meta-sca

For the list of current findings from pipelines see meta-sca report

Table of content

Purpose
Getting started
Installation
Web monitor
Support
- Release cycle
  - Releases
- Compatibility
Licensing
Zero impact
Available tools
- Overview of tools
Further documentation
Contributing
- Get involved
- Security Policy

Purpose

Purpose of this layer is to provide a proper set of static analysis tools for your YOCTO build. All provided tools can be easily configured and integrated into any CI service (like e.g. Jenkins).

All results are stored to SCA_EXPORT_DIR (which defaults to ${DEPLOY_DIR_IMAGE}/sca). The results will be stored in the raw-format of the corresponding tool and in checkstyle-format.

Getting started

For a quick start how to use this layer see getting started guide

Installation

To install clone the needed branch(es) to any path on your local system.

Prerequisites

You need the current standard poky-layer installed onto your local build environment.
You need at least python 3.5 to be installed on your build host.
You need glib-2.0-dev package installed on your build host (used for e.g. configcheck, lynis, tiger, upc)

Use of containers

It is recommended to use privkweihmann/yocto-sca-minimal:latest docker container for building, which has all necessary requirements already installed.

Setup

In your bblayers.conf-file add the following line

BBLAYERS += "<full path to sca-layer>/meta-sca"

or with poky layer already setup run in shell

bitbake-layers add-layer "<full path to sca-layer>/meta-sca"

Optional layer

meta-clang

To make the integration of clang (clang-tidy) work you need to add the meta-clang layer to your bblayer-file.

meta-oe

To enable the php/lua support you need to add the meta-oe layer to your bblayer-file.

meta-rubygems

To enable the ruby support you need to add the meta-rubygems layer to your bblayer-file.

Web monitor

If you're not quite convinced what this layer can do for you, have a look at the web monitor, where all findings from the layer CI pipelines are publically available.

Support

Actively maintained branches will receive feature and package updates according to the release cycle. Unmaintained branches will only receive package updates on demand.

Status of the branches is described at SECURITY.md.

It's advised to use the tagged source versions in productive environment.

Release cycle

You can expect a new tagged build every 4-6 weeks for every actively maintained branch. Planning is done by milestone features on GitHub.

Releases

See SECURITY.md for details

Compatibility

If there is a technical issue that might break backward compatibility it will be mentioned in release note of the corresponding milestone release.

Licensing

This layer does only provide open source tools. The layer itself is licensed under BSD.

If individual files are licensed under different terms, terms and conditions can be found in the individual file header

Zero impact

This layer provides only -native tools, so actually none of the build binaries will be deployed to your target. Everything happens on the build machine.

There are some excludes to this rule (e.g. lynis) as they need to be cross-compiled to make use of them, nevertheless none of these tools will be installed automatically to your build.

Available tools

The layer can check on a recipe-level or on an image-level.

On image-level the whole root-filesystem could be taken into account, which in most cases can't be granted on a recipe-level.
On the other hand some static code analysis does not make any sense on an image-level - so this layer does have different tools for both level available.

