
reviewdog: add fickling support
thypon committed Nov 9, 2024
1 parent 9a88980 commit fded7e2
Showing 7 changed files with 56 additions and 5 deletions.
2 changes: 1 addition & 1 deletion actions/main/action.cjs
Expand Up @@ -91,7 +91,7 @@ module.exports = async ({ github, context, inputs, actionPath, core, debug = fal

// Install semgrep & pip-audit
await runCommand(`pip install --disable-pip-version-check -r ${actionPath}/requirements.txt`, { shell: true })
debugLog('Installed semgrep & pip-audit')
debugLog('Installed semgrep & pip-audit & fickling')
// Install xmllint for safesvg
await runCommand('sudo apt-get install -y libxml2-utils', { shell: true })
debugLog('Installed xmllint')
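--- a/assets/fickling-audit.py
+++ b/assets/fickling-audit.py
@@ -0,0 +1,26 @@
+import fickling
+from fickling.fickle import PickleDecodeError, EmptyPickleError
+
+from os import environ, path
+import sys
+
+def is_pickle_unsafe(file_path):
+    try:
+        return not fickling.is_likely_safe(file_path)
+    except (NotImplementedError, PickleDecodeError, EmptyPickleError):
+        return False
+    except Exception as e:
+        # print exception on stderr
+        print("%s: (%s) %s" % (e.__class__.__qualname__, file_path, e), file=sys.stderr)
+        return False
+
+def main():
+    with open(path.join(environ["SCRIPTPATH"], "all_changed_files.txt")) as all_changed_files:
+        all_changed_files = [f for f in all_changed_files.read().split("\x00")]
+
+    for f in all_changed_files:
+        if is_pickle_unsafe(f):
+            print("""M:%s:0 This pickle might contain unsafe contructs\n""" % (f))
+
+if __name__ == "__main__":
+    main()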
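Review bot: The generic `except Exception` branch in `is_pickle_unsafe` fails open: any error the analyzer raises other than the three decode-type exceptions is logged to stderr and the file is reported as safe, so a pickle that breaks `fickling.is_likely_safe` (an opaque helper from this script's point of view) produces no finding at all. Since the runner only surfaces stdout findings, that branch should also emit a line the errorformat picks up, e.g. `print("W:%s:0 fickling could not analyze this file (%s)" % (file_path, e.__class__.__qualname__))`, so a reviewer sees that the check did not complete rather than nothing. In `main`, splitting the NUL-separated list leaves a trailing empty entry that is then passed to the analyzer as a path, and the comprehension copies the list without filtering; `all_changed_files = [f for f in all_changed_files.read().split("\x00") if f]` drops it, and reusing the handle's name for the list is worth renaming for readability. A short module docstring stating that every changed file is probed regardless of extension would also help, since that is not obvious from the filename.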
20 changes: 17 additions & 3 deletions assets/reviewdog.sh
Expand Up @@ -7,18 +7,32 @@ export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
export SEC_ACTION_DEBUG=$SEC_ACTION_DEBUG
export ASSIGNEES=$(echo "$ASSIGNEES" | sed 's|\([^ ]\)|@\1|' | tr -s '\n' ' ')
export GITHUB_REPORTER=github-pr-review

RUNNERS="safesvg tfsec semgrep sveltegrep npm-audit pip-audit fickling" # disabled: brakeman
# redefine RUNNERS with $1 if it is set
if [ -n "$1" ]; then
RUNNERS=$1
fi
# if GITHUB_OUTPUT is not set, set it to /dev/stdout
if [ -z "$GITHUB_OUTPUT" ]; then
GITHUB_OUTPUT=/dev/stdout
GITHUB_REPORTER=local
fi

RUNNERS="safesvg tfsec semgrep sveltegrep npm-audit pip-audit" # disabled: brakeman

if [ -n "${GITHUB_BASE_REF+set}" ]; then
for runner in $RUNNERS; do
reviewdog -reporter=local -runners=$runner -conf="$SCRIPTPATH/reviewdog/reviewdog.yml" -diff="git diff origin/$GITHUB_BASE_REF" > $runner.log 2>> reviewdog.log || true
SCRIPTPATH=$SCRIPTPATH reviewdog -reporter=local -runners=$runner -conf="$SCRIPTPATH/reviewdog/reviewdog.yml" -filter-mode=nofilter > $runner.log 2>> reviewdog.log || true
grep -H "" reviewdog.$runner.stderr.log >> reviewdog.fail.log || true
[[ ${SEC_ACTION_DEBUG:-false} == 'true' ]] && grep -H "" reviewdog.$runner.stderr.log || true
done

for runner in $RUNNERS; do
cat $runner.log | reviewdog -reporter=github-pr-review -efm='%f:%l: %m' \
# replace anything that has not the number in the beginning of the line with zero
sed -i sed 's/^\([^:]*\): /\1:0: /' $runner.log

cat $runner.log | reviewdog -reporter=$GITHUB_REPORTER -efm='%f:%l: %m' \
|| cat $runner.log >> reviewdog.fail.log
grep -H "" $runner.log >> reviewdog.log || true
echo -n "$runner: "
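Review bot: The `sed` call added before the second `reviewdog` invocation repeats the command name — `sed -i sed 's/^\([^:]*\): /\1:0: /' $runner.log` — so on GNU sed the word `sed` is taken as the script and the quoted expression as a file name; the line-number rewrite the comment describes never happens and the loop just continues past the error. It should read `sed -i 's/^\([^:]*\): /\1:0: /' "$runner.log"`. Dropping `-diff=...` in favour of `-filter-mode=nofilter` on the first `reviewdog` call also stops limiting findings to the PR's diff; if that is intended because the runners now read the changed-files list themselves, a one-line comment saying so on that line would spare the next reader the guess. The script continues outside the hunk.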
5 changes: 5 additions & 0 deletions assets/reviewdog/reviewdog.yml
Expand Up @@ -85,3 +85,8 @@ runner:
cmd: "set -e\n(python3 $SCRIPTPATH/pip-audit.py \\\n| $SCRIPTPATH/cleaner.rb) 2> /dev/null # reviewdog.pip-audit.stderr.log \n"
errorformat:
- "%t:%f:%l %m"
fickling:
name: fickling
cmd: "set -e\npython $SCRIPTPATH/fickling-audit.py | $SCRIPTPATH/cleaner.rb 2> reviewdog.fickling.stderr.log"
errorformat:
- "%t:%f:%l %m"
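Review bot: The `2> reviewdog.fickling.stderr.log` redirect on the new `fickling` cmd applies only to the `cleaner.rb` stage, so the analyzer errors that `fickling-audit.py` writes to stderr do not land in the file that `reviewdog.sh` later greps as `reviewdog.$runner.stderr.log`. The neighbouring `pip-audit` entry wraps the pipeline in a subshell for exactly this reason, and uses `python3`; the new entry should match it: `cmd: "set -e\n(python3 $SCRIPTPATH/fickling-audit.py | $SCRIPTPATH/cleaner.rb) 2> reviewdog.fickling.stderr.log"`. Note that `set -e` alone does not fail the pipeline when the first stage exits non-zero, as is already the case for `pip-audit`.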
3 changes: 2 additions & 1 deletion requirements.txt
@@ -1,3 +1,4 @@
# Also alter semgrep self test yml
semgrep~=1.95.0
pip-audit~=2.7.0
pip-audit~=2.7.0
fickling~=0.1.3
Binary file added scripttagextractor.pkl
Binary file not shown.
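Review bot: `scripttagextractor.pkl` is added at the repository root with nothing else in this commit referring to it, so its purpose is not recorded; if it is a fixture the new fickling runner is expected to flag, a short mention in the commit description or a README line next to the other self-test assets should say so. Because a fixture of that kind exists precisely to look unsafe, it is also worth stating that no code in this repository loads it.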
5 changes: 5 additions & 0 deletions src/pullRequestChangedFiles.js
Expand Up @@ -23,6 +23,7 @@ export default async function pullRequestChangedFIles ({ github, githubToken, ow
path
additions
deletions
changeType
}
}
}
Expand All @@ -49,6 +50,10 @@ export default async function pullRequestChangedFIles ({ github, githubToken, ow
// check for additions only, deletions are not relevant, in this case
paths = paths.concat(
files.nodes.filter(file => file.additions /* + file.deletions */ > 0).map(file => file.path))

// add binary files too
paths = paths.concat(
files.nodes.filter(file => file.additions === 0 && file.deletions === 0 && file.changeType === 'ADDED').map(file => file.path))
}

return paths
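Review bot: The second filter only picks up binary files whose `changeType` is `'ADDED'`, so a binary that is modified or renamed in the pull request (still 0 additions and 0 deletions) is left out of `paths` and never reaches the fickling runner, although the comment says "add binary files too". Narrowing on what is excluded instead covers those cases: `files.nodes.filter(file => file.additions === 0 && file.deletions === 0 && file.changeType !== 'DELETED').map(file => file.path)`. The comment above it would then be accurate as written. `pullRequestChangedFIles` begins before this hunk.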
