authorlhinds <lhinds@redhat.com>2017-06-25 18:43:51 +0100
committerlhinds <lhinds@redhat.com>2017-06-25 18:50:26 +0100
commit48ce2a2317eb86b73b6da297c8ed9082b06faf9f (patch)
tree7f43ce80b63c0a5662cb8cdd50629c18753a4e2d /anteater/src/patch_scan.py
parent0b6fc6f47d2ce40d64659f398d025d5bcf2c7feb (diff)
Implements sha256 exception functionality
This patch adds functionality for file checksum verifications for binary files. The master_list.yaml binaries yaml directive now only contains simple exceptions (for common artefacts that are gitignored). Each project_exception file now has a filename and a sha256 hash. If a binary file is not found, or the hash is mismatched, it will output the hash for the user to include in an exception patch. This functionality has been added to complete project scans and patchset scans. JIRA: RELENG-240 Change-Id: Iafa5710f4a0da192fc74335b1200b504413f8a8b Signed-off-by: lhinds <lhinds@redhat.com>
Diffstat (limited to 'anteater/src/patch_scan.py')
-rw-r--r--anteater/src/patch_scan.py28
1 files changed, 20 insertions, 8 deletions
diff --git a/anteater/src/patch_scan.py b/anteater/src/patch_scan.py
index 48c78fd..51b3430 100644
--- a/anteater/src/patch_scan.py
+++ b/anteater/src/patch_scan.py
@@ -21,6 +21,7 @@ from binaryornot.check import is_binary
import anteater.utils.anteater_logger as antlog
import anteater.src.get_lists as get_lists
import ConfigParser
+import hashlib
import sys
import re
@@ -30,6 +31,7 @@ config = ConfigParser.RawConfigParser()
config.read('anteater.conf')
reports_dir = config.get('config', 'reports_dir')
failure = False
+hasher = hashlib.sha256()
def prepare_patchset(project, patchset):
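Review bot: The module-level `hasher = hashlib.sha256()` added here is shared by every call to scan_patch, and the later scan_patch hunk feeds each file into it with `hasher.update(buf)`. From the second binary file in a patchset onward, `hexdigest()` therefore covers the concatenation of every file read so far, not the file being checked. A file with a correctly recorded exception would then fail to match, and the hash printed for the user to submit would not be that file's own sha256. Drop the global and compute a fresh digest per file inside scan_patch, e.g. `file_hash = hashlib.sha256(buf).hexdigest()`, using `file_hash` for both the comparison and the log message.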
@@ -39,7 +41,7 @@ def prepare_patchset(project, patchset):
# Get Various Lists / Project Waivers
lists = get_lists.GetLists()
# Get binary white list
- binary_list, binary_project_list = lists.binary_list(project)
+ binary_list = lists.binary_list(project)
# Get file name black list and project waivers
file_audit_list, file_audit_project_list = lists.file_audit_list(project)
@@ -59,7 +61,7 @@ def prepare_patchset(project, patchset):
for line in lines:
patch_file = line.strip('\n')
# Perform binary and file / content checks
- scan_patch(project, patch_file, binary_list, binary_project_list,
+ scan_patch(project, patch_file, binary_list,
file_audit_list, file_audit_project_list,
file_content_list, file_content_project_list, licence_ext,
licence_ignore)
@@ -69,16 +71,26 @@ def prepare_patchset(project, patchset):
process_failure()
-def scan_patch(project, patch_file, binary_list, binary_project_list,
- file_audit_list, file_audit_project_list, file_content_list,
+def scan_patch(project, patch_file, binary_list, file_audit_list,
+ file_audit_project_list, file_content_list,
file_content_project_list, licence_ext, licence_ignore):
""" Scan actions for each commited file in patch set """
global failure
if is_binary(patch_file):
- if not binary_list.search(patch_file) and not binary_project_list\
- .search(patch_file):
- logger.error('Non Whitelisted Binary file: {0}'.
- format(patch_file))
+ hashlist = get_lists.GetLists()
+ binary_hash = hashlist.binary_hash(project, patch_file)
+ if not binary_list.search(patch_file):
+ with open(patch_file, 'rb') as afile:
+ buf = afile.read()
+ hasher.update(buf)
+ if hasher.hexdigest() in binary_hash:
+ logger.info('Found matching file hash for file: {0}'.
+ format(patch_file))
+ else:
+ logger.error('Non Whitelisted Binary file: {0}'.
+ format(patch_file))
+ logger.error('Please submit patch with this hash:: {0}'.
+ format(hasher.hexdigest()))
failure = True
with open(reports_dir + "binaries-" + project + ".log", "a") \
as gate_report:
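Review bot: `hasher.hexdigest() in binary_hash` in scan_patch is a containment test whose meaning depends on what `hashlist.binary_hash(project, patch_file)` returns, and that is not visible in this diff. If it returns a single string, `in` is a substring match and `==` would state the intent exactly. If it can return None when the project has no entry for the file, the test raises TypeError instead of reporting the binary. A comment such as `# binary_hash: list of sha256 hex digests recorded for patch_file (empty if none)` next to the lookup, or an explicit guard before the comparison, would pin this down. The body of scan_patch continues past the end of the hunk.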