opensourcemirror
/
fdroid-server
mirror of https://gitlab.com/fdroid/fdroidserver.git
1
0
Fork 0
Code Issues Releases Wiki Activity
fdroid-server/fdroidserver/scanner.py

455 lines
18 KiB
Python
Raw Normal View History

Switch all headers to python3
2016-01-04 16:33:20 +01:00
#!/usr/bin/env python3
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
#
# scanner.py - part of the FDroid server tools
Handle repo config in a more sensible way
2013-10-31 16:37:39 +01:00
# Copyright (C) 2010-13, Ciaran Gultnieks, ciaran@ciarang.com
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
scanner: ignore well known image types that are set executable
2020-06-03 14:34:21 +02:00
import imghdr
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
import json
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
import os
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
import re
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
import sys
Various fixes and improvements, and git-svn support
2012-01-04 22:37:11 +01:00
import traceback
replace deprecated optparse with argparse following guidelines from: https://docs.python.org/2/library/argparse.html#upgrading-optparse-code except, still using option = parse.parse_args() instead of args = ... - using the following script in folder fdroidserver: for i in *.py; do sed -i -e 's/optparse/argparse/' \ -e 's/OptionParser/ArgumentParser/' \ -e 's/OptionError/ArgumentError/' \ -e 's/add_option/add_argument/' \ -e 's/(options, args) = parser/options = parser/' \ -e 's/options, args = parser/options = parser/' \ -e 's/Usage: %prog/%(prog)s/' $i; done - use ArgumentParser argument to replace (option, args) = parser.parse() call - use parser.error(msg) instead of raise ArgumentException as suggested in https://docs.python.org/2/library/argparse.html#exiting-methods - in fdroid catch ArgumentError instead of OptionError
2015-09-04 11:37:05 +02:00
from argparse import ArgumentParser
Half-way done switching prints for logs
2014-01-27 16:56:55 +01:00
import logging
scanner: properly combine all gradle compile commands with flavors
2018-07-25 18:59:22 +02:00
import itertools
Half-way done switching prints for logs
2014-01-27 16:56:55 +01:00
implement gettext localization This allows all the text to be localized via Weblate. This is a quick overview of all the strings, but there are certainly some that were left out. closes #342
2017-09-13 18:03:57 +02:00
from . import _
Port all imports to python3
2016-01-04 17:37:35 +01:00
from . import common
from . import metadata
Replace sys.exit() in non-main functions by exceptions Also move all exceptions into one module
2017-05-22 21:33:52 +02:00
from .exception import BuildException, VCSException
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
Start rewriting options and config as common.py globals
2013-11-01 12:10:57 +01:00
config = None
options = None
Handle repo config in a more sensible way
2013-10-31 16:37:39 +01:00
scanner: always setup JSON data structure so functions work as API
2020-06-03 15:45:39 +02:00
DEFAULT_JSON_PER_BUILD = {'errors': [], 'warnings': [], 'infos': []}
json_per_build = DEFAULT_JSON_PER_BUILD
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
scanner: fix regex for matching URLs in gradle maven{} blocks closes #465 This script generated gradle-maven-blocks.yaml: ```python import os import re import yaml pat = re.compile(r'\smaven\s*{[^}]+}') finds = set() for root, dirs, files in os.walk('.'): for f in files: if '.gradle' in f: with open(os.path.join(root, f), errors='surrogateescape') as fp: contents = fp.read() for m in pat.findall(contents): finds.add(m) with open('finds.yaml', 'w') as fp: yaml.dump(sorted(finds), fp, default_flow_style=False) ```
2020-06-03 23:40:01 +02:00
MAVEN_URL_REGEX = re.compile(r"""\smaven\s*{.*?(?:setUrl|url)\s*=?\s*(?:uri)?\(?\s*["']?([^\s"']+)["']?[^}]*}""",
re.DOTALL)
fix PEP8 "E302 expected 2 blank lines, found 1"
2014-05-02 05:39:33 +02:00
Rework build into a class This simplifies usage, goes from build['flag'] to build.flag Also makes static analyzers able to detect invalid attributes as the set is now limited in the class definition. As a bonus, setting of the default field values is now done in the constructor, not separately and manually. While at it, unify "build", "thisbuild", "info", "thisinfo", etc into just "build".
2015-11-28 17:55:27 +01:00
def get_gradle_compile_commands(build):
fix PEP8 formatting issue fdroidserver/scanner.py:35:34: E241 multiple spaces after ',' fdroidserver/scanner.py:36:35: E241 multiple spaces after ',' fdroidserver/scanner.py:37:30: E241 multiple spaces after ',' fdroidserver/scanner.py:38:41: E241 multiple spaces after ',' fdroidserver/scanner.py:39:30: E241 multiple spaces after ',' fdroidserver/scanner.py:40:38: E241 multiple spaces after ',' fdroidserver/scanner.py:41:38: E241 multiple spaces after ','
2018-03-08 13:55:07 +01:00
compileCommands = ['compile',
scanner: fix reformatting fail This was broken by 44e8f425d :-(.
2018-07-25 18:05:04 +02:00
'provided',
'apk',
'implementation',
'api',
'compileOnly',
scanner: properly combine all gradle compile commands with flavors
2018-07-25 18:59:22 +02:00
'runtimeOnly']
buildTypes = ['', 'release']
flavors = ['']
Rework build into a class This simplifies usage, goes from build['flag'] to build.flag Also makes static analyzers able to detect invalid attributes as the set is now limited in the class definition. As a bonus, setting of the default field values is now done in the constructor, not separately and manually. While at it, unify "build", "thisbuild", "info", "thisinfo", etc into just "build".
2015-11-28 17:55:27 +01:00
if build.gradle and build.gradle != ['yes']:
scanner: properly combine all gradle compile commands with flavors
2018-07-25 18:59:22 +02:00
flavors += build.gradle
Added support for gradle flavor specific dependencies in usual suspects check.
2015-09-18 17:22:34 +02:00
scanner: properly combine all gradle compile commands with flavors
2018-07-25 18:59:22 +02:00
commands = [''.join(c) for c in itertools.product(flavors, buildTypes, compileCommands)]
return [re.compile(r'\s*' + c, re.IGNORECASE) for c in commands]
Added support for gradle flavor specific dependencies in usual suspects check.
