diff options
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | python-bento-cli.spec | 895 | ||||
| -rw-r--r-- | sources | 1 |
3 files changed, 897 insertions, 0 deletions
@@ -0,0 +1 @@ +/bento-cli-0.12.0.tar.gz diff --git a/python-bento-cli.spec b/python-bento-cli.spec new file mode 100644 index 0000000..5ddc0ff --- /dev/null +++ b/python-bento-cli.spec @@ -0,0 +1,895 @@ +%global _empty_manifest_terminate_build 0 +Name: python-bento-cli +Version: 0.12.0 +Release: 1 +Summary: Free program analysis focused on bugs that matter to you. +License: Proprietary +URL: http://bento.dev +Source0: https://mirrors.nju.edu.cn/pypi/web/packages/5a/fd/09a8c7f1bec079c2c0334f6bed70d999a74e9b59a2cd0c013f9fc744187c/bento-cli-0.12.0.tar.gz +BuildArch: noarch + +Requires: python3-attrs +Requires: python3-click +Requires: python3-docker +Requires: python3-frozendict +Requires: python3-gitpython +Requires: python3-packaging +Requires: python3-pre-commit +Requires: python3-psutil +Requires: python3-pymmh3 +Requires: python3-PyYAML +Requires: python3-semantic-version +Requires: python3-tqdm +Requires: python3-validate-email + +%description +<p align="center"> + <img src="https://raw.githubusercontent.com/returntocorp/bento/master/bento-logo.png" height="100" alt="Bento logo"/> +</p> +<h3 align="center"> + Find Python web-app bugs delightfully fast, without changing your workflow +</h3> + +<p align="center"> + <a href="#installation">Installation</a> + <span> · </span> + <a href="#motivations">Motivations</a> + <span> · </span> + <a href="#code-checks">Code Checks</a> + <span> · </span> + <a href="#usage">Usage</a> + <br/> + <a href="#workflows">Workflows</a> + <span> · </span> + <a href="#running-in-cicd">Integrations</a> + <span> · </span> + <a href="#help-and-community">Help & Community</a> +</p> + +<p align="center"> + <a href="https://pypi.org/project/bento-cli/"> + <img alt="PyPI" src="https://img.shields.io/pypi/v/bento-cli?style=flat-square&color=blue"> + </a> + <a href="https://pypi.org/project/bento-cli/"> + <img alt="PyPI - Downloads" src="https://img.shields.io/pypi/dm/bento-cli?style=flat-square&color=green"> + </a> + <a href="https://github.com/returntocorp/bento/issues/new/choose"> + <img src="https://img.shields.io/badge/issues-welcome-green?style=flat-square" alt="Issues welcome!" /> + </a> + <a href="https://twitter.com/intent/follow?screen_name=r2cdev"> + <img src="https://img.shields.io/twitter/follow/r2cdev?label=Follow%20r2cdev&style=social&color=blue" alt="Follow @r2cdev" /> + </a> +</p> + +Inspired by tools like the ESLint plugin for React, Bento was created for Flask and Django. With Bento you’ll: + +- **Find bugs that matter.** Checks find security and reliability bugs in your code. They’re vetted across thousands of open source projects and never nit your style. +- **Upgrade your tooling.** You don’t have to fix existing bugs to adopt Bento. It’s diff-centric, finding new bugs introduced by your changes. And there’s zero config. +- **Go delightfully fast.** Run Bento automatically locally or in CI. Either way, it runs offline and never sends your code anywhere. + +<p align="center"> + <img src="https://web-assets.r2c.dev/bento-demo.gif" width="100%" alt="Demonstrating Bento running in a terminal"/> +</p> + +## Installation + +Bento is free and requires [Python 3.6+](https://www.python.org/downloads/) and [Docker 19.03+](https://docs.docker.com/get-docker/). It runs on macOS and Linux. + +In a Git project directory: + +```bash +$ pip3 install bento-cli && bento init +``` + +Go forth and write great code! + +## Motivations + +> See our [Bento introductory blog post](https://bento.dev/blog/2019/our-quest-to-make-world-class-security-and-bugfinding-available-to-all-developers/) to learn the full story. + +Bento is part of a quest to make world-class security and bugfinding available to all developers, for free. We’ve learned that most developers have never heard of—let alone tried—tools that find deep flaws in code: like Codenomicon, which found [Heartbleed](http://heartbleed.com/), or Zoncolan at Facebook, which finds more [top-severity security issues](https://cacm.acm.org/magazines/2019/8/238344-scaling-static-analyses-at-facebook/fulltext) than any human effort. These tools find severe issues and also save tons of time, identifying [hundreds of thousands of issues](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43322.pdf) before humans can. Bento is a step towards universal access to tools like these. + +We’re also big proponents of opinionated