README
¶
stank: shell script linters
ABOUT
stank is a library and collection of command line utilities for sniffing files to identify shell scripts like bash, sh, zsh, ksh and so on, those funky farmfresh gobs of garbaggio; versus other more palatable files like rb, py, pl.
Believe it or not, shell scripts are notoriously difficult to write well, so it behooves a developer to either write shell scripts in safer languages, or else wargame your scripts with an armada of linters. Trouble is, in large projects one can never be too sure which files are honest to dog POSIX compliant shell scripts, and which are pretenders. csh, tcsh, fish, ion, rc, and most other nonderivatives of bash tend to be NOT POSIX compatible. If you're geeky enough to have followed thus far, let's get crackalackin with some fruity examples dammit!
EXAMPLES
The stank system includes the stank Go library as well as several command line utilities for convenience. The stank application scans directories and files for POSIX-derived shell scripts and prints their paths, designed as a convenient standalone filter for linting large collections of source code.
$ cd examples
$ stank .
.profile
.shrc
.zlogin
...
The stank command line utility searches file paths for shell scripts that may warrant linting.
stank integrates with external linters, helping to feed them a more focused set of file paths to analyze within larger project directories.
$ stank -print0 . | xargs -0 -n 1 shellcheck
In welcome.sh line 1:
#!bash
^----^ SC2239 (error): Ensure the shebang uses an absolute path to the interpreter.
For more information:
https://www.shellcheck.net/wiki/SC2239 -- Ensure the shebang uses an absolu...
Machine-generated files, including git hook default *.sample files, are automatically skipped.
See stank -help for additional options.
DOCKER HUB
https://hub.docker.com/r/n4jm4/stank
DOWNLOAD
https://github.com/mcandre/stank/releases
INSTALL FROM SOURCE
$ go install github.com/mcandre/stank/...@latest
DOCUMENTATION
https://pkg.go.dev/github.com/mcandre/stank
MORE EXAMPLES
The funk linter reports strange odors emanating from scripts, such as improper line endings, the presence of Byte Order Marker's in some Unicode scripts.
$ funk examples
Ambiguous launch style. Either feature a file extensions, or else feature executable bits: examples/.shrc
Tokenize like `unset IFS` at the top of executable scripts: examples/.shrc
Control program flow like `set -euf` at the top of executable scripts: examples/.shrc
Tokenize like `unset IFS` at the top of executable scripts: examples/badconfigs/zprofile
Control program flow like `set -euf` at the top of executable scripts: examples/badconfigs/zprofile
Missing shebang: examples/blank.bash
Traps may reset in subshells: examples/cleanup.sh
Missing shebang: examples/goodbye.sh
Missing shebang: examples/greetings.bash
Control program flow like `set -euf` at the top of executable scripts: examples/hello-commented
$ funk -modulino examples
Configuration features shebang: examples/badconfigs/.bash_profile
Configuration features executable permissions: examples/badconfigs/zprofile
Missing final end of line sequence: examples/blank.bash
Missing shebang: examples/blank.bash
Interpreter mismatch between shebang and extension: examples/derp.zsh
Missing shebang: examples/greetings.bash
Missing final end of line sequence: examples/hello-crlf.sh
CR/CRLF line ending detected: examples/hello-crlf.sh
Modulino ambiguity. Either have owner executable permissions with no extension, or else remove executable bits and use an extension like .lib.sh: examples/hello-crlf.sh
Modulino ambiguity. Either have owner executable permissions with no extension, or else remove executable bits and use an extension like .lib.sh: examples/howdy
Missing shebang: examples/howdy.zsh
Missing shebang: examples/just-eol.bash
Modulino ambiguity. Either have owner executable permissions with no extension, or else remove executable bits and use an extension like .lib.sh: examples/lo
Missing final end of line sequence: examples/lo-cr.csh
CR/CRLF line ending detected: examples/lo-cr.csh
Modulino ambiguity. Either have owner executable permissions with no extension, or else remove executable bits and use an extension like .lib.sh: examples/pipefail
Modulino ambiguity. Either have owner executable permissions with no extension, or else remove executable bits and use an extension like .lib.sh: examples/shout.sh
Modulino ambiguity. Either have owner executable permissions with no extension, or else remove executable bits and use an extension like .lib.sh: examples/wednesday
Modulino ambiguity. Either have owner executable permissions with no extension, or else remove executable bits and use an extension like .lib.sh: examples/wednesday-bom
Leading BOM reduces portability: examples/wednesday-bom
Modulino ambiguity. Either have owner executable permissions with no extension, or else remove executable bits and use an extension like .lib.sh: examples/welcome
$ funk -help
-cr
Report presence/absence of final end of line sequence (default true)
-eol
Report presence/absence of final end of line sequence (default true)
-help
Show usage information
-modulino
Enforce strict separation of application scripts vs. library scripts
-version
Show version information
Both stank and funk have the ability to select low level, nonPOSIX scripts as well, such as csh/tcsh scripts used in FreeBSD.
