From d2e456b7d8504ad60b0c5bb5694975e6165ef457 Mon Sep 17 00:00:00 2001 From: Charles Herlin Date: Thu, 24 Jan 2019 11:11:08 +0100 Subject: [PATCH] IMP: new tag in file to tell that the script should pass shellcheck The `# run-shellcheck` tag must be placed in the first 10 lines of the file --- shellcheck/docker_build_and_run_shellcheck.sh | 3 +++ shellcheck/launch_shellcheck.sh | 13 ++++++++++--- tests/docker_build_and_run_tests.sh | 1 + tests/hardening/12.10_find_suid_files.sh | 2 ++ tests/hardening/12.11_find_sgid_files.sh | 1 + tests/hardening/12.7_find_world_writable_file.sh | 1 + tests/hardening/12.8_find_unowned_files.sh | 1 + tests/hardening/12.9_find_ungrouped_files.sh | 1 + .../2.17_sticky_bit_world_writable_folder.sh | 1 + tests/launch_tests.sh | 1 + tests/lib.sh | 1 + tests/run_all_targets.sh | 1 + 12 files changed, 24 insertions(+), 3 deletions(-) diff --git a/shellcheck/docker_build_and_run_shellcheck.sh b/shellcheck/docker_build_and_run_shellcheck.sh index 1ce1aac..b85682c 100755 --- a/shellcheck/docker_build_and_run_shellcheck.sh +++ b/shellcheck/docker_build_and_run_shellcheck.sh @@ -1,4 +1,7 @@ #!/bin/bash +# run-shellcheck +# usage : $0 [shell script to check] +# called without arguments, il will shellcheck any *.sh file found in the project set -e dockerfile="$(dirname "$0")/Dockerfile.shellcheck" diff --git a/shellcheck/launch_shellcheck.sh b/shellcheck/launch_shellcheck.sh index f6f84e1..20f38c7 100755 --- a/shellcheck/launch_shellcheck.sh +++ b/shellcheck/launch_shellcheck.sh @@ -1,7 +1,9 @@ #!/bin/bash - +# run-shellcheck +# please do not run this script directly but `docker_build_and_run_shellcheck.sh` files="" +retval=0 if [ $# -eq 0 ]; then files=$(find . -name "*.sh")
@@ -10,6 +12,11 @@ else fi for f in $files; do - printf "\e[1;36mRunning shellcheck on: %s \e[0m\n" "$f" - /usr/bin/shellcheck --color=always --external-sources --shell=bash "$f" + if head "$f" | grep -qE "^# run-shellcheck$"; then + printf "\e[1;36mRunning shellcheck on: %s \e[0m\n" "$f" + if ! /usr/bin/shellcheck --color=always --external-sources --shell=bash "$f"; then + retval=$((retval + 1)) + fi + fi done +exit "$retval" diff --git a/tests/docker_build_and_run_tests.sh b/tests/docker_build_and_run_tests.sh index 252f1a3..4a816f3 100755 --- a/tests/docker_build_and_run_tests.sh +++ b/tests/docker_build_and_run_tests.sh @@ -1,5 +1,6 @@ #! /bin/bash # This file builds a docker image for testing the targeted debian version +# run-shellcheck set -e target="" diff --git a/tests/hardening/12.10_find_suid_files.sh b/tests/hardening/12.10_find_suid_files.sh index 47e820d..41a0eb7 100755 --- a/tests/hardening/12.10_find_suid_files.sh +++ b/tests/hardening/12.10_find_suid_files.sh @@ -1,7 +1,9 @@ +# run-shellcheck test_audit() { describe Running void to generate the conf file that will later be edited # shellcheck disable=2154 /opt/debian-cis/bin/hardening/"${script}".sh || true + # shellcheck disable=2016 echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg describe Running on blank host diff --git a/tests/hardening/12.11_find_sgid_files.sh b/tests/hardening/12.11_find_sgid_files.sh index 0a2d798..215028e 100755 --- a/tests/hardening/12.11_find_sgid_files.sh +++ b/tests/hardening/12.11_find_sgid_files.sh @@ -1,3 +1,4 @@ +# run-shellcheck test_audit() { describe Running on blank host register_test retvalshouldbe 0 diff --git a/tests/hardening/12.7_find_world_writable_file.sh b/tests/hardening/12.7_find_world_writable_file.sh index ec1a699..2b5b92d 100755 --- a/tests/hardening/12.7_find_world_writable_file.sh +++ b/tests/hardening/12.7_find_world_writable_file.sh 
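Review bot: The final `+exit "$retval"` turns the number of failing scripts into the process exit status, and the shell reduces that value modulo 256, so a run with exactly 256 (or any multiple of 256) failing files exits 0 and a CI gate built on this script would pass; keep the counter for reporting but exit with `exit "$(( retval > 0 ))"`, or set `retval=1` in the failure branch. The new `if head "$f" | grep -qE "^# run-shellcheck$"` guard also makes linting opt-in and silently drops every script that lacks the tag, so a new file or a mistyped tag escapes the check with no output at all; an `else` branch such as `printf 'Skipping (no "# run-shellcheck" tag in first 10 lines): %s\n' "$f" >&2` keeps the omission visible in the log. Since the "first 10 lines" position is part of the contract, `head -n 10 "$f"` would state it explicitly instead of relying on head's default.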
@@ -1,3 +1,4 @@
+# run-shellcheck
 test_audit() {
 describe Running on blank host
 register_test retvalshouldbe 0
diff --git a/tests/hardening/12.8_find_unowned_files.sh b/tests/hardening/12.8_find_unowned_files.sh
index 36208c5..e789127 100755
--- a/tests/hardening/12.8_find_unowned_files.sh
+++ b/tests/hardening/12.8_find_unowned_files.sh
@@ -1,3 +1,4 @@
+# run-shellcheck
 test_audit() {
 describe Running on blank host
 register_test retvalshouldbe 0
diff --git a/tests/hardening/12.9_find_ungrouped_files.sh b/tests/hardening/12.9_find_ungrouped_files.sh
index 208c736..9fca286 100755
--- a/tests/hardening/12.9_find_ungrouped_files.sh
+++ b/tests/hardening/12.9_find_ungrouped_files.sh
@@ -1,3 +1,4 @@
+# run-shellcheck
 test_audit() {
 describe Running on blank host
 register_test retvalshouldbe 0
diff --git a/tests/hardening/2.17_sticky_bit_world_writable_folder.sh b/tests/hardening/2.17_sticky_bit_world_writable_folder.sh
index 928eb91..1f7c289 100755
--- a/tests/hardening/2.17_sticky_bit_world_writable_folder.sh
+++ b/tests/hardening/2.17_sticky_bit_world_writable_folder.sh
@@ -1,3 +1,4 @@
+# run-shellcheck
 test_audit() {
 describe Running on blank host
 register_test retvalshouldbe 0
diff --git a/tests/launch_tests.sh b/tests/launch_tests.sh
index a51297f..fa7a839 100755
--- a/tests/launch_tests.sh
+++ b/tests/launch_tests.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# run-shellcheck
 # stop on any error
 set -e
 # stop on undefined variable
diff --git a/tests/lib.sh b/tests/lib.sh
index 7112734..374ce81 100644
--- a/tests/lib.sh
+++ b/tests/lib.sh
@@ -1,4 +1,5 @@
 # shellcheck shell=bash
+# run-shellcheck
 ###########################################
 # Assertion functions for funcional tests #
 ###########################################
diff --git a/tests/run_all_targets.sh b/tests/run_all_targets.sh
index 2012629..ffc5e84 100755
--- a/tests/run_all_targets.sh
+++ b/tests/run_all_targets.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# run-shellcheck
 # usage : $0 [--nodel|--nowait] [1.1_script-to-test.sh...]
 # --nodel will keep logs
 # --nowait will not wait for you to see logs