Google Git
Sign in
fuchsia / shac-project / shac / 7fafae0f3d68b0a57a4532f7e2bd0fed7a2a1bf3
commit7fafae0f3d68b0a57a4532f7e2bd0fed7a2a1bf3[log] [tgz]
authorOliver Newman <olivernewman@google.com>Fri Aug 18 21:05:34 2023 +0000
committerCQ Bot <fuchsia-internal-scoped@luci-project-accounts.iam.gserviceaccount.com>Fri Aug 18 21:05:34 2023 +0000
tree0b7391b8e2d7cd097f87a4adf63b76e74dcca7bf
parente1684102bf173f61cef146dbc5c1d8b88e0d99a5 [diff]
[engine] Prohibit forking without locking

Calling the `os/exec.Cmd` functions `Run()` or `Start()` without locking
the R/W mutex used to write the nsjail executable causes test flakiness;
see docstring of the command package for more details.

So extract a library that forks safely, and add a check that no unsafe
forks are done.

Change-Id: I926654d38f66fb614e39db5a7d9c3e1e43ebeb4a
Reviewed-on: https://fuchsia-review.googlesource.com/c/shac-project/shac/+/904660
Fuchsia-Auto-Submit: Oliver Newman <olivernewman@google.com>
Commit-Queue: Oliver Newman <olivernewman@google.com>
Reviewed-by: Marc-Antoine Ruel <maruel@google.com>
108 files changed
tree: 0b7391b8e2d7cd097f87a4adf63b76e74dcca7bf
  1. .github/
  2. checks/
  3. cmd/
  4. doc/
  5. images/
  6. internal/
  7. scripts/
  8. vendor/
  9. .gitignore
  10. AUTHORS
  11. codecov.yml
  12. CONTRIBUTING.md
  13. go.mod
  14. go.sum
  15. LICENSE
  16. main.go
  17. OWNERS
  18. PATENTS
  19. README.md
  20. shac.star
  21. shac.textproto
README.md

shac

Shac (Scalable Hermetic Analysis and Checks) is a unified and ergonomic tool and framework for writing and running static analysis checks.

Shac checks are written in Starlark.

usage demonstration

Usage

go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less

Documentation

Road map

Planned features/changes, in descending order by priority:

  • [x] Configuring files to exclude from shac analysis in shac.textproto
  • [x] Include unstaged files in analysis, including respecting unstaged shac.star files
  • [x] Automatic fix application with handling for conflicting suggestions
  • [ ] Provide a .shac cache directory that checks can write to
  • [ ] Mount checkout directory read-only
    • [x] By default
    • [ ] Unconditionally
  • [ ] Give checks access to the commit message via ctx.scm
  • [ ] Built-in formatting of Starlark files
  • [ ] Configurable “pass-throughs” - non-default environment variables and mounts that can optionally be passed through to the sandbox
  • [ ] Add glob arguments to ctx.scm.{all,affected}_files() functions for easier filtering
  • [ ] Filesystem sandboxing on MacOS
  • [ ] Windows sandboxing
  • [ ] Testing framework for checks

Contributing

⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.

See CONTRIBUTING.md to submit changes.