Re: [opnfv-tech-discuss] Issues with Anteater pretest process
Julien, I figured out how to get it working and developed a script for it. I'll work on making it generic so it can be used by any OPNFV project. I'm working on using the tool to scan the code for other projects as well. I did find a bug: the project name cannot contain a "-", otherwise the tool throws a Python exception. I found this when running the tool against non-OPNFV projects. I had to figure out how to add them to the master-list.yaml, but once that was done, I was able to run the tool against any arbitrary git repo. The script is at https://github.com/opnfv/models/blob/master/tools/anteater.sh

I do think the Anteater tool needs a good bit of work, as evidenced by the long list of exceptions I had to create for Models: https://github.com/opnfv/models/blob/master/tools/anteater-exceptions.yaml

Most of these are due to the tool's assumption that certain strings are problematic, without considering the context of where those strings appear. I think other more robust and vulnerability-specific tools may also be needed in OPNFV, e.g. OpenSCAP and Fossology, as I recommended when the security scanning project was first proposed. And we need to support iterative license scanning for tightly integrated code, e.g. imported modules, to ensure that OPNFV code is compatible with the license of all tightly integrated code. Note "tightly integrated" means it becomes part of the application, thus rules related to the GPL license for example apply. This is in comparison to loosely integrated code, e.g. through APIs, or running as separate processes and providing some system service.
Thanks,
Bryan Sullivan | AT&T

From: Julien [mailto:julien...@gmail.com]
Sent: Tuesday, February 06, 2018 10:20 PM
To: Fatih Degirmenci <fatih.degirme...@ericsson.com>
Cc: SULLIVAN, BRYAN L (BRYAN L) <bryan.sulli...@research.att.com>; opnfv-tech-discuss@lists.opnfv.org; Luke Hinds <lhi...@redhat.com>
Subject: Re: [opnfv-tech-discuss] Issues with Anteater pretest process

Hi Bryan,

I have happened to work together with Luke on this project for some time. It's really cool. Thanks for your interest.

The anteater container is already there on Docker Hub, so you can use it directly without building from the very beginning. Luke, you can help to verify the steps.

Several steps:

1. docker pull opnfv/releng-anteater

2. Take the Pharos project for example.

3. docker run -it -v /Users/julien/Documents/git/opnfv/pharos:/home/opnfv/anteater/pharos opnfv/releng-anteater

   I only map the Pharos repo into the container at /home/opnfv/anteater/pharos. Any target path is OK.

4. /home/opnfv/venv/bin/anteater -p pharos --path pharos/

   You can get some helpful info through: /home/opnfv/venv/bin/anteater -h

       Anteater - CI Gate Checks.

       Usage:
         anteater (-p |--project) <project_name> [(-ps |--patchset) <patchset>]
         anteater (-p |--project) <project_name> [--path <project_path>]
         anteater (-h | --help)
         anteater --version

       Options:
         -h --help     Show this screen.
         --version     Show version.

   The only thing I want to mention is that project_path is a mandatory argument when you want to scan the whole project.
   -p project: to indicate which project to scan; we have some exceptions named with this project name.

5. You can get the report log in the .reports sub-directory besides the terminal:

       [opnfv@c96175c845be anteater]$ ll .reports/
       total 76
       -rw-rw-r-- 1 opnfv opnfv 48546 Feb 7 06:14 anteater.log
       -rw-rw-r-- 1 opnfv opnfv  9444 Feb 7 06:14 binaries-pharos.log
       -rw-rw-r-- 1 opnfv opnfv  8630 Feb 7 06:14 contents-pharos.log
       -rw-rw-r-- 1 opnfv opnfv  1030 Feb 7 06:14 licence-pharos.log

Regards,
Julien

Fatih Degirmenci <fatih.degirme...@ericsson.com> wrote on Wed, 7 Feb 2018 at 03:38:

Hi Bryan,

Anteater is used for gating patches coming to OPNFV projects. See the Jenkins job configuration to see patches of which projects are gated.

https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;a=blob;f=jjb/ci_gate_security/opnfv-ci-gate-security.yml

And see the script that is executed by the Jenkins job.

https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;a=blob;f=jjb/ci_gate_security/anteater-security-audit.sh

Adding Luke who is maintaining Anteater.

/Fatih

From: <opnfv-tech-discuss-boun...@lists.opnfv.org>
Re: [opnfv-tech-discuss] Issues with Anteater pretest process
Hi Bryan,

I have happened to work together with Luke on this project for some time. It's really cool. Thanks for your interest.

The anteater container is already there on Docker Hub, so you can use it directly without building from the very beginning. Luke, you can help to verify the steps.

Several steps:

1. docker pull opnfv/releng-anteater

2. Take the Pharos project for example.

3. docker run -it -v /Users/julien/Documents/git/opnfv/pharos:/home/opnfv/anteater/pharos opnfv/releng-anteater

   I only map the Pharos repo into the container at /home/opnfv/anteater/pharos. Any target path is OK.

4. /home/opnfv/venv/bin/anteater -p pharos --path pharos/

   You can get some helpful info through: /home/opnfv/venv/bin/anteater -h

       Anteater - CI Gate Checks.

       Usage:
         anteater (-p |--project) <project_name> [(-ps |--patchset) <patchset>]
         anteater (-p |--project) <project_name> [--path <project_path>]
         anteater (-h | --help)
         anteater --version

       Options:
         -h --help     Show this screen.
         --version     Show version.

   The only thing I want to mention is that project_path is a mandatory argument when you want to scan the whole project.
   -p project: to indicate which project to scan; we have some exceptions named with this project name.

5. You can get the report log in the .reports sub-directory besides the terminal:

       [opnfv@c96175c845be anteater]$ ll .reports/
       total 76
       -rw-rw-r-- 1 opnfv opnfv 48546 Feb 7 06:14 anteater.log
       -rw-rw-r-- 1 opnfv opnfv  9444 Feb 7 06:14 binaries-pharos.log
       -rw-rw-r-- 1 opnfv opnfv  8630 Feb 7 06:14 contents-pharos.log
       -rw-rw-r-- 1 opnfv opnfv  1030 Feb 7 06:14 licence-pharos.log

Regards,
Julien

Fatih Degirmenci <fatih.degirme...@ericsson.com> wrote on Wed, 7 Feb 2018 at 03:38:

> Hi Bryan,
>
> Anteater is used for gating patches coming to OPNFV projects. See the
> Jenkins job configuration to see patches of which projects are gated.
>
> https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;a=blob;f=jjb/ci_gate_security/opnfv-ci-gate-security.yml
>
> And see the script that is executed by the Jenkins job.
>
> https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;a=blob;f=jjb/ci_gate_security/anteater-security-audit.sh
>
> Adding Luke who is maintaining Anteater.
>
> /Fatih
>
> From: <opnfv-tech-discuss-boun...@lists.opnfv.org> on behalf of "SULLIVAN, BRYAN L (BRYAN L)" <bryan.sulli...@research.att.com>
> Date: Tuesday, 6 February 2018 at 17:54
> To: "opnfv-tech-discuss@lists.opnfv.org" <opnfv-tech-discuss@lists.opnfv.org>
> Subject: Re: [opnfv-tech-discuss] Issues with Anteater pretest process
>
> Hi all,
>
> Is anyone using this toolset for a project? I am trying to follow the
> instructions as below (I did figure out that you have to clone anteater
> first... that needs to be updated on the wiki).
>
> But the rest of the instructions just don't work. It's not clear how to
> run the anteater process once in the container. "anteater" is not in the
> path, and running "pip install ." on the root folder seems to build
> something, but it's still not in the path and it's not clear how to invoke
> the tool.
>
> Anyone supporting this tool - please respond asap so I can get an
> impression if I should continue down this path.
>
> Thanks,
> Bryan Sullivan | AT&T
>
> From: SULLIVAN, BRYAN L (BRYAN L)
> Sent: Tuesday, February 06, 2018 6:43 AM
> To: 'opnfv-tech-discuss@lists.opnfv.org' <opnfv-tech-discuss@lists.opnfv.org>
> Subject: Issues with Anteater pretest process
>
> Hi all,
>
> I'm starting to look at the pretest process for Anteater patches as
> described under "How can I test my entire project or pretest a patch?" at
> https://wiki.opnfv.org/pages/viewpage.action?pageId=11700198. The first
> instruction is not working:
>
>     if you would like to perform a full retrospective check of your project,
>     you can do so on any machine capable of running Docker. Follow these steps..
>
>     Pull the anteater Docker image and build.
>
>     docker build -t anteater .
>
> That command (docker build) is for building a container based upon a
> Dockerfile. It seems there's a missing step - clone the Anteater repo and
> cd to the folder that contains the Anteater Dockerfile. Is that what was
> intended?
>
> Thanks,
> Bryan Sullivan | AT&T

___
opnfv-tech-discuss mailing list
opnfv-tech-discuss@lists.opnfv.org
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
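The container procedure Julien lays out (pull the image, bind-mount the repo under /home/opnfv/anteater, run /home/opnfv/venv/bin/anteater -p ... --path ..., read .reports/) and Bryan's finding that a project name containing "-" makes the tool throw a Python exception, as one added shell wrapper. This is example code written for this page; it is not Julien's steps verbatim, not the Anteater project's own code, and not the anteater.sh script Bryan links. From the thread it takes the image name opnfv/releng-anteater, the binary path inside the container, the mount point under /home/opnfv/anteater and the three per-project report files (binaries-, contents-, licence-<project>.log). It assumes, and the thread does not state, that the container's working directory is /home/opnfv/anteater (inferred from the "[opnfv@... anteater]$" prompt in Julien's listing), that a host directory can be bind-mounted over .reports/ so the logs survive a --rm container, and that the project is already present in master-list.yaml (the wrapper does not edit that file).

```shell
#!/bin/sh
# Added example for this thread, not code from the Anteater project or from
# the anteater.sh script linked in the thread. Wraps the docker-based
# full-project scan in functions so it can be reused for any repo and
# checked in CI.
#
# From the thread: image name, anteater path inside the container, mount
# point under /home/opnfv/anteater, report file names under .reports/.
# Assumed (not stated in the thread): the container's working directory is
# /home/opnfv/anteater, and a host directory can be mounted over .reports/.

IMAGE="opnfv/releng-anteater"
ANTEATER_BIN="/home/opnfv/venv/bin/anteater"
WORKDIR="/home/opnfv/anteater"

# Bryan reports that a project name containing "-" makes anteater raise a
# Python exception, so reject it before touching docker. Anything that is not
# a plain [A-Za-z0-9_] token is rejected too, since the name is also used as a
# path component inside the container. Returns 0 for a usable name, 1 otherwise.
check_project_name() {
  case "$1" in
    ''|*-*|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the docker command line for a full-project scan without running it,
# so the exact invocation can be reviewed or unit-tested without a daemon.
# All docker options (-v, -w) precede the image name: docker treats everything
# after the image as the container's command, so a -v placed after the image
# is handed to anteater instead of mounting anything.
build_scan_cmd() {
  project="$1"; repo="$2"; reports="$3"
  printf 'docker run --rm -v %s:%s/%s -v %s:%s/.reports -w %s %s %s -p %s --path %s/\n' \
    "$repo" "$WORKDIR" "$project" "$reports" "$WORKDIR" "$WORKDIR" \
    "$IMAGE" "$ANTEATER_BIN" "$project" "$project"
}

# Confirm the scan produced all three per-project reports Julien lists.
# Prints each missing file to stderr; returns 1 if any is missing.
check_reports() {
  project="$1"; reports="$2"; missing=0
  for kind in binaries contents licence; do
    if [ ! -f "$reports/$kind-$project.log" ]; then
      echo "missing report: $reports/$kind-$project.log" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Run the scan for real: validate the name, mount the repo and a host reports
# directory, run anteater, then confirm the reports exist. Exit status is
# non-zero if the name is rejected, anteater fails, or a report is missing.
run_scan() {
  project="$1"; repo="$2"; reports="${3:-$PWD/anteater-reports}"
  check_project_name "$project" || {
    echo "project name '$project' must match [A-Za-z0-9_]+ (anteater fails on '-')" >&2
    return 2
  }
  mkdir -p "$reports"
  docker run --rm -v "$repo:$WORKDIR/$project" -v "$reports:$WORKDIR/.reports" \
    -w "$WORKDIR" "$IMAGE" "$ANTEATER_BIN" -p "$project" --path "$project/" || return 1
  check_reports "$project" "$reports"
}

# Usage: sh anteater-scan.sh <project> <path-to-repo> [reports-dir]
if [ "$#" -ge 2 ]; then
  run_scan "$@"
fi
```

Running "sh anteater-scan.sh pharos /path/to/pharos ./reports" performs the full-project scan and fails the job if any of the three reports is absent, which is the check a CI gate wants rather than a bare exit status from the container. build_scan_cmd prints the same invocation so it can be pasted into a Jenkins job or inspected before anything runs. The "-" restriction in check_project_name is a workaround for the crash Bryan describes, not a rule of the tool; drop it once the project name handling is fixed upstream.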
Re: [opnfv-tech-discuss] Issues with Anteater pretest process
Hi all,

Is anyone using this toolset for a project? I am trying to follow the instructions as below (I did figure out that you have to clone anteater first... that needs to be updated on the wiki).

But the rest of the instructions just don't work. It's not clear how to run the anteater process once in the container. "anteater" is not in the path, and running "pip install ." on the root folder seems to build something, but it's still not in the path and it's not clear how to invoke the tool.

Anyone supporting this tool - please respond asap so I can get an impression if I should continue down this path.

Thanks,
Bryan Sullivan | AT&T

From: SULLIVAN, BRYAN L (BRYAN L)
Sent: Tuesday, February 06, 2018 6:43 AM
To: 'opnfv-tech-discuss@lists.opnfv.org'
Subject: Issues with Anteater pretest process

Hi all,

I'm starting to look at the pretest process for Anteater patches as described under "How can I test my entire project or pretest a patch?" at https://wiki.opnfv.org/pages/viewpage.action?pageId=11700198. The first instruction is not working:

    if you would like to perform a full retrospective check of your project, you can do so on any machine capable of running Docker. Follow these steps..

    Pull the anteater Docker image and build.

    docker build -t anteater .

That command (docker build) is for building a container based upon a Dockerfile. It seems there's a missing step - clone the Anteater repo and cd to the folder that contains the Anteater Dockerfile. Is that what was intended?

Thanks,
Bryan Sullivan | AT&T
[opnfv-tech-discuss] Issues with Anteater pretest process
Hi all,

I'm starting to look at the pretest process for Anteater patches as described under "How can I test my entire project or pretest a patch?" at https://wiki.opnfv.org/pages/viewpage.action?pageId=11700198. The first instruction is not working:

    if you would like to perform a full retrospective check of your project, you can do so on any machine capable of running Docker. Follow these steps..

    Pull the anteater Docker image and build.

    docker build -t anteater .

That command (docker build) is for building a container based upon a Dockerfile. It seems there's a missing step - clone the Anteater repo and cd to the folder that contains the Anteater Dockerfile. Is that what was intended?

Thanks,
Bryan Sullivan | AT&T