tools like [Black](https://github.com/psf/black) and [Prettier](https://github.com/prettier/prettier). This has two implications: Bento ignores style-related issues and the bikeshedding that comes with them, and it ships with a curated set of checks that we believe are high signal and bug-worthy. See [Three things your linter shouldn’t tell you](https://bento.dev/blog/2019/three-things-your-linter-shouldnt-tell-you/) for more about our decision making process. + +## Code Checks + +Bento’s check focus on security and reliability bugs in Flask and Django projects. + +| | | | +| ---------------------------- | ------------------------------------ | ---------------------------------------------------- | +| **Flask** | **Jinja** | **Django** | +| missing JWT token | href template variable | _coming soon_ | +| secure set cookie | missing noopener | | +| send file open | missing noreferrer | **Docker** | +| unescaped file extension | missing csrf protection | [Hadolint](https://github.com/hadolint/hadolint) | +| use blueprint for modularity | missing doctype | | +| use jsonify | meta charset | **Shell** | +| avoid hardcoded config | meta content-type | [ShellCheck](https://github.com/koalaman/shellcheck) | +| | unquoted attribute template variable | +| **Requests** | | +| no auth over http | **SQLAlchemy** | | +| use scheme | _coming soon_ | | +| use timeout | | + +See the full list of [Bento’s specialty checks](https://bento.dev/checks/). + +## Usage + +Out-of-the-box, Bento is configured for your personal use. See [Team Use](#team-use) to setup Bento for all contributors. + +### Upgrading + +```bash +$ pip3 install --upgrade bento-cli +``` + +### Command Line Options + +``` +$ bento --help +Usage: bento [OPTIONS] COMMAND [ARGS]... + +Options: + -h, --help Show this message and exit. + --version Show the version and exit. + --agree Automatically agree to terms of service. + --email TEXT Email address to use while running this command without global + configs e.g. in CI + +Commands: + archive Suppress current findings. + check Checks for new findings. + disable Turn OFF a Bento feature for this project. + enable Turn ON a Bento feature for this project. + init Autodetects and installs tools. + + To get help for a specific command, run `bento COMMAND --help` +``` + +### Exit Codes + +`bento check` may exit with the following exit codes: + +- `0`: Bento ran successfully and found no errors +- `2`: Bento ran successfully and found issues in your code +- `3`: Bento or one of its underlying tools failed to run + +## Workflows + +### Individual Use + +Bento understands the importance of getting out of the way so you can write your code. It runs at commit-time on your diffs and only affects you; it won’t change anything for other project contributors or modify Git state. + +Initialization enables `autorun` behind the scenes. By default `autorun` blocks the commit if Bento returns findings. To make it non-blocking: + +```bash +$ bento enable autorun --no-block +``` + +You can always manually run Bento on staged files or directories via: + +```bash +$ bento check [PATHS] +``` + +This will show only new findings introduced by these files AND that are not in the archive (`.bento/archive.json`). Use `--all` to check all Git tracked files, not just those that are staged: + +```bash +$ bento check --all [PATHS] +``` + +This feature makes use of Git hooks. If the Bento hook incorrectly blocks your commit, you can skip it by passing the `--no-verify` flag to Git at commit-time (please use this sparingly since all hooks will be skipped): + +```bash +$ git commit --no-verify +``` + +### Team Use + +#### Running Locally + +To setup Bento for all project contributors, add Bento’s configuration to Git (it’s ignored by default): + +```bash +$ cd <PROJECT DIRECTORY> +# Add Bento's cache to the project's .gitignore +$ echo ".bento/cache" >> .gitignore +# Commit Bento's config to your project +$ git add --force .bento .bentoignore +``` + +Contributors can run Bento for themselves using the project’s configuration via: + +```bash +$ bento init +``` + +#### Running in CI/CD + +Bento has first-class support for checking pull requests with GitHub Actions. +Such checks will report only on the bugs introduced by the changes in the pull request. + +To get started, just run `bento enable ci` in your project directory. +This will add a CI configuration file to your repository. + +#### Advanced CI/CD configuration + +You can also configure Bento in CI to analyze your entire project, +instead of