Note that funk cannot reliably warn for missing shebangs if the extension is also missing; typically, script authors use one or the other to mark files as shell scripts. Lacking both a shebang and a file extension, means that a file could contain code for many languages, making it difficult to determine the POSIXy nature of the code. Even if an exhaustive set of ASTs are applied to test the file contents for syntactical validity across the dozens of available shell languages, there is a strong possibility in shorter files that the contents are merely incidentally valid script syntax, though the intent of the file is not to operate as a POSIX shell script. Short, nonPOSIX scripts such as for csh/tcsh could easily trigger a "POSIX" syntax match. In any case, know that the shebang is requisite for ensuring your scripts are properly interpreted.
Note that funk may fail to present permissions warnings if the scripts are housed on non-UNIX file systems such as NTFS, where executable bits are often missing from the file metadata altogether. When storing shell scripts, be sure to set the appropriate file permissions, and transfer files as a bundle in a tarball or similar to safeguard against dropped permissions.
Note that funk may warn of interpreter mismatches for scripts with extraneous dots in the filename. Rather than .envrc.sample, name the file sample.envrc. Rather than wget-google.com, name the file wget-google-com. Appending .sh is also an option, so update.es.cluster renames to update.es.cluster.sh.
The optional -modulino flag to funk enables strict separation of script duties, into distinct application scripts vs. library scripts. Application scripts are generally executed by invoking the path, such as ./hello or ~/bin/hello or simply hello when $PATH is appropriately modified. Application scripts feature owner executable permissions, and perhaps group and other as well depending on system configuration needs. In contrast, library scripts are intended to be imported with dot (.) or source into user shells or other scripts, and should feature a file extension like .lib.sh, .sh, .bash, etc. By using separate naming conventions, we more quickly communicate to downstream users how to interact with a shell script. In particular, by dropping file extensions for shell script applications, we encourage authors to choose more meaningful script names. Instead of the generic build.sh, choose build-docker. Instead of kafka.sh, choose start-kafka, kafka-entrypoint, etc.
Finally, stink prints a record of each file's POSIXyness, including any interesting fields it identified along the way. Note that some fields may be zero valued if the stench of POSIX or rosy waft of nonPOSIX is overwhelming, short-circuiting analysis. This short-circuiting feature dramatically speeds up how stank searches large projects.
Note that permissions are relayed as decimals, due to constraints on JSON integer formatting (we didn't want to use a custom octal string field). Use echo 'obase=8;<some integer> | bc to display these values in octal.
Note that legacy systems, packages, and shell scripts referencing "sh" may refer to a plethora of pre-POSIX shells. Modern systems rename "sh" to "lksh", "tsh", "etsh", etc. to avoid confusion. In general, the stank suite will assume that the majority of scripts being scanned are targeting post-1971 technology, so use your human intuition and context to note any legacy Thompson UNIX v6 "sh", etc. scripts. Most modern linters will neither be able to parse such scripts of any complexity, nor will they recognize them for the legacy scripts that they are, unless the scripts' shebangs are rendered with the modern retro interpreters "lksh", "tsh", "etsh", etc. for deployment on modern UNIX systems. One could almost use the fs stats for modification/change to try to identify these legacy outliers, but this is a practically unrealistic assumption except for the most obsessive archaeologist, diligently ensuring their legacy scripts continue to present 1970's metadata even after experimental content modifications. So the stank system will simply punt and assume sh -> POSIX sh, ksh -> ksh88 / ksh93 for the sake of modernity and balance.
Similarly, the old Bourne shell AKA "sh" AKA "bsh" presents language identification difficulties. Old Bourne shell scripts are most likely to present themselves with "sh" shebangs, which is okay as Bourne sh and ksh88/pdksh/ksh served as the bases for the POSIX sh standard. Some modern systems may present a Bourne shell as a "sh" or "bsh" binary. The former presents few problems for stank identification, though "bsh" is tricky, as the majority of its uses today are not associated with the Bourne shell but with the Java BeanShell. So stank may default to treating bsh scripts as non-POSIXy, and any such Bourne shell scripts are advised to feature either bash or sh shebangs, and perhaps .sh or .bash extensions, in order to self-identify as modern, POSIX compliant scripts.