2015-09-18 17:22:34 +02:00
scanner: add a simple scan for blacklisted classes after build step add com.android.billing to blacklist, see https://gitlab.com/fdroid/fdroiddata/-/issues/2070#note_360611289
2020-06-15 20:03:19 +02:00
def scan_binary(apkfile):
usual_suspects = {
# The `apkanalyzer dex packages` output looks like this:
# M d 1 1 93 <packagename> <other stuff>
# The first column has P/C/M/F for package, class, methos or field
# The second column has x/k/r/d for removed, kept, referenced and defined.
# We already filter for defined only in the apkanalyzer call. 'r' will be
# for things referenced but not distributed in the apk.
exp: re.compile(r'.[\s]*d[\s]*[0-9]*[\s]*[0-9*][\s]*[0-9]*[\s]*' + exp, re.IGNORECASE) for exp in [
r'(com\.google\.firebase[^\s]*)',
r'(com\.google\.android\.gms[^\s]*)',
r'(com\.google\.tagmanager[^\s]*)',
r'(com\.google\.analytics[^\s]*)',
r'(com\.android\.billing[^\s]*)',
]
}
logging.info("Scanning APK for known non-free classes.")
result = common.SdkToolsPopen(["apkanalyzer", "dex", "packages", "--defined-only", apkfile], output=False)
problems = 0
for suspect, regexp in usual_suspects.items():
matches = regexp.findall(result.output)
if matches:
for m in set(matches):
logging.debug("Found class '%s'" % m)
problems += 1
if problems:
logging.critical("Found problems in %s" % apkfile)
return problems
scanner: allow running without versionCode and as API This lets `fdroid scanner my.package.name` run without requiring that the versionCode is also specified. It also allows scanner.scan_source() to be called as a function in the public API of fdroidserver.
2018-01-23 21:55:37 +01:00
def scan_source(build_dir, build=metadata.Build()):
fix pylint unused-argument
2017-04-13 12:30:04 +02:00
"""Scan the source code in the given directory (and all subdirectories)
and return the number of fatal problems encountered
"""
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
count = 0
# Common known non-free blobs (always lower case):
scanner: improve usual suspect output
2015-09-17 02:13:54 +02:00
usual_suspects = {
exp: re.compile(r'.*' + exp, re.IGNORECASE) for exp in [
r'flurryagent',
r'paypal.*mpl',
r'admob.*sdk.*android',
r'google.*ad.*view',
r'google.*admob',
r'google.*play.*services',
r'crittercism',
r'heyzap',
r'jpct.*ae',
r'youtube.*android.*player.*api',
r'bugsense',
r'crashlytics',
r'ouya.*sdk',
r'libspen23',
scanner: add firebase to usual suspect list, closes #259
2017-02-23 00:40:55 +01:00
r'firebase',
scanner: add facebook sdk to forbidden libraries These are sourceavailable but not under a free license. I made sure that this matches only the facebook sdk's from here: https://github.com/facebook/facebook-android-sdk and not some real open source libraries by facebook (fresco, stetho, ...). These seem to be under a different namespace. fdroid/fdroidserver#534
2018-07-27 18:01:01 +02:00
r'''["']com.facebook.android['":]''',
Add cloudrail to blacklist
2019-02-07 10:26:03 +01:00
r'cloudrail',
scanner: blacklist Bugly The artifact is licensed under "The Bugly Software License, Version 1.0" [1], but link to the full text [2] is broken. LICENSE file in the source code repository is empty. I guess this library is non-free. [1] https://mvnrepository.com/artifact/com.tencent.bugly/crashreport/2.8.6.0 [2] http://bugly.qq.com/licenses/LICENSE-1.0.txt [3] https://github.com/BuglyDevTeam/Bugly-Android
2019-09-28 06:49:02 +02:00
r'com.tencent.bugly',
scanner: allow microsoft appcenter, except appcenter-push This sdk is open source. It was added because appcenter has a dependency to play-services. It's possible though to build an app using appcenter that doesn't pull in play services, so we can't blanket ban the sdk. The appcenter-push modules has obvious refenrences to firebase, so it's safe to error on that. Ref: https://phabricator.wikimedia.org/T254980
2020-06-11 12:28:52 +02:00
r'appcenter-push',
scanner: improve usual suspect output
2015-09-17 02:13:54 +02:00
]
}
whitelist some open-source firebase libs
2017-12-14 21:58:06 +01:00
whitelisted = [
'firebase-jobdispatcher', # https://github.com/firebase/firebase-jobdispatcher-android/blob/master/LICENSE
'com.firebaseui', # https://github.com/firebase/FirebaseUI-Android/blob/master/LICENSE
'geofire-android' # https://github.com/firebase/geofire-java/blob/master/LICENSE
]
def is_whitelisted(s):
return any(wl in s for wl in whitelisted)
scanner: improve usual suspect output
2015-09-17 02:13:54 +02:00
def suspects_found(s):
Replace iteritems() with items()
2016-01-04 17:02:28 +01:00
for n, r in usual_suspects.items():
whitelist some open-source firebase libs
2017-12-14 21:58:06 +01:00
if r.match(s) and not is_whitelisted(s):
scanner: improve usual suspect output
2015-09-17 02:13:54 +02:00
yield n
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
scanner: only allow HTTPS versions of the whitelist
2019-11-06 09:00:32 +01:00
allowed_repos = [re.compile(r'^https://' + re.escape(repo) + r'/*') for repo in [
scanner: escape urls
2015-10-22 12:22:46 +02:00
'repo1.maven.org/maven2', # mavenCentral()
'jcenter.bintray.com', # jcenter()
'jitpack.io',
scanner: whitelist www.jitpack.io Only the non-www version was recognized so far. Closes #498
2018-06-11 12:40:55 +02:00
'www.jitpack.io',
scanner: allow apache.org maven repo Since it has the same free software and source code publishing requirements that oss.sonatype and maven.org repos have.
2015-10-31 09:59:38 +01:00
'repo.maven.apache.org/maven2',
scanner: allow oss.jfrog.org/artifactory/oss-snapshot-local
2017-02-13 20:24:35 +01:00
'oss.jfrog.org/artifactory/oss-snapshot-local',
scanner: escape urls
2015-10-22 12:22:46 +02:00
'oss.sonatype.org/content/repositories/snapshots',
'oss.sonatype.org/content/repositories/releases',
scanner: allow sonatype groups/public repo See http://central.sonatype.org/pages/ossrh-guide.html
2015-10-22 12:23:57 +02:00
'oss.sonatype.org/content/groups/public',
scanner: Allow clojars.org maven repository See https://github.com/inorichi/tachiyomi/issues/46.
2016-01-24 19:13:45 +01:00
'clojars.org/repo', # Clojure free software libs
Allow commonsware and gradle plugin repos
2016-02-17 14:00:05 +01:00
's3.amazonaws.com/repo.commonsware.com', # CommonsWare
'plugins.gradle.org/m2', # Gradle plugin repo
scanner: allow google maven
2017-05-25 20:55:50 +02:00
'maven.google.com', # Google Maven Repo, https://developer.android.com/studio/build/dependencies.html#google-maven
scanner: fix local Debian Maven repo handling The resulting regex was 'https?://file:///usr/share/maven-repo' causing scanner error.
