From 48ce2a2317eb86b73b6da297c8ed9082b06faf9f Mon Sep 17 00:00:00 2001 From: lhinds Date: Sun, 25 Jun 2017 18:43:51 +0100 Subject: Implements sha256 exception functionality This patch adds functionality for file checksum verfications for binary files. The master_list.yaml binaries yaml directive now only contains simple exceptions (for common artefacts that are gitignored) Each project_exception file now has a filename and a sha256 hash. If a binary file is not found, or the hash is mismatched, it will output the hash for the user to include in an exception patch. This functionality has been added to complete project scans and patchset scans JIRA: RELENG-240 Change-Id: Iafa5710f4a0da192fc74335b1200b504413f8a8b Signed-off-by: lhinds --- anteater/src/patch_scan.py | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) (limited to 'anteater/src/patch_scan.py') diff --git a/anteater/src/patch_scan.py b/anteater/src/patch_scan.py index 48c78fd..51b3430 100644 --- a/anteater/src/patch_scan.py +++ b/anteater/src/patch_scan.py @@ -21,6 +21,7 @@ from binaryornot.check import is_binary import anteater.utils.anteater_logger as antlog import anteater.src.get_lists as get_lists import ConfigParser +import hashlib import sys import re @@ -30,6 +31,7 @@ config = ConfigParser.RawConfigParser() config.read('anteater.conf') reports_dir = config.get('config', 'reports_dir') failure = False +hasher = hashlib.sha256() def prepare_patchset(project, patchset): @@ -39,7 +41,7 @@ def prepare_patchset(project, patchset): # Get Various Lists / Project Waivers lists = get_lists.GetLists() # Get binary white list - binary_list, binary_project_list = lists.binary_list(project) + binary_list = lists.binary_list(project) # Get file name black list and project waivers file_audit_list, file_audit_project_list = lists.file_audit_list(project) @@ -59,7 +61,7 @@ def prepare_patchset(project, patchset): for line in lines: patch_file = line.strip('\n') # Perform binary and file / content checks - scan_patch(project, patch_file, binary_list, binary_project_list, + scan_patch(project, patch_file, binary_list, file_audit_list, file_audit_project_list, file_content_list, file_content_project_list, licence_ext, licence_ignore) @@ -69,16 +71,26 @@ def prepare_patchset(project, patchset): process_failure() -def scan_patch(project, patch_file, binary_list, binary_project_list, - file_audit_list, file_audit_project_list, file_content_list, +def scan_patch(project, patch_file, binary_list, file_audit_list, + file_audit_project_list, file_content_list, file_content_project_list, licence_ext, licence_ignore): """ Scan actions for each commited file in patch set """ global failure if is_binary(patch_file): - if not binary_list.search(patch_file) and not binary_project_list\ - .search(patch_file): - logger.error('Non Whitelisted Binary file: {0}'. - format(patch_file)) + hashlist = get_lists.GetLists() + binary_hash = hashlist.binary_hash(project, patch_file) + if not binary_list.search(patch_file): + with open(patch_file, 'rb') as afile: + buf = afile.read() + hasher.update(buf) + if hasher.hexdigest() in binary_hash: + logger.info('Found matching file hash for file: {0}'. + format(patch_file)) + else: + logger.error('Non Whitelisted Binary file: {0}'. + format(patch_file)) + logger.error('Please submit patch with this hash:: {0}'. + format(hasher.hexdigest())) failure = True with open(reports_dir + "binaries-" + project + ".log", "a") \ as gate_report: -- cgit 1.2.3-korg