Add option to ignore shell library files for bash-exec

[bewuethr]

Proposed changes

Fix #5212

This introduces a new configuration variable, BASH_EXEC_IGNORE_LIBRARIES. If set to true, the behaviour of bash-exec is modified: if a shell file has a file extension and no shebang line, it is ignored, i.e., allowed to be non-executable. This allows files that are only every sourced from other shell files, acting as libraries and not executables, to have no executable bit set without failing the bash-exec linter.

The rationale for looking at exactly the first two characters of the file and not skipping blank lines or similar is based on this Stack Overflow Q&A.

Readiness checklist

In order to have this pull request merged, complete the following tasks.

Pull request author tasks

• I included all the needed documentation for this change.
• I provided the necessary tests.
• I squashed all the commits into a single commit.
• I followed the Conventional Commit v1.0.0 spec.
• I wrote the necessary upgrade instructions in the upgrade guide.
• If this pull request is about and existing issue,
  I added the Fix #ISSUE_NUMBER label to the description of the pull request.

Marked "upgrade instructions" as done, as none are required; I'll wait with squashing until this is ready to merge.

Super-linter maintainer tasks

• Label as breaking if this change breaks compatibility with the previous released version.
• Label as either: automation, bug, documentation, enhancement, infrastructure.

[bewuethr]

Coming to think of it, I could probably test this with a separate Make target. Would that be an option?

[bewuethr]

I see it also failed shfmt. I can figure that out. What's the preferred way here, add new commits and squash before merging, or always squash into a single commit?

[ferrarimarco]

Thanks for this PR @bewuethr ! Either work. We would need to squash everything in a single commit anyway later, but while we're iterating on the PR, both are fine :)

[ferrarimarco]

Coming to think of it, I could probably test this with a separate Make target. Would that be an option?

I think so :)

Together with the new Make target, there's also the https://github.com/super-linter/super-linter/blob/main/test/run-super-linter-tests.sh script that we're using to reduce duplication in the Makefile. We didn't onboard existing targets yet, but it would be preferable to consider it for new targets.

Thanks!

[ferrarimarco]

Thanks for this PR! A few small things to check.

:)

[ferrarimarco]

Shfmt errors: https://github.com/super-linter/super-linter/actions/runs/7863202043/job/21455961742?pr=5254#step:8:3858

(minor formatting issue)

[bewuethr]

I have addressed all comments, except the tests, which I'll work on next.

Regarding the Makefile, I don't think .phony does anything; it has to be .PHONY. Should I just do it for my target, update all targets, or should it be fixed in a separate PR?

[ferrarimarco]

Regarding the Makefile, I don't think .phony does anything; it has to be .PHONY. Should I just do it for my target, update all targets, or should it be fixed in a separate PR?

Good catch. Can you please fix it for all the targets?

[ferrarimarco]

Ah! We're almost there, nice work. Can you please also rebase on top of the latest main so we can shorten the build time thanks to the build cache?

Thanks!

[ferrarimarco]

Thanks @bewuethr, this is really awesome.

There's only one small thing left to check, and we should be good to go.

[bewuethr]

Commit linting fails because the test data doesn't pass ShellCheck, shfmt and other linters, what's a good way around that?

[ferrarimarco]

I think there are two issues at play:

• There seems to be an unbound variable in bash-exec. (Update: Ah I think you solved this with your last commit)
• The one that you mention about linting

I didn't have a look at the first one, but you can solve the second by doing this:

1. Move the contents of the test/data/detect-files directory to the test/linters/bash_exec/libraries directory (create it because libraries doesn't exist, while test/linters/bash_exec does).
2. Rename these files to have the bad string in their names. Example: comment.sh -> comment_bad.sh
3. Adjust test/libdetectFilesTest.sh to use files in test/linters/bash_exec

By doing this you:

• Ignore these files when linting the code base, as we do with other test cases. See here.
• Run these files as test cases for BASH_EXEC, and expect them to fail because we didn't enable BASH_EXEC_IGNORE_LIBRARIES.

There's only one thing left to test: the BASH_EXEC_IGNORE_LIBRARIES option. To do this, we need two new targets plus some modifications to the test runner, but I can help you doing that. Having these test cases all in the test/linters/bash_exec/libraries directory is going to help with this.

[ferrarimarco]

Ok, for test-bash-exec-library-expect-success, skipping the libraries is expected because they all have bad in their file name, on purpose.

[ferrarimarco]

This is for the "expect failures" case:

2024-02-20T10:39:52.1979326Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   Started GitHub Actions log group: BASH_EXEC�[0m
2024-02-20T10:39:52.1980567Z �[0m2024-02-20 10:39:11 [INFO]�[0m   Linting BASH_EXEC items...�[0m
2024-02-20T10:39:52.1982069Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   PARALLEL_RESULTS_FILE_PATH for BASH_EXEC: /tmp/super-linter-worker-results-BASH_EXEC.json�[0m
2024-02-20T10:39:52.1983683Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   LOG_DEBUG is enabled. Enable verbose ouput for parallel�[0m
2024-02-20T10:39:52.1985893Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   PARALLEL_COMMAND for BASH_EXEC: parallel --will-cite --keep-order --max-procs 4 --xargs --results /tmp/super-linter-worker-results-BASH_EXEC.json --verbose�[0m
2024-02-20T10:39:52.1988475Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   BASH_EXEC doesn't support linting files in batches. Configure the linter to run over the files to lint one by one�[0m
2024-02-20T10:39:52.1991684Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   PARALLEL_COMMAND for BASH_EXEC after updating the number of files to lint per process: parallel --will-cite --keep-order --max-procs 4 --xargs --results /tmp/super-linter-worker-results-BASH_EXEC.json --verbose --max-lines 1�[0m
2024-02-20T10:39:52.1994227Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   LINTER_WORKING_DIRECTORY for BASH_EXEC: /tmp/lint�[0m
2024-02-20T10:39:52.1997009Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   PARALLEL_COMMAND for BASH_EXEC after updating the working directory: parallel --will-cite --keep-order --max-procs 4 --xargs --results /tmp/super-linter-worker-results-BASH_EXEC.json --verbose --max-lines 1 --workdir /tmp/lint�[0m
2024-02-20T10:39:52.1999690Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   Enabling bash-exec option to ignore shell library files.�[0m
2024-02-20T10:39:52.2001691Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   Checking if /tmp/lint/.github/linters/.checkov-test-linters-failure.yaml contains a 'directory:' configuration option�[0m
2024-02-20T10:39:52.2003949Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   /tmp/lint/.github/linters/.checkov-test-linters-failure.yaml contains a 'directory:' statement�[0m
2024-02-20T10:39:52.2005942Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   Consume the input of the Checkov command because we don't need to add it as an argument.�[0m
2024-02-20T10:39:52.2007669Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   LINTER_COMMAND_ARRAY for BASH_EXEC has 3 elements: bash-exec {} true�[0m
2024-02-20T10:39:52.2010896Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   PARALLEL_COMMAND for BASH_EXEC after LINTER_COMMAND_ARRAY concatenation: parallel --will-cite --keep-order --max-procs 4 --xargs --results /tmp/super-linter-worker-results-BASH_EXEC.json --verbose --max-lines 1 --workdir /tmp/lint bash-exec {} true�[0m
2024-02-20T10:39:52.2014434Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   PARALLEL_COMMAND_OUTPUT for BASH_EXEC (exit code: 7): cd /tmp/lint || exit 255; bash-exec /tmp/lint/test/linters/bash_exec/shell_bad_1.sh true
2024-02-20T10:39:52.2016418Z cd /tmp/lint || exit 255; bash-exec /tmp/lint/test/linters/bash_exec/libraries/comment_bad.sh true
2024-02-20T10:39:52.2018012Z cd /tmp/lint || exit 255; bash-exec /tmp/lint/test/linters/bash_exec/libraries/indentedShebang_bad.sh true
2024-02-20T10:39:52.2019608Z cd /tmp/lint || exit 255; bash-exec /tmp/lint/test/linters/bash_exec/libraries/noShebang_bad.sh true
2024-02-20T10:39:52.2021496Z cd /tmp/lint || exit 255; bash-exec /tmp/lint/test/linters/bash_exec/libraries/secondLineShebang_bad.sh true
2024-02-20T10:39:52.2023170Z cd /tmp/lint || exit 255; bash-exec /tmp/lint/test/linters/bash_exec/libraries/shebangWithBlank_bad.sh true
2024-02-20T10:39:52.2024783Z cd /tmp/lint || exit 255; bash-exec /tmp/lint/test/linters/bash_exec/libraries/shebang_bad.sh true�[0m
2024-02-20T10:39:52.2026606Z �[0m2024-02-20 10:39:11 [DEBUG]�[0m   Parallel output file (/tmp/super-linter-worker-results-BASH_EXEC.json) contents for BASH_EXEC:
2024-02-20T10:39:52.2030481Z { \"Seq\": 1, \"Host\": \":\", \"Starttime\": 1708425551.497, \"JobRuntime\": 0.029, \"Send\": 0, \"Receive\": 80, \"Exitval\": 1, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/shell_bad_1.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/shell_bad_1.sh\" ], \"Stdout\": \"Error: File:[/tmp/lint/test/linters/bash_exec/shell_bad_1.sh] is not executable
2024-02-20T10:39:52.2033342Z \", \"Stderr\": \"\" }
2024-02-20T10:39:52.2036416Z { \"Seq\": 2, \"Host\": \":\", \"Starttime\": 1708425551.507, \"JobRuntime\": 0.045, \"Send\": 0, \"Receive\": 0, \"Exitval\": 1, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/comment_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/comment_bad.sh\" ], \"Stdout\": \"\", \"Stderr\": \"environment: line 6: B: unbound variable
2024-02-20T10:39:52.2039133Z \" }
2024-02-20T10:39:52.2042270Z { \"Seq\": 3, \"Host\": \":\", \"Starttime\": 1708425551.526, \"JobRuntime\": 0.053, \"Send\": 0, \"Receive\": 0, \"Exitval\": 1, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/indentedShebang_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/indentedShebang_bad.sh\" ], \"Stdout\": \"\", \"Stderr\": \"environment: line 6: B: unbound variable
2024-02-20T10:39:52.2045122Z \" }
2024-02-20T10:39:52.2048180Z { \"Seq\": 4, \"Host\": \":\", \"Starttime\": 1708425551.534, \"JobRuntime\": 0.029, \"Send\": 0, \"Receive\": 0, \"Exitval\": 1, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/noShebang_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/noShebang_bad.sh\" ], \"Stdout\": \"\", \"Stderr\": \"environment: line 6: B: unbound variable
2024-02-20T10:39:52.2050917Z \" }
2024-02-20T10:39:52.2054110Z { \"Seq\": 5, \"Host\": \":\", \"Starttime\": 1708425551.542, \"JobRuntime\": 0.047, \"Send\": 0, \"Receive\": 0, \"Exitval\": 1, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/secondLineShebang_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/secondLineShebang_bad.sh\" ], \"Stdout\": \"\", \"Stderr\": \"environment: line 6: B: unbound variable
2024-02-20T10:39:52.2056989Z \" }
2024-02-20T10:39:52.2060665Z { \"Seq\": 6, \"Host\": \":\", \"Starttime\": 1708425551.563, \"JobRuntime\": 0.026, \"Send\": 0, \"Receive\": 99, \"Exitval\": 1, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/shebangWithBlank_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/shebangWithBlank_bad.sh\" ], \"Stdout\": \"Error: File:[/tmp/lint/test/linters/bash_exec/libraries/shebangWithBlank_bad.sh] is not executable
2024-02-20T10:39:52.2063893Z \", \"Stderr\": \"\" }
2024-02-20T10:39:52.2067485Z { \"Seq\": 7, \"Host\": \":\", \"Starttime\": 1708425551.568, \"JobRuntime\": 0.027, \"Send\": 0, \"Receive\": 90, \"Exitval\": 1, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/shebang_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/shebang_bad.sh\" ], \"Stdout\": \"Error: File:[/tmp/lint/test/linters/bash_exec/libraries/shebang_bad.sh] is not executable
2024-02-20T10:39:52.2070554Z \", \"Stderr\": \"\" }�[0m