2019-08-29 20:16:17 +02:00
]
] + [re.compile(r'^file://' + re.escape(repo) + r'/*') for repo in [
'/usr/share/maven-repo', # local repo on Debian installs
scanner: error on unknown maven repos This finds maven repos of the format: maven { url 'http://foo.bar' } And checks if the repository is one that we allow. As usual, scanignore can be used, or the list modified, if there are exceptions or more repositories to allow.
2015-10-07 18:14:11 +02:00
]
]
Rework build into a class This simplifies usage, goes from build['flag'] to build.flag Also makes static analyzers able to detect invalid attributes as the set is now limited in the class definition. As a bonus, setting of the default field values is now done in the constructor, not separately and manually. While at it, unify "build", "thisbuild", "info", "thisinfo", etc into just "build".
2015-11-28 17:55:27 +01:00
scanignore = common.getpaths_map(build_dir, build.scanignore)
scandelete = common.getpaths_map(build_dir, build.scandelete)
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
scanignore_worked = set()
scandelete_worked = set()
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
def toignore(path_in_build_dir):
Replace iteritems() with items()
2016-01-04 17:02:28 +01:00
for k, paths in scanignore.items():
scanner: don't error on partially used globs This meant that using something like `scanignore=*` would error if there were ignores happening in some directories/files, but not all. Fixes #110
2015-10-04 02:00:22 +02:00
for p in paths:
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
if path_in_build_dir.startswith(p):
scanner: don't error on partially used globs This meant that using something like `scanignore=*` would error if there were ignores happening in some directories/files, but not all. Fixes #110
2015-10-04 02:00:22 +02:00
scanignore_worked.add(k)
return True
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
return False
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
def todelete(path_in_build_dir):
Replace iteritems() with items()
2016-01-04 17:02:28 +01:00
for k, paths in scandelete.items():
scanner: don't error on partially used globs This meant that using something like `scanignore=*` would error if there were ignores happening in some directories/files, but not all. Fixes #110
2015-10-04 02:00:22 +02:00
for p in paths:
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
if path_in_build_dir.startswith(p):
scanner: don't error on partially used globs This meant that using something like `scanignore=*` would error if there were ignores happening in some directories/files, but not all. Fixes #110
2015-10-04 02:00:22 +02:00
scandelete_worked.add(k)
return True
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
return False
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
def ignoreproblem(what, path_in_build_dir):
scanner: remove all gradle wrapper files
2020-06-03 16:55:43 +02:00
msg = ('Ignoring %s at %s' % (what, path_in_build_dir))
logging.info(msg)
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
if json_per_build is not None:
scanner: remove all gradle wrapper files
2020-06-03 16:55:43 +02:00
json_per_build['infos'].append([msg, path_in_build_dir])
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
return 0
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
def removeproblem(what, path_in_build_dir, filepath):
scanner: remove all gradle wrapper files
2020-06-03 16:55:43 +02:00
msg = ('Removing %s at %s' % (what, path_in_build_dir))
logging.info(msg)
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
if json_per_build is not None:
scanner: remove all gradle wrapper files
2020-06-03 16:55:43 +02:00
json_per_build['infos'].append([msg, path_in_build_dir])
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
os.remove(filepath)
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
return 0
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
def warnproblem(what, path_in_build_dir):
if toignore(path_in_build_dir):
scanner: error/warn on dex/gz/zip, closes #394
2020-06-03 21:26:03 +02:00
return 0
logging.warn() was deprecated in Python 3.3, use logging.warning() sed -i 's,logging\.warn(,logging.warning(,g' fdroid */*.* https://docs.python.org/3.3/library/logging.html#logging.Logger.warning
2020-05-25 17:36:58 +02:00
logging.warning('Found %s at %s' % (what, path_in_build_dir))
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
if json_per_build is not None:
json_per_build['warnings'].append([what, path_in_build_dir])
scanner: error/warn on dex/gz/zip, closes #394
2020-06-03 21:26:03 +02:00
return 0
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
def handleproblem(what, path_in_build_dir, filepath):
if toignore(path_in_build_dir):
return ignoreproblem(what, path_in_build_dir)
if todelete(path_in_build_dir):
return removeproblem(what, path_in_build_dir, filepath)
scanner: error/warn on dex/gz/zip, closes #394
2020-06-03 21:26:03 +02:00
if 'src/test' in filepath or '/test/' in filepath:
return warnproblem(what, path_in_build_dir)
scanner: fix options handling closes fdroid/fdroidserver#789
2020-06-11 11:43:27 +02:00
if options and 'json' in vars(options) and options.json:
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
json_per_build['errors'].append([what, path_in_build_dir])
scanner: fix options handling closes fdroid/fdroidserver#789
2020-06-11 11:43:27 +02:00
if options and (options.verbose or not ('json' in vars(options) and options.json)):
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
logging.error('Found %s at %s' % (what, path_in_build_dir))
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
return 1
Rewrite scanner logic Initially, the scanner used libmagic which used magic numbers in the file's content to detect what kind of file it appears to be. Since that library isn't available on all systems, we added support for two other libraries, mimetypes amongst them. The issue with mimetypes is that it only uses the file's extension, not its actual content. So this ends in variable behaviour depending on what system you're using fdroidserver on. For example, an executable binary without extension would be ignored if mimetypes was being used. We now drop all libraries - mimetypes too as it depends on the system's mime.types file - and instead check extensions ourselves. On top of that, do a simple binary content check to find binary executables that don't have an extension. The new in-house code without any dependencies doesn't add any new checks, so no builds should break. The current checks still work: % fdroid scanner app.openconnect:1029 [...] Found executable binary at assets/raw/armeabi/curl Found executable binary at assets/raw/mips/curl Found executable binary at assets/raw/x86/curl Found JAR file at lib/XposedBridgeApi-54.jar Found JAR file at libs/acra-4.5.0.jar Found JAR file at libs/openconnect-wrapper.jar Found JAR file at libs/stoken-wrapper.jar Found shared library at libs/armeabi/libopenconnect.so Found shared library at libs/armeabi/libstoken.so Found shared library at libs/mips/libopenconnect.so Found shared library at libs/mips/libstoken.so Found shared library at libs/x86/libopenconnect.so Found shared library at libs/x86/libstoken.so
2015-09-14 07:11:53 +02:00
def is_executable(path):
return os.path.exists(path) and os.access(path, os.X_OK)
textchars = bytearray({7, 8, 9, 10, 12, 13, 27} | set(range(0x20, 0x100)) - {0x7f})
def is_binary(path):
d = None
with open(path, 'rb') as f:
d = f.read(1024)
return bool(d.translate(None, textchars))
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
scanner: Ignore certain binary executable files These were warnings, so the behaviour doesn't really change.