$ stink examples/hello
{"Path":"examples/hello","Filename":"hello","Basename":"hello","Extension":"","Shebang":"#!/bin/sh","Interpreter":"sh","LineEnding":"\n","FinalEOL":false,"ContainsCR":false
,"Permissions":509,"Directory":false,"OwnerExecutable":true,"BOM":false,"POSIXy":true,"AltShellScript":false}
$ stink -pp examples/hello
{
"Path": "examples/hello",
"Filename": "hello",
"Basename": "hello",
"Extension": "",
"Shebang": "#!/bin/sh",
"Interpreter": "sh",
"LineEnding": "\n",
"FinalEOL": false,
"ContainsCR": false,
"Permissions": 509,
"Directory": false,
"OwnerExecutable": true,
"BOM": false,
"POSIXy": true,
"AltShellScript": false
}
$ stink -pp examples/hello.py
{
"Path": "examples/hello.py",
"Filename": "hello.py",
"Basename": "hello.py",
"Extension": ".py",
"Shebang": "#!/usr/bin/env python",
"Interpreter": "python",
"LineEnding": "\n",
"FinalEOL": false,
"ContainsCR": false,
"Permissions": 420,
"Directory": false,
"OwnerExecutable": false,
"BOM": false,
"POSIXy": false,
"AltShellScript": false
}
$ stink -help
-cr
Report presence/absence of any CR/CRLF's
-eol
Report presence/absence of final end of line sequence
-help
Show usage information
-pp
Prettyprint smell records
-version
Show version information
The included examples/ directory demonstrates many edge cases, such as empty scripts, shebang-less scripts, extensioned and extensionless scripts, and various Hello World applications in across many programming languages. Some files, such as examples/goodbye may contain 100% valid POSIX shell script content, but fail to self-identify with either shebangs or relevant file extensions. In a large project, such files may be mistakenly treated as whoknowswhat format, or simply plain text. Perhaps statistical methods could help identify POSIX grammars, but even an empty file is technically POSIX, which is unhelpful from a reliable classification standpoint. In any case, examples/ hopefully covers the more common edge cases.
One way to think of stank is a bounty hunter for shell scripts.
Given that shell tends to be more fragile than higher level programming languages, then it is a good idea to rewrite shell code as dedicated applications. Go and Rust are especially good choices for application languages.
The Rust programming language has best in class performance, reliability, and security. The Go programming language has comparable performance, reliability, and security in most contexts. Both Rust and Go support cross-compilation and static executables, so that it's much easier to develop, test, package, and distribute Rust/Go applications compared to flaky shell scripts. Most shell coders neglect to consider subtle vendor locking problems with shell syntax and the flags used for individual commands. Rust has a steeper learning curve than some coders are willing to devote time for. Often, Go can serve as a compromise. Being compiled languages, both Rust and Go are protected from many runtime pitfalls that shells and other interpreted languages invite.
Regardless, the particular programming language is a less important, concern, as long as it is not shell. Notoriously hazardous programming languages like JavaScript and Perl, are still safer than shell. Shell (any flavor) is a trash fire waiting for a spark.
Fortunately, the list of shell scripts that stank emits, can help engineers to identify program candidates to rewrite in more mature programming languages.
LICENSE
BSD-2-Clause
RUNTIME REQUIREMENTS
(None)
Recommended
CONTRIBUTING
For more details on developing stank itself, see DEVELOPMENT.md.
WARNING ON FALSE NEGATIVES
Note that very many software components have a bad habit of encouraging embedded, inline shell script snippets into non-shell script files. For example, CI/CD job configurations, Dockerfile RUN steps, Kubernetes resources, and make. Most linter tools (for shell scripts and other languages) have very limited or nonexistent support for linting inline shell script snippets.
Accordingly, move shell script snippets to a dedicated shell script file. And then have the software component execute the shell script. Then you will be able to lint the shell code with more tools, and thereby raise the quality level of your system.
WARNING ON FALSE POSITIVES
Some rather obscure files, such as Common Lisp source code with multiline, polyglot shebangs and no file extension, may falsely trigger the stank library, and the stink and stank applications, which short-circuit on the first line of the hacky shebang. Such files may be falsely identified as "POSIX" code, which is actually the intended behavior! This is because the polyglot shebang is a hack to work around limitations in the Common Lisp language, which ordinarily does not accept POSIX shebang comments, in order to get Common Lisp scripts to be dot-slashable in bash. For this situation, it is best to supply a proper file extension to such files.
