|
| 1 | +# How to contribute to Flawfinder |
| 2 | + |
| 3 | +We love contributions! Here's how to do them in a way that will |
| 4 | +make everyone's lives easy. |
| 5 | + |
| 6 | +Flawfinder has long been maintained on SourceForge. |
| 7 | +We now support reporting and changes using either SourceForge or GitHub. |
| 8 | + |
| 9 | +## Reporting |
| 10 | + |
| 11 | +For normal problems, bugs, and feature requests, *except* for |
| 12 | +vulnerabilities, please file a |
| 13 | +[GitHub issue](https://github.com/david-a-wheeler/flawfinder/issues) or |
| 14 | +[SourceForge ticket](https://sourceforge.net/p/flawfinder/_list/tickets). |
| 15 | + |
| 16 | +If you find a vulnerability, please separately send a private email to |
| 17 | +[David A. Wheeler](https://dwheeler.com/contactme.html). |
| 18 | +To maintain confidentiality, |
| 19 | +please use an email system that implements STARTTLS hop-by-hop email |
| 20 | +encryption on outgoing email (many do, including |
| 21 | +Gmail, hotmail.com, live.com, outlook.com, and runbox.com). |
| 22 | +For more about STARTTLS, see the |
| 23 | +EFF's [STARTTLS Everywhere](https://www.starttls-everywhere.org/) project. |
| 24 | +We plan to handle vulnerabilities separately, fixing them and *then* |
| 25 | +telling the world. We will gladly provide credit to vulnerability reporters |
| 26 | +(unless you don't want the credit). We've never had a vulnerability |
| 27 | +report, so this is theoretical at this time. |
| 28 | + |
| 29 | +## Change process |
| 30 | + |
| 31 | +We use "git" to track changes. To propose a change, create a fork |
| 32 | +(copy) of the repository, make your changes, and create a |
| 33 | +GitHub pull request or SourceForge merge request (they are the same thing). |
| 34 | + |
| 35 | +If you're not familiar with the process, here's some |
| 36 | +documentation for |
| 37 | +[GitHub](https://help.github.com/articles/about-pull-requests/) |
| 38 | +and |
| 39 | +[SourceForge](https://sourceforge.net/p/forge/documentation/Git/). |
| 40 | + |
| 41 | +## License and DCO |
| 42 | + |
| 43 | +All proposed changes must be released under at least the project license, |
| 44 | +in this case the GNU GPL version 2 or later (GPL-2.0+). |
| 45 | + |
| 46 | +Proposers must agree to the |
| 47 | +[Developer's Certificate of Origin](https://developercertificate.org/), |
| 48 | +aka DCO. |
| 49 | +The DCO basically says that you assert that you're legally allowed to |
| 50 | +provide the commit. Please include in your commit a statement of the |
| 51 | +form to confirm this ("git commit -s" will do this): |
| 52 | + |
| 53 | +> Signed-off-by: Your-name \<your-email-address\> |
| 54 | +
|
| 55 | +You must include the DCO in your first commit proposal. |
| 56 | +If you forget occasionally, we'll assume that you just forgot, but |
| 57 | +please try to not forget. |
| 58 | + |
| 59 | +## Development environment setup |
| 60 | + |
| 61 | +As always, if you're modifying the software, you'll need to have |
| 62 | +your development environment set up. You need: |
| 63 | + |
| 64 | +* make |
| 65 | +* python2 (invokable as "python2") |
| 66 | +* python3 (invokable as "python3") |
| 67 | +* pylint (see below) |
| 68 | + |
| 69 | +An easy way to install pylint is to use pip. |
| 70 | +Most python installs have pip, but if yours does not |
| 71 | +(e.g., Cygwin), install pip with: |
| 72 | + |
| 73 | +~~~~ |
| 74 | +python -m ensurepip |
| 75 | +~~~~ |
| 76 | + |
| 77 | +You may want to upgrade pip with: |
| 78 | + |
| 79 | +~~~~ |
| 80 | +pip install --upgrade pip |
| 81 | +~~~~ |
| 82 | + |
| 83 | +Finally, you can actually install pylint using: |
| 84 | + |
| 85 | +~~~~ |
| 86 | +pip install pylint |
| 87 | +~~~~ |
| 88 | + |
| 89 | +## Code Conventions |
| 90 | + |
| 91 | +To make the program easy to install everywhere, the main executable |
| 92 | +is exactly one self-contained file. That involves some compromises, |
| 93 | +but for now, please keep it that way. |
| 94 | + |
| 95 | +We generally use the code conventions of |
| 96 | +[PEP 8](https://www.python.org/dev/peps/pep-0008/). |
| 97 | +The Python code uses 4-space indents (we used to use 2-space indents). |
| 98 | +Do not use tabs. In some cases the code doesn't yet comply; |
| 99 | +patches to improve that are often welcome. |
| 100 | + |
| 101 | +The code must run on both Python 2.7 and Python 3. |
| 102 | +To check that it works on both, run: |
| 103 | + |
| 104 | +~~~~ |
| 105 | +make check |
| 106 | +~~~~ |
| 107 | + |
| 108 | +We use "pylint" to check for style and other generic quality problems. |
| 109 | +To check that the code passes these quality tests, run: |
| 110 | + |
| 111 | +~~~~ |
| 112 | +make pylint |
| 113 | +~~~~ |
| 114 | + |
| 115 | +We require that the pylint results for contributions be at least 9.5/10 as |
| 116 | +configured with the provided "pylintrc" file, without any errors ("E"). |
| 117 | +Better is better. The current version *does* cause some pylint reports |
| 118 | +(patches to fix those are welcome!). Note that we configure pylint |
| 119 | +with the included "pylintrc" file. |
| 120 | +We intentionally disable some checks as being "less important", |
| 121 | +for example, the current code has many lines longer than 80 characters. |
| 122 | +That said, patches to make lines fit in 80 characters are welcome. |
| 123 | + |
| 124 | +## Tests |
| 125 | + |
| 126 | +Make *sure* that your code passes the automated tests. |
| 127 | +As noted above, invoke tests with |
| 128 | +"make check", which tests the code using both Python2 and Python3. |
| 129 | + |
| 130 | +It's our policy that as major new functionality is added to the software |
| 131 | +produced by the project, tests of that functionality should be added to |
| 132 | +the automated test suite. |
| 133 | + |
| 134 | +## Other |
| 135 | + |
| 136 | +Project documentation tends to be in markdown (.md) format. |
| 137 | +We use "~~~~" so that it's easy to cut-and-paste commands if desired. |
| 138 | +The main document is a man page, which is then converted to PDF. |
| 139 | + |
| 140 | +Avoid trailing space or tab on a line in source files - those can create |
| 141 | +hard-to-understand "differences" on lines. |
| 142 | + |
| 143 | +We have earned a |
| 144 | +[CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/projects/323)... make sure we keep it! |
0 commit comments