2015-11-10 21:59:54 +01:00
# False positives patterns for files that are binary and executable.
safe_paths = [re.compile(r) for r in [
r".*/drawable[^/]*/.*\.png$", # png drawables
r".*/mipmap[^/]*/.*\.png$", # png mipmaps
]
]
scanner: fix wrong path being passed to function Also make rename the parameter in safe_path to make it clear that this is just a relative path. Closes fdroid/fdroidserver#791.
2020-06-13 02:59:39 +02:00
def is_image_file(path):
scanner: ignore well known image types that are set executable
2020-06-03 14:34:21 +02:00
if imghdr.what(path) is not None:
return True
scanner: fix wrong path being passed to function Also make rename the parameter in safe_path to make it clear that this is just a relative path. Closes fdroid/fdroidserver#791.
2020-06-13 02:59:39 +02:00
def safe_path(path_in_build_dir):
for sp in safe_paths:
if sp.match(path_in_build_dir):
return True
scanner: Ignore certain binary executable files These were warnings, so the behaviour doesn't really change.
2015-11-10 21:59:54 +01:00
return False
Rework build into a class This simplifies usage, goes from build['flag'] to build.flag Also makes static analyzers able to detect invalid attributes as the set is now limited in the class definition. As a bonus, setting of the default field values is now done in the constructor, not separately and manually. While at it, unify "build", "thisbuild", "info", "thisinfo", etc into just "build".
2015-11-28 17:55:27 +01:00
gradle_compile_commands = get_gradle_compile_commands(build)
Added support for gradle flavor specific dependencies in usual suspects check.
2015-09-18 17:22:34 +02:00
def is_used_by_gradle(line):
return any(command.match(line) for command in gradle_compile_commands)
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
# Iterate through all files in the source code
standardize os.walk() var names based on Python 3.5 docs There were multiple conventions used in the code, but mostly it was already using the convention from the docs, so this converts things to using that convention: https://docs.python.org/3/library/os.html#os.walk
2017-09-14 08:44:43 +02:00
for root, dirs, files in os.walk(build_dir, topdown=True):
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
# It's topdown, so checking the basename is enough
for ignoredir in ('.hg', '.git', '.svn', '.bzr'):
standardize os.walk() var names based on Python 3.5 docs There were multiple conventions used in the code, but mostly it was already using the convention from the docs, so this converts things to using that convention: https://docs.python.org/3/library/os.html#os.walk
2017-09-14 08:44:43 +02:00
if ignoredir in dirs:
dirs.remove(ignoredir)
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
standardize os.walk() var names based on Python 3.5 docs There were multiple conventions used in the code, but mostly it was already using the convention from the docs, so this converts things to using that convention: https://docs.python.org/3/library/os.html#os.walk
2017-09-14 08:44:43 +02:00
for curfile in files:
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
scanner: ignore .DS_Store files They are binary and sometimes executable, so they trigger false positives.
2015-11-10 21:49:46 +01:00
if curfile in ['.DS_Store']:
continue
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
# Path (relative) to the file
standardize os.walk() var names based on Python 3.5 docs There were multiple conventions used in the code, but mostly it was already using the convention from the docs, so this converts things to using that convention: https://docs.python.org/3/library/os.html#os.walk
2017-09-14 08:44:43 +02:00
filepath = os.path.join(root, curfile)
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
if os.path.islink(filepath):
scanner: skip symlinks to avoid issues If they resolve to a missing file, we don't care about them. If they resolve to an existing file, we'll scan that file anyway.
2015-09-22 22:03:42 +02:00
continue
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
path_in_build_dir = os.path.relpath(filepath, build_dir)
make _ always be the gettext function, nothing else This avoids hard bugs where the _() function gets overidden by a str or something else.
2017-10-24 16:48:42 +02:00
_ignored, ext = common.get_extension(path_in_build_dir)
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
scanner: remove all gradle wrapper files
2020-06-03 16:55:43 +02:00
if curfile in ('gradle-wrapper.jar', 'gradlew', 'gradlew.bat'):
removeproblem(curfile, path_in_build_dir, filepath)
elif ext == 'apk':
removeproblem(_('Android APK file'), path_in_build_dir, filepath)
elif ext == 'a':
scanner: make problem descriptions translationable
2020-06-03 15:25:26 +02:00
count += handleproblem(_('static library'), path_in_build_dir, filepath)
scanner: make AARs and JARs trigger an error refs #491
2020-06-03 15:12:04 +02:00
elif ext == 'aar':
count += handleproblem(_('Android AAR library'), path_in_build_dir, filepath)
Rewrite scanner logic Initially, the scanner used libmagic which used magic numbers in the file's content to detect what kind of file it appears to be. Since that library isn't available on all systems, we added support for two other libraries, mimetypes amongst them. The issue with mimetypes is that it only uses the file's extension, not its actual content. So this ends in variable behaviour depending on what system you're using fdroidserver on. For example, an executable binary without extension would be ignored if mimetypes was being used. We now drop all libraries - mimetypes too as it depends on the system's mime.types file - and instead check extensions ourselves. On top of that, do a simple binary content check to find binary executables that don't have an extension. The new in-house code without any dependencies doesn't add any new checks, so no builds should break. The current checks still work: % fdroid scanner app.openconnect:1029 [...] Found executable binary at assets/raw/armeabi/curl Found executable binary at assets/raw/mips/curl Found executable binary at assets/raw/x86/curl Found JAR file at lib/XposedBridgeApi-54.jar Found JAR file at libs/acra-4.5.0.jar Found JAR file at libs/openconnect-wrapper.jar Found JAR file at libs/stoken-wrapper.jar Found shared library at libs/armeabi/libopenconnect.so Found shared library at libs/armeabi/libstoken.so Found shared library at libs/mips/libopenconnect.so Found shared library at libs/mips/libstoken.so Found shared library at libs/x86/libopenconnect.so Found shared library at libs/x86/libstoken.so
2015-09-14 07:11:53 +02:00
elif ext == 'class':
scanner: make problem descriptions translationable
2020-06-03 15:25:26 +02:00
count += handleproblem(_('Java compiled class'), path_in_build_dir, filepath)
scanner: error/warn on dex/gz/zip, closes #394
2020-06-03 21:26:03 +02:00
elif ext == 'dex':
count += handleproblem(_('Android DEX code'), path_in_build_dir, filepath)
elif ext == 'gz':
count += handleproblem(_('gzip file archive'), path_in_build_dir, filepath)
scanner: make problem descriptions translationable
2020-06-03 15:25:26 +02:00
elif ext == 'so':
count += handleproblem(_('shared library'), path_in_build_dir, filepath)
scanner: error/warn on dex/gz/zip, closes #394
