Every tool has the possibility to suppress some of the findings. Besides that some findings could be configured to terminate the build, e.g. when a nullptr-dereference is found in C-code.
For this purpose you can configure global suppression or fatal-error. In the subdirectory recipes-sca-rules you can find rules-files for each tool.
E.g. when you want to configure the behavior of pylint when being invoked on an image, you need to modify (or overload in your own layer) the files from sca-image-pylint.
Each of these rule-recipe consists of two files
- suppress - which adds suppressions
- fatal - which adds fatal errors
In this file you can insert any error ID which should suppressed in output for the given tool and SCA-mode. Per line one error-id could be inserted, which could be a regular expression as well.
In this file you can insert any error ID which terminates the build immediately. Use this for e.g. regression. Per line one error-id could be inserted, which could be a regular expression as well.
Beside the global settings you could use the SCA_<TOOLNAME>_EXTRA_SUPPRESS and SCA_<TOOLNAME>_EXTRA_FATAL variables in each recipe to control the behavior. Both global and local settings are being merged into the effective settings.
The following errors of the tool pylint are not of interest for you: 'warning1', 'someotherinfo', 'notofinteresterror' So put into recipes-sca-rules/sca-recipe-pylint-native/files/suppress and recipes-sca-rules/sca-image-pylint-native/files/suppress
pylint.pylint.warning1
pylint.pylint.someotherinfo
pylint.pylint.notofinteresterrorif you want furthermore suppress the pylint error 'someobscureinfo' for just the recipe 'foo'. Insert into foo.bb
SCA_PYLINT_EXTRA_SUPPRESS += "pylint.pylint.someobscureinfo"if you'd like to suppress a whole range of issue use regular expressions like
pylint.pylint.notofinterest.*or
SCA_PYLINT_EXTRA_SUPPRESS += "pylint.pylint.notofinterest.*"Additionally you can suppress findings on a case-by-case basis within every recipe. Therefore you need to add a variable called SCA_SUPPRESS_LOCALS.
This variable is a space separated list of suppression instructions. Each instruction it build e.g. like this
foo.c,pylint.pylint.warning1,20-30,*This example suppresses any finding in the file foo.c of ID pylint.pylint.warning1 between the source code lines 20-30.
| item | possible values | description |
|---|---|---|
| 1 | regular expression | regular expression that matches the file name (including reletive path from ${S}-directory). All chars like ' or "" or spaces must be URL-coded (e.g. space = %020) |
| 2 | regular expression | regular expression that matched the error ID |
| 3 | int, range or * | specifies the line(s) of the finding which should be suppressed. Ranges should be configured as 'start-end', * means all values are matching |
| 4 | int, range or * | specifies the column(s) of the finding which should be suppressed. Ranges should be configured as 'start-end', * means all values are matching |
SCA_SUPPRESS_LOCALS = "foo.c,pylint.*,0-100,*"suppress all pylint issues between lines 0-100 in file foo.c
SCA_SUPPRESS_LOCALS = "test/.*,pylint.pylint.foowarn,*,*"suppress all pylint.pylint.foowarn issues in any file in folder test/ no matter what line or column they might appear
SCA_SUPPRESS_LOCALS = "foo.c,pylint.pylint.foowarn,50,0-20"suppress pylint.pylint.foowarn in foo.c at line 50, but only if it appears in the first 20 columns
SCA_SUPPRESS_LOCALS = "foo.c,pylint.pylint.foowarn,50,0-20 \
test/.*,pylint.pylint.foowarn,*,*"suppress pylint.pylint.foowarn in foo.c at line 50, but only if it appears in the first 20 columns + suppress all pylint.pylint.foowarn issues in any file in folder test/ no matter what line or column they might appear