$ head examples/i-should-have-an-extension
#!/usr/bin/env sh
#|
exec clisp -q -q $0 $0 ${1+"$@"}
|#
(defun hello-main (args)
(format t "Hello from main!~%"))
;;; With help from Francois-Rene Rideau
;;; http://tinyurl.com/cli-args
$ stink -pp examples/i-should-have-an-extension
{
"Path": "examples/i-should-have-an-extension",
"Filename": "i-should-have-an-extension",
"Basename": "i-should-have-an-extension",
"Extension": "",
"BOM": false,
"Shebang": "#!/usr/bin/env sh",
"Interpreter": "sh",
"LineEnding": "\n",
"POSIXy": true
}
Perhaps append a .lisp extension to such files. Or separate the modulino into clear library vs. command line modules. Or extract the shell interaction into a dedicated script. Or convince the language maintainers to treat shebangs as comments. Write your congressman. However you resolve this, know that the current situation is far outside the norm, and likely to break in a suitably arcane and dramatic fashion. With wyverns and flaming seas and portents of all ill manner.
Shell script linters
These bad bois help to shore up ur shell scripts. Though they're designed to work on individual files, so be sure to stank-ify larger projects and pipe the results to xargs [-0] [-n ... shellcheck.
Honorable mentions
ack offers --shell [-f] flags that act similarly to stank, with the caveat that ack includes nonPOSIX shells like csh, tcsh, and fish in these results; but as of this writing fails to include POSIX shells like ash, dash, posh, pdksh, ksh93, and mksh. ack also depends on Perl, making it more heavyweight for Docker microservices and other constrained platforms.
kirill identifies JSON documents.
linguist, GitHub's extraordinary effort to identify which language each of its millions of repositories are written in. While this stanky Go project does not employ linguist in automated analysis, it's worth mentioning for forensic purposes, if you ever come across a strange, unidentified (or misidentified!) source code file.
linters, a wiki of common programming language linters and SAST tools.
periscope warns on unscoped NPM packages.
sail identifies C/C++ source code files.
slick offers sh -n syntax checking against pure POSIX syntax, whereas actual sh on most systems symlinks to bash.
todolint finds bugs by code comments.
unmake, a linter for makefiles.
Documentation
¶
Overview ¶
Package stank provides primitives for analyzing programming scripts, especially shell scripts.
Index ¶
- Constants
- Variables
- func GNUAwkCheckSyntax(smell Smell) error
- func GoCheckSyntax(smell Smell) error
- func Ignore(pth string) bool
- func IsAltShellScript(smell Smell) bool
- func IsBOM(bs []byte) bool
- func PHPCheckSyntax(smell Smell) error
- func POSIXShCheckSyntax(smell Smell) error
- func PerlishCheckSyntax(smell Smell) error
- func PythonCheckSyntax(smell Smell) error
- func UnixCheckSyntax(smell Smell) error
- type Smell
- type SniffConfig
Constants ¶
const Version = "0.0.41"
Version is semver.
Variables ¶
var ALTEXTENSIONS = map[string]bool{ ".csh": true, ".cshrc": true, ".elv": true, ".etsh": true, ".fish": true, ".fishrc": true, ".ion": true, ".ionrc": true, ".lksh": true, ".rc": true, ".rcrc": true, ".tcsh": true, ".tcshrc": true, ".tsh": true, }
ALTEXTENSIONS collects some alternative shell script file extensions.
var ALTFILENAMES = map[string]bool{ "csh.login": true, "csh.logout": true, "rc.elv": true, }
ALTFILENAMES matches some alternative shell script profile filenames.
var ALTINTERPRETERS = map[string]bool{ "csh": true, "elvish": true, "etsh": true, "fish": true, "ion": true, "lksh": true, "rc": true, "tcsh": true, "tsh": true, }
ALTINTERPRETERS collects some alternative shell interpreters.
var BOMS = [][]byte{
{0x00, 0x00, 0xFE, 0xFF},
{0x2B, 0x2F, 0x76, 0x2B},
{0x2B, 0x2F, 0x76, 0x2F},
{0x2B, 0x2F, 0x76, 0x38},
{0x2B, 0x2F, 0x76, 0x39},
{0xFE, 0xFF},
{0xFF, 0xBB, 0xBF},
{0xFF, 0xFE},
{0xFF, 0xFE, 0x00, 0x00},
{0x0E, 0xFE, 0xFF},
{0x2B, 0x2F, 0x76, 0x38, 0x3D},
{0x84, 0x31, 0x95, 0x33},
{0xDD, 0x73, 0x66, 0x73},
{0xF7, 0x64, 0x4C},
{0xFB, 0xEE, 0x28},
}
BOMS acts as a registry set of known Byte Order mark sequences. See https://en.wikipedia.org/wiki/Byte_order_mark for more information.
var FullBashInterpreters = map[string]bool{ "bash": true, "bash4": true, }
FullBashInterpreters note when a shell has the basic modern bash features, as opposed to subsets such as ash, dash, posh, ksh, zsh.