[ferrarimarco]

Ah! I think I got the environment: line 6: B: unbound variable error.

In HasNoShebang, you're calling the debug function, which depends on ${F[B]} (which is an associative array):

super-linter/lib/functions/log.sh

Line 62 in 947c92a

COLOR_MARKER="${F[B]}"

I don't think there's a good way to export Bash associative arrays, but you can solve this in several different ways:

• the bash-exec might source the log.sh file
• remove that debug function call from HasNoShebang
• refactor that debug function call to be echo, and add a comment explaining why, although that would clobber the output a bit.
• refactor log.sh to:
  • remove the B array (and related export) because we don't use it.
  • define the F array and the NC variable inside the log function, and remove the exports related to F and NC.

Refactoring log.sh is probably too much for this PR, which is already big, although seems like the cleanest option. I'll take note of this TODO item, but to unblock this PR is probably easier to just remove that debug call.

[bewuethr]

I saw you just merged the log.sh refactor, I'll rebase this

Edit: done!

[ferrarimarco]

Thanks @bewuethr ! Running workflows now.

[ferrarimarco]

Ok, new failure in the Run test cases (test-bash-exec-library-expect-failure, super-linter-latest, standard) job:

environment: line 28: CREATE_LOG_FILE: unbound variable

Can you please Add export CREATE_LOG_FILE in log.sh?

[ferrarimarco]

The two that are failing are:

• test/linters/bash_exec/shell_bad_1.sh: this is expected
• test/linters/bash_exec/libraries/shebang_bad.sh: this is also expected, I suppose?