only the changes from a pull request. +So that you don’t have to fix all existing issues before making Bento blocking, +its `archive` feature allows historical issues to be tracked and ignored during CI. + +To use the `archive` feature so Bento returns a non-zero exit code only for new issues, rather than all existing issues, first create the archive: + +```bash +$ cd <PROJECT DIRECTORY> +$ bento archive . +``` + +Commit Bento’s configuration to the project: + +```bash +# Add Bento's cache to the project's .gitignore +$ echo ".bento/cache" >> .gitignore +# Commit Bento's config to your project +$ git add --force .bento .bentoignore +``` + +You can then add Bento to your CI scripts: + +```bash +$ pip3 install bento-cli && bento --version +$ bento --agree --email=<YOUR_EMAIL> check --all 2>&1 | cat +``` + +We pipe through `cat` to disable Bento's interactive tty features (e.g. progress bars, using a pager for many findings). + +If you use CircleCI, the above commands become: + +```yaml +version: 2.1 + +jobs: + bentoCheck: + executor: circleci/python:3.7.4-stretch-node + steps: + - checkout + - run: + name: "Install Bento" + command: pip3 install bento-cli && bento --version + - run: + name: "Run Bento check" + command: bento --agree --email=<YOUR_EMAIL> check --all 2>&1 | cat +``` + +`bento check` will exit with a non-zero exit code if it finds issues in your code (see [Exit Codes](#exit-codes)). + +If you need help setting up Bento with another CI provider please [open an issue](https://github.com/returntocorp/bento/issues/new?template=feature_request.md). Documentation PRs welcome if you set up Bento with a CI provider that isn’t documented here! + +## Help and Community + +Need help or want to share feedback? We’d love to hear from you! + +- Email us at [support@r2c.dev](mailto:support@r2c.dev) +- Join #bento in our [community Slack](https://join.slack.com/t/r2c-community/shared_invite/enQtNjU0NDYzMjAwODY4LWE3NTg1MGNhYTAwMzk5ZGRhMjQ2MzVhNGJiZjI1ZWQ0NjQ2YWI4ZGY3OGViMGJjNzA4ODQ3MjEzOWExNjZlNTA) +- [File an issue](https://github.com/returntocorp/bento/issues/new?assignees=&labels=bug&template=bug_report.md&title=) or [submit a feature request](https://github.com/returntocorp/bento/issues/new?assignees=&labels=feature-request&template=feature_request.md&title=) directly on GitHub — we welcome them all! + +We’re constantly shipping new features and improvements. + +- [Sign up for the Bento newsletter](http://eepurl.com/gDeFvL) — we promise not to spam and you can unsubscribe at any time +- See past announcements, releases, and issues [here](https://us18.campaign-archive.com/home/?u=ee2dc8f77e27d3739cf4df9ef&id=d13f5e938e) + +We’re fortunate to benefit from the contributions of the open source community and great projects such as [Bandit](https://pypi.org/project/bandit/), [ESLint](https://eslint.org/), [Flake8](https://pypi.org/project/flake8/), and their plugins. 🙏 + +## License and Legal + +Please refer to the [terms and privacy document](https://github.com/returntocorp/bento/blob/master/PRIVACY.md). + +</br> +</br> +<p align="center"> + <img src="https://web-assets.r2c.dev/r2c-logo-silhouette.png?gh" height="24" alt="r2c logo"/> +</p> +<p align="center"> + Copyright (c) <a href="https://r2c.dev">r2c</a>. +</p> + + +%package -n python3-bento-cli +Summary: Free program analysis focused on bugs that matter to you. +Provides: python-bento-cli +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: python3-pip +%description -n python3-bento-cli +<p align="center"> + <img src="https://raw.githubusercontent.com/returntocorp/bento/master/bento-logo.png" height="100" alt="Bento logo"/> +</p> +<h3 align="center"> + Find Python web-app bugs delightfully fast, without changing your workflow +</h3> + +<p align="center"> + <a href="#installation">Installation</a> + <span> · </span> + <a href="#motivations">Motivations</a> + <span> · </span> + <a href="#code-checks">Code Checks</a> + <span> · </span> + <a href="#usage">Usage</a> + <br/> + <a href="#workflows">Workflows</a> + <span> · </span> + <a href="#running-in-cicd">Integrations</a> + <span> · </span> + <a href="#help-and-community">Help & Community</a> +</p> + +<p align="center"> + <a href="https://pypi.org/project/bento-cli/"> + <img alt="PyPI" src="https://img.shields.io/pypi/v/bento-cli?style=flat-square&color=blue"> + </a> + <a href="https://pypi.org/project/bento-cli/"> + <img alt="PyPI - Downloads" src="https://img.shields.io/pypi/dm/bento-cli?style=flat-square&color=green"> + </a> + <a href="https://github.com/returntocorp/bento/issues/new/choose"> + <img src="https://img.shields.io/badge/issues-welcome-green?style=flat-square" alt="Issues welcome!" /> + </a> + <a href="https://twitter.com/intent/follow?screen_name=r2cdev"> + <img src="https://img.shields.io/twitter/follow/r2cdev?label=Follow%20r2cdev&style=social&color=blue" alt="Follow @r2cdev" /> + </a> +</p> + +Inspired by tools like the ESLint plugin for React, Bento was created for Flask and Django. With Bento you’ll: + +- **Find bugs that matter.