new file mode 100644
@@ -0,0 +1,63 @@
+# Class to scan Python code for security issues, using Bandit.
+#
+# $ bitbake python-foo -c bandit
+#
+# Writes the report to $DEPLOY_DIR/bandit/python-foo.html.
+# No output if no issues found, a warning if issues found.
+#
+# https://github.com/PyCQA/bandit
+
+# Default location of sources, based on standard distutils
+BANDIT_SOURCE ?= "${S}/build"
+
+# The report format to use.
+# https://bandit.readthedocs.io/en/latest/formatters/index.html
+BANDIT_FORMAT ?= "html"
+
+# Whether a scan should be done every time the recipe is built.
+#
+# By default the scanning needs to be done explicitly, but by setting BANDIT_AUTO
+# to 1 the scan will be done whenever the recipe it built. Note that you
+# shouldn't set BANDIT_AUTO to 1 globally as it will then try to scan every
+# recipe, including non-Python recipes, causing circular loops.
+BANDIT_AUTO ?= "0"
+
+# Whether Bandit finding issues results in a warning (0) or an error (1).
+BANDIT_FATAL ?= "0"
+
+do_bandit[depends] = "python3-bandit-native:do_populate_sysroot"
+python do_bandit() {
+ import os, subprocess
+ try:
+ report = d.expand("${DEPLOY_DIR}/bandit/${PN}-${PV}.${BANDIT_FORMAT}")
+ os.makedirs(os.path.dirname(report), exist_ok=True)
+
+ args = ("bandit",
+ "--format", d.getVar("BANDIT_FORMAT"),
+ "--output", report,
+ "-ll",
+ "--recursive", d.getVar("BANDIT_SOURCE"))
+ subprocess.check_output(args, stderr=subprocess.STDOUT)
+ bb.note("Bandit found no issues (report written to %s)" % report)
+ except subprocess.CalledProcessError as e:
+ if e.returncode == 1:
+ if oe.types.boolean(d.getVar("BANDIT_FATAL")):
+ bb.error("Bandit found issues (report written to %s)" % report)
+ else:
+ bb.warn("Bandit found issues (report written to %s)" % report)
+ else:
+ bb.error("Bandit failed:\n" + e.output.decode("utf-8"))
+}
+
+python() {
+ before = "do_build"
+ after = "do_compile"
+
+ if oe.types.boolean(d.getVar("BANDIT_AUTO")):
+ bb.build.addtask("do_bandit", before, after, d)
+ else:
+ bb.build.addtask("do_bandit", None, after, d)
+}
+
+# TODO: store report in sstate
+# TODO: a way to pass extra args or .bandit file, basically control -ll
Add a class to perform security scans of Python code using Bandit. Signed-off-by: Ross Burton <ross.burton@intel.com> --- meta-python/classes/bandit.bbclass | 63 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 meta-python/classes/bandit.bbclass -- 2.11.0 -- _______________________________________________ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel