phpsecaudit](docs/conf/module/phpsecaudit.md)
 - [phpstan](docs/conf/module/phpstan.md)
 - [pkgqaenc](docs/conf/module/pkgqaenc.md)
 - [proselint](docs/conf/module/proselint.md)
diff --git a/classes/sca-blacklist.bbclass b/classes/sca-blacklist.bbclass
index 17926006ef..208a99cf71 100644
--- a/classes/sca-blacklist.bbclass
+++ b/classes/sca-blacklist.bbclass
@@ -40,7 +40,6 @@ SCA_BLACKLIST_mypy ?= "linux-.*"
 SCA_BLACKLIST_nixauditor ?= ""
 SCA_BLACKLIST_oclint ?= "linux-.*"
 SCA_BLACKLIST_oelint ?= ""
-SCA_BLACKLIST_phpsecaudit ?= ""
 SCA_BLACKLIST_phpstan ?= ""
 SCA_BLACKLIST_proselint ?= ""
 SCA_BLACKLIST_protolint ?= ""
diff --git a/classes/sca-global.bbclass b/classes/sca-global.bbclass
index 2f6d8ffc09..5017513b23 100644
--- a/classes/sca-global.bbclass
+++ b/classes/sca-global.bbclass
@@ -151,7 +151,6 @@ SCA_AVAILABLE_MODULES ?= "\
 "
 # additional layer requirements
 SCA_AVAILABLE_MODULES[inspec] = "openembedded-layer rubygems"
-SCA_AVAILABLE_MODULES[phpsecaudit] = "openembedded-layer"
 SCA_AVAILABLE_MODULES[phpstan] = "openembedded-layer"
 SCA_AVAILABLE_MODULES[pyright] = "openembedded-layer"
 SCA_AVAILABLE_MODULES[reek] = "rubygems"
diff --git a/classes/sca-on-recipe.bbclass b/classes/sca-on-recipe.bbclass
index 34bc82f02e..e9df31e8b7 100755
--- a/classes/sca-on-recipe.bbclass
+++ b/classes/sca-on-recipe.bbclass
@@ -43,7 +43,6 @@ SCA_ENABLED_MODULES_RECIPE ?= "\
 oelint \
 perl \
 perlcritic \
- phpsecaudit \
 phpstan \
 pkgqaenc \
 proselint \
diff --git a/classes/sca-phpsecaudit.bbclass b/classes/sca-phpsecaudit.bbclass
deleted file mode 100755
index 9e6d41e0ac..0000000000
--- a/classes/sca-phpsecaudit.bbclass
+++ /dev/null
@@ -1,109 +0,0 @@
-## SPDX-License-Identifier: BSD-2-Clause
-## Copyright (c) 2019, Konrad Weihmann
-
-## Add ids to suppress on a recipe level
-SCA_PHPSECAUDIT_EXTRA_SUPPRESS ?= ""
-## Add ids to lead to a fatal on a recipe level
-SCA_PHPSECAUDIT_EXTRA_FATAL ?= ""
-SCA_PHPSECAUDIT_FILE_FILTER ?= ".php"
-
-SCA_RAW_RESULT_FILE[phpsecaudit] = "json"
-
-inherit sca-conv-to-export
-inherit sca-datamodel
-inherit sca-global
-inherit sca-helper
-inherit sca-suppress
-inherit sca-image-backtrack
-inherit sca-tracefiles
-
-def do_sca_conv_phpsecaudit(d):
- import os
- import json
-
- package_name = d.getVar("PN")
- buildpath = d.getVar("SCA_SOURCES_DIR")
-
- _findings = []
- _suppress = sca_suppress_init(d, "SCA_PHPSECAUDIT_EXTRA_SUPPRESS",
- d.expand("${STAGING_DATADIR_NATIVE}/phpsecaudit-${SCA_MODE}-suppress"))
-
- _severity_map = {
- "ERROR": "error",
- "WARNING": "warning"
- }
-
- if os.path.exists(sca_raw_result_file(d, "phpsecaudit")):
- content = []
- with open(sca_raw_result_file(d, "phpsecaudit"), "r") as f:
- try:
- content = json.load(f)
- except json.JSONDecodeError as e:
- sca_log_note(d, str(e))
- content = {"files": {}}