** Checks find security and reliability bugs in your code. They’re vetted across thousands of open source projects and never nit your style. +- **Upgrade your tooling.** You don’t have to fix existing bugs to adopt Bento. It’s diff-centric, finding new bugs introduced by your changes. And there’s zero config. +- **Go delightfully fast.** Run Bento automatically locally or in CI. Either way, it runs offline and never sends your code anywhere. + +<p align="center"> + <img src="https://web-assets.r2c.dev/bento-demo.gif" width="100%" alt="Demonstrating Bento running in a terminal"/> +</p> + +## Installation + +Bento is free and requires [Python 3.6+](https://www.python.org/downloads/) and [Docker 19.03+](https://docs.docker.com/get-docker/). It runs on macOS and Linux. + +In a Git project directory: + +```bash +$ pip3 install bento-cli && bento init +``` + +Go forth and write great code! + +## Motivations + +> See our [Bento introductory blog post](https://bento.dev/blog/2019/our-quest-to-make-world-class-security-and-bugfinding-available-to-all-developers/) to learn the full story. + +Bento is part of a quest to make world-class security and bugfinding available to all developers, for free. We’ve learned that most developers have never heard of—let alone tried—tools that find deep flaws in code: like Codenomicon, which found [Heartbleed](http://heartbleed.com/), or Zoncolan at Facebook, which finds more [top-severity security issues](https://cacm.acm.org/magazines/2019/8/238344-scaling-static-analyses-at-facebook/fulltext) than any human effort. These tools find severe issues and also save tons of time, identifying [hundreds of thousands of issues](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43322.pdf) before humans can. Bento is a step towards universal access to tools like these. + +We’re also big proponents of opinionated tools like [Black](https://github.com/psf/black) and [Prettier](https://github.com/prettier/prettier). This has two implications: Bento ignores style-related issues and the bikeshedding that comes with them, and it ships with a curated set of checks that we believe are high signal and bug-worthy. See [Three things your linter shouldn’t tell you](https://bento.dev/blog/2019/three-things-your-linter-shouldnt-tell-you/) for more about our decision making process. + +## Code Checks + +Bento’s check focus on security and reliability bugs in Flask and Django projects. + +| | | | +| ---------------------------- | ------------------------------------ | ---------------------------------------------------- | +| **Flask** | **Jinja** | **Django** | +| missing JWT token | href template variable | _coming soon_ | +| secure set cookie | missing noopener | | +| send file open | missing noreferrer | **Docker** | +| unescaped file extension | missing csrf protection | [Hadolint](https://github.com/hadolint/hadolint) | +| use blueprint for modularity | missing doctype | | +| use jsonify | meta charset | **Shell** | +| avoid hardcoded config | meta content-type | [ShellCheck](https://github.com/koalaman/shellcheck) | +| | unquoted attribute template variable | +| **Requests** | | +| no auth over http | **SQLAlchemy** | | +| use scheme | _coming soon_ | | +| use timeout | | + +See the full list of [Bento’s specialty checks](https://bento.dev/checks/). + +## Usage + +Out-of-the-box, Bento is configured for your personal use. See [Team Use](#team-use) to setup Bento for all contributors. + +### Upgrading + +```bash +$ pip3 install --upgrade bento-cli +``` + +### Command Line Options + +``` +$ bento --help +Usage: bento [OPTIONS] COMMAND [ARGS]... + +Options: + -h, --help Show this message and exit. + --version Show the version and exit. + --agree Automatically agree to terms of service. + --email TEXT Email address to use while running this command without global + configs e.g. in CI + +Commands: + archive Suppress current findings. + check Checks for new findings. + disable Turn OFF a Bento feature for this project. + enable Turn ON a Bento feature for