2020-06-03 21:26:03 +02:00
elif ext == 'zip':
count += handleproblem(_('ZIP file archive'), path_in_build_dir, filepath)
Rewrite scanner logic Initially, the scanner used libmagic which used magic numbers in the file's content to detect what kind of file it appears to be. Since that library isn't available on all systems, we added support for two other libraries, mimetypes amongst them. The issue with mimetypes is that it only uses the file's extension, not its actual content. So this ends in variable behaviour depending on what system you're using fdroidserver on. For example, an executable binary without extension would be ignored if mimetypes was being used. We now drop all libraries - mimetypes too as it depends on the system's mime.types file - and instead check extensions ourselves. On top of that, do a simple binary content check to find binary executables that don't have an extension. The new in-house code without any dependencies doesn't add any new checks, so no builds should break. The current checks still work: % fdroid scanner app.openconnect:1029 [...] Found executable binary at assets/raw/armeabi/curl Found executable binary at assets/raw/mips/curl Found executable binary at assets/raw/x86/curl Found JAR file at lib/XposedBridgeApi-54.jar Found JAR file at libs/acra-4.5.0.jar Found JAR file at libs/openconnect-wrapper.jar Found JAR file at libs/stoken-wrapper.jar Found shared library at libs/armeabi/libopenconnect.so Found shared library at libs/armeabi/libstoken.so Found shared library at libs/mips/libopenconnect.so Found shared library at libs/mips/libstoken.so Found shared library at libs/x86/libopenconnect.so Found shared library at libs/x86/libstoken.so
2015-09-14 07:11:53 +02:00
elif ext == 'jar':
scanner: improve usual suspect output
2015-09-17 02:13:54 +02:00
for name in suspects_found(curfile):
whitelist some open-source firebase libs
2017-12-14 21:58:06 +01:00
count += handleproblem('usual suspect \'%s\'' % name, path_in_build_dir, filepath)
scanner: remove all gradle wrapper files
2020-06-03 16:55:43 +02:00
count += handleproblem(_('Java JAR file'), path_in_build_dir, filepath)
scanner: warn on aar files
2017-09-04 00:57:38 +02:00
Rewrite scanner logic Initially, the scanner used libmagic which used magic numbers in the file's content to detect what kind of file it appears to be. Since that library isn't available on all systems, we added support for two other libraries, mimetypes amongst them. The issue with mimetypes is that it only uses the file's extension, not its actual content. So this ends in variable behaviour depending on what system you're using fdroidserver on. For example, an executable binary without extension would be ignored if mimetypes was being used. We now drop all libraries - mimetypes too as it depends on the system's mime.types file - and instead check extensions ourselves. On top of that, do a simple binary content check to find binary executables that don't have an extension. The new in-house code without any dependencies doesn't add any new checks, so no builds should break. The current checks still work: % fdroid scanner app.openconnect:1029 [...] Found executable binary at assets/raw/armeabi/curl Found executable binary at assets/raw/mips/curl Found executable binary at assets/raw/x86/curl Found JAR file at lib/XposedBridgeApi-54.jar Found JAR file at libs/acra-4.5.0.jar Found JAR file at libs/openconnect-wrapper.jar Found JAR file at libs/stoken-wrapper.jar Found shared library at libs/armeabi/libopenconnect.so Found shared library at libs/armeabi/libstoken.so Found shared library at libs/mips/libopenconnect.so Found shared library at libs/mips/libstoken.so Found shared library at libs/x86/libopenconnect.so Found shared library at libs/x86/libstoken.so
2015-09-14 07:11:53 +02:00
elif ext == 'java':
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
if not os.path.isfile(filepath):
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
continue
remove redundant open() arg: encoding='utf8' By default, open() returns a str: https://docs.python.org/3/library/functions.html#open By default, str is UTF-8: https://docs.python.org/3/library/stdtypes.html#str This used to matter on Python 2.x, but this code is 3.x only now.
2018-10-19 15:01:34 +02:00
with open(filepath, 'r', errors='replace') as f:
Replace remaining file() usage
2016-01-04 17:59:47 +01:00
for line in f:
if 'DexClassLoader' in line:
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
count += handleproblem('DexClassLoader', path_in_build_dir, filepath)
Replace remaining file() usage
2016-01-04 17:59:47 +01:00
break
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
Rewrite scanner logic Initially, the scanner used libmagic which used magic numbers in the file's content to detect what kind of file it appears to be. Since that library isn't available on all systems, we added support for two other libraries, mimetypes amongst them. The issue with mimetypes is that it only uses the file's extension, not its actual content. So this ends in variable behaviour depending on what system you're using fdroidserver on. For example, an executable binary without extension would be ignored if mimetypes was being used. We now drop all libraries - mimetypes too as it depends on the system's mime.types file - and instead check extensions ourselves. On top of that, do a simple binary content check to find binary executables that don't have an extension. The new in-house code without any dependencies doesn't add any new checks, so no builds should break. The current checks still work: % fdroid scanner app.openconnect:1029 [...] Found executable binary at assets/raw/armeabi/curl Found executable binary at assets/raw/mips/curl Found executable binary at assets/raw/x86/curl Found JAR file at lib/XposedBridgeApi-54.jar Found JAR file at libs/acra-4.5.0.jar Found JAR file at libs/openconnect-wrapper.jar Found JAR file at libs/stoken-wrapper.jar Found shared library at libs/armeabi/libopenconnect.so Found shared library at libs/armeabi/libstoken.so Found shared library at libs/mips/libopenconnect.so Found shared library at libs/mips/libstoken.so Found shared library at libs/x86/libopenconnect.so Found shared library at libs/x86/libstoken.so
2015-09-14 07:11:53 +02:00
elif ext == 'gradle':
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
if not os.path.isfile(filepath):
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
continue
remove redundant open() arg: encoding='utf8' By default, open() returns a str: https://docs.python.org/3/library/functions.html#open By default, str is UTF-8: https://docs.python.org/3/library/stdtypes.html#str This used to matter on Python 2.x, but this code is 3.x only now.
2018-10-19 15:01:34 +02:00
with open(filepath, 'r', errors='replace') as f:
scanner: error on unknown maven repos This finds maven repos of the format: maven { url 'http://foo.bar' } And checks if the repository is one that we allow. As usual, scanignore can be used, or the list modified, if there are exceptions or more repositories to allow.
2015-10-07 18:14:11 +02:00
lines = f.readlines()
for i, line in enumerate(lines):
Added support for gradle flavor specific dependencies in usual suspects check.
