scripts/checklayer: check for SECURITY.md

Add a check for a SECURITY.md file (or similar) to yocto-check-layer, as knowing where to report security issues is important. (From OE-Core rev: c7cb22ac4ceed60f88452e83c907a4c4f33660e4) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@arm.com> 2024-11-13 17:23:24 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-11-22 16:53:37 +0000
commit: 4336f06475692871efa0f493854019e9b8188848 (patch)
tree: ecc42f8080f6fb71351ee3af61c085e1f9647e30 /scripts/lib/checklayer/cases/common.py
parent: 486ed07bd9e64f25bda5e8e1ed0cdbf9a6bac307 (diff)
download: poky-4336f06475692871efa0f493854019e9b8188848.tar.gz
1 files changed, 33 insertions, 1 deletions
diff --git a/scripts/lib/checklayer/cases/common.py b/scripts/lib/checklayer/cases/common.py
index 97b16f78c8..51233de767 100644
--- a/scripts/lib/checklayer/cases/common.py
+++ b/scripts/lib/checklayer/cases/common.py
@@ -7,7 +7,7 @@ import glob
 import os
 import unittest
 import re
-from checklayer import get_signatures, LayerType, check_command, get_depgraph, compare_signatures
+from checklayer import get_signatures, LayerType, check_command, compare_signatures, get_git_toplevel
 from checklayer.case import OECheckLayerTestCase
 class CommonCheckLayer(OECheckLayerTestCase):
@@ -40,6 +40,38 @@ class CommonCheckLayer(OECheckLayerTestCase):
        email_regex = re.compile(r"[^@]+@[^@]+")
        self.assertTrue(email_regex.match(data))
+    def find_file_by_name(self, globs):
+        """
+        Utility function to find a file that matches the specified list of
+        globs, in either the layer directory itself or the repository top-level
+        directory.
+        """
+        directories = [self.tc.layer["path"]]
+        toplevel = get_git_toplevel(directories[0])
+        if toplevel:
+            directories.append(toplevel)
+        for path in directories:
+            for name in globs:
+                files = glob.glob(os.path.join(path, name))
+                if files:
+                    return sorted(files)[0]
+        return None
+    def test_security(self):
+        """
+        Test that the layer has a SECURITY.md (or similar) file, either in the
+        layer itself or at the top of the containing git repository.
+        """
+        if self.tc.layer["type"] == LayerType.CORE:
+            raise unittest.SkipTest("Core layer's SECURITY is top level")
+        filename = self.find_file_by_name(("SECURITY", "SECURITY.*"))
+        self.assertTrue(filename, msg="Layer doesn't contain a SECURITY.md file.")
+        size = os.path.getsize(filename)
+        self.assertGreater(size, 0, msg=f"{filename} has no content.")
    def test_parse(self):
        check_command('Layer %s failed to parse.' % self.tc.layer['name'],
                      'bitbake -p')
author	Ross Burton <ross.burton@arm.com>	2024-11-13 17:23:24 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-11-22 16:53:37 +0000
commit	4336f06475692871efa0f493854019e9b8188848 (patch)
tree	ecc42f8080f6fb71351ee3af61c085e1f9647e30 /scripts/lib/checklayer/cases/common.py
parent	486ed07bd9e64f25bda5e8e1ed0cdbf9a6bac307 (diff)
download	poky-4336f06475692871efa0f493854019e9b8188848.tar.gz

diff --git a/scripts/lib/checklayer/cases/common.py b/scripts/lib/checklayer/cases/common.py index 97b16f78c8..51233de767 100644 --- a/scripts/lib/checklayer/cases/common.py +++ b/scripts/lib/checklayer/cases/common.py
@@ -7,7 +7,7 @@ import glob
7	import os	7	import os
8	import unittest	8	import unittest
9	import re	9	import re
10	from checklayer import get_signatures, LayerType, check_command, get_depgraph, compare_signatures	10	from checklayer import get_signatures, LayerType, check_command, compare_signatures, get_git_toplevel
11	from checklayer.case import OECheckLayerTestCase	11	from checklayer.case import OECheckLayerTestCase
12		12
13	class CommonCheckLayer(OECheckLayerTestCase):	13	class CommonCheckLayer(OECheckLayerTestCase):
@@ -40,6 +40,38 @@ class CommonCheckLayer(OECheckLayerTestCase):
40	email_regex = re.compile(r"[^@]+@[^@]+")	40	email_regex = re.compile(r"[^@]+@[^@]+")
41	self.assertTrue(email_regex.match(data))	41	self.assertTrue(email_regex.match(data))
42		42
		43	def find_file_by_name(self, globs):
		44	"""
		45	Utility function to find a file that matches the specified list of
		46	globs, in either the layer directory itself or the repository top-level
		47	directory.
		48	"""
		49	directories = [self.tc.layer["path"]]
		50	toplevel = get_git_toplevel(directories[0])
		51	if toplevel:
		52	directories.append(toplevel)
		53
		54	for path in directories:
		55	for name in globs:
		56	files = glob.glob(os.path.join(path, name))
		57	if files:
		58	return sorted(files)[0]
		59	return None
		60
		61	def test_security(self):
		62	"""
		63	Test that the layer has a SECURITY.md (or similar) file, either in the
		64	layer itself or at the top of the containing git repository.
		65	"""
		66	if self.tc.layer["type"] == LayerType.CORE:
		67	raise unittest.SkipTest("Core layer's SECURITY is top level")
		68
		69	filename = self.find_file_by_name(("SECURITY", "SECURITY.*"))
		70	self.assertTrue(filename, msg="Layer doesn't contain a SECURITY.md file.")
		71
		72	size = os.path.getsize(filename)
		73	self.assertGreater(size, 0, msg=f"{filename} has no content.")
		74
43	def test_parse(self):	75	def test_parse(self):
44	check_command('Layer %s failed to parse.' % self.tc.layer['name'],	76	check_command('Layer %s failed to parse.' % self.tc.layer['name'],
45	'bitbake -p')	77	'bitbake -p')