var INTERPRETERS2POSIXyNESS = map[string]bool{ "ash": true, "awk": false, "bash": true, "bash4": true, "bosh": true, "csh": false, "dash": true, "elvish": false, "etsh": false, "expect": false, "fish": false, "gawk": false, "hsh": true, "ion": false, "jruby": false, "jython": false, "ksh": true, "ksh88": true, "ksh93": true, "lksh": false, "lua": false, "mksh": true, "node": false, "oksh": true, "oil": true, "osh": true, "pdksh": true, "perl": false, "perl6": false, "php": false, "posh": true, "python": false, "rc": false, "rksh": true, "ruby": false, "sed": false, "sh": true, "stash": false, "swift": false, "tclsh": false, "tcsh": false, "tsh": false, "yash": true, "ysh": false, "zsh": true, }
INTERPRETERS2POSIXyNESS is a fairly exhaustive map of interpreters to whether or not the interpreter is a POSIX compatible shell. Newly minted interpreters can be added by stank contributors.
var Ignores = []string{
".git",
".venv",
"node_modules",
"vendor",
}
Ignores is a poor man's gitignore.
TODO: https://github.com/mcandre/stank/issues/1
var Interpreter2SyntaxValidator = map[string]func(Smell) error{ "ash": UnixCheckSyntax, "bash": UnixCheckSyntax, "bash4": UnixCheckSyntax, "bmake": UnixCheckSyntax, "bosh": UnixCheckSyntax, "csh": UnixCheckSyntax, "dash": UnixCheckSyntax, "elvish": UnixCheckSyntax, "fish": UnixCheckSyntax, "gawk": GNUAwkCheckSyntax, "generic-sh": POSIXShCheckSyntax, "gmake": UnixCheckSyntax, "go": GoCheckSyntax, "iojs": PerlishCheckSyntax, "ksh": UnixCheckSyntax, "ksh88": UnixCheckSyntax, "ksh93": UnixCheckSyntax, "lksh": UnixCheckSyntax, "make": UnixCheckSyntax, "mksh": UnixCheckSyntax, "node": PerlishCheckSyntax, "oksh": UnixCheckSyntax, "oil": UnixCheckSyntax, "osh": UnixCheckSyntax, "pdksh": UnixCheckSyntax, "perl": PerlishCheckSyntax, "perl6": PerlishCheckSyntax, "php": PHPCheckSyntax, "pmake": UnixCheckSyntax, "posh": UnixCheckSyntax, "python": PythonCheckSyntax, "python3": PythonCheckSyntax, "rc": UnixCheckSyntax, "rksh": UnixCheckSyntax, "ruby": PerlishCheckSyntax, "sh": POSIXShCheckSyntax, "tcsh": UnixCheckSyntax, "yash": UnixCheckSyntax, "ysh": UnixCheckSyntax, "zsh": UnixCheckSyntax, }
Interpreter2SyntaxValidator provides syntax validator delegates, if one is available.
var KshInterpreters = map[string]bool{ "ksh": true, "ksh88": true, "ksh93": true, "mksh": true, "oksh": true, "pdksh": true, "rksh": true, }
KshInterpreters note when a shell is a member of the modern ksh family.
var LOWEREXTENSIONS2CONFIG = map[string]bool{ ".ashrc": true, ".bash_login": true, ".bash_logout": true, ".bash_profile": true, ".bashrc": true, ".cshrc": true, ".dashrc": true, ".fishrc": true, ".ionrc": true, ".kshrc": true, ".profile": true, ".rcrc": true, ".shinit": true, ".shrc": true, ".tcshrc": true, ".zlogin": true, ".zlogout": true, ".zprofile": true, ".zshenv": true, ".zshrc": true, }
LOWEREXTENSIONS2CONFIG is a fairly exhaustive map of lowercase file extensions to whether or not they represent shell script configurations. Newly minted extensions can be added by stank contributors.
