From 5a6f6c2fc853449eb1e38db781c787d7b244af2b Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@boum.org>
Date: Sun, 13 Feb 2022 07:49:52 +0000
Subject: [PATCH] CI: add shellcheck job, with minimum severity set to error

We have way too many warnings to enable lower severity levels,
but let's at least we don't introduce new errors.
---
 .gitlab-ci.yml              | 15 +++++++++++++
 tests/bin/shellcheck-tree   | 32 +++++++++++++++++++++++++++
 tests/checkstyle2junit.xslt | 44 +++++++++++++++++++++++++++++++++++++
 3 files changed, 91 insertions(+)
 create mode 100755 tests/bin/shellcheck-tree
 create mode 100644 tests/checkstyle2junit.xslt

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index da2f6e93b..472578b83 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -37,6 +37,7 @@ build-all:
 
 test-all:
   stage: test
+  needs: ["build-all"]
   script:
       - make -C libraries/libapparmor check
       - make -C parser check
@@ -51,6 +52,20 @@ test-all:
       - utils/test/htmlcov/
     when: always
 
+shellcheck:
+  stage: test
+  needs: []
+  script:
+  - apt-get install --no-install-recommends -y file shellcheck xmlstarlet
+  - shellcheck --version
+  - './tests/bin/shellcheck-tree --format=checkstyle --severity=error
+       | xmlstarlet tr tests/checkstyle2junit.xslt
+       > shellcheck.xml'
+  artifacts:
+    when: always
+    reports:
+      junit: shellcheck.xml
+
 # Disabled due to aa-logprof dependency on /sbin/apparmor_parser existing
 #      - make -C profiles check-profiles
 
diff --git a/tests/bin/shellcheck-tree b/tests/bin/shellcheck-tree
new file mode 100755
index 000000000..7a5dab250
--- /dev/null
+++ b/tests/bin/shellcheck-tree
@@ -0,0 +1,32 @@
+#!/usr/bin/python3
+
+import glob
+import re
+import subprocess
+import sys
+from pathlib import Path
+
+
+def is_excluded(f):
+    return re.match(r"^([.]git)/",
+                    f) or Path(f).is_dir()
+
+
+def mimetype(f):
+    return subprocess.run(['file', '--brief', '--mime-type', f],
+                          stdout=subprocess.PIPE,
+                          universal_newlines=True,
+                          check=True).stdout.rstrip()
+
+
+def is_shell_script(f):
+    return mimetype(f) == "text/x-shellscript"
+
+
+shell_scripts = [
+    f for f in glob.glob("**/*", recursive=True)
+    if not is_excluded(f) and is_shell_script(f)
+]
+
+sys.exit(
+    subprocess.run(['shellcheck'] + sys.argv[1:] + shell_scripts).returncode)
diff --git a/tests/checkstyle2junit.xslt b/tests/checkstyle2junit.xslt
new file mode 100644
index 000000000..0fea4528c
--- /dev/null
+++ b/tests/checkstyle2junit.xslt
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+  <xsl:output encoding="UTF-8" method="xml"></xsl:output>
+
+  <xsl:template match="/">
+    <testsuite>
+      <xsl:attribute name="tests">
+        <xsl:value-of select="count(.//file)" />
+      </xsl:attribute>
+      <xsl:attribute name="failures">
+        <xsl:value-of select="count(.//error)" />
+      </xsl:attribute>
+      <xsl:for-each select="//checkstyle">
+        <xsl:apply-templates />
+      </xsl:for-each>
+    </testsuite>
+  </xsl:template>
+
+  <xsl:template match="file">
+    <testcase>
+      <xsl:attribute name="classname">
+        <xsl:value-of select="@name" />
+      </xsl:attribute>
+      <xsl:attribute name="name">
+        <xsl:value-of select="@name" />
+      </xsl:attribute>
+      <xsl:apply-templates select="node()" />
+    </testcase>
+  </xsl:template>
+
+  <xsl:template match="error">
+    <failure>
+      <xsl:attribute name="type">
+        <xsl:value-of select="@source" />
+      </xsl:attribute>
+      <xsl:text>Line </xsl:text>
+      <xsl:value-of select="@line" />
+      <xsl:text>: </xsl:text>
+      <xsl:value-of select="@message" />
+      <xsl:text> See https://www.shellcheck.net/wiki/</xsl:text>
+      <xsl:value-of select="substring(@source, '12')" />
+    </failure>
+  </xsl:template>
+</xsl:stylesheet>