If you're interested in using this layer, let me know where it should go next: vote here for upcoming features.
This layer offers a set of static code analysis tools that can be easily configured and integrated into the Yocto/OpenEmbedded build system. The layer is designed to be easy to integrate and fully configurable. All results are stored in SCA_EXPORT_DIR (which defaults to ${DEPLOY_DIR_IMAGE}/sca), both in the raw format of the corresponding tool and in checkstyle format, so any result file can easily be consumed by e.g. Jenkins or other CI tools.
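The checkstyle-format files mentioned above are what makes CI integration straightforward. The following script is an added example, not part of meta-sca: it parses checkstyle XML (the `<checkstyle><file><error .../></file></checkstyle>` structure), counts findings per severity and per tool, and exits non-zero when any finding of a chosen severity is present, which is the usual way to gate a pipeline. The sample findings embedded in it are constructed for illustration; the file naming under SCA_EXPORT_DIR and the convention that the `source` attribute starts with the tool name are assumptions, not documented behaviour of the layer.

```python
"""Summarise checkstyle-format SCA results and gate a CI job on them.

Added example, not part of meta-sca. It assumes only what the README
states: results live under SCA_EXPORT_DIR (default
${DEPLOY_DIR_IMAGE}/sca) and each tool also writes a checkstyle XML file.
The sample findings, the '<tool>.<check>' convention for the 'source'
attribute and the severity threshold below are constructed assumptions.
"""
import glob
import os
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in checkstyle format. These are not real findings
# from any project; file names and messages are made up.
SAMPLE_CHECKSTYLE = """<?xml version="1.0" encoding="UTF-8"?>
<checkstyle version="4.3">
  <file name="/work/example-pkg/src/util.c">
    <error line="120" column="5" severity="warning"
           message="Buffer accessed out of bounds" source="cppcheck.bufferAccessOutOfBounds"/>
    <error line="301" column="1" severity="info"
           message="Variable 'tmp' is unused" source="cppcheck.unusedVariable"/>
  </file>
  <file name="/work/example-pkg/scripts/install.sh">
    <error line="12" column="7" severity="error"
           message="Use $(...) instead of legacy backticks" source="shellcheck.SC2006"/>
  </file>
</checkstyle>
"""


def parse_checkstyle(xml_text):
    """Return a list of (file, line, severity, source, message) tuples."""
    root = ET.fromstring(xml_text)
    if root.tag != "checkstyle":
        raise ValueError("not a checkstyle document, root element is %r" % root.tag)
    findings = []
    for file_el in root.iter("file"):
        fname = file_el.get("name", "")
        for err in file_el.iter("error"):
            findings.append((
                fname,
                int(err.get("line") or 0),
                (err.get("severity") or "info").lower(),
                err.get("source", ""),
                err.get("message", ""),
            ))
    return findings


def summarize(findings):
    """Count findings per severity and per tool (assumed prefix of 'source')."""
    by_severity = Counter(f[2] for f in findings)
    by_tool = Counter(f[3].split(".", 1)[0] or "unknown" for f in findings)
    return by_severity, by_tool


def should_fail(findings, fail_on=("error",)):
    """CI gate: True if any finding carries a severity listed in fail_on."""
    return any(f[2] in fail_on for f in findings)


def collect_export_dir(export_dir):
    """Parse every checkstyle XML file below SCA_EXPORT_DIR (recursively).

    Raw-format files that happen to end in .xml but are not checkstyle
    documents are skipped instead of aborting the whole run.
    """
    findings = []
    pattern = os.path.join(export_dir, "**", "*.xml")
    for path in sorted(glob.glob(pattern, recursive=True)):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        try:
            findings.extend(parse_checkstyle(text))
        except (ET.ParseError, ValueError):
            continue
    return findings


if __name__ == "__main__":
    # Usage: sca_gate.py [SCA_EXPORT_DIR]; without an argument the
    # constructed sample is used so the script runs offline.
    found = collect_export_dir(sys.argv[1]) if len(sys.argv) > 1 \
        else parse_checkstyle(SAMPLE_CHECKSTYLE)
    severities, tools = summarize(found)
    for sev, n in sorted(severities.items()):
        print("%-8s %d" % (sev, n))
    for tool, n in sorted(tools.items()):
        print("tool %-12s %d" % (tool, n))
    sys.exit(1 if should_fail(found) else 0)
```

Pointing the script at the real SCA_EXPORT_DIR of a build turns it into a one-line pipeline step; raising `fail_on` to `("error", "warning")` once the initial backlog is cleaned up is the natural way to tighten the gate over time.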
This project is meant to stay, and first of all it is for you! As long as it is technically possible you can expect package updates and bugfixes to this layer for all poky releases after thud.
It is advised to use the tagged source versions in a productive environment.
You can expect a new tagged build every 4-6 weeks. Planning is done by milestone features on GitHub.
If there is a technical issue that might break backward compatibility, it will be mentioned in the release notes of the corresponding milestone release.
As in every community project, feedback is always welcome.
This layer provides only open source tools. The layer itself is licensed under BSD.
This layer provides only -native tools, so none of the built binaries will be deployed to your target. Everything happens on the build machine.
You need the current standard poky layer installed in your local build environment.
In your bblayers.conf file add the following line:
```
BBLAYERS += "<full path to sca-layer>/meta-sca"
```
The layer can check on recipe level or on image level. On image level the whole root filesystem can be taken into account, which in most cases is not possible on recipe level. On the other hand some static code analysis does not make any sense on image level, so this layer has different tools available for each level. In square brackets the corresponding setting in this layer is given.
Module | C/C++ | Python | Shell | Javascript | PHP | Go | Images | Spelling | Metrics | Packages | Other Formats | Security scope | Functional scope | Style scope |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
alexkohler | ✓ | ✓ | ||||||||||||
ansible | ✓ | ✓ | ||||||||||||
ansiblelint | ✓ | ✓ | ✓ | ✓ | ||||||||||
bandit | ✓ | ✓ | ||||||||||||
bashate | ✓ | ✓ | ✓ | |||||||||||
bitbake | ✓ | ✓ | ||||||||||||
checkbashism | ✓ | ✓ | ✓ | |||||||||||
clang | ✓ | ✓ | ||||||||||||
cppcheck | ✓ | ✓ | ✓ | ✓ | ||||||||||
cpplint | ✓ | ✓ | ✓ | ✓ | ||||||||||
cqmetrics | ✓ | ✓ | ✓ | |||||||||||
cspell | ✓ | ✓ | ||||||||||||
cvecheck | ✓ | ✓ | ||||||||||||
darglint | ✓ | ✓ | ||||||||||||
dennis | ✓ | ✓ | ✓ | |||||||||||
detectsecrets | ✓ | ✓ | ||||||||||||
eslint | ✓ | ✓ | ||||||||||||
flake8 | ✓ | ✓ | ✓ | |||||||||||
flint | ✓ | ✓ | ||||||||||||
gcc | ✓ | ✓ | ✓ | |||||||||||
gixy | ✓ | ✓ | ||||||||||||
golint | ✓ | ✓ | ||||||||||||
gosec | ✓ | ✓ | ||||||||||||
govet | ✓ | ✓ | ||||||||||||
htmllint | ✓ | ✓ | ✓ | |||||||||||
ikos | ✓ | ✓ | ||||||||||||
jsonlint | ✓ | ✓ | ||||||||||||
kconfighard | ✓ | ✓ | ✓ | |||||||||||
npmaudit | ✓ | ✓ | ||||||||||||
mypy | ✓ | ✓ | ||||||||||||
oclint | ✓ | ✓ | ||||||||||||
oelint | ✓ | ✓ | ||||||||||||
phan | ✓ | ✓ | ||||||||||||
phpcodefixer | ✓ | ✓ | ||||||||||||
phpstan | ✓ | ✓ | ||||||||||||
progpilot | ✓ | ✓ | ||||||||||||
proselint | ✓ | ✓ | ||||||||||||
pyfindinjection | ✓ | ✓ | ||||||||||||
pylint | ✓ | ✓ | ✓ | |||||||||||
pysymcheck | ✓ | ✓ | ||||||||||||
pytype | ✓ | ✓ | ||||||||||||
radon | ✓ | ✓ | ✓ | |||||||||||
rats | ✓ | ✓ | ✓ | ✓ | ||||||||||
retire | ✓ | ✓ | ||||||||||||
revive | ✓ | ✓ | ✓ | |||||||||||
ropgadget | ✓ | ✓ | ||||||||||||
safety | ✓ | ✓ | ||||||||||||
shellcheck | ✓ | ✓ | ✓ | |||||||||||
sparse | ✓ | ✓ | ||||||||||||
splint | ✓ | ✓ | ✓ | ✓ | ||||||||||
standard | ✓ | ✓ | ✓ | |||||||||||
stank | ✓ | ✓ | ✓ | |||||||||||
stylelint | ✓ | ✓ | ||||||||||||
systemdlint | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||||
textlint | ✓ | ✓ | ||||||||||||
tlv | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
tscancode | ✓ | ✓ | ||||||||||||
vulture | ✓ | ✓ | ||||||||||||
wotan | ✓ | ✓ | ✓ | |||||||||||
xmllint | ✓ | ✓ | ||||||||||||
yamllint | ✓ | ✓ | ||||||||||||
zrd | ✓ | ✓ |
Tools available on image level:
- ansible (security) [ansible]
- ansible-lint (ansible) [ansiblelint]
- bandit (python/security) [bandit]
- bashate (shell) [bashate]
- checkbashisms (shell) [checkbashism]
- bitbake (handle bitbake issues) [bitbake]
- detect-secrets (detecting and preventing secrets in code) [detectsecrets]
- eslint (javascript/html) [eslint]
- flake8 (python) [flake8]
- gixy (nginx-config security) [gixy]
- htmlhint (html) [htmlhint]
- image-summary (aggregate all findings for package in an image) [image-summary]
- json-parser (json) [jsonlint]
- mypy (python) [mypy]
- oelint-adv (linting bitbake recipes) [oelint]
- proselint (spelling) [proselint]
- py-find-injection (find SQL injections in python) [pyfindinjection]
- pylint (python) [pylint]
- shellcheck (shell) [shellcheck]
- standard (javascript) [standard]
- stank (shell) [stank]
- stylelint (css, scss) [stylelint]
- systemdlint (systemd) [systemdlint]
- tlv (duplicate code) [tlv] disabled by default
- vulture (python) [vulture]
- wotan (javascript, typescript) [wotan]
- xmllint (xml) [xmllint]
- yamllint (yaml) [yamllint]
Tools available on recipe level:
- alexkohler (different tools for go) [alexkohler]
- ansible-lint (ansible) [ansiblelint]
- bandit (python/security) [bandit]
- bashate (shell) [bashate]
- bitbake (handle bitbake issues) [bitbake]
- checkbashisms (shell) [checkbashism]
- clang-tidy (c/c++) [clang] disabled by default
- cppcheck (c/c++) [cppcheck]
- cpplint (c/c++) [cpplint]
- cqmetrics (metrics for c/c++) [cqmetrics]
- cspell (spelling in c/c++/html/python/txt/md) [cspell]
- cve-check (check for unpatched cve's) [cvecheck]
- darglint (python-docstrings) [darglint]
- dennis (i18n) [dennis]
- detect-secrets (detecting and preventing secrets in code) [detectsecrets]
- eslint (javascript/html) [eslint]
- flake8 (python) [flake8]
- flint++ (c/c++) [flint]
- gcc (getting compiler warnings/errors) [gcc]
- golint (go) [golint]
- gosec (go) [gosec]
- govet (go) [govet]
- htmlhint (html) [htmlhint]
- ikos (c) [ikos] disabled by default
- json-parser (json) [jsonlint]
- kconfig-hardened-check (check hardening of kernel) [kconfighard]
- npmaudit (check for security vulnerabilities in npm packages) [npmaudit]
- mypy (python) [mypy]
- oclint (c/c++/obj-c) [oclint] disabled by default
- oelint-adv (linting bitbake recipes) [oelint]
- py-find-injection (find SQL injections in python) [pyfindinjection]
- phan (PHP) [phan] disabled by default
- phpcodefixer (PHP) [phpcodefixer] disabled by default
- phpstan (PHP) [phpstan] disabled by default
- progpilot (PHP) [progpilot] disabled by default
- proselint (spelling) [proselint]
- pylint (python) [pylint]
- pysymbolcheck (check elf-files for used functions) [pysymcheck]
- pytype (python) [pytype]
- radon (metrics for python) [radon]
- rats (security for c/php/python/perl/ruby) [rats]
- retire (javascript, npm) [retire]
- revive (go) [revive]
- ropgadget (determine exploitability with ROP in binary) [ropgadget]
- safety (python packages) [safety]
- score (calculate a score for a module, like pylint does) [score] disabled by default
- sparse (C) [sparse]
- splint (C) [splint]
- shellcheck (shell) [shellcheck]
- standard (javascript) [standard]
- stank (shell) [stank]
- stylelint (css, scss) [stylelint]
- textlint (spelling) [textlint]
- tlv (duplicate code) [tlv] disabled by default
- tscancode (c,c#,lua) [tscancode]
- vulture (python) [vulture]
- wotan (javascript, typescript) [wotan]
- xmllint [xmllint]
- yamllint (yaml) [yamllint]
- zeroresourcedetector (g18n/i18n) [zrd]
Each tool has its own benefits and flaws, so don't be mad if you have 10k+ findings on the initial run.
To make the integration of the clang or ikos module (clang-tidy) work you need to add the meta-clang layer to your bblayers file. Additionally you have to add
```
PREFERRED_VERSION_clang-native = "8.%"
```
to your local.conf file to make it work. Otherwise the build will fail with an error.
To enable the PHP support you need to add the meta-oe layer to your bblayers file. Additionally you have to add
```
PREFERRED_VERSION_libzip-native = "1.%"
PREFERRED_VERSION_php-native = "7.%"
```
to your local.conf file to make it work. Otherwise the build will fail with an error.
Further documentation is available on the following topics:
- Global Configuration
- Blacklisting sources
- Configuration wizard
- Custom severity
- Enable SCA locally/globally
- Fatal findings
- Filter findings
- Filter out files to check
- Suppress findings
- Tools
- alexkohler
- ansible
- ansiblelint
- bandit
- bashate
- bitbake
- checkbashism
- clang
- cppcheck
- cpplint
- cqmetrics
- cspell
- cvecheck
- darglint
- dennis
- detectsecrets
- eslint
- flake8
- flint++
- gcc
- gixy
- golint
- gosec
- govet
- htmlhint
- ikos
- jsonlint
- kconfighard
- npmaudit
- mypy
- oclint
- oelint
- phan
- phpcodefixers
- phpstan
- progpilot
- proselint
- pyfindinjection
- pylint
- pysymcheck
- pytype
- radon
- rats
- retire
- revive
- ropgadget
- safety
- sparse
- splint
- shellcheck
- standard
- stank
- stylelint
- systemdlint
- textlint
- tlv
- tscancode
- vulture
- wotan
- xmllint
- yamllint
- zrd
- Extra modes
- Configuration Examples
- Results
- Build system integration
- Control via command line
- Jenkins integration
- Application notes
- Case studies
Feel free to create a pull request or open an issue if you think there is something wrong or missing.