- for k,v in content["files"].items():
- for m in v["messages"]:
- try:
- g = sca_get_model_class(d,
- PackageName=package_name,
- BuildPath=buildpath,
- Tool="phpsecaudit",
- File=k,
- Line=str(m["line"]),
- Column=str(m["column"]),
- Message=m["message"],
- ID=m["source"],
- Severity=_severity_map[m["type"]])
- if _suppress.Suppressed(g):
- continue
- if g.Scope not in clean_split(d, "SCA_SCOPE_FILTER"):
- continue
- if g.Severity in sca_allowed_warning_level(d):
- _findings += sca_backtrack_findings(d, g)
- except Exception as exp:
- sca_log_note(d, str(exp))
-
- sca_add_model_class_list(d, _findings)
- return sca_save_model_to_string(d)
-
-python do_sca_phpsecaudit() {
- import os
- import subprocess
-
- cmd_output = ""
-
- ## Run
- _args = [os.path.join(d.getVar("STAGING_BINDIR_NATIVE"), "phpcs-security-audit/vendor/bin/phpcs")]
- _args += ["--no-colors"]
- _args += ["--no-cache"]
- _args += ["-s"]
- _args += ["--report=json"]
- _args += ["--standard=Security"]
-
- _files = get_files_by_extention_or_shebang(d, d.getVar("SCA_SOURCES_DIR"), ".*php", d.getVar("SCA_PHPSECAUDIT_FILE_FILTER"), \
- sca_filter_files(d, d.getVar("SCA_SOURCES_DIR"), clean_split(d, "SCA_FILE_FILTER_EXTRA")))
-
- cmd_output = exec_wrap_check_output(d, _args, _files, combine=exec_wrap_combine_json_subdict, key="files", default_val={"files": {}})
-
- with open(sca_raw_result_file(d, "phpsecaudit"), "w") as o:
- o.write(cmd_output)
-}
-
-python do_sca_phpsecaudit_report() {
- import os
- ## Create data model
- d.setVar("SCA_DATAMODEL_STORAGE", "{}/phpsecaudit.dm".format(d.getVar("T")))
- dm_output = do_sca_conv_phpsecaudit(d)
- with open(d.getVar("SCA_DATAMODEL_STORAGE"), "w") as o:
- o.write(dm_output)
-
- sca_task_aftermath(d, "phpsecaudit", get_fatal_entries(d, "SCA_PHPSECAUDIT_EXTRA_FATAL",
- d.expand("${STAGING_DATADIR_NATIVE}/phpsecaudit-${SCA_MODE}-fatal")))
-}
-
-do_sca_phpsecaudit[doc] = "Lint php scripts with phpsecaudit in workspace"
-do_sca_phpsecaudit_report[doc] = "Report findings of do_sca_phpsecaudit"
-addtask do_sca_phpsecaudit after do_configure before do_sca_tracefiles
-addtask do_sca_phpsecaudit_report after do_sca_tracefiles before do_sca_deploy
-
-DEPENDS += "phpcs-security-audit-native sca-recipe-phpsecaudit-rules-native"
diff --git a/docs/conf/module/phpsecaudit.md b/docs/conf/module/phpsecaudit.md
deleted file mode 100644
index 98468151ce..0000000000
--- a/docs/conf/module/phpsecaudit.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Configuration for phpsecaudit
-
-## Supported environments/languages
-
-* PHP
-* Javascript
-* CSS
-
-## Configuration
-
-| var | purpose | type | default |
-| ------------- |:-------------:| -----:| -----:
-| SCA_BLACKLIST_phpsecaudit | Blacklist filter for this tool | space-separated-list | ""
