Code Review / releng-anteater.git / blob
? search:


083639f7775d5ac21f94d5bc21c8f78f941fba4d
[releng-anteater.git] / anteater / src / patch_scan.py
1 #!/usr/bin/env python
2 # -*- coding: utf-8 -*-
3 ##############################################################################
4 # Copyright (c) 2017 Luke Hinds <lhinds@redhat.com>, Red Hat
5 #
6 # All rights reserved. This program and the accompanying materials
7 # are made available under the terms of the Apache License, Version 2.0
8 # which accompanies this distribution, and is available at
9 # http://www.apache.org/licenses/LICENSE-2.0
10 ##############################################################################
11
12 """
13     Accepts the --patchset argument and iterates through each line of the
14     patchset file to perform various checks such as if the file is a binary, or
15     contains a blacklisted string. If any violations are found, the script
16     exits with code 1 and logs the violation(s) found.
17 """
18
19 from __future__ import division, print_function, absolute_import
20 from binaryornot.check import is_binary
21 import logging
22 import hashlib
23 import six.moves.configparser
24 import sys
25 import re
26
27 from . import get_lists
28
29 logger = logging.getLogger(__name__)
30 config = six.moves.configparser.RawConfigParser()
31 config.read('anteater.conf')
32 reports_dir = config.get('config', 'reports_dir')
33 failure = False
34 hasher = hashlib.sha256()
35
36
37 def prepare_patchset(project, patchset):
38     """ Create black/white lists and default / project waivers
39         and iterates over patchset file """
40
41     # Get Various Lists / Project Waivers
42     lists = get_lists.GetLists()
43     # Get binary white list
44     binary_list = lists.binary_list(project)
45
46     # Get file name black list and project waivers
47     file_audit_list, file_audit_project_list = lists.file_audit_list(project)
48
49     # Get file content black list and project waivers
50     master_list, project_list_re = lists.file_content_list(project)
51
52     # Get Licence Lists
53     licence_ext = lists.licence_extensions()
54     licence_ignore = lists.licence_ignore()
55
56     # Open patch set to get file list
57     try:
58         fo = open(patchset, 'r')
59         lines = fo.readlines()
60     except IOError:
61         logger.error('%s does not exist', patchset)
62         sys.exit(1)
63
64     for line in lines:
65         patch_file = line.strip('\n')
66         # Perform binary and file / content checks
67         scan_patch(project, patch_file, binary_list,
68                    file_audit_list, file_audit_project_list,
69                    master_list, project_list_re, licence_ext,
70                    licence_ignore)
71
72     # Process each file in patch set using waivers generated above
73     # Process final result
74     process_failure()
75
76
77 def scan_patch(project, patch_file, binary_list, file_audit_list,
78                file_audit_project_list, master_list,
79                project_list_re, licence_ext, licence_ignore):
80     """ Scan actions for each commited file in patch set """
81     global failure
82     if is_binary(patch_file):
83         hashlist = get_lists.GetLists()
84         binary_hash = hashlist.binary_hash(project, patch_file)
85         if not binary_list.search(patch_file):
86             with open(patch_file, 'rb') as afile:
87                 buf = afile.read()
88                 hasher.update(buf)
89             if hasher.hexdigest() in binary_hash:
90                 logger.info('Found matching file hash for file: %s',
91                             patch_file)
92             else:
93                 logger.error('Non Whitelisted Binary file: %s',
94                              patch_file)
95                 logger.error('Submit patch with the following hash: %s',
96                              hasher.hexdigest())
97             failure = True
98             with open(reports_dir + "binaries-" + project + ".log", "a") \
99                     as gate_report:
100                 gate_report.write('Non Whitelisted Binary file: {0}\n'.
101                                   format(patch_file))
102     else:
103         # Check file names / extensions
104         if file_audit_list.search(patch_file) and not \
105                     file_audit_project_list.search(patch_file):
106             match = file_audit_list.search(patch_file)
107             logger.error('Blacklisted file: %s', patch_file)
108             logger.error('Matched String: %s', match.group())
109             failure = True
110             with open(reports_dir + "file-names_" + project + ".log", "a") \
111                     as gate_report:
112                 gate_report.write('Blacklisted file: {0}\n'.
113                                   format(patch_file))
114                 gate_report.write('Matched String: {0}'.
115                                   format(match.group()))
116
117         # Open file to check for blacklisted content
118         try:
119             fo = open(patch_file, 'r')
120             lines = fo.readlines()
121             file_exists = True
122         except IOError:
123             file_exists = False
124
125         if file_exists:
126             for line in lines:
127                 for key, value in master_list.iteritems():
128                     regex = value['regex']
129                     desc = value['desc']
130                     if re.search(regex, line) and not re.search(project_list_re, line):
131                         logger.error('File contains violation: %s', patch_file)
132                         logger.error('Flagged Content: %s', line.rstrip())
133                         logger.error('Matched Regular Exp: %s', regex)
134                         logger.error('Rationale: %s', desc.rstrip())
135                         failure = True
136                         with open(reports_dir + "contents_" + project + ".log",
137                                   "a") as gate_report:
138                             gate_report.write('File contains violation: {0}\n'.
139                                               format(patch_file))
140                             gate_report.write('Flagged Content: {0}'.
141                                               format(line))
142                             gate_report.write('Matched Regular Exp: {0}\n'.
143                                               format(regex))
144                             gate_report.write('Rationale: {0}\n'.
145                                               format(desc.rstrip()))
146             # Run license check
147             licence_check(project, licence_ext, licence_ignore, patch_file)
148
149
150 def licence_check(project, licence_ext,
151                   licence_ignore, patch_file):
152     """ Performs licence checks """
153     global failure
154     if patch_file.endswith(tuple(licence_ext)) \
155             and patch_file not in licence_ignore:
156         fo = open(patch_file, 'r')
157         content = fo.read()
158         # Note: Hardcoded use of 'copyright' & 'spdx' is the result
159         # of a decision made at 2017 plugfest to limit searches to
160         # just these two strings.
161         patterns = ['copyright', 'spdx',
162                     'http://creativecommons.org/licenses/by/4.0']
163         if any(i in content.lower() for i in patterns):
164             logger.info('Contains needed Licence string: %s', patch_file)
165         else:
166             logger.error('Licence header missing in file: %s', patch_file)
167             failure = True
168             with open(reports_dir + "licence-" + project + ".log", "a") \
169                     as gate_report:
170                 gate_report.write('Licence header missing in file: {0}\n'.
171                                   format(patch_file))
172
173
174 def process_failure():
175     """ If any scan operations register a failure, sys.exit(1) is called
176         to allow jjb to register a failure"""
177     if failure:
178         logger.error('Please visit: https://wiki.opnfv.org/x/5oey')
179         sys.exit(1)