diff --git a/README.md b/README.md
index bc946d6eb0..247dda063b 100644
--- a/README.md
+++ b/README.md
@@ -223,7 +223,6 @@ The layer can check on a recipe-level or on an image-level.
 | pysymcheck | Check binaries for forbidden function usage | https://github.com/priv-kweihmann/pysymbolcheck | | | | x | | | | | | | | | | | | x | | | x | | |
 | rats | Check on insecurities in several languages | https://github.com/redNixon/rats | | | | x | | x | x | x | | x | | | | | | | | | x | | |
 | reconbf | security audit tool | https://github.com/HewlettPackard/reconbf | | | x | | | | | | | | | x | | | | | | | x | | |
-| retire | Check for known vulnerabilities in javascript and NPM | https://retirejs.github.io/retire.js/ | meta-oe, manual enable | x | | x | | | | | x | | | | | | | | x | | x | | |
 | reuse | Scan code for license information | https://github.com/fsfe/reuse-tool | | | | x | | | | | | | | | | | | | | x | x | | |
 | revive | GO linter | https://github.com/mgechev/revive | | | | x | | | | | | | x | | | | | | | | | x | x |
 | ropgadget | Determine ROP exploitability in binaries | https://github.com/JonathanSalwan/ROPgadget | manual enable | | | x | | | | | | | | | | | | x | | | x | | |
@@ -315,7 +314,6 @@ each tool does have it's own benefits and flaws so don't be mad if you have 10k+
 - [pysymcheck](docs/conf/module/pysymcheck.md)
 - [rats](docs/conf/module/rats.md)
 - [reconbf](docs/conf/module/reconbf.md)
-- [retire](docs/conf/module/retire.md)
 - [reuse](docs/conf/module/reuse.md)
 - [revive](docs/conf/module/revive.md)
 - [ropgadget](docs/conf/module/ropgadget.md)
diff --git a/classes/sca-blacklist.bbclass b/classes/sca-blacklist.bbclass
index 845082b58e..c8bff352dc 100644
--- a/classes/sca-blacklist.bbclass
+++ b/classes/sca-blacklist.bbclass
@@ -52,7 +52,6 @@ SCA_BLACKLIST_pyright ?= ""
 SCA_BLACKLIST_pysymcheck ?= ""
 SCA_BLACKLIST_rats ?= ""
 SCA_BLACKLIST_reconbf ?= ""
-SCA_BLACKLIST_retire ?= ""
 SCA_BLACKLIST_revive ?= "openssh"
 SCA_BLACKLIST_ropgadget ?= "linux-.*"
 SCA_BLACKLIST_rubycritic ?= ""
diff --git a/classes/sca-global.bbclass b/classes/sca-global.bbclass
index 8897b29ad7..df03e4fdb2 100644
--- a/classes/sca-global.bbclass
+++ b/classes/sca-global.bbclass
@@ -151,7 +151,6 @@ SCA_AVAILABLE_MODULES ?= "\
 "
 # additional layer requirements
 SCA_AVAILABLE_MODULES[inspec] = "openembedded-layer rubygems"
-SCA_AVAILABLE_MODULES[retire] = "openembedded-layer"
 SCA_AVAILABLE_MODULES[rubycritic] = "rubygems"
 SCA_AVAILABLE_MODULES[secretlint] = "openembedded-layer"
 SCA_AVAILABLE_MODULES[standard] = "openembedded-layer"
diff --git a/classes/sca-on-recipe.bbclass b/classes/sca-on-recipe.bbclass
index 443b85ca81..51bbcf43af 100755
--- a/classes/sca-on-recipe.bbclass
+++ b/classes/sca-on-recipe.bbclass
@@ -51,7 +51,6 @@ SCA_ENABLED_MODULES_RECIPE ?= "\
     pylint \
     pysymcheck \
     rats \
-    retire \
     reuse \
     revive \
     ropgadget \
diff --git a/classes/sca-retire.bbclass b/classes/sca-retire.bbclass
deleted file mode 100755
index 280cd3c16e..0000000000
--- a/classes/sca-retire.bbclass
+++ /dev/null
@@ -1,109 +0,0 @@
-## SPDX-License-Identifier: BSD-2-Clause
-## Copyright (c) 2019, Konrad Weihmann
-
-## Add ids to lead to a fatal on a recipe level
-SCA_RETIRE_EXTRA_FATAL ?= ""
-## File extension filter list (whitespace separated)
-SCA_RETIRE_FILE_FILTER ?= ".js .json"
-
-SCA_RAW_RESULT_FILE[retire] = "json"
-
-inherit sca-conv-to-export
-inherit sca-datamodel
-inherit sca-global
-inherit sca-helper
-inherit sca-suppress
-inherit sca-image-backtrack
-inherit sca-tracefiles
-
-def do_sca_conv_retire(d):
-    import os
-    import json
-
-    package_name = d.getVar("PN")
-    buildpath = d.getVar("SCA_SOURCES_DIR")
-
-    items = []
-
-    _findings = []
-
-    _severity_map = {
-        "critical" : "error",
-        "high": "error",
-        "medium": "warning",
-        "low": "info"
-    }
-
-    _suppress = sca_suppress_init(d, "", None)
-
-    if os.path.exists(sca_raw_result_file(d, "retire")):
-        content = []
-        with open(sca_raw_result_file(d, "retire"), "r") as f:
-            try:
-                content = json.load(f)
-            except json.JSONDecodeError as e:
-                sca_log_note(d, str(e))
-        for item in content:
-            try:
-                _file = item["file"]
-                for results in item["results"]:
-                    _component = results["component"]
-                    for vul in results["vulnerabilities"]:
-                        g = sca_get_model_class(d,
-                                                PackageName=package_name,
-                                                Tool="retire",
-                                                BuildPath=buildpath,
-                                                File=_file,
-                                                Message="{}: Used version has a known vulnerability of {}".format(_component, vul["identifiers"]["summary"]),
-                                                ID="knownVulnerability",
-                                                Severity=_severity_map[vul["severity"]])
-                        if _suppress.Suppressed(g):
-                            continue
-                        if g.Scope not in clean_split(d, "SCA_SCOPE_FILTER"):
-                            continue
-                        if g.Severity in sca_allowed_warning_level(d):
-                            _findings += sca_backtrack_findings(d, g)
-            except Exception as e:
-                sca_log_note(d, str(e))
-    sca_add_model_class_list(d, _findings)
-    return sca_save_model_to_string(d)
-
-python do_sca_retire() {
-    import os
-    import subprocess
-
-    _args = ["retire", "-c", "--outputformat", "jsonsimple", "--path", d.getVar("SCA_SOURCES_DIR")]
-
-    _files = get_files_by_extention(d,
-                                    d.getVar("SCA_SOURCES_DIR"),
-                                    clean_split(d, "SCA_RETIRE_FILE_FILTER"),
-                                    sca_filter_files(d, d.getVar("SCA_SOURCES_DIR"), clean_split(d, "SCA_FILE_FILTER_EXTRA")))
-
-    ## Run
-    cmd_output = exec_wrap_check_output(d, _args, _files, combine=exec_wrap_combine_json, default_val={})
-
-    with open(sca_raw_result_file(d, "retire"), "w") as o:
-        if not cmd_output:
-            cmd_output = "[]"
-        o.write(cmd_output)
-}
-
-python do_sca_retire_report() {
-    import os
-    ## Create data model
-    d.setVar("SCA_DATAMODEL_STORAGE", "{}/retire.dm".format(d.getVar("T")))
-    dm_output = do_sca_conv_retire(d)
-    with open(d.getVar("SCA_DATAMODEL_STORAGE"), "w") as o:
-        o.write(dm_output)
-
-    sca_task_aftermath(d, "retire", get_fatal_entries(d, "SCA_RETIRE_EXTRA_FATAL",
-                                                      d.expand("${STAGING_DATADIR_NATIVE}/retire-${SCA_MODE}-fatal")))
-}
-
-do_sca_retire[doc] = "Find vulnerable js code"
-do_sca_retire[network] = "1"
-do_sca_retire_report[doc] = "Report finding of do_sca_retire"
-addtask do_sca_retire after do_install before do_sca_tracefiles
-addtask do_sca_retire_report after do_sca_tracefiles before do_sca_deploy
-
-DEPENDS += "retire-native sca-recipe-retire-rules-native"
diff --git a/docs/conf/module/retire.md b/docs/conf/module/retire.md
deleted file mode 100644
index 5a89fb35de..0000000000
--- a/docs/conf/module/retire.md
+++ /dev/null
@@ -1,62 +0,0 @@
-# Configuration for retire
-
-## Supported environments/languages
-
-* JavaScript
-* NPM
-
-## Configuration
-
-| var | purpose | type | default |
-| ------------- |:-------------:| -----:| -----:
-| SCA_BLACKLIST_retire | Blacklist filter for this tool | space-separated-list | "linux-*"
-| SCA_RETIRE_EXTRA_FATAL | Extra error-IDs leading to build termination when found | space-separated-list | ""
-| SCA_RETIRE_EXTRA_SUPPRESS | Extra error-IDs to be suppressed | space-separated-list | ""
-| SCA_RETIRE_FILE_FILTER | List of file-extensions to be checked | space-separated-list | ".js .json"
-
-## Supports
-
-* [ ] suppression of IDs
-* [x] terminate build on fatal
-* [x] run on recipe
-* [ ] run on image
-* [ ] run with SCA-layer default settings (see SCA_AVAILABLE_MODULES)
-
-## Requires
-
-* [x] requires online access
-
-## Known error-IDs
-
-* retire.retire.knownVulnerability - a known vulnerability was found
-
-## Checking scope
-
-* [x] security
-* [ ] functional defects
-* [ ] compliance
-* [ ] style issues
-
-## Statistics
-
-* ⬛⬛⬛⬛⬜⬜⬜⬜⬜⬜ 04/10 Build Speed
-* ⬛⬛⬛⬛⬛⬛⬛⬛⬛⬛ 10/10 Execution Speed
-* ⬛⬛⬛⬛⬛⬛⬛⬛⬜⬜ 08/10 Quality
-
-## Score mapping
-
-### Error considered as security relevant
-
-* retire.retire.knownVulnerability
-
-### Error considered as functional defect
-
-* n.a.
-
-### Error consired as compliance issue
-
-* n.a.
-
-### Error considered as style issue
-
-* n.a.
diff --git a/dynamic-distro/scatest/code-from-elsewhere/cspell_2.0.3.bb b/dynamic-distro/scatest/code-from-elsewhere/cspell_2.0.3.bb
index 5ce21427ed..857b79e0e2 100644
--- a/dynamic-distro/scatest/code-from-elsewhere/cspell_2.0.3.bb
+++ b/dynamic-distro/scatest/code-from-elsewhere/cspell_2.0.3.bb
@@ -14,4 +14,4 @@ inherit sca
 SCA_BLACKLIST_proselint += "${PN}"
-SCA_ENABLED_MODULES = "bitbake retire"
+SCA_ENABLED_MODULES = "bitbake"
diff --git a/files/module_list.csv b/files/module_list.csv
index d057c65ae5..0df4eeaff7 100644
--- a/files/module_list.csv
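Review bot: After the cspell_2.0.3.bb hunk the test recipe under dynamic-distro/scatest/code-from-elsewhere enables only `bitbake`, so it presumably no longer exercises the NPM code it was pulled in for; either drop the recipe or state its remaining purpose with a comment such as `# retire support was removed; recipe kept only for bitbake-module coverage`. The same commit removes the only module listed for JavaScript/NPM known-vulnerability checks (the retire rows in README.md and files/module_list.csv, and retire in test/lang_metaoe.txt) without naming a replacement, so JS dependencies in recipes are no longer checked against known vulnerabilities by this layer. That coverage gap is worth recording in the README module table or a changelog entry rather than leaving it implicit in the deletions.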
+++ b/files/module_list.csv
@@ -48,7 +48,6 @@ pylint,Python linter,https://github.com/PyCQA/pylint,,,x,x,,,x,,,,,,,,,,,,,x,x
 pysymcheck,Check binaries for forbidden function usage,https://github.com/priv-kweihmann/pysymbolcheck,,,,x,,,,,,,,,,,,x,,,x,,
 rats,Check on insecurities in several languages,https://github.com/redNixon/rats,,,,x,,x,x,x,,x,,,,,,,,,x,,
 reconbf,security audit tool,https://github.com/HewlettPackard/reconbf,,,x,,,,,,,,,x,,,,,,,x,,
-retire,Check for known vulnerabilities in javascript and NPM,https://retirejs.github.io/retire.js/,"meta-oe, manual enable",x,,x,,,,,x,,,,,,,,x,,x,,
 reuse,Scan code for license information,https://github.com/fsfe/reuse-tool,,,,x,,,,,,,,,,,,,,x,x,,
 revive,GO linter,https://github.com/mgechev/revive,,,,x,,,,,,,x,,,,,,,,,x,x
 ropgadget,Determine ROP exploitability in binaries,https://github.com/JonathanSalwan/ROPgadget,manual enable,,,x,,,,,,,,,,,,x,,,x,,
diff --git a/recipes-sca-rules/sca-recipe-retire-rules-native/files/fatal b/recipes-sca-rules/sca-recipe-retire-rules-native/files/fatal
deleted file mode 100755
index e69de29bb2..0000000000
diff --git a/recipes-sca-rules/sca-recipe-retire-rules-native/sca-recipe-retire-rules-native_1.0.bb b/recipes-sca-rules/sca-recipe-retire-rules-native/sca-recipe-retire-rules-native_1.0.bb
deleted file mode 100755
index 80cfad6f2e..0000000000
--- a/recipes-sca-rules/sca-recipe-retire-rules-native/sca-recipe-retire-rules-native_1.0.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-SUMMARY = "SCA ruleset for retire at recipes"
-DESCRIPTION = "Rules to configure how retire is affecting the build"
-
-DEFAULT_PREFERENCE = "${SCA_DEFAULT_PREFERENCE}"
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://${SCA_LAYERDIR}/LICENSE;md5=a4a2bbea1db029f21b3a328c7a059172"
-
-SRC_URI = "file://fatal"
-
-inherit native
-
-do_install() {
-    install -d "${D}${datadir}"
-    install "${WORKDIR}/fatal" "${D}${datadir}/retire-recipe-fatal"
-}
-
-FILES:${PN} = "${datadir}"
diff --git a/recipes-sca/retire-native/files/retire.sca.description b/recipes-sca/retire-native/files/retire.sca.description
deleted file mode 100644
index 68aa1b32bc..0000000000
--- a/recipes-sca/retire-native/files/retire.sca.description
+++ /dev/null
@@ -1,30 +0,0 @@
-{
-    "buildspeed": 4,
-    "execspeed": 10,
-    "languages": [
-        "javascript"
-    ],
-    "uses": [
-        "@npm"
-    ],
-    "online": true,
-    "quality": 8,
-    "scope": [
-        "security"
-    ],
-    "score": {
-        "security": [
-            "retire.retire..*"
-        ]
-    },
-    "test": {
-        "integration": [
-            {"cmd": ["retire", "-h"], "returncode": 0}
-        ],
-        "findings": [
-        ],
-        "no-findings": [
-            "busybox"
-        ]
-    }
-}
\ No newline at end of file
diff --git a/recipes-sca/retire-native/retire-native_1.0.bb b/recipes-sca/retire-native/retire-native_1.0.bb
deleted file mode 100644
index f70db1a4bf..0000000000
--- a/recipes-sca/retire-native/retire-native_1.0.bb
+++ /dev/null
@@ -1,12 +0,0 @@
-SUMMARY = "sca definition for retire"
-
-DEFAULT_PREFERENCE = "${SCA_DEFAULT_PREFERENCE}"
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://${SCA_LAYERDIR}/LICENSE;md5=a4a2bbea1db029f21b3a328c7a059172"
-
-DEPENDS += "npm-retire-native"
-
-inherit sca-description
-inherit native
-
-SCA_TOOL_DESCRIPTION = "retire"
diff --git a/test/lang_metaoe.txt b/test/lang_metaoe.txt
index ef177ddac2..c3b6a070ec 100644
--- a/test/lang_metaoe.txt
+++ b/test/lang_metaoe.txt
@@ -1,4 +1,3 @@
-retire
 secretlint
 standard
 stylelint