-| SCA_PHPSECAUDIT_EXTRA_FATAL | Extra error-IDs leading to build termination when found | space-separated-list | "":
-| SCA_PHPSECAUDIT_EXTRA_SUPPRESS | Extra error-IDs to be suppressed | space-separated-list | ""
-| SCA_PHPSECAUDIT_FILE_FILTER | File extensions to check | space-separated-list | ".php"
-
-## Supports
-
-* [x] suppression of IDs
-* [x] terminate build on fatal
-* [x] run on recipe
-* [ ] run on image
-* [ ] run with SCA-layer default settings (see SCA_AVAILABLE_MODULES)
-
-## Requires
-
-* [x] requires online access
-
-## Known error-IDs
-
-__tbd__
-
-## Checking scope
-
-* [x] security
-* [ ] functional defects
-* [ ] compliance
-* [ ] style issues
-
-## Statistics
-
-* ⬛⬛⬛⬛⬜⬜⬜⬜⬜⬜ 04/10 Build Speed
-* ⬛⬛⬛⬛⬛⬛⬛⬛⬛⬛ 10/10 Execution Speed
-* ⬛⬛⬛⬛⬛⬛⬛⬛⬛⬜ 09/10 Quality
-
-## Score mapping
-
-### Error considered as security relevant
-
-* phpsecaudit.phpsecaudit.*
-
-### Error considered as functional defect
-
-* n.a.
-
-### Error consired as compliance issue
-
-* n.a.
-
-### Error considered as style issue
-
-* n.a.
diff --git a/files/module_list.csv b/files/module_list.csv
index c86e0cd2d4..963736da46 100644
--- a/files/module_list.csv
+++ b/files/module_list.csv
@@ -39,7 +39,6 @@ nixauditor,Auditing tool for images,https://github.com/XalfiE/Nix-Auditor,,,x,,,
 oelint,Bitbake recipe linter,https://github.com/priv-kweihmann/oelint-adv,,,x,x,,,,,,,,,,,,,,x,,,x
 perl,Perl warnings check,,,,,x,,,,,,,,,,,,,,x,,x,
 perlcritic,Perl linter,https://metacpan.org/pod/perlcritic,,,,x,,,,,,,,,,,,,,x,,x,
-phpsecaudit,Find vulnerabilities in PHP code,https://github.com/FloeDesignTechnologies/phpcs-security-audit,"meta-oe, manual enable",x,,x,,,,,,x,,,,,,,,,x,,
 phpstan,PHP linter,https://github.com/phpstan/phpstan,"meta-oe, manual enable",x,,x,,,,,,x,,,,,,,,,,,x
 pkgqaenc,Enhanced package QA,,,,,x,,,,,,,,,,,,,x,,x,,
 proselint,Spelling and text linter,https://github.com/amperser/proselint/,,,x,x,,,,,,,,,,x,,,,,,,x
diff --git a/recipes-sca-rules/sca-recipe-phpsecaudit-rules-native/files/fatal b/recipes-sca-rules/sca-recipe-phpsecaudit-rules-native/files/fatal
deleted file mode 100755
index e69de29bb2..0000000000
diff --git a/recipes-sca-rules/sca-recipe-phpsecaudit-rules-native/files/suppress b/recipes-sca-rules/sca-recipe-phpsecaudit-rules-native/files/suppress
deleted file mode 100755
index e69de29bb2..0000000000
diff --git a/recipes-sca-rules/sca-recipe-phpsecaudit-rules-native/sca-recipe-phpsecaudit-rules-native_1.0.bb b/recipes-sca-rules/sca-recipe-phpsecaudit-rules-native/sca-recipe-phpsecaudit-rules-native_1.0.bb
deleted file mode 100755
index da7c9bcbbf..0000000000
--- a/recipes-sca-rules/sca-recipe-phpsecaudit-rules-native/sca-recipe-phpsecaudit-rules-native_1.0.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-SUMMARY = "SCA ruleset for phpsecaudit at recipes"
-DESCRIPTION = "Rules to configure how phpsecaudit is affecting the build"