Overview of tools

Module	Description	Homepage	Requires	Requires inet	Run on image	Run on recipe	C	C++	Python	Shell	Javascript	PHP	Go	Images	LUA	Spelling	Metrics	Binaries	Packages	Other formats	Security scope	Functional scope	Style scope
alexkohler	Suite of GO analysis tools	https://github.com/alexkohler				x							x										x
ansible	Hardening of images with ansible				x									x							x
ansiblelint	Linter for ansible playbooks	https://github.com/ansible/ansible-lint			x	x														x	x	x	x
ansibleroles	Hardening of images with 3rd party ansible roles	e.g. https://github.com/dev-sec			x									x							x
bandit	Scan python code for insecurities	https://github.com/PyCQA/bandit			x	x			x												x
bashate	Shell script linter	http://docs.openstack.org/developer/bashate/			x	x				x												x	x
bitbake	Bitbake issue handling				x	x													x			x	x
cbmc	C Bounded Model Checker	https://github.com/diffblue/cbmc/		x		x	x															x
checkbashisms	Shell script linter	https://manpages.debian.org/jessie/devscripts/checkbashisms.1.en.html			x	x				x												x	x
checksec	check on security issues	https://github.com/slimm609/checksec.sh			x									x							x
clang	C/C++ linter using LLVM	https://clang.llvm.org/extra/clang-tidy/	meta-clang, manual enable				x	x	x														x
configcheck	Check application configurations				x															x		x
cppcheck	C/C++ linter	https://github.com/danmar/cppcheck				x	x	x													x	x	x
cpplint	C/C++ linter	https://github.com/cpplint/cpplint				x	x	x													x	x	x
cspell	Spelling linter	https://github.com/Jason3S/cspell		x		x										x							x
cvecheck	Check for unpatched CVEs	https://github.com/clearlinux/cve-check-tool	manual enable	x		x													x		x
darglint	Python docstring linter	https://github.com/terrencepreilly/darglint				x			x														x
dennis	I18N linter	https://github.com/willkg/dennis/				x														x		x	x
detectsecrets	Detect hardcoded secrets in code	https://github.com/Yelp/detect-secrets			x	x													x		x	x
eslint	Javascript linter	https://github.com/eslint/eslint		x	x	x					x											x
flake8	Python linter	http://flake8.pycqa.org/en/latest/			x	x			x													x	x
flawfinder	C/C++ security linter	https://github.com/david-a-wheeler/flawfinder				x	x	x													x
flint	C/C++ linter	https://github.com/JossWhittle/FlintPlusPlus				x	x	x														x
gcc	GCC compiler issues and hardening					x	x	x													x	x
gixy	NGINX config security linter	https://github.com/yandex/gixy			x															x	x
goconsistent	make your Go programs more consistent	https://github.com/quasilyte/go-consistent				x							x										x
goconst	Find variables that could be constants in GO files	https://github.com/jgautheron/goconst				x							x										x
golicensecheck	Scan code for license information	https://github.com/go-enry/go-license-detector				x														x	x
golint	GO linter	https://github.com/golang/lint				x							x										x
gosec	GO security linter	https://github.com/securego/gosec				x							x								x
htmlhint	HTML linter	https://github.com/htmlhint/HTMLHint		x	x	x														x		x
image-summary	Aggregate all findings for package in an image				x														x		x	x	x
inspec	framework for end-to-end infrastructure tests	https://github.com/inspec/inspec	meta-oe, meta-rubygems, manual enable		x									x							x
jshint	Javascript linter	https://github.com/jshint/jshint		x	x	x					x											x	x
jsonlint	JSON file linter				x	x														x		x
kconfighard	Kernel config hardening checker	https://github.com/a13xp0p0v/kconfig-hardened-check				x														x	x
licensecheck	Scan code for license information	https://github.com/boyter/lc				x														x	x
looong	Find functions with too long arglists	https://github.com/anapaulagomes/looong				x			x														x
lse	check on security issues	https://github.com/diego-treitos/linux-smart-enumeration			x									x							x
luacheck	LUA linter	https://github.com/mpeterv/luacheck	meta-oe, manual enable	x		x									x							x
lynis	Auditing tool for images	https://github.com/CISOfy/lynis			x									x							x
msgcheck	I18n linter	https://github.com/codingjoe/msgcheck				x														x			x
multimetric	Coding metrics	https://github.com/priv-kweihmann/multimetric	manual enable		x	x	x	x	x		x	x	x		x		x						x
mypy	Python linter	https://github.com/python/mypy			x	x			x													x
nixauditor	Auditing tool for images	https://github.com/XalfiE/Nix-Auditor			x									x							x
npmaudit	NPM package auditor	https://docs.npmjs.com/cli/audit		x		x														x	x
oelint	Bitbake recipe linter	https://github.com/priv-kweihmann/oelint-adv			x	x														x			x
perl	Perl warnings check					x														x		x
perlcritic	Perl linter	https://metacpan.org/pod/perlcritic				x														x		x
