No variables or rule-files to control the behavior of gcc

All recipes under recipes-pythons should be replaced by pure native variants because they are only used in native context and should not be deploy to target under any circumstance

If we check all things - why not check bitbake recipes itself

It's quite confusing that sca-modules and python dependencies are mixed up under recipes-sca.
It may be better to move another recipes-subfolder

Any warning, error or fatal should be reported to build console (at least the number of findings).
This isn't working - no output although there are plenty of warnings found during a run

It doesn't make sense if the sca-bitbake is active to issue warnings in other module.
This just leads to double findings without any additional value

Leads to crash of build

http://oclint.org/

SCA_PYLINT_EXTRA_SUPPRESS, SCA_PYLINT_EXTRA_FATAL, SCA_PYLINT_ROOTPATH, SCA_PYLINT_HOMEPATH & SCA_PYLINT_LIBATH are not set when invoking pylint on a recipe.
In pylint-image there are avaiable

Explanation for SCA_AUTO_LICENSE_FILTER is missing in README

Despite quote in the README the additional suppress and fatal variables are not used effectively when checking

It would be nice to filter on the used license of the recipe to decide if (or if not) sca.bbclass should be applied. At least when doing analysis on an image, it would be great to strip out any code not relevant

When doing an incremental build the module sca-cpplint throws the following exception

Exception: File "", line None
xml.etree.ElementTree.ParseError: syntax error: line 2, column

In the checked module no C-code is avaiable

Include https://github.com/yandex/gixy as analyzer

To not break an builds that rely on FOSS only - relicense some on the rule recipes to BSD (as the whole layer already is)

I guess a 'before'-statement is missing

As go seems to grow more and more important esp. in yocto (container-support) it would be nice to have a analysis for go as well.
Maybe a tool from https://github.com/mre/awesome-static-analysis#go would fit the need.

https://github.com/priv-kweihmann/pysymbolcheck

If SCA_AUTO_LICENSE_FILTER is set to ".*" (default) disable the check for LICENSE_CREATE_PACKAGE and COPY_LIC_MANIFEST when scanning images. This check does not make any sense there when all licenses are valid...

As it makes no sense to compile e.g. shellcheck to target-arch, it seems to be a good idea to convert all those recipes to native-only.

In short: replace BBCLASSEXTEND by inherit native

Currently the layer priority is set to 30, which seems to be unreasonable high.
Lowering will also grant the possibility on better overriding things

shellcheck is not the defaut list of modules when running on recipes

A global .gitignore would be nice

I would like have a tool that tell me how much findings have been reported for all components installed into an image.
There should not be any additional checking done by the functionality

https://github.com/PyCQA/bandit

An appropriate README is needed

Extract the information shown at console to common format, so that those won't get lost when running on a headless system like a CI

get_files_by_shabang and get_files_by_extention should not return symlinks

I would like to have a possibility to get a finding only if it has been reported by more than 1 tool (if more than 1 tool exists for the choosen language).
Issues only reported by a single tool shall be omitted.
If only 1 tool exists the original behavior is not altered.

When merging results:

• ID of first tool wins (in alphabetical order)
• Message of first tool wins (in alphabetical order, tool-section in square-brackets is enhanced by used tool)
• highest severity wins

A XML Linter should be included

https://github.com/CISOfy/lynis

In any check tool a fatal error will terminate the build immediately without creating the expected output file at SCA_EXPORT_DIR.
So it would be better to ensure that these files are actually created before terminating the build.

This makes it more usable in a headless CI environment where not everyone can stick down the build console

Convert the output of poky's cve-check-tool to checkstyle-format.
This is not static code analysis in common sense but adds an extra plus regarding security.

This layer does not depend on meta-poky - only on meta from poky.
At https://layers.openembedded.org/layerindex/branch/master/layer/meta-sca/ it is quoted differently.

Add https://github.com/a13xp0p0v/kconfig-hardened-check for checking kernel hardening

Don't invoke analysis tools if the license of the recipe is not configured by SCA_AUTO_LICENSE_FILTER

E.g. do_sca_eslint_core: SCA has following fatal errors:

Not only a single but multiple '--std' arguments are valid according to manpage of cppcheck.
I would be great to support that here as well

Maybe something like https://github.com/zaach/jsonlint should be included

It would be great to use systemd-analyze to verify systemd-unitfiles at buildtime.

It would be nice to globally configure the level from which the results will be put into checkstyle-results.
Mostly it's quite annoying to have all the info/debug-level findings around, when they never will be fixed anyway

Like 'file'-utility on console

Some modules are multi-licensed like "BSD & GPLv2" or similar. This is currently not supported by the SCA_AUTO_LICENSE_FILTER setting.

This should be fixed

https://github.com/JossWhittle/FlintPlusPlus

It would be great to have SCA for javascript as well.
Currently no tool suggestions...

Even if it's set to '.*' it doesn't apply anything to neither images nor recipes