this project. + init Autodetects and installs tools. + + To get help for a specific command, run `bento COMMAND --help` +``` + +### Exit Codes + +`bento check` may exit with the following exit codes: + +- `0`: Bento ran successfully and found no errors +- `2`: Bento ran successfully and found issues in your code +- `3`: Bento or one of its underlying tools failed to run + +## Workflows + +### Individual Use + +Bento understands the importance of getting out of the way so you can write your code. It runs at commit-time on your diffs and only affects you; it won’t change anything for other project contributors or modify Git state. + +Initialization enables `autorun` behind the scenes. By default `autorun` blocks the commit if Bento returns findings. To make it non-blocking: + +```bash +$ bento enable autorun --no-block +``` + +You can always manually run Bento on staged files or directories via: + +```bash +$ bento check [PATHS] +``` + +This will show only new findings introduced by these files AND that are not in the archive (`.bento/archive.json`). Use `--all` to check all Git tracked files, not just those that are staged: + +```bash +$ bento check --all [PATHS] +``` + +This feature makes use of Git hooks. If the Bento hook incorrectly blocks your commit, you can skip it by passing the `--no-verify` flag to Git at commit-time (please use this sparingly since all hooks will be skipped): + +```bash +$ git commit --no-verify +``` + +### Team Use + +#### Running Locally + +To setup Bento for all project contributors, add Bento’s configuration to Git (it’s ignored by default): + +```bash +$ cd <PROJECT DIRECTORY> +# Add Bento's cache to the project's .gitignore +$ echo ".bento/cache" >> .gitignore +# Commit Bento's config to your project +$ git add --force .bento .bentoignore +``` + +Contributors can run Bento for themselves using the project’s configuration via: + +```bash +$ bento init +``` + +#### Running in CI/CD + +Bento has first-class support for checking pull requests with GitHub Actions. +Such checks will report only on the bugs introduced by the changes in the pull request. + +To get started, just run `bento enable ci` in your project directory. +This will add a CI configuration file to your repository. + +#### Advanced CI/CD configuration + +You can also configure Bento in CI to analyze your entire project, +instead of only the changes from a pull request. +So that you don’t have to fix all existing issues before making Bento blocking, +its `archive` feature allows historical issues to be tracked and ignored during CI. + +To use the `archive` feature so Bento returns a non-zero exit code only for new issues, rather than all existing issues, first create the archive: + +```bash +$ cd <PROJECT DIRECTORY> +$ bento archive . +``` + +Commit Bento’s configuration to the project: + +```bash +# Add Bento's cache to the project's .gitignore +$ echo ".bento/cache" >> .gitignore +# Commit Bento's config to your project +$ git add --force .bento .bentoignore +``` + +You can then add Bento to your CI scripts: + +```bash +$ pip3 install bento-cli && bento --version +$ bento --agree --email=<YOUR_EMAIL> check --all 2>&1 | cat +``` + +We pipe through `cat` to disable Bento's interactive tty features (e.g. progress bars, using a pager for many findings). + +If you use CircleCI, the above commands become: + +```yaml +version: 2.1 + +jobs: + bentoCheck: + executor: circleci/python:3.7.4-stretch-node + steps: + - checkout + - run: + name: "Install Bento" + command: pip3 install bento-cli && bento --version + - run: + name: "Run Bento check" + command: bento --agree --email=<YOUR_EMAIL> check --all 2>&1 | cat +``` + +`bento check` will exit with a non-zero exit code if it finds issues in your code (see [Exit Codes](#exit-codes)). + +If you need help setting up Bento with another CI provider please [open an issue](https://github.com/returntocorp/bento/issues/new?template=feature_request.md). Documentation PRs welcome if you set up Bento with a CI provider that isn’t documented here! + +## Help and Community + +Need help or want to share feedback? We’d love to hear from you! + +- Email us at [support@r2c.dev](mailto:support@r2c.dev) +- Join #bento in our [community Slack](https://join.slack.com/t/r2c-community/shared_invite/enQtNjU0NDYzMjAwODY4LWE3NTg1MGNhYTAwMzk5ZGRhMjQ2MzVhNGJiZjI1ZWQ0NjQ2YWI4ZGY3OGViMGJjNzA4ODQ3MjEzOWExNjZlNTA) +- [File an issue](https://github.com/returntocorp/bento/issues/new?assignees=&labels=bug&template=bug_report.md&title=) or [submit a feature