2015-09-18 17:22:34 +02:00
if is_used_by_gradle(line):
for name in suspects_found(line):
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
count += handleproblem("usual suspect \'%s\'" % (name),
path_in_build_dir, filepath)
fix pep8 E741 ambiguous variable name 'l'
2020-05-14 11:54:32 +02:00
noncomment_lines = [line for line in lines if not common.gradle_comment.match(line)]
scanner: fix regex for matching URLs in gradle maven{} blocks closes #465 This script generated gradle-maven-blocks.yaml: ```python import os import re import yaml pat = re.compile(r'\smaven\s*{[^}]+}') finds = set() for root, dirs, files in os.walk('.'): for f in files: if '.gradle' in f: with open(os.path.join(root, f), errors='surrogateescape') as fp: contents = fp.read() for m in pat.findall(contents): finds.add(m) with open('finds.yaml', 'w') as fp: yaml.dump(sorted(finds), fp, default_flow_style=False) ```
2020-06-03 23:40:01 +02:00
no_comments = re.sub(r'/\*.*?\*/', '', ''.join(noncomment_lines), flags=re.DOTALL)
for url in MAVEN_URL_REGEX.findall(no_comments):
scanner: error on unknown maven repos This finds maven repos of the format: maven { url 'http://foo.bar' } And checks if the repository is one that we allow. As usual, scanignore can be used, or the list modified, if there are exceptions or more repositories to allow.
2015-10-07 18:14:11 +02:00
if not any(r.match(url) for r in allowed_repos):
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
count += handleproblem('unknown maven repo \'%s\'' % url, path_in_build_dir, filepath)
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
scanner: use a blacklist instead of a whitelist This is much closer to what we did before with mimetypes. Using a whitelist turns out to be a bad idea since repositories seem to be randomly filled with executable images and documents, which trigger the scanner. In an ideal world the scanner would complain about all of those. For now, just warn about the possibility of them being hidden binaries.
2015-09-17 02:20:22 +02:00
elif ext in ['', 'bin', 'out', 'exe']:
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
if is_binary(filepath):
count += handleproblem('binary', path_in_build_dir, filepath)
scanner: use a blacklist instead of a whitelist This is much closer to what we did before with mimetypes. Using a whitelist turns out to be a bad idea since repositories seem to be randomly filled with executable images and documents, which trigger the scanner. In an ideal world the scanner would complain about all of those. For now, just warn about the possibility of them being hidden binaries.
2015-09-17 02:20:22 +02:00
scanner: rename variables, use os.path.relpath * rename fd -> path_in_build_dir * rename fp -> filepath * use os.path.reldir instead of string manipulation
2017-09-11 16:46:54 +02:00
elif is_executable(filepath):
scanner: fix wrong path being passed to function Also make rename the parameter in safe_path to make it clear that this is just a relative path. Closes fdroid/fdroidserver#791.
2020-06-13 02:59:39 +02:00
if is_binary(filepath) and not (safe_path(path_in_build_dir) or is_image_file(filepath)):
scanner: make problem descriptions translationable
2020-06-03 15:25:26 +02:00
warnproblem(_('executable binary, possibly code'), path_in_build_dir)
Rewrite scanner logic Initially, the scanner used libmagic which used magic numbers in the file's content to detect what kind of file it appears to be. Since that library isn't available on all systems, we added support for two other libraries, mimetypes amongst them. The issue with mimetypes is that it only uses the file's extension, not its actual content. So this ends in variable behaviour depending on what system you're using fdroidserver on. For example, an executable binary without extension would be ignored if mimetypes was being used. We now drop all libraries - mimetypes too as it depends on the system's mime.types file - and instead check extensions ourselves. On top of that, do a simple binary content check to find binary executables that don't have an extension. The new in-house code without any dependencies doesn't add any new checks, so no builds should break. The current checks still work: % fdroid scanner app.openconnect:1029 [...] Found executable binary at assets/raw/armeabi/curl Found executable binary at assets/raw/mips/curl Found executable binary at assets/raw/x86/curl Found JAR file at lib/XposedBridgeApi-54.jar Found JAR file at libs/acra-4.5.0.jar Found JAR file at libs/openconnect-wrapper.jar Found JAR file at libs/stoken-wrapper.jar Found shared library at libs/armeabi/libopenconnect.so Found shared library at libs/armeabi/libstoken.so Found shared library at libs/mips/libopenconnect.so Found shared library at libs/mips/libstoken.so Found shared library at libs/x86/libopenconnect.so Found shared library at libs/x86/libstoken.so
2015-09-14 07:11:53 +02:00
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
for p in scanignore:
if p not in scanignore_worked:
scanner: make problem descriptions translationable
2020-06-03 15:25:26 +02:00
logging.error(_('Unused scanignore path: %s') % p)
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
count += 1
for p in scandelete:
if p not in scandelete_worked:
scanner: make problem descriptions translationable
2020-06-03 15:25:26 +02:00
logging.error(_('Unused scandelete path: %s') % p)
Move scan_source into scanner.py Not really a common.py thing.
2015-08-29 04:20:39 +02:00
count += 1
return count
All callable scripts now implement main()
2012-02-26 15:18:58 +01:00
def main():
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
global config, options, json_per_build
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
All callable scripts now implement main()
2012-02-26 15:18:58 +01:00
# Parse command line...
replace deprecated optparse with argparse following guidelines from: https://docs.python.org/2/library/argparse.html#upgrading-optparse-code except, still using option = parse.parse_args() instead of args = ... - using the following script in folder fdroidserver: for i in *.py; do sed -i -e 's/optparse/argparse/' \ -e 's/OptionParser/ArgumentParser/' \ -e 's/OptionError/ArgumentError/' \ -e 's/add_option/add_argument/' \ -e 's/(options, args) = parser/options = parser/' \ -e 's/options, args = parser/options = parser/' \ -e 's/Usage: %prog/%(prog)s/' $i; done - use ArgumentParser argument to replace (option, args) = parser.parse() call - use parser.error(msg) instead of raise ArgumentException as suggested in https://docs.python.org/2/library/argparse.html#exiting-methods - in fdroid catch ArgumentError instead of OptionError
2015-09-04 11:37:05 +02:00
parser = ArgumentParser(usage="%(prog)s [options] [APPID[:VERCODE] [APPID[:VERCODE] ...]]")
all: deduplicate -v/-q setup
2015-09-12 08:42:50 +02:00
common.setup_global_opts(parser)
rename 'app-id' to standard Android 'applicationId' * https://developer.android.com/studio/build/application-id.html * https://sites.google.com/a/android.com/tools/tech-docs/new-build-system/applicationid-vs-packagename This only changes the term in the human texts, not var names or CLI flags.
