Google Git
Sign in
fuchsia / shac-project / shac / d59a7dbb51268a336eb1df47eaaa683d9ec8a7f9
commitd59a7dbb51268a336eb1df47eaaa683d9ec8a7f9[log] [tgz]
authorOliver Newman <olivernewman@google.com>Thu Aug 31 22:35:58 2023 +0000
committerCQ Bot <fuchsia-internal-scoped@luci-project-accounts.iam.gserviceaccount.com>Thu Aug 31 22:35:58 2023 +0000
tree470a8ee5a4a3748da30fb9e63ac2d8fe2ae33519
parentd40a13fd49f228000ec47f7819ed72af209aeda3 [diff]
[engine] Never evaluate executables relative to cwd

`exec.ErrDot` is the error that `exec.LookPath()` returns when it fails
to look up an executable on $PATH, but finds it in the current working
directory. Notably, the current working directory may be outside the
project root (if the "--root" flag is set), in which case the current
working directory lookup is undesirable, as shac checks should only
depend on tools in $PATH or in the checkout. Therefore, it should be
considered an error if an executable is not found on $PATH.

This means that commands like "foo.sh" that refer to a script in the
repository root must use "./foo.sh" or an absolute path. If that becomes
a pain for users, we could add a check to see if the file exists in the
repository root before falling back to looking it up on $PATH.

Change-Id: I6f3d5555c826c1492a3f40583cfd2ed04ed9b9ce
Reviewed-on: https://fuchsia-review.googlesource.com/c/shac-project/shac/+/909879
Reviewed-by: Marc-Antoine Ruel <maruel@google.com>
Commit-Queue: Auto-Submit <auto-submit@fuchsia-infra.iam.gserviceaccount.com>
Fuchsia-Auto-Submit: Oliver Newman <olivernewman@google.com>
1 file changed
tree: 470a8ee5a4a3748da30fb9e63ac2d8fe2ae33519
  1. .github/
  2. checks/
  3. cmd/
  4. doc/
  5. images/
  6. internal/
  7. scripts/
  8. vendor/
  9. .gitignore
  10. AUTHORS
  11. codecov.yml
  12. CONTRIBUTING.md
  13. go.mod
  14. go.sum
  15. LICENSE
  16. main.go
  17. OWNERS
  18. PATENTS
  19. README.md
  20. shac.star
  21. shac.textproto
README.md

shac

Shac (Scalable Hermetic Analysis and Checks) is a unified and ergonomic tool and framework for writing and running static analysis checks.

Shac checks are written in Starlark.

usage demonstration

Usage

go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less

Documentation

Road map

Planned features/changes, in descending order by priority:

  • [x] Configuring files to exclude from shac analysis in shac.textproto
  • [x] Include unstaged files in analysis, including respecting unstaged shac.star files
  • [x] Automatic fix application with handling for conflicting suggestions
  • [ ] Provide a .shac cache directory that checks can write to
  • [ ] Mount checkout directory read-only
    • [x] By default
    • [ ] Unconditionally
  • [ ] Give checks access to the commit message via ctx.scm
  • [ ] Built-in formatting of Starlark files
  • [ ] Configurable “pass-throughs” - non-default environment variables and mounts that can optionally be passed through to the sandbox
  • [ ] Add glob arguments to ctx.scm.{all,affected}_files() functions for easier filtering
  • [ ] Filesystem sandboxing on MacOS
  • [ ] Windows sandboxing
  • [ ] Testing framework for checks

Contributing

⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.

See CONTRIBUTING.md to submit changes.