phan	PHP linter	https://github.com/phan/phan	meta-oe, manual enable	x		x						x											x
phpcodefixer	Find deprecated PHP functions	https://github.com/wapmorgan/PhpCodeFixer	meta-oe, manual enable	x		x						x										x
phpcodesniffer	PHP Js and CSS linter	https://github.com/squizlabs/PHP_CodeSniffer	meta-oe, manual enable	x		x						x
phpmd	PHP Linter	https://github.com/phpmd/phpmd	meta-oe, manual enable	x		x						x										x	x
phpsecaudit	Find vulnerabilities in PHP code	https://github.com/FloeDesignTechnologies/phpcs-security-audit	meta-oe, manual enable	x		x						x									x
phpstan	PHP linter	https://github.com/phpstan/phpstan	meta-oe, manual enable	x		x						x											x
pkgqaenc	Enhanced packge QA					x													x		x
progpilot	PHP linter with security focus	https://github.com/designsecurity/progpilot	meta-oe, manual enable	x		x						x										x
proselint	Spelling and text linter	https://github.com/amperser/proselint/			x	x										x							x
protolint	Lint protobuf files	https://github.com/yoheimuta/protolint				x										x				x			x
pscan	Find insecure printfs	http://deployingradius.com/pscan/				x	x															x
pyfindinjection	Find SQL injections in python code	https://github.com/uber/py-find-injection			x	x			x												x
pylint	Python linter	https://github.com/PyCQA/pylint			x	x			x													x	x
pyright	Python type linter	https://github.com/Microsoft/pyright		x		x			x													x
pysymcheck	Check binaries for forbidden function usage	https://github.com/priv-kweihmann/pysymbolcheck				x												x			x
pytype	Python linter using type-annotations	https://github.com/google/pytype		x		x			x													x
rats	Check on insecurities in several languages	https://github.com/redNixon/rats				x		x	x	x		x									x
reconbf	security audit tool	https://github.com/HewlettPackard/reconbf			x									x							x
reek	Code smell detector for Ruby	https://github.com/troessner/reek	meta-rubygems, manual enable			x														x			x
retire	Check for known vulnerabilities in javascript and NPM	https://retirejs.github.io/retire.js/		x		x					x								x		x
reuse	Scan code for license information	https://github.com/fsfe/reuse-tool				x														x	x
revive	GO linter	https://github.com/mgechev/revive				x							x									x	x
ropgadget	Determine ROP exploitability in binaries	https://github.com/JonathanSalwan/ROPgadget	manual enable			x												x			x
rubycritic	Ruby linter	https://github.com/whitesmith/rubycritic/	meta-rubygems, manual enable			x														x			x
safety	Check for known vulnerabilities in python-packages	https://github.com/pyupio/safety				x			x										x		x
scancode	Scan code for license information	https://github.com/nexB/scancode-toolkit				x														x	x
secretlint	Tool to prevent committing credential	https://github.com/secretlint/secretlint			x	x														x	x
semgrep	Pattern based linting for many formats and languages	https://github.com/returntocorp/semgrep	only avaiable for x86-64 hosts			x	x	x	x		x	x	x							x		x
setuptoolslint	Lint python-setup.py	https://github.com/johnnoone/setuptools-pylint				x			x													x
shellcheck	Shell script linter	https://github.com/koalaman/shellcheck			x	x				x												x	x
slick	Shell script linter	https://github.com/mcandre/slick			x	x				x												x
sparse	C linter	https://sparse.wiki.kernel.org/index.php/Main_Page				x	x															x
standard	Javascript linter	https://github.com/standard/standard		x	x	x					x											x	x
stank	Shell script linter	https://github.com/mcandre/stank			x	x				x												x	x
stylelint	CSS/SCSS linter	https://github.com/stylelint/stylelint			x	x														x			x
sudokiller	check on sudo	https://github.com/TH3xACE/SUDO_KILLER			x									x							x
systemdlint	Systemd unit linter	https://github.com/priv-kweihmann/systemdlint			x	x														x	x	x	x
textlint	Spelling and text linter	https://github.com/textlint/textlint		x		x										x							x
tiger	security audit and intrusion detection tool	http://www.nongnu.org/tiger/			x									x							x
tlv	Find duplicate code	https://github.com/priv-kweihmann/tlv	manual enable		x	x	x	x	x		x	x	x								x		x
tscancode	C and lua linter	https://github.com/Tencent/TscanCode				x	x															x
upc	check for simple privilege escalation vectors	https://github.com/pentestmonkey/unix-privesc-check			x									x							x
vulture	Find dead python code	https://github.com/jendrikseipp/vulture			x	x			x													x
wotan	Typescript/javascript linter	https://github.com/fimbullinter/wotan		x	x	x					x											x	x
xmllint	XML linter	http://xmlsoft.org/xmllint.html			x	x														x		x
yamllint	YAML linter	https://github.com/adrienverge/yamllint			x	x														x			x
yara	Find suspicious pattern in binaries	https://github.com/VirusTotal/yara			x									x							x