var LOWEREXTENSIONS2INTERPRETER = map[string]string{
".ashrc": "ash",
".awk": "awk",
".bash": "bash",
".bash_login": "bash",
".bash_logout": "bash",
".bash_profile": "bash",
".bashrc": "bash",
".bsdmakefile": "bmake",
".csh": "csh",
".cshrc": "csh",
".dash": "dash",
".dashrc": "dash",
".elv": "elvish",
".fish": "fish",
".fishrc": "fish",
".gawk": "gawk",
".gnumakefile": "gmake",
".hsh": "hsh",
".ion": "ion",
".ionrc": "ion",
".ksh": "ksh",
".ksh88": "ksh",
".ksh93": "ksh93",
".ksh93rc": "ksh93",
".kshrc": "ksh",
".lkshrc": "lksh",
".lua": "lua",
".makefile": "make",
".mf": "make",
".mksh": "mksh",
".mkshrc": "mksh",
".osh": "osh",
".pdksh": "pdksh",
".pdkshrc": "pdksh",
".php": "php",
".pmakefile": "pmake",
".poshrc": "posh",
".profile": "sh",
".rc": "rc",
".rcrc": "rc",
".sed": "sed",
".sh": "sh",
".shinit": "sh",
".shrc": "sh",
".tcsh": "tcsh",
".tcshrc": "tcsh",
".ysh": "ysh",
".zlogin": "zsh",
".zlogout": "zsh",
".zprofile": "zsh",
".zsh": "zsh",
".zshenv": "zsh",
".zshprofile": "zsh",
".zshrc": "zsh",
"ash": "ash",
}
LOWEREXTENSIONS2INTERPRETER is a fairly exhaustive map of lowercase file extensions to their corresponding interpreters. Newly minted config extensions can be added by stank contributors.
var LOWEREXTENSIONS2POSIXyNESS = map[string]bool{}/* 101 elements not displayed */
LOWEREXTENSIONS2POSIXyNESS is a fairly exhaustive map of lowercase file extensions to whether or not they represent POSIX shell scripts. Newly minted extensions can be added by stank contributors.
var LOWERFILENAMES2CONFIG = map[string]bool{ "bash_login": true, "bash_logout": true, "csh.login": true, "csh.logout": true, "login": true, "logout": true, "oilrc": true, "oshrc": true, "profile": true, "rc.elv": true, "rcrc": true, "shinit": true, "shrc": true, "tcsh.login": true, "tcsh.logout": true, "yshrc": true, "zlogin": true, "zlogout": true, "zprofile": true, "zshenv": true, "zshrc": true, }
LOWERFILENAMES2CONFIG is a fairly exhaustive map of lowercase filenames to whether or not they represent shell script configurations. Newly minted config filenames can be added by stank contributors.
var LOWERFILENAMES2INTERPRETER = map[string]string{
".ashrc": "ash",
".bashrc": "bash",
".cshrc": "csh",
".dashrc": "dash",
".fishrc": "fish",
".ionrc": "ion",
".ksh93rc": "ksh93",
".kshrc": "ksh",
".lkshrc": "lksh",
".login": "sh",
".logout": "sh",
".mkshrc": "mksh",
".pdkshrc": "pdksh",
".poshrc": "posh",
".rcrc": "rc",
".shinit": "sh",
".shrc": "sh",
".tcshrc": "tcsh",
".zlogin": "zsh",
".zlogout": "zsh",
".zprofile": "zsh",
".zshenv": "zsh",
".zshrc": "zsh",
"bsdmakefile": "bmake",
"csh.login": "csh",
"csh.logout": "csh",
"gnumakefile": "gmake",
"makefile": "make",
"oilrc": "osh",
"oshrc": "osh",
"pmakefile": "pmake",
"profile": "sh",
"rc.elv": "elvish",
"tcsh.login": "tcsh",
"tcsh.logout": "tcsh",
"yshrc": "ysh",
"zlogin": "zsh",
"zlogout": "zsh",
"zprofile": "zsh",
"zshenv": "zsh",
"zshrc": "zsh",
}
LOWERFILENAMES2INTERPRETER is a fairly exhaustive map of lowercase filenames to their corresponding interpreters. Newly minted config filenames can be added by stank contributors.
var LOWERFILENAMES2POSIXyNESS = map[string]bool{ ".profile": true, "bash_login": true, "bash_logout": true, "changelog": false, "csh.login": false, "csh.logout": false, "login": true, "logout": true, "makefile": false, "oilrc": true, "oshrc": true, "profile": true, "rc.elv": false, "rcrc": false, "readme": false, "shinit": true, "shrc": true, "tcsh.login": false, "tcsh.logout": false, "thumbs.db": false, "yshrc": false, "zlogin": true, "zlogout": true, "zprofile": true, "zshenv": true, "zshrc": true, }
LOWERFILENAMES2POSIXyNESS is a fairly exhaustive map of lowercase filenames to whether or not they represent POSIX shell scripts. Newly minted config filenames can be added by stank contributors.
var LOWERMACHINEEXTENSIONS = map[string]bool{ ".sample": true, }
LOWERMACHINEEXTENSIONS collects a rather truncated survey of machine-generated file extensions likely to not be edited directly by most shell script authors.
