17-May-2023 17:55 - edited 17-May-2023 21:41
Hi, we are currently uplifting our Jenkins pipeline for F5 and there is a requirement for static analysis on the code. Since TCL scripts are not supported by default on Sonar, I am looking for automated linters which can perform the static analysis. Can someone please suggest which one I should use and any documentation reference? Are there any CLI tools which can be used for scanning code for quality and security?
23-May-2023 21:12 - last edited on 24-May-2023 20:10 by JRahm
Remember that while F5 implements TCL in iRules, there are differences due to the use of trigger methods, and different namespace functions and variables. I am not aware of any lint-type parser here.
Instead, I would suggest considering local traffic policies. Most iRules can be converted to local traffic policies, which run natively within TMOS and survive BIG-IP code upgrades. Remember the class match debacle a while back? I have been converting many customer iRules to local traffic policies to accomplish simplicity and flexibility in terms of updates (by using the draft/publish methodology).
@whisperer has the right advice here, where traffic policies can be implemented in lieu of iRules. iRules are great, but should be used only where necessary. For static analysis, I'm not sure there are tools for that for iRules because it's a heavily extended/customized version of Tcl 8.4.6. I'm checking with someone who might have a more definitive answer, and will update here when I hear back.
That said, if you have the ability to upload qkviews of BIG-IP system configs (even if just a dummy config for the purposes of testing), you could use the iHealth API to check for any iRules-related diagnostics/heuristics that might trigger against your configurations.
On the flip side, if you're looking for iRules unit testing, you can check out the questionably named TestTcl, um, package.
Asked around internally and there is a package that @Simon_Kowallik put together that might help:
GitHub - simonkowallik/irulescan: irulescan - static security analyzer for iRules
@JRahm mentioned QKView analysis, and that is actually an excellent way to check for iRule issues. During the QKView review process, logs are actually trolled to see if there were any iRule execution errors. You can do the same manually in real time by tailing /var/log/ltm as well. In older versions of BIG-IP, the QKView review in iHealth would also alert you to any changes in namespaces and methods in newer code releases. Finally, you can also program against the iHealth API easily using Python or Postman. I have done this to obtain a list of CVEs, for example, on my current version of BIG-IP. You could simply upload the QKView quarterly and parse the results for any hits on keywords like "irule", for instance, in the returned JSON.
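As an added example (not code from anyone in this thread), here is a small Python parser for the kind of iRule runtime errors the post above suggests watching for in /var/log/ltm. The log lines are constructed samples, and the exact "TCL error: /Partition/rule <EVENT> - message" layout is an assumption about the format; adjust the regex to match what your BIG-IP actually logs.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/ltm (not from a real system).
# Line 2 is an ordinary "log local0." message and line 5 an audit entry; neither
# should be reported as an iRule execution error.
SAMPLE_LTM_LOG = """\
May 17 17:55:01 bigip1 err tmm[11223]: 01220001:3: TCL error: /Common/header_rewrite <HTTP_REQUEST> - can't read "hdr_val": no such variable     while executing "HTTP::header replace X-Custom $hdr_val"
May 17 17:55:02 bigip1 info tmm[11223]: Rule /Common/logger <HTTP_REQUEST>: client 10.0.0.5 requested /index.html
May 17 17:55:03 bigip1 err tmm1[11224]: 01220001:3: TCL error: /Common/header_rewrite <HTTP_RESPONSE> - invalid command name "HTTP::headr"     while executing "HTTP::headr remove Server"
May 17 17:55:04 bigip1 err tmm[11223]: 01220001:3: TCL error: /Common/class_lookup <CLIENT_ACCEPTED> - Bad class name     while executing "class match [IP::client_addr] equals old_dg"
May 17 17:55:05 bigip1 notice mcpd[4321]: 01070417:5: AUDIT - user admin - transaction #1-1 - object 0 - create { ... } [Status=Command OK]
"""

# Assumed layout: the rule path, the event in angle brackets, the Tcl error
# message, then (optionally) the flattened "while executing ..." errorInfo.
TCL_ERROR_RE = re.compile(
    r"TCL error: (?P<rule>/\S+) <(?P<event>[A-Z_]+)> - "
    r"(?P<message>.*?)(?:\s{2,}while executing.*)?$"
)


def parse_tcl_errors(log_text):
    """Return one dict (rule, event, message) per iRule runtime error line."""
    errors = []
    for line in log_text.splitlines():
        m = TCL_ERROR_RE.search(line)
        if m:
            errors.append({
                "rule": m.group("rule"),
                "event": m.group("event"),
                "message": m.group("message").strip(),
            })
    return errors


def errors_per_rule(errors):
    """Count runtime errors per iRule so the noisiest rules get reviewed first."""
    return Counter(e["rule"] for e in errors)


if __name__ == "__main__":
    found = parse_tcl_errors(SAMPLE_LTM_LOG)
    for rule, count in errors_per_rule(found).most_common():
        print(f"{count:3d}  {rule}")
    for e in found:
        print(f"{e['rule']} <{e['event']}>: {e['message']}")
```

The same function can be pointed at a live tail of /var/log/ltm or at the log files bundled in a qkview, which is what the iHealth review automates.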
Maybe I need to do a couple of iHealth API examples for articles or a live coding session on YouTube. I don't see much about it here or anywhere, but it's pretty great.