request](https://github.com/returntocorp/bento/issues/new?assignees=&labels=feature-request&template=feature_request.md&title=) directly on GitHub — we welcome them all! + +We’re constantly shipping new features and improvements. + +- [Sign up for the Bento newsletter](http://eepurl.com/gDeFvL) — we promise not to spam and you can unsubscribe at any time +- See past announcements, releases, and issues [here](https://us18.campaign-archive.com/home/?u=ee2dc8f77e27d3739cf4df9ef&id=d13f5e938e) + +We’re fortunate to benefit from the contributions of the open source community and great projects such as [Bandit](https://pypi.org/project/bandit/), [ESLint](https://eslint.org/), [Flake8](https://pypi.org/project/flake8/), and their plugins. 🙏 + +## License and Legal + +Please refer to the [terms and privacy document](https://github.com/returntocorp/bento/blob/master/PRIVACY.md). + +</br> +</br> +<p align="center"> + <img src="https://web-assets.r2c.dev/r2c-logo-silhouette.png?gh" height="24" alt="r2c logo"/> +</p> +<p align="center"> + Copyright (c) <a href="https://r2c.dev">r2c</a>. +</p> + + +%package help +Summary: Development documents and examples for bento-cli +Provides: python3-bento-cli-doc +%description help +<p align="center"> + <img src="https://raw.githubusercontent.com/returntocorp/bento/master/bento-logo.png" height="100" alt="Bento logo"/> +</p> +<h3 align="center"> + Find Python web-app bugs delightfully fast, without changing your workflow +</h3> + +<p align="center"> + <a href="#installation">Installation</a> + <span> · </span> + <a href="#motivations">Motivations</a> + <span> · </span> + <a href="#code-checks">Code Checks</a> + <span> · </span> + <a href="#usage">Usage</a> + <br/> + <a href="#workflows">Workflows</a> + <span> · </span> + <a href="#running-in-cicd">Integrations</a> + <span> · </span> + <a href="#help-and-community">Help & Community</a> +</p> + +<p align="center"> + <a href="https://pypi.org/project/bento-cli/"> + <img alt="PyPI" src="https://img.shields.io/pypi/v/bento-cli?style=flat-square&color=blue"> + </a> + <a href="https://pypi.org/project/bento-cli/"> + <img alt="PyPI - Downloads" src="https://img.shields.io/pypi/dm/bento-cli?style=flat-square&color=green"> + </a> + <a href="https://github.com/returntocorp/bento/issues/new/choose"> + <img src="https://img.shields.io/badge/issues-welcome-green?style=flat-square" alt="Issues welcome!" /> + </a> + <a href="https://twitter.com/intent/follow?screen_name=r2cdev"> + <img src="https://img.shields.io/twitter/follow/r2cdev?label=Follow%20r2cdev&style=social&color=blue" alt="Follow @r2cdev" /> + </a> +</p> + +Inspired by tools like the ESLint plugin for React, Bento was created for Flask and Django. With Bento you’ll: + +- **Find bugs that matter.** Checks find security and reliability bugs in your code. They’re vetted across thousands of open source projects and never nit your style. +- **Upgrade your tooling.** You don’t have to fix existing bugs to adopt Bento. It’s diff-centric, finding new bugs introduced by your changes. And there’s zero config. +- **Go delightfully fast.** Run Bento automatically locally or in CI. Either way, it runs offline and never sends your code anywhere. + +<p align="center"> + <img src="https://web-assets.r2c.dev/bento-demo.gif" width="100%" alt="Demonstrating Bento running in a terminal"/> +</p> + +## Installation + +Bento is free and requires [Python 3.6+](https://www.python.org/downloads/) and [Docker 19.03+](https://docs.docker.com/get-docker/). It runs on macOS and Linux. + +In a Git project directory: + +```bash +$ pip3 install bento-cli && bento init +``` + +Go forth and write great code! + +## Motivations + +> See our [Bento introductory blog post](https://bento.dev/blog/2019/our-quest-to-make-world-class-security-and-bugfinding-available-to-all-developers/) to learn the full story. + +Bento is part of a quest to make world-class security and bugfinding available to all developers, for free. We’ve learned that most developers have never heard of—let alone tried—tools that find deep flaws in code: like Codenomicon, which found [Heartbleed](http://heartbleed.com/), or Zoncolan at Facebook, which finds more [top-severity security issues](https://cacm.acm.org/magazines/2019/8/238344-scaling-static-analyses-at-facebook/fulltext) than any human effort. These tools find severe issues and also save tons of time, identifying [hundreds of thousands of issues](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43322.pdf) before humans can. Bento is a step