Commit 6f63295d authored by Leo's avatar Leo

Add secfixes-check

parent d54f82c8
#!/usr/bin/lua5.3
function violation(str, line, tag, sevcer)
io.stderr:write(sevcer..":".."[AL"..tag.."]:"..apkbuild..":"..line..":"..str.."\n")
end
function readFile(file)
local linenum = 0
local f = io.open(file)
if f == nil then
return
end
while true do
line = f:read("*line")
if line == nil then
break
end
if line:match("^# secfixes") then
-- Table that holds lots of important values
local y = {}
---
-- The yaml key will hold the yaml to be loaded and processed by the
-- verify function
---
y["yaml"] = ""
---
-- The str table will hold the keys that are the linenumber of a string
-- in relation to the general apkbuild and the value are the contents
-- of the string
---
y["str"] = {}
linenum = linenum + 1
---
-- Check if the secfixes: table header is missing a colon at the end
-- to represent a table
---
if line:match("^# secfixes$") then
violation("missing colon on '"..line.."'", linenum, "37", "SC")
---
-- Rewrite the string to be valid yaml after triggering a violation
---
line = "# secfixes:"
end
while line ~= nil and line:match("^#") do
local l = line:gsub("^# ", "")
if l == nil then
break
end
---
-- Check if the PKGVER-PKGREL: table header is missing a colon at
-- the end, match anything since we check later if this key is
-- actually writen with a valid pkgver and pkgrel
---
if l:match("^%s%s%S*[^:]$") then
violation("missing colon on '"..l:gsub("%s%s", "").."'", linenum, "38", "SC")
-- Add the colon at the end to represent a string
l = l..":"
end
---
-- Check if the CVE Identifier has a prefixed hyphen to indicate it
-- is a value inside the table
---
if l:match("^%s%s%s%s") then
if not l:match("^%s%s%s%s%- ") then
violation("missing hyphen on '"..l:gsub("^%s+", "").."'", linenum, "41", "SC")
l = l:gsub("^ ", " - ")
end
end
y["yaml"] = y["yaml"]..l.."\n"
y["str"][linenum] = l
line = f:read("*line")
linenum = linenum + 1
end
f:close()
return y
end
linenum = linenum + 1
end
f:close()
end
-- Check a release key of secfixes, e.g. 1.0.0-r0
function checkRel(str, line)
-- Check if the pkgrel value is made up of only digits
if not str:match("%-r[%d]+:$") then
violation("invalid pkgrel", line, "40", "SC")
end
-- Check if the pkgver value is made up only of valid charachters
if not str:match("^[%d%.%-%_a-zA-Z]*%-r") then
violation("invalid pkgver", line, "39", "SC")
end
end
--- Check the CVE identifier for validity
function checkCVE(str, line)
-- Check if we have the CVE- prefix
if not str:match("^CVE%-") then
violation("missing CVE- prefix", line, "42", "SC")
str = "CVE-"..str
end
-- CVE Identifirs are made up of only integers and hyphens after the CVE- prefix
if not str:match("^CVE%-[%d%-]*$") then
violation("only integers and hyphens are valid after CVE-", line, "43", "SC")
end
-- The value right after CVE- is the year which must always be 4 digits (YYYY)
if not str:match("^CVE%-%d%d%d%d%-*") then
violation("CVE identifiers have 4 digit year between the first and second hyphens", line, "44", "SC")
end
-- The last value of a CVE identifier is a collection of AT LEAST 4 digits
if not str:match("^CVE%-.*%-%d%d%d%d+$") then
violation("CVE IDs are at least 4 digits", line, "45", "SC")
end
end
function verify(str)
---
-- We do this because we expect that we are run from apkbuild-lint
-- which sources the apkbuild
---
local pkgname = os.getenv("pkgname")
if pkgname == nil then
return 1
end
local yaml = require "lyaml"
local data = yaml.load(str)
assert(type(data.secfixes) == "table", pkgname .. ": secfixes is not a table")
for k,v in pairs(data.secfixes) do
assert(type(k) == "string", pkgname..": not a string: "..tostring(k))
assert(string.match(k, "^[%d]+"), pkgname..": "..tostring(k))
assert(type(v) == "table", pkgname..": "..k..": not a table")
end
end
apkbuild = arg[1]
local table = readFile(apkbuild)
-- Verify that the yaml is valid
verify(table.yaml)
for k, v in pairs(table.str) do
---
-- Uncomment this once we have a use of checking the secfixes header
-- if v:match("^%S") then
-- checkHeader(v, k)
-- end
---
if v:match("^%s%s%S") then
checkRel(v:gsub("^%s+", ""), k)
elseif v:match("^%s%s%s%s%S") then
checkCVE(v:gsub("^%s+ %- ", ""), k)
end
end
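Review bot: `readFile` returns nil both when the file cannot be opened (line 14) and when no `# secfixes` block is found (it falls out of the outer loop at line 83 without a return), yet line 136 indexes the result unconditionally, so an APKBUILD without a secfixes block aborts with "attempt to index a nil value" instead of finishing cleanly; guard it with `local parsed = readFile(apkbuild)` / `if parsed == nil then os.exit(0) end` (whatever exit status a missing block should carry) and use `parsed` in place of `table`, which also stops the local from shadowing the `table` standard library. In the same spirit, `line` at line 17 is never declared `local` and so becomes an accidental global written by `readFile`, and the `return 1` in `verify` when `pkgname` is unset is discarded at line 136, so the YAML verification is silently skipped rather than reported. The `if l == nil then break end` at lines 49-51 is dead, since `gsub` always returns a string; it reads as if `l` could carry a failed match.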