2017-09-15 11:41:39 +02:00
parser.add_argument("appid", nargs='*', help=_("applicationId with optional versionCode in the form APPID[:VERCODE]"))
scanner: add --force option for scanning disabled apps/builds
2020-02-05 20:30:16 +01:00
parser.add_argument("-f", "--force", action="store_true", default=False,
help=_("Force scan of disabled apps and builds."))
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
parser.add_argument("--json", action="store_true", default=False,
help=_("Output JSON to stdout."))
make metadata exceptions optional based on CLI flag In many cases, there are times where metadata errors need to be ignored, or at least not stop the command from running. For example, there will inevitably be new metadata fields added, in which case a packaged version of fdroidserver will throw errors on each one. This adds a standard -W flag to customize the response: ignore, default, or error. * by default, the errors are still errors * `fdroid readmeta -W` will just print errors * `fdroid readmeta -Wignore` will not even print errors https://gitlab.com/fdroid/fdroidserver/issues/150
2016-09-12 12:55:48 +02:00
metadata.add_metadata_arguments(parser)
replace deprecated optparse with argparse following guidelines from: https://docs.python.org/2/library/argparse.html#upgrading-optparse-code except, still using option = parse.parse_args() instead of args = ... - using the following script in folder fdroidserver: for i in *.py; do sed -i -e 's/optparse/argparse/' \ -e 's/OptionParser/ArgumentParser/' \ -e 's/OptionError/ArgumentError/' \ -e 's/add_option/add_argument/' \ -e 's/(options, args) = parser/options = parser/' \ -e 's/options, args = parser/options = parser/' \ -e 's/Usage: %prog/%(prog)s/' $i; done - use ArgumentParser argument to replace (option, args) = parser.parse() call - use parser.error(msg) instead of raise ArgumentException as suggested in https://docs.python.org/2/library/argparse.html#exiting-methods - in fdroid catch ArgumentError instead of OptionError
2015-09-04 11:37:05 +02:00
options = parser.parse_args()
make metadata exceptions optional based on CLI flag In many cases, there are times where metadata errors need to be ignored, or at least not stop the command from running. For example, there will inevitably be new metadata fields added, in which case a packaged version of fdroidserver will throw errors on each one. This adds a standard -W flag to customize the response: ignore, default, or error. * by default, the errors are still errors * `fdroid readmeta -W` will just print errors * `fdroid readmeta -Wignore` will not even print errors https://gitlab.com/fdroid/fdroidserver/issues/150
2016-09-12 12:55:48 +02:00
metadata.warnings_action = options.W
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
json_output = dict()
if options.json:
if options.verbose:
logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
else:
logging.getLogger().setLevel(logging.ERROR)
Start rewriting options and config as common.py globals
2013-11-01 12:10:57 +01:00
config = common.read_config(options)
Centralise management of srclib metadata
2014-05-20 23:44:47 +02:00
# Read all app and srclib metadata
Adapt scanner, fix some other issues
2013-12-19 23:06:57 +01:00
allapps = metadata.read_metadata()
replace deprecated optparse with argparse following guidelines from: https://docs.python.org/2/library/argparse.html#upgrading-optparse-code except, still using option = parse.parse_args() instead of args = ... - using the following script in folder fdroidserver: for i in *.py; do sed -i -e 's/optparse/argparse/' \ -e 's/OptionParser/ArgumentParser/' \ -e 's/OptionError/ArgumentError/' \ -e 's/add_option/add_argument/' \ -e 's/(options, args) = parser/options = parser/' \ -e 's/options, args = parser/options = parser/' \ -e 's/Usage: %prog/%(prog)s/' $i; done - use ArgumentParser argument to replace (option, args) = parser.parse() call - use parser.error(msg) instead of raise ArgumentException as suggested in https://docs.python.org/2/library/argparse.html#exiting-methods - in fdroid catch ArgumentError instead of OptionError
2015-09-04 11:37:05 +02:00
apps = common.read_app_args(options.appid, allapps, True)
scanner: use -p check like in build.py, give error if package does not exist
2012-03-11 22:59:25 +01:00
scanner: adapt to new scan_source format (fixes #59)
2015-01-10 13:49:54 +01:00
probcount = 0
A better way of dealing with external libraries
2012-01-27 23:10:08 +01:00
Fix standalone scanner bug
2013-10-29 13:23:42 +01:00
build_dir = 'build'
if not os.path.isdir(build_dir):
Half-way done switching prints for logs
2014-01-27 16:56:55 +01:00
logging.info("Creating build directory")
Fix standalone scanner bug
2013-10-29 13:23:42 +01:00
os.makedirs(build_dir)
srclib_dir = os.path.join(build_dir, 'srclib')
extlib_dir = os.path.join(build_dir, 'extlib')
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
Replace iteritems() with items()
2016-01-04 17:02:28 +01:00
for appid, app in apps.items():
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
json_per_appid = dict()
scanner: add --force option for scanning disabled apps/builds
2020-02-05 20:30:16 +01:00
if app.Disabled and not options.force:
fix string formats that are ambiguous for translators
2017-09-15 23:20:29 +02:00
logging.info(_("Skipping {appid}: disabled").format(appid=appid))
scanner: always setup JSON data structure so functions work as API
2020-06-03 15:45:39 +02:00
json_per_appid['disabled'] = json_per_build['infos'].append('Skipping: disabled')
Adapt scanner, fix some other issues
2013-12-19 23:06:57 +01:00
continue
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
Adapt scanner, fix some other issues
2013-12-19 23:06:57 +01:00
try:
Rework app into a class This simplifies usage, goes from app['Foo'] to app.Foo Also makes static analyzers able to detect invalid attributes as the set is now limited in the class definition. As a bonus, setting of the default field values is now done in the constructor, not separately and manually.
2015-11-28 13:09:47 +01:00
if app.RepoType == 'srclib':
build_dir = os.path.join('build', 'srclib', app.Repo)
scanner: support apps using srclib repo type
2015-09-14 07:05:41 +02:00
else:
build_dir = os.path.join('build', appid)
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
scanner: allow running without versionCode and as API This lets `fdroid scanner my.package.name` run without requiring that the versionCode is also specified. It also allows scanner.scan_source() to be called as a function in the public API of fdroidserver.
2018-01-23 21:55:37 +01:00
if app.builds:
logging.info(_("Processing {appid}").format(appid=appid))
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
# Set up vcs interface and make sure we have the latest code...
vcs = common.getvcs(app.RepoType, app.Repo, build_dir)
scanner: allow running without versionCode and as API This lets `fdroid scanner my.package.name` run without requiring that the versionCode is also specified. It also allows scanner.scan_source() to be called as a function in the public API of fdroidserver.