each tool does have it's own benefits and flaws so don't be mad if you have 10k+ findings on the initial run.

Further documentation

Global Configuration
- Blacklisting sources
- Configuration wizard
- Custom severity
- Enable SCA locally/globally
- Fatal findings
- Filter findings
- Filter out files to check
- Output formats
- Suppress findings
- Trace source files
- Tools
  - alexkohler
  - ansible
  - ansiblelint
  - ansibleroles
  - bandit
  - bashate
  - bitbake
  - cbmc
  - checkbashism
  - checksec
  - clang
  - configcheck
  - cppcheck
  - cpplint
  - cspell
  - cvecheck
  - darglint
  - dennis
  - detectsecrets
  - eslint
  - flake8
  - flawfinder
  - flint++
  - gcc
  - gixy
  - goconsistent
  - goconst
  - golicensecheck
  - golint
  - gosec
  - htmlhint
  - inspec
  - jshint
  - jsonlint
  - kconfighard
  - licensecheck
  - looong
  - lse
  - luacheck
  - lynis
  - msgcheck
  - multimetric
  - mypy
  - nixauditor
  - npmaudit
  - oelint
  - perl
  - perlcritic
  - phan
  - phpcodefixer
  - phpcodesniffer
  - phpmd
  - phpsecaudit
  - phpstan
  - pkgqaenc
  - progpilot
  - proselint
  - protolint
  - pscan
  - pyfindinjection
  - pylint
  - pyright
  - pysymcheck
  - pytype
  - rats
  - reconbf
  - reek
  - retire
  - reuse
  - revive
  - ropgadget
  - rubycritic
  - safety
  - scancode
  - secretlint
  - semgrep
  - setuptoolslint
  - shellcheck
  - slick
  - sparse
  - standard
  - stank
  - stylelint
  - sudokiller
  - systemdlint
  - textlint
  - tiger
  - tlv
  - tscancode
  - upc
  - vulture
  - wotan
  - xmllint
  - yamllint
  - yara
- Extra modes
  - BestOf
  - Image Summary
Configuration Examples
Results
Build system integration
- Control via command-line
- Jenkins integration
  - Basic jenkins integration
  - Parameterized jenkins build
Application notes
Case studies
- Regression on severe code issues
- Idenfying hardening and security potential

Contributing

Please see the detailed contribution guideline for details

Get involved

To get involved following things can be done

create an issue
fix an issue and create a pull request
see the pinned issues in the bugtracker

Security Policy

For the project's security policy please see here

bachp / meta-sca