Re: [opnfv-tech-discuss] Issues with Anteater pretest process

2018-02-06 Thread SULLIVAN, BRYAN L (BRYAN L)
Julien,

I figured out how to get it working and developed a script for it. I’ll work on 
making it generic so it can be used by any OPNFV project. I’m working on using 
the tool to scan the code for other projects as well. I did find a bug – the 
project name cannot have a “-”, otherwise the tool throws a Python exception. I 
found this when running the tool against non-OPNFV projects. I had to figure 
out how to add them to the master-list.yaml but once that was done, I was able 
to run the tool against any arbitrary git repo.

The script is at https://github.com/opnfv/models/blob/master/tools/anteater.sh

I do think the Anteater tool needs a good bit of work, as evidenced by the long 
list of exceptions I had to create for Models: 
https://github.com/opnfv/models/blob/master/tools/anteater-exceptions.yaml
Most of these are due to the tool’s assumption that certain strings are 
problematic, without considering the context of where those strings appear.

I think other more robust and vulnerability-specific tools may also be needed 
in OPNFV, e.g. OpenSCAP and Fossology as I recommended when the security 
scanning project was first proposed. And we need to support iterative license 
scanning for tightly integrated code, e.g. imported modules, to ensure that 
OPNFV code is compatible with the license of all tightly integrated code. Note 
“tightly integrated” means it becomes part of the application, thus rules 
related to GPL license for example apply. This in comparison to loosely 
integrated code e.g. through APIs, or running as separate processes and 
providing some system service.

Thanks,
Bryan Sullivan | AT

From: Julien [mailto:julien...@gmail.com]
Sent: Tuesday, February 06, 2018 10:20 PM
To: Fatih Degirmenci <fatih.degirme...@ericsson.com>
Cc: SULLIVAN, BRYAN L (BRYAN L) <bryan.sulli...@research.att.com>; 
opnfv-tech-discuss@lists.opnfv.org; Luke Hinds <lhi...@redhat.com>
Subject: Re: [opnfv-tech-discuss] Issues with Anteater pretest process

Hi Bryan,

I have happened to work together with Luke on this project for some time. It's 
really cool.
Thanks for your interest.

The anteater container is already there on Docker Hub, so you can directly 
use it without building from the very beginning.
Luke, you can help to verify the steps.

Several steps:
1. docker pull opnfv/releng-anteater
2. Take the Pharos project for example.
3. docker run -it \
     -v /Users/julien/Documents/git/opnfv/pharos:/home/opnfv/anteater/pharos \
     opnfv/releng-anteater
   I only map the Pharos repo into the container at /home/opnfv/anteater/pharos.
   Any target path is OK.
4. /home/opnfv/venv/bin/anteater -p pharos --path pharos/

You can get some helpful info through:

/home/opnfv/venv/bin/anteater -h
Anteater - CI Gate Checks.

Usage:
  anteater (-p |--project)  [(-ps |--patchset) ]
  anteater (-p |--project)  [--path ]
  anteater (-h | --help)
  anteater --version

Options:
  -h --help Show this screen.
  --version Show version.

The only thing I want to mention is that project_path is a mandatory argument 
when you want to scan the whole project.
-p project: indicates which project to scan, because we have some exceptions 
named with this project name.

5. You can get the report logs in the .reports sub-directory, besides the terminal output:
[opnfv@c96175c845be anteater]$ ll .reports/
total 76
-rw-rw-r-- 1 opnfv opnfv 48546 Feb  7 06:14 anteater.log
-rw-rw-r-- 1 opnfv opnfv  9444 Feb  7 06:14 binaries-pharos.log
-rw-rw-r-- 1 opnfv opnfv  8630 Feb  7 06:14 contents-pharos.log
-rw-rw-r-- 1 opnfv opnfv  1030 Feb  7 06:14 licence-pharos.log

Regards,
Julien

Fatih Degirmenci <fatih.degirme...@ericsson.com> wrote on Wed, Feb 7, 2018 at 3:38 AM:
Hi Bryan,

Anteater is used for gating patches coming to OPNFV projects. See the Jenkins 
job configuration to see patches of which projects are gated.

https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;a=blob;f=jjb/ci_gate_security/opnfv-ci-gate-security.yml

And see the script that is executed by Jenkins job.

https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;a=blob;f=jjb/ci_gate_security/anteater-security-audit.sh

Adding Luke who is maintaining Anteater.

/Fatih

From: 
<opnfv-tech-discuss-boun...@lists.opnfv.org<mailto:opnfv-tech-discuss-boun...@lists.opnfv

Re: [opnfv-tech-discuss] Issues with Anteater pretest process

2018-02-06 Thread Julien
Hi Bryan,

I have happened to work together with Luke on this project for some time.
It's really cool.
Thanks for your interest.

The anteater container is already there on Docker Hub, so you can
directly use it without building from the very beginning.
Luke, you can help to verify the steps.

Several steps:
1. docker pull opnfv/releng-anteater
2. Take the Pharos project for example.
3. docker run -it \
     -v /Users/julien/Documents/git/opnfv/pharos:/home/opnfv/anteater/pharos \
     opnfv/releng-anteater
   I only map the Pharos repo into the container at
   /home/opnfv/anteater/pharos.
   Any target path is OK.
4. /home/opnfv/venv/bin/anteater -p pharos --path pharos/

You can get some helpful info through:

/home/opnfv/venv/bin/anteater -h
Anteater - CI Gate Checks.

Usage:
  anteater (-p |--project)  [(-ps |--patchset) ]
  anteater (-p |--project)  [--path ]
  anteater (-h | --help)
  anteater --version

Options:
  -h --help Show this screen.
  --version Show version.

The only thing I want to mention is that *project_path* is a *mandatory*
argument when you want to scan the whole project.
-p project: indicates which project to scan, because we have some exceptions
named with this project name.

5. You can get the report logs in the .reports sub-directory, besides the terminal output:
[opnfv@c96175c845be anteater]$ ll .reports/
total 76
-rw-rw-r-- 1 opnfv opnfv 48546 Feb  7 06:14 anteater.log
-rw-rw-r-- 1 opnfv opnfv  9444 Feb  7 06:14 binaries-pharos.log
-rw-rw-r-- 1 opnfv opnfv  8630 Feb  7 06:14 contents-pharos.log
-rw-rw-r-- 1 opnfv opnfv  1030 Feb  7 06:14 licence-pharos.log

Regards,
Julien

Fatih Degirmenci <fatih.degirme...@ericsson.com> wrote on Wed, Feb 7, 2018 at 3:38 AM:

> Hi Bryan,
>
> Anteater is used for gating patches coming to OPNFV projects. See the
> Jenkins job configuration to see patches of which projects are gated.
>
> https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;a=blob;f=jjb/ci_gate_security/opnfv-ci-gate-security.yml
>
> And see the script that is executed by Jenkins job.
>
> https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;a=blob;f=jjb/ci_gate_security/anteater-security-audit.sh
>
> Adding Luke who is maintaining Anteater.
>
> /Fatih
>
> *From: *<opnfv-tech-discuss-boun...@lists.opnfv.org> on behalf of
> "SULLIVAN, BRYAN L (BRYAN L)" <bryan.sulli...@research.att.com>
> *Date: *Tuesday, 6 February 2018 at 17:54
> *To: *"opnfv-tech-discuss@lists.opnfv.org" <
> opnfv-tech-discuss@lists.opnfv.org>
> *Subject: *Re: [opnfv-tech-discuss] Issues with Anteater pretest process
>
> Hi all,
>
> Is anyone using this toolset for a project? I am trying to follow the
> instructions as below (I did figure out that you have to clone anteater
> first… that needs to be updated on the wiki).
>
> But the rest of the instructions just don’t work. It’s not clear how to
> run the anteater process once in the container. “anteater” is not in the
> path, and running “pip install .” on the root folder seems to build
> something, but it’s still not in the path and it’s not clear how to invoke
> the tool.
>
> Anyone supporting this tool – please respond asap so I can get an
> impression if I should continue down this path.
>
> Thanks,
>
> Bryan Sullivan | AT
>
> *From:* SULLIVAN, BRYAN L (BRYAN L)
> *Sent:* Tuesday, February 06, 2018 6:43 AM
> *To:* 'opnfv-tech-discuss@lists.opnfv.org' <
> opnfv-tech-discuss@lists.opnfv.org>
> *Subject:* Issues with Anteater pretest process
>
> Hi all,
>
> I’m starting to look at the pretest process for Anteater patches as
> described under “How can I test my entire project or pretest a patch?” at
> https://wiki.opnfv.org/pages/viewpage.action?pageId=11700198. The first
> instruction is not working:
>
> if you would like to perform a full retrospective check of your project,
> you can do so on any machine capable of running Docker. Follow these steps..
>
> Pull the anteater Docker image and build.
>
> docker build -t anteater .
>
> That command (docker build) is for building a container based upon a
> Dockerfile. It seems there’s a missing step – clone the Anteater repo and
> cd to the folder that contains the Anteater Dockerfile. Is that what was
> intended?
>
> Thanks,
>
> Bryan Sullivan | AT
>
> ___
> opnfv-tech-discuss mailing list
> opnfv-tech-discuss@lists.opnfv.org
> https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
>
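
The mount and scan steps Julien lists above, as one non-interactive shell function that also rejects the hyphenated project names Bryan reports as failing. This is an added example, not part of the thread and not the anteater.sh script Bryan links; the function names, the DOCKER override, the .reports bind mount and the assumption that the image runs the given command from /home/opnfv/anteater are assumptions of this example.

```sh
#!/bin/sh
# Added example. Image name and paths are taken from the thread; the
# function names and the DOCKER override are hypothetical.
ANTEATER_IMAGE="opnfv/releng-anteater"
ANTEATER_BIN="/home/opnfv/venv/bin/anteater"
ANTEATER_HOME="/home/opnfv/anteater"   # assumed working directory (prompt in the thread)

# The thread reports a Python exception when the project name contains "-",
# so refuse such names before starting a container.
anteater_check_project() {
    case "$1" in
        "")  echo "project name is empty" >&2; return 1 ;;
        *-*) echo "project name '$1' contains '-'" >&2; return 1 ;;
    esac
    return 0
}

# anteater_scan PROJECT REPO_DIR REPORT_DIR
# Scans REPO_DIR as PROJECT and leaves the logs in REPORT_DIR on the host.
anteater_scan() {
    project=$1 repo=$2 reports=$3
    anteater_check_project "$project" || return 1
    [ -d "$repo" ] || { echo "no such directory: $repo" >&2; return 1; }
    mkdir -p "$reports" || return 1
    # Bind mounts need absolute host paths.
    repo=$(cd "$repo" && pwd) || return 1
    reports=$(cd "$reports" && pwd) || return 1
    # All docker options go before the image name; whatever follows the image
    # is handed to the container as its command. docker run pulls the image
    # when it is not present locally.
    "${DOCKER:-docker}" run --rm \
        -v "$repo:$ANTEATER_HOME/$project" \
        -v "$reports:$ANTEATER_HOME/.reports" \
        -w "$ANTEATER_HOME" \
        "$ANTEATER_IMAGE" \
        "$ANTEATER_BIN" -p "$project" --path "$project/"
}
```

Because the container is removed on exit, the .reports mount is what keeps the logs; it assumes the container's opnfv user can write to REPORT_DIR on the host.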


Re: [opnfv-tech-discuss] Issues with Anteater pretest process

2018-02-06 Thread SULLIVAN, BRYAN L (BRYAN L)
Hi all,

Is anyone using this toolset for a project? I am trying to follow the 
instructions as below (I did figure out that you have to clone anteater 
first... that needs to be updated on the wiki).

But the rest of the instructions just don't work. It's not clear how to run the 
anteater process once in the container. "anteater" is not in the path, and 
running "pip install ." on the root folder seems to build something, but it's 
still not in the path and it's not clear how to invoke the tool.

Anyone supporting this tool - please respond asap so I can get an impression if 
I should continue down this path.

Thanks,
Bryan Sullivan | AT

From: SULLIVAN, BRYAN L (BRYAN L)
Sent: Tuesday, February 06, 2018 6:43 AM
To: 'opnfv-tech-discuss@lists.opnfv.org' 
Subject: Issues with Anteater pretest process

Hi all,

I'm starting to look at the pretest process for Anteater patches as described 
under "How can I test my entire project or pretest a patch?" at 
https://wiki.opnfv.org/pages/viewpage.action?pageId=11700198. The first 
instruction is not working:

if you would like to perform a full retrospective check of your project, you 
can do so on any machine capable of running Docker. Follow these steps..
Pull the anteater Docker image and build.
docker build -t anteater .


That command (docker build) is for building a container based upon a 
Dockerfile. It seems there's a missing step - clone the Anteater repo and cd to 
the folder that contains the Anteater Dockerfile. Is that what was intended?

Thanks,
Bryan Sullivan | AT



[opnfv-tech-discuss] Issues with Anteater pretest process

2018-02-06 Thread SULLIVAN, BRYAN L (BRYAN L)
Hi all,

I'm starting to look at the pretest process for Anteater patches as described 
under "How can I test my entire project or pretest a patch?" at 
https://wiki.opnfv.org/pages/viewpage.action?pageId=11700198. The first 
instruction is not working:

if you would like to perform a full retrospective check of your project, you 
can do so on any machine capable of running Docker. Follow these steps..
Pull the anteater Docker image and build.
docker build -t anteater .


That command (docker build) is for building a container based upon a 
Dockerfile. It seems there's a missing step - clone the Anteater repo and cd to 
the folder that contains the Anteater Dockerfile. Is that what was intended?

Thanks,
Bryan Sullivan | AT