towards universal access to tools like these. + +We’re also big proponents of opinionated tools like [Black](https://github.com/psf/black) and [Prettier](https://github.com/prettier/prettier). This has two implications: Bento ignores style-related issues and the bikeshedding that comes with them, and it ships with a curated set of checks that we believe are high signal and bug-worthy. See [Three things your linter shouldn’t tell you](https://bento.dev/blog/2019/three-things-your-linter-shouldnt-tell-you/) for more about our decision making process. + +## Code Checks + +Bento’s check focus on security and reliability bugs in Flask and Django projects. + +| | | | +| ---------------------------- | ------------------------------------ | ---------------------------------------------------- | +| **Flask** | **Jinja** | **Django** | +| missing JWT token | href template variable | _coming soon_ | +| secure set cookie | missing noopener | | +| send file open | missing noreferrer | **Docker** | +| unescaped file extension | missing csrf protection | [Hadolint](https://github.com/hadolint/hadolint) | +| use blueprint for modularity | missing doctype | | +| use jsonify | meta charset | **Shell** | +| avoid hardcoded config | meta content-type | [ShellCheck](https://github.com/koalaman/shellcheck) | +| | unquoted attribute template variable | +| **Requests** | | +| no auth over http | **SQLAlchemy** | | +| use scheme | _coming soon_ | | +| use timeout | | + +See the full list of [Bento’s specialty checks](https://bento.dev/checks/). + +## Usage + +Out-of-the-box, Bento is configured for your personal use. See [Team Use](#team-use) to setup Bento for all contributors. + +### Upgrading + +```bash +$ pip3 install --upgrade bento-cli +``` + +### Command Line Options + +``` +$ bento --help +Usage: bento [OPTIONS] COMMAND [ARGS]... + +Options: + -h, --help Show this message and exit. + --version Show the version and exit. + --agree Automatically agree to terms of service. + --email TEXT Email address to use while running this command without global + configs e.g. in CI + +Commands: + archive Suppress current findings. + check Checks for new findings. + disable Turn OFF a Bento feature for this project. + enable Turn ON a Bento feature for this project. + init Autodetects and installs tools. + + To get help for a specific command, run `bento COMMAND --help` +``` + +### Exit Codes + +`bento check` may exit with the following exit codes: + +- `0`: Bento ran successfully and found no errors +- `2`: Bento ran successfully and found issues in your code +- `3`: Bento or one of its underlying tools failed to run + +## Workflows + +### Individual Use + +Bento understands the importance of getting out of the way so you can write your code. It runs at commit-time on your diffs and only affects you; it won’t change anything for other project contributors or modify Git state. + +Initialization enables `autorun` behind the scenes. By default `autorun` blocks the commit if Bento returns findings. To make it non-blocking: + +```bash +$ bento enable autorun --no-block +``` + +You can always manually run Bento on staged files or directories via: + +```bash +$ bento check [PATHS] +``` + +This will show only new findings introduced by these files AND that are not in the archive (`.bento/archive.json`). Use `--all` to check all Git tracked files, not just those that are staged: + +```bash +$ bento check --all [PATHS] +``` + +This feature makes use of Git hooks. If the Bento hook incorrectly blocks your commit, you can skip it by passing the `--no-verify` flag to Git at commit-time (please use this sparingly since all hooks will be skipped): + +```bash +$ git commit --no-verify +``` + +### Team Use + +#### Running Locally + +To setup Bento for all project contributors, add Bento’s configuration to Git (it’s ignored by default): + +```bash +$ cd <PROJECT DIRECTORY> +# Add Bento's cache to the project's .gitignore +$ echo ".bento/cache" >> .gitignore +# Commit Bento's config to your project +$ git add --force .bento .bentoignore +``` + +Contributors can run Bento for themselves using the project’s configuration via: + +```bash +$ bento init +``` + +#### Running in CI/CD + +Bento has first-class support for checking pull requests with GitHub Actions. +Such checks will report only on the bugs introduced by the changes in the pull request. + +To get started, just run `bento enable ci` in your project directory. +This will add a CI configuration file to your repository. + +#### Advanced CI/CD configuration + +You can also configure Bento in CI to analyze your entire project, +instead of only the changes from a pull request. +So that you don’t have to fix all existing issues before making Bento blocking, +its `archive` feature allows historical issues to be tracked and ignored during CI. + +To use the `archive` feature so Bento returns a non-zero exit code only for new issues, rather than all existing issues, first create the archive: + +```bash +$ cd <PROJECT DIRECTORY> +$ bento archive . +``` + +Commit Bento’s configuration to the project: + +```bash +# Add Bento's cache to the project's .gitignore +$ echo ".bento/cache" >> .gitignore +# Commit Bento's config to your project +$ git add --force .bento .bentoignore +``` + +You can then add Bento to your CI scripts: + +```bash +$ pip3 install bento-cli && bento --version +$ bento --agree --email=<YOUR_EMAIL> check --all 2>&1 | cat +``` + +We pipe through `cat` to disable Bento's interactive tty features (e.g. progress bars, using a pager for many findings). + +If you use CircleCI, the above commands become: + +```yaml +version: 2.1 + +jobs: + bentoCheck: + executor: circleci/python:3.7.4-stretch-node + steps: + - checkout + - run: + name: "Install Bento" + command: pip3 install bento-cli && bento --version + - run: + name: "Run Bento check" + command: bento --agree --email=<YOUR_EMAIL> check --all 2>&1 | cat +``` + +`bento check` will exit with a non-zero exit code if it finds issues in your code (see [Exit Codes](#exit-codes)). + +If you need help setting up Bento with another CI provider please [open an issue](https://github.com/returntocorp/bento/issues/new?template=feature_request.md). Documentation PRs welcome if you set up Bento with a CI provider that isn’t documented here! + +## Help and Community + +Need help or want to share feedback? We’d love to hear from you! + +- Email us at [support@r2c.dev](mailto:support@r2c.dev) +- Join #bento in our [community Slack](https://join.slack.com/t/r2c-community/shared_invite/enQtNjU0NDYzMjAwODY4LWE3NTg1MGNhYTAwMzk5ZGRhMjQ2MzVhNGJiZjI1ZWQ0NjQ2YWI4ZGY3OGViMGJjNzA4ODQ3MjEzOWExNjZlNTA) +- [File an issue](https://github.com/returntocorp/bento/issues/new?assignees=&labels=bug&template=bug_report.md&title=) or [submit a feature request](https://github.com/returntocorp/bento/issues/new?assignees=&labels=feature-request&template=feature_request.md&title=) directly on GitHub — we welcome them all! + +We’re constantly shipping new features and improvements. + +- [Sign up for the Bento newsletter](http://eepurl.com/gDeFvL) — we promise not to spam and you can unsubscribe at any time +- See past announcements, releases, and issues [here](https://us18.campaign-archive.com/home/?u=ee2dc8f77e27d3739cf4df9ef&id=d13f5e938e) + +We’re fortunate to benefit from the contributions of the open source community and great projects such as [Bandit](https://pypi.org/project/bandit/), [ESLint](https://eslint.org/), [Flake8](https://pypi.org/project/flake8/), and their plugins. 🙏 + +## License and Legal + +Please refer to the [terms and privacy document](https://github.com/returntocorp/bento/blob/master/PRIVACY.md). + +</br> +</br> +<p align="center"> + <img src="https://web-assets.r2c.dev/r2c-logo-silhouette.png?gh" height="24" alt="r2c logo"/> +</p> +<p align="center"> + Copyright (c) <a href="https://r2c.dev">r2c</a>. +</p> + + +%prep +%autosetup -n bento-cli-0.12.0 + +%build +%py3_build + +%install +%py3_install +install -d -m755 %{buildroot}/%{_pkgdocdir} +if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi +if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi +if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi +if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi +pushd %{buildroot} +if [ -d usr/lib ]; then + find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/lib64 ]; then + find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/bin ]; then + find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/sbin ]; then + find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst +fi +touch doclist.lst +if [ -d usr/share/man ]; then + find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst +fi +popd +mv %{buildroot}/filelist.lst . +mv %{buildroot}/doclist.lst . + +%files -n python3-bento-cli -f filelist.lst +%dir %{python3_sitelib}/* + +%files help -f doclist.lst +%{_docdir}/* + +%changelog +* Mon May 29 2023 Python_Bot <Python_Bot@openeuler.org> - 0.12.0-1 +- Package Spec generated @@ -0,0 +1 @@ +5568af9bf01cb6b55f7a11a3ebda3b12 bento-cli-0.12.0.tar.gz |