stank

stank: analyzers for determining whether files smell like rotten POSIX shell scripts, or faintly rosy like Ruby and Python scripts

License: Other

Stars: 52


stank - #go-to-town (Latest Release)

Published by mcandre 3 months ago

  • Apply Go security patches

stank - #tarball

Published by mcandre 9 months ago

Replace zip archive with tarball for ease of Docker container injection.

stank - #space

Published by mcandre 9 months ago

  • stink now recognizes the .sample file extension as marking a machine-generated file, ill suited for linting by most downstream developers.
  • The various stank collection CLI tools now skip *.sample git hook dummy files by default; these files have a history of tripping ShellCheck and other linters.
  • -print0 support added to stank, for use with the classic xargs -0, in order to protect against subtle whitespace-splitting bugs in larger shell commands, scripts, and CI/CD pipelines.

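The whitespace hazard that -print0 addresses, as an added example that is not stank's own code: a path containing a space is split into two bogus arguments when paths are passed one per line through plain xargs, but survives intact when NUL-delimited and consumed with xargs -0. Because stank itself is not assumed to be installed here, find stands in for it (both emit one path per line by default and NUL-separated paths with -print0); the intended real pipeline is of the form `stank -print0 <paths> | xargs -0 shellcheck`, whose exact positional syntax is an assumption not shown on this page. The fixture scripts are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not part of stank): why NUL-delimited paths are safer than
# newline-delimited ones once a filename contains whitespace.
# `find` stands in for `stank` (assumption: same -print0 convention).
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures: two shell scripts, one with a space in its name.
printf '#!/bin/sh\necho hi\n' >"$WORK/plain.sh"
printf '#!/bin/sh\necho hi\n' >"$WORK/has space.sh"

# Each function reports how many arguments the downstream command (standing in
# for shellcheck) actually received. Plain xargs splits "has space.sh" into two
# non-existent paths; xargs -0 keeps it as a single argument.
args_seen_newline() {
    find "$WORK" -name '*.sh' | xargs sh -c 'echo "$#"' sh
}

args_seen_nul() {
    find "$WORK" -name '*.sh' -print0 | xargs -0 sh -c 'echo "$#"' sh
}

echo "newline-delimited arguments: $(args_seen_newline)"   # 3: one path was split in two
echo "NUL-delimited arguments:     $(args_seen_nul)"       # 2: both paths intact
```

In a CI pipeline the split path does not merely fail to lint; the linter reports "file not found" for fragments like "has", and the real script is silently skipped. NUL is the only byte that cannot appear in a POSIX path, which is why -print0 / -0 is the robust pairing.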
stank - go1.21

Published by mcandre 10 months ago

  • Update Go

stank - #delizshious

Published by mcandre over 1 year ago

With new and improved zsh scanning!

stank - #risky-business

Published by mcandre over 1 year ago

Update to Go 1.20 for freebsd/riscv64 support.

stank - #harm_reduction

Published by mcandre over 1 year ago

  • Recognize explicitly shimmed Heirloom Shell (hsh) scripts
  • funk now treats most traps as hazards
  • Update Snyk version
  • Provide a general warning concerning embedded, inline shell scripts

stank - #loongson

Published by mcandre about 2 years ago

Upgrade Go to 1.19 for loong64 support in prebuilt binaries.

stank - more-ports

Published by mcandre about 3 years ago

The internal build process has been enriched to yield more platform ports.

stank - #exclusive

Published by mcandre about 4 years ago

  • stank now accepts a flag -exInterp <bash[,zsh[,ksh[,etc]]]> to remove results for the named interpreters from reports. This is particularly helpful when integrating ShellCheck in large projects, because ShellCheck does not support zsh and reports errors when passed zsh scripts.

stank - integration super powers

Published by mcandre over 4 years ago

funk no longer discourages shebangs from non-executable shell scripts.

Before, we were worried that the mere existence of a shebang could confuse some users and lead to mistakes with interpreter flags.

funk will continue to warn on incorrect file mode bits and on flags specified in the interpreter line. That promotes a clear launch style and more reliable runtime behavior in a variety of environments. However, we realized that the presence of a shebang is very helpful for reading scripts correctly, even if it might suggest to a few novice users that a non-executable (sourceable!) script would invoke its interpreter line.

Now, funk actively encourages shebangs for all POSIXy shell scripts. This allows for greater clarity when scripts are read by people, text editors, and static analysis tools.

stank - shlint-inspired

Published by mcandre over 4 years ago

funk now encourages set -euf by default.

For POSIXy scripts, funk attempts to pass file contents through syntax validators (e.g. bash -n).

Generic POSIX sh scripts continue to run through the mvdan