-
-DEFAULT_PREFERENCE = "${SCA_DEFAULT_PREFERENCE}"
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://${SCA_LAYERDIR}/LICENSE;md5=a4a2bbea1db029f21b3a328c7a059172"
-
-SRC_URI = "file://suppress \
- file://fatal"
-
-inherit native
-
-do_install() {
- install -d "${D}${datadir}"
- install "${WORKDIR}/fatal" "${D}${datadir}/phpsecaudit-recipe-fatal"
- install "${WORKDIR}/suppress" "${D}${datadir}/phpsecaudit-recipe-suppress"
-}
-
-FILES:${PN} = "${datadir}"
diff --git a/recipes-sca/phpcs-security-audit-native/files/phpsecaudit.sca.description b/recipes-sca/phpcs-security-audit-native/files/phpsecaudit.sca.description
deleted file mode 100644
index 4129243a08..0000000000
--- a/recipes-sca/phpcs-security-audit-native/files/phpsecaudit.sca.description
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "buildspeed": 4,
- "execspeed": 10,
- "languages": [
- "php"
- ],
- "uses": [
- "@php"
- ],
- "quality": 9,
- "scope": [
- "security"
- ],
- "score": {
- "security": [
- "phpsecaudit.phpsecaudit..*"
- ]
- },
- "test": {
- "findings": [
- "bad-php"
- ],
- "no-findings": [
- "busybox"
- ]
- }
-}
\ No newline at end of file
diff --git a/recipes-sca/phpcs-security-audit-native/phpcs-security-audit-native_2.0.1.bb b/recipes-sca/phpcs-security-audit-native/phpcs-security-audit-native_2.0.1.bb
deleted file mode 100755
index fb5363ac08..0000000000
--- a/recipes-sca/phpcs-security-audit-native/phpcs-security-audit-native_2.0.1.bb
+++ /dev/null
@@ -1,33 +0,0 @@
-SUMMARY = "PHP vulnerability finder"
-DESCRIPTION = "phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code"
-HOMEPAGE = "https://github.com/FloeDesignTechnologies/phpcs-security-audit"
-
-DEFAULT_PREFERENCE = "${SCA_DEFAULT_PREFERENCE}"
-LICENSE = "GPL-3.0-only"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=412af50a7c6ed96fe188e6672d9f3d9b"
-
-DEPENDS += "phpcodesniffer-native"
-
-SRC_URI = "git://github.com/FloeDesignTechnologies/phpcs-security-audit.git;branch=master;protocol=https"
-SRCREV = "68a6c53a57156a5efb2073b1eb3f2d79a46c9dc2"
-PHPCOMPOSER_PKGS_NAME = "pheromone/phpcs-security-audit=${PV}"
-
-S = "${WORKDIR}/git"
-
-inherit phpcomposer
-inherit sca-description
-inherit native
-
-SCA_TOOL_DESCRIPTION = "phpsecaudit"
-
-do_compile:prepend() {
- rm -f ${S}/composer.json ${S}/composer.lock
-}
-
-do_install:append() {
- ## We need to move the ruleset so it gets recognized by phpcodesniffer
- mv ${D}${bindir}/phpcs-security-audit/vendor/pheromone/phpcs-security-audit/Security \
- ${D}${bindir}/phpcs-security-audit/vendor/squizlabs/php_codesniffer/src/Standards/
-}
-
-FILES:${PN} = "${bindir}"
diff --git a/test/lang_metaoe.txt b/test/lang_metaoe.txt
index 0f6f5354ea..34a97739ef 100644
--- a/test/lang_metaoe.txt
+++ b/test/lang_metaoe.txt
@@ -1,4 +1,3 @@
-phpsecaudit
 phpstan
 pyright
 retire