Functions ¶
func GNUAwkCheckSyntax ¶ added in v0.0.17
GNUAwkCheckSyntax validates syntax for GNU awk files.
func GoCheckSyntax ¶ added in v0.0.17
GoCheckSyntax validates syntax for Go.
func IsAltShellScript ¶ added in v0.0.12
IsAltShellScript returns whether a smell represents a non-POSIX, but nonetheless similar kind of lowlevel shell script language.
func PHPCheckSyntax ¶ added in v0.0.17
PHPCheckSyntax validates syntax for PHP.
func POSIXShCheckSyntax ¶ added in v0.0.17
POSIXShCheckSyntax validates syntax for strict POSIX sh compliance.
func PerlishCheckSyntax ¶ added in v0.0.17
PerlishCheckSyntax validates syntax for Perl, Ruby, and Node.js.
func PythonCheckSyntax ¶ added in v0.0.17
PythonCheckSyntax validates syntax for Python.
func UnixCheckSyntax ¶ added in v0.0.17
UnixCheckSyntax validates syntax for the wider UNIX shell family.
Types ¶
type Smell ¶
type Smell struct {
Path string `json:"path"`
Filename string `json:"filename"`
Basename string `json:"basename"`
Extension string `json:"extension"`
Symlink bool `json:"symlink"`
Shebang string `json:"shebang"`
Interpreter string `json:"interpreter"`
InterpreterFlags []string `json:"interpreter_flags"`
LineEnding string `json:"line_ending"`
FinalEOL *bool `json:"final_eol"`
ContainsCR bool `json:"contains_cr"`
Permissions os.FileMode `json:"permissions"`
Directory bool `json:"directory"`
OwnerExecutable bool `json:"owner_executable"`
Library bool `json:"library"`
BOM bool `json:"bom"`
POSIXy bool `json:"posixy"`
Bash bool `json:"bash"`
Ksh bool `json:"ksh"`
AltShellScript bool `json:"alt_shell_script"`
CoreConfiguration bool `json:"core_configuration"`
MachineGenerated bool `json:"machine_generated"`
}
Smell describes the overall impression of a file's POSIXyness, using several factors to determine with a reasonably high accuracy whether or not the file is a POSIX compatible shell script.
An idiomatic shebang preferably leads the file, such as #!/bin/bash, #!/bin/zsh, #!/bin/sh, etc. This represents good form when writing shell scripts, in particular ensuring that the script will be evaluated by the right interpreter, even if the extension is omitted or a generic ".sh". Shell scripts, whether executable applications or source'able libraries, should include a shebang. One attribute not analyzed by this library is unix file permission bits. Application shell scripts should set the executable bit(s) to 1, while shell scripts intended to be sourced or imported should not set these bits. Either way, the bits have hardly any correlation with the POSIXyness of a file, as the false positives and false negatives are too frequent.
Common filenames for POSIX compatible scripts include .profile, .login, .bashrc, .bash_profile, .zshrc, .kshrc, .envrc*, and names for git hooks. The stank library will catalog some of these standard names, though application-specific filenames are various and sundry. Ultimately, all files containing POSIX compatible shell content should include a shebang, to help interpreters, editors, and linters identify POSIX shell content.
File extension is another way to estimate a script's POSIXyness. For example, ".bash", ".ksh", ".posh", ".sh", etc. would each indicate a POSIX compatible shell script, whereas ".py", ".pl", ".rb", ".csh", ".rc", and so on would indicate nonPOSIX script. File extensions are often omitted or set to a generic ".sh" for command line applications, in which case the extension is insufficient for establishing the POSIX vs. nonPOSIX nature of the script. This is why shebangs are so important; while file extensions can be helpful, shell scripts really rely moreso on the shebang for self identification, and extensions aren't always desirable, as unix CLI applications prefer to omit the extension from the filename for brevity. Note that some filenames such as ".profile" may be logically considered to have basename "" (blank) and extension ".profile", or basename ".profile" with extension ".profile", or else basename ".profile" and extension "" (blank). In practice, Go treats both the basename and extension for these kinds of files as containing ".profile", and Smell will behave accordingly.
