Add shellcheck

Copy the `shellcheck.sh` script from the SecureDrop server repository and add it to the central `make lint` target. I added SC2164 as a global exclusion since we don't really care about `cd` potentially failing. The following fixes are being made: * client/.githooks/pre-commit: Use $() instead of backticks. * debian/setup-venv.sh: Ignore quoting words, all the variables are a single word only. * proxy/entrypoint.sh: Adjust shebang since we use bashisms. * scripts/build-debs.sh: Set variable and then export it * scripts/fixup-changelog.sh: Quote our variables, don't use `! -z`. Fixes #814.
freedomofpress · Feb 16, 2024 · 5286817 · 5286817
1 parent bb196d2
commit 5286817
Show file tree

Hide file tree

Showing 10 changed files with 66 additions and 8 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -32,7 +32,7 @@ jobs:
     container: debian:${{ matrix.debian_version }}
     steps:
       - run: |
-          apt-get update && apt-get install --yes git make
+          apt-get update && apt-get install --yes git make file
       - uses: actions/checkout@v4
       - name: Install dependencies
         run: |

diff --git a/Makefile b/Makefile
@@ -11,11 +11,14 @@ lint-desktop: ## Lint .desktop files
 	find . -name *.desktop -type f -not -path '*/\.git/*' | xargs desktop-file-validate
 
 .PHONY: lint
-lint: bandit ## Run linters and formatters
+lint: bandit shellcheck ## Run linters and formatters
 
 bandit: ## Run bandit security checks
 	@poetry run bandit -c pyproject.toml -r . --severity-level medium
 
+shellcheck: ## Lint shell scripts
+	@poetry run scripts/shellcheck.sh
+
 safety:  ## Run safety dependency checks on build dependencies
 	find . -name build-requirements.txt | xargs -n1 poetry run safety check --full-report \
 		--ignore 51668 \

diff --git a/client/.githooks/pre-commit b/client/.githooks/pre-commit
@@ -1,4 +1,4 @@
 #!/bin/sh
-TOP=`git rev-parse --show-toplevel`
+TOP=$(git rev-parse --show-toplevel)
 
 make -C "$TOP" check-strings
diff --git a/debian/setup-venv.sh b/debian/setup-venv.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# shellcheck disable=SC2086
 set -euxo pipefail
 
 NAME=$1

diff --git a/poetry.lock b/poetry.lock
diff --git a/proxy/entrypoint.sh b/proxy/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 cd /home/user/projects/securedrop-proxy
 virtualenv .venv

diff --git a/pyproject.toml b/pyproject.toml
@@ -11,6 +11,7 @@ python = "^3.9"
 [tool.poetry.group.dev.dependencies]
 bandit = "*"
 safety = "*"
+shellcheck-py = "*"
 
 [tool.bandit]
 exclude_dirs = ["client/tests", "export/tests", "log/tests", "proxy/tests"]
diff --git a/scripts/build-debs.sh b/scripts/build-debs.sh
@@ -29,13 +29,14 @@ if test -t 0; then
 fi
 
 # Look for the builder repo with our local wheels
-export BUILDER=$(realpath "${BUILDER:-../securedrop-builder}")
+BUILDER=$(realpath "${BUILDER:-../securedrop-builder}")
 if [[ ! -d $BUILDER ]]; then
     echo "Cannot find securedrop-builder repository, please check it out \
 to ${BUILDER} or set the BUILDER variable"
     exit 1
 fi
 
+export BUILDER
 export DEBIAN_VERSION="${DEBIAN_VERSION:-bullseye}"
 export OCI_RUN_ARGUMENTS
 export OCI_BIN

diff --git a/scripts/fixup-changelog.sh b/scripts/fixup-changelog.sh
@@ -7,13 +7,13 @@ source /etc/os-release
 if [[ "$VERSION_CODENAME" == "" ]]; then
     # PRETTY_NAME="Debian GNU/Linux bookworm/sid"
     # Use awk to split on spaces and /
-    VERSION_CODENAME=$(echo $PRETTY_NAME | awk '{split($0, a, "[ /]"); print a[4]}')
+    VERSION_CODENAME=$(echo "$PRETTY_NAME" | awk '{split($0, a, "[ /]"); print a[4]}')
 fi
 
 VERSION=$(dpkg-parsechangelog -S Version)
 
 NIGHTLY="${NIGHTLY:-}"
-if [[ ! -z $NIGHTLY ]]; then
+if [[ -n $NIGHTLY ]]; then
     NEW_VERSION="${VERSION}.dev$(date +%Y%m%d%H%M%S)"
 else
     NEW_VERSION=$VERSION

diff --git a/scripts/shellcheck.sh b/scripts/shellcheck.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e
+
+EXCLUDE_RULES="SC1090,SC1091,SC2001,SC2064,SC2181,SC1117,SC2164"
+
+# Omitting:
+# - the `.git/` directory since its hooks won't pass # validation, and
+#   we don't maintain those scripts.
+# - the `.venv/` dir because we don't control files in there.
+# - ossec packages because there are a LOT of violations, and we have
+#   a separate issue dedicated to cleaning those up.
+# - Python, JavaScript, YAML, HTML, SASS, PNG files because they're not shell scripts.
+# - Cache directories of mypy, SASS, or Tox.
+# - test results
+FILES=$(find "." \
+     \( \
+        -path '*.mo' \
+        -o -path '*.po' \
+        -o -path '*.py' \
+        -o -path '*.yml' \
+        -o -path '*/.mypy_cache/*' \
+        -o -path '*/.tox/*' \
+        -o -path '*/.venv' \
+        -o -path './.git' \
+        -o -path './build/*' \
+        -o -path './target' \
+     \) -prune \
+     -o -type f \
+     -exec file --mime {} + \
+    | awk '$2 ~ /x-shellscript/ { print $1 }' \
+    | sed 's/://')
+# Turn the multiline find output into a single space-separated line
+FILES=$(echo "$FILES" | tr '\n' ' ')
+
+shellcheck --version
+# $FILES intentionally unquoted so each file is passed as its own argument
+# shellcheck disable=SC2086
+shellcheck -x --exclude="$EXCLUDE_RULES" $FILES