2018-01-23 21:55:37 +01:00
else:
logging.info(_("{appid}: no builds specified, running on current source state")
.format(appid=appid))
scanner: always setup JSON data structure so functions work as API
2020-06-03 15:45:39 +02:00
json_per_build = DEFAULT_JSON_PER_BUILD
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
json_per_appid['current-source-state'] = json_per_build
scanner: allow running without versionCode and as API This lets `fdroid scanner my.package.name` run without requiring that the versionCode is also specified. It also allows scanner.scan_source() to be called as a function in the public API of fdroidserver.
2018-01-23 21:55:37 +01:00
count = scan_source(build_dir)
if count > 0:
logging.warn() was deprecated in Python 3.3, use logging.warning() sed -i 's,logging\.warn(,logging.warning(,g' fdroid */*.* https://docs.python.org/3.3/library/logging.html#logging.Logger.warning
2020-05-25 17:36:58 +02:00
logging.warning(_('Scanner found {count} problems in {appid}:')
.format(count=count, appid=appid))
scanner: allow running without versionCode and as API This lets `fdroid scanner my.package.name` run without requiring that the versionCode is also specified. It also allows scanner.scan_source() to be called as a function in the public API of fdroidserver.
2018-01-23 21:55:37 +01:00
probcount += count
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
app.builds = []
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
Rework build into a class This simplifies usage, goes from build['flag'] to build.flag Also makes static analyzers able to detect invalid attributes as the set is now limited in the class definition. As a bonus, setting of the default field values is now done in the constructor, not separately and manually. While at it, unify "build", "thisbuild", "info", "thisinfo", etc into just "build".
2015-11-28 17:55:27 +01:00
for build in app.builds:
scanner: always setup JSON data structure so functions work as API
2020-06-03 15:45:39 +02:00
json_per_build = DEFAULT_JSON_PER_BUILD
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
json_per_appid[build.versionCode] = json_per_build
Got rid of source preparation code duplication
2012-01-03 22:39:30 +01:00
scanner: add --force option for scanning disabled apps/builds
2020-02-05 20:30:16 +01:00
if build.disable and not options.force:
Half-way done switching prints for logs
2014-01-27 16:56:55 +01:00
logging.info("...skipping version %s - %s" % (
rename Build fields: version -> versionName, vercode -> versionCode Since the YAML/JSON/etc. field names are now exactly the same as the field names used in the internal dict in the Build class, this is a global rename This keeps with the standard names used in Android: https://developer.android.com/guide/topics/manifest/manifest-element.html
2016-11-23 17:52:04 +01:00
build.versionName, build.get('disable', build.commit[1:])))
scanner: allow running without versionCode and as API This lets `fdroid scanner my.package.name` run without requiring that the versionCode is also specified. It also allows scanner.scan_source() to be called as a function in the public API of fdroidserver.
2018-01-23 21:55:37 +01:00
continue
logging.info("...scanning version " + build.versionName)
# Prepare the source code...
common.prepare_source(vcs, app, build,
build_dir, srclib_dir,
extlib_dir, False)
count = scan_source(build_dir, build)
if count > 0:
logging.warn() was deprecated in Python 3.3, use logging.warning() sed -i 's,logging\.warn(,logging.warning(,g' fdroid */*.* https://docs.python.org/3.3/library/logging.html#logging.Logger.warning
2020-05-25 17:36:58 +02:00
logging.warning(_('Scanner found {count} problems in {appid}:{versionCode}:')
.format(count=count, appid=appid, versionCode=build.versionCode))
scanner: allow running without versionCode and as API This lets `fdroid scanner my.package.name` run without requiring that the versionCode is also specified. It also allows scanner.scan_source() to be called as a function in the public API of fdroidserver.
2018-01-23 21:55:37 +01:00
probcount += count
Basic source code scanner, doesn't do much yet
2012-01-03 16:37:29 +01:00
Adapt scanner, fix some other issues
2013-12-19 23:06:57 +01:00
except BuildException as be:
logging.warn() was deprecated in Python 3.3, use logging.warning() sed -i 's,logging\.warn(,logging.warning(,g' fdroid */*.* https://docs.python.org/3.3/library/logging.html#logging.Logger.warning
2020-05-25 17:36:58 +02:00
logging.warning('Could not scan app %s due to BuildException: %s' % (
scanner: adapt to new scan_source format (fixes #59)
2015-01-10 13:49:54 +01:00
appid, be))
probcount += 1
Adapt scanner, fix some other issues
2013-12-19 23:06:57 +01:00
except VCSException as vcse:
logging.warn() was deprecated in Python 3.3, use logging.warning() sed -i 's,logging\.warn(,logging.warning(,g' fdroid */*.* https://docs.python.org/3.3/library/logging.html#logging.Logger.warning
2020-05-25 17:36:58 +02:00
logging.warning('VCS error while scanning app %s: %s' % (appid, vcse))
scanner: adapt to new scan_source format (fixes #59)
2015-01-10 13:49:54 +01:00
probcount += 1
Adapt scanner, fix some other issues
2013-12-19 23:06:57 +01:00
except Exception:
logging.warn() was deprecated in Python 3.3, use logging.warning() sed -i 's,logging\.warn(,logging.warning(,g' fdroid */*.* https://docs.python.org/3.3/library/logging.html#logging.Logger.warning
2020-05-25 17:36:58 +02:00
logging.warning('Could not scan app %s due to unknown error: %s' % (
scanner: adapt to new scan_source format (fixes #59)
2015-01-10 13:49:54 +01:00
appid, traceback.format_exc()))
probcount += 1
All callable scripts now implement main()
2012-02-26 15:18:58 +01:00
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
for k, v in json_per_appid.items():
if len(v['errors']) or len(v['warnings']) or len(v['infos']):
json_output[appid] = json_per_appid
break
implement gettext localization This allows all the text to be localized via Weblate. This is a quick overview of all the strings, but there are certainly some that were left out. closes #342
2017-09-13 18:03:57 +02:00
logging.info(_("Finished"))
scanner: add --json option for outputting machine readable results * makes per-build entries in per-app entries * `fdroid scanner --json --verbose` will output logging messages to stderr * removed " at line N" from one message to make them uniform keys * this will be used in issuebot This is a second attempt with tests for how `fdroid build` calls the scanner functions. closes #771. It was previously merged in !748 then reverted in 68c072c72e2d9c75b5220ea1e95d1773e8ae2723
2020-05-14 16:08:56 +02:00
if options.json:
print(json.dumps(json_output))
else:
print(_("%d problems found") % probcount)
All callable scripts now implement main()
2012-02-26 15:18:58 +01:00
all: make newer pycodestyle happy Apparently the "two empty lines" rule is now stricter.
2016-11-15 21:55:06 +01:00
All callable scripts now implement main()
2012-02-26 15:18:58 +01:00
if __name__ == "__main__":
main()