  2024-02-23 11:29:24 [DEBUG]   Parallel output file (/tmp/super-linter-worker-results-BASH_EXEC.json) contents for BASH_EXEC:
  { \"Seq\": 1, \"Host\": \":\", \"Starttime\": 1708687764.633, \"JobRuntime\": 0.037, \"Send\": 0, \"Receive\": 80, \"Exitval\": 1, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/shell_bad_1.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/shell_bad_1.sh\" ], \"Stdout\": \"Error: File:[/tmp/lint/test/linters/bash_exec/shell_bad_1.sh] is not executable
  \", \"Stderr\": \"\" }
  { \"Seq\": 2, \"Host\": \":\", \"Starttime\": 1708687764.637, \"JobRuntime\": 0.082, \"Send\": 0, \"Receive\": 246, \"Exitval\": 0, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/comment_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/comment_bad.sh\" ], \"Stdout\": \"2024-02-23 11:29:24 [DEBUG]   /tmp/lint/test/linters/bash_exec/libraries/comment_bad.sh doesn't contain a shebang
  /tmp/lint/test/linters/bash_exec/libraries/comment_bad.sh is being ignored because IGNORE_LIBRARY is set to true
  \", \"Stderr\": \"\" }
  { \"Seq\": 3, \"Host\": \":\", \"Starttime\": 1708687764.648, \"JobRuntime\": 0.072, \"Send\": 0, \"Receive\": 262, \"Exitval\": 0, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/indentedShebang_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/indentedShebang_bad.sh\" ], \"Stdout\": \"2024-02-23 11:29:24 [DEBUG]   /tmp/lint/test/linters/bash_exec/libraries/indentedShebang_bad.sh doesn't contain a shebang
  /tmp/lint/test/linters/bash_exec/libraries/indentedShebang_bad.sh is being ignored because IGNORE_LIBRARY is set to true
  \", \"Stderr\": \"\" }
  { \"Seq\": 4, \"Host\": \":\", \"Starttime\": 1708687764.662, \"JobRuntime\": 0.046, \"Send\": 0, \"Receive\": 250, \"Exitval\": 0, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/noShebang_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/noShebang_bad.sh\" ], \"Stdout\": \"2024-02-23 11:29:24 [DEBUG]   /tmp/lint/test/linters/bash_exec/libraries/noShebang_bad.sh doesn't contain a shebang
  /tmp/lint/test/linters/bash_exec/libraries/noShebang_bad.sh is being ignored because IGNORE_LIBRARY is set to true
  \", \"Stderr\": \"\" }
  { \"Seq\": 5, \"Host\": \":\", \"Starttime\": 1708687764.690, \"JobRuntime\": 0.024, \"Send\": 0, \"Receive\": 266, \"Exitval\": 0, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/secondLineShebang_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/secondLineShebang_bad.sh\" ], \"Stdout\": \"2024-02-23 11:29:24 [DEBUG]   /tmp/lint/test/linters/bash_exec/libraries/secondLineShebang_bad.sh doesn't contain a shebang
  /tmp/lint/test/linters/bash_exec/libraries/secondLineShebang_bad.sh is being ignored because IGNORE_LIBRARY is set to true
  \", \"Stderr\": \"\" }
  { \"Seq\": 6, \"Host\": \":\", \"Starttime\": 1708687764.714, \"JobRuntime\": 0.026, \"Send\": 0, \"Receive\": 99, \"Exitval\": 1, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/shebangWithBlank_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/shebangWithBlank_bad.sh\" ], \"Stdout\": \"Error: File:[/tmp/lint/test/linters/bash_exec/libraries/shebangWithBlank_bad.sh] is not executable
  \", \"Stderr\": \"\" }
  { \"Seq\": 7, \"Host\": \":\", \"Starttime\": 1708687764.719, \"JobRuntime\": 0.027, \"Send\": 0, \"Receive\": 90, \"Exitval\": 1, \"Signal\": 0, \"Command\": \"bash-exec /tmp/lint/test/linters/bash_exec/libraries/shebang_bad.sh true\", \"V\": [ \"/tmp/lint/test/linters/bash_exec/libraries/shebang_bad.sh\" ], \"Stdout\": \"Error: File:[/tmp/lint/test/linters/bash_exec/libraries/shebang_bad.sh] is not executable
  \", \"Stderr\": \"\" }

[bewuethr]

test/linters/bash_exec/libraries/shebang_bad.sh contains a shebang and is not executable, so bash-exec should fail for both values of IGNORE_LIBRARY:

• if IGNORE_LIBRARY is disabled, we fail because the file is not executable
• if IGNORE_LIBRARY is enabled, we check if it's a library file, and it isn't (there's a shebang), so we continue to check if it's executable, and it isn't.

[ferrarimarco]

@bewuethr I think we're good to go then. Anything else left to do?

[bewuethr]

@bewuethr I think we're good to go then. Anything else left to do?

Just rebasing on latest trunk and squashing, I think!

[ferrarimarco]

Just rebasing on latest trunk and squashing, I think!

Ah! You just brought me back to SVN! :D

[bewuethr]

Should I rebase on latest main, or is this good now?

[bewuethr]

@ferrarimarco Thank you for all your patience and responsiveness on this one!

[ferrarimarco]

You're welcome! Thanks for your contributions!