File encoding also sensitive for shell scripts. Generally, ASCII subset is recommended for maximum portability. If your terminal supports it, the LANG environment variable can be altered to accept UTF-8 and other encodings, enabling raw UTF-8 data to be used in script contents. However, this restricts your scripts to running only on systems explicitly configured to match the encoding/locale of your script; and tends to furter limit the platforms for your script to specifically GNU libc Linux distributions, so using nonASCII content in your scripts is inadvisable. Shell scripts conforming to POSIX should really use pure ASCII characters. NonUTF-8 encodings such as UTF-16, UTF-32, and even nonUnicode encodings like EBCDIC, Latin1, and KOI8-R usually indicate a nonPOSIX shell script, even a localization file or other nonscript. These encodings are encountered less often than ASCII and UTF-8, and are generally considered legacy formats. For performance reasons, the stank library will not attempt to discern the exact encoding of a file, but merely report whether the file leads with a byte order marker such as 0xEFBBBF (UTF-8) or 0xFEFF (UTF-16, UTF-32). If BOM, then the file is Unicode, which may lead to a stank warning, as POSIX shell scripts are best written in pure ASCII, for maximum cross-platform compatibliity. BOMs are outside of the 127 max integer range for ASCII values, so a file with a BOM is likely not a POSIX shell script, while a file without a BOM may be a POSIX shell script.
Line endings for POSIX shell scripts should LF="\n" in C-style notation. Alternative line endings such as CRLF="\r\n", ancient Macintosh CR="\r", and bizarre forms like vertical tab (ASCII code 0x0B) or form feed (ASCII code 0x0C) are possible in a fuzzing sense, but may lead to undefined behavior depending on the particular shell interpreter. For the purposes of identifying POSIX vs nonPOSIX scripts, a Smell will look for LF, CRLF, and CR; and ignore the presence or absence of these other exotic whitespace separators. NonPOSIX scripts written in Windows, such as Python and Ruby scripts, are ideally written with LF line endings, though it is common to observe CRLF endings, as Windows users more frequently invoke these as "python script.py", "ruby script.rb", rather than the bare "script" or dot slash "./script" forms typically used by unix administrators. For performance, the stank library will not report possible multiple line ending styles, such as poorly formatted text files featuring both CRLF and LF line endings. The library will simply report the first confirmed line ending style.
Moreover, POSIX line ending LF is expected at the end of a text file, so a final end of line character "\n" is good form. Common unix utilities such as cat expect this final EOL, and will misrender the successive shell prompt when processing files that omit the final EOL. Make expects a final EOL, and gcc may produce malformed .c code if the .h header files neglect to include a final EOL. For performance reasons, the stank library will not attempt to read the entire file to report on the presence/absence of a final EOL. Shell script authors should nonetheless configure their text editors to consistently include a final EOL in the vast majority of text file formats.
A POSIXy flag indicates that, to the best of the stank library's ability, a file is identified as either very likely a POSIX shell script, or something else. Something else encompasses nonPOSIX shell scripts such as Csh, Tcsh, Python, Ruby, Lua scripts; also encompasses nonscript files such as multimedia images, audio, rich text documents, machine code, and other nonUTF-8, nonASCII content.
Scripts referencing "sh" are generally considered to be POSIX sh. Ignoring unmarked legacy Thompson sh scripts.
Unknown, even more obscure languages are assumed to be non-POSIXY.
Languages with duplicate names (e.g. oil shell osh vs. OpenSolaris oil shell) are generally assumed not to be POSIXy. Unable to disambiguate without more specific information (shebang names, file extentions).
func Sniff ¶
func Sniff(pth string, config SniffConfig) (Smell, error)
Sniff analyzes the holistic smell of a given file path, returning a Smell record of key indicators tending towards either POSIX compliance or noncompliance, including a flag for the final "POSIXy" trace scent of the file.
For performance, if the scent of one or more attributes obviously indicates POSIX or nonPOSIX, Sniff() may short-circuit, setting the POSIXy flag and returning a record with some attributes set to zero value.
Polyglot and multiline shebangs are technically possible in languages that do not support native POSIX-style shebang comments ( see https://rosettacode.org/wiki/Multiline_shebang ). However, Sniff() can reliably identify only ^#!.+$ POSIX-style shebangs, and will populate the Shebang field accordingly.
If an I/O problem occurs during analysis, an error value will be set. Otherwise, the error value will be nil.
func (Smell) MarshalJSON ¶ added in v0.0.37
MarshalJSON encodes a Smell as JSON.
func (*Smell) UnmarshalJSON ¶ added in v0.0.37
UnmarshallJSON decodes a Smell from JSON.
type SniffConfig ¶ added in v0.0.9
SniffConfig bundles together the various options when sniffing files for POSIXyNESS.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
funk
command
Package main implements a shell script linter CLI application, with unique checks on fundamental portability, safety, and security concerns.
|
Package main implements a shell script linter CLI application, with unique checks on fundamental portability, safety, and security concerns. |
|
stank
command
Package main implements a CLI application to recursively identify POSIX shell scripts in large, complex directories.
|
Package main implements a CLI application to recursively identify POSIX shell scripts in large, complex directories. |
|
stink
command
Package main implements a CLI application for identifying script metadata.
|
Package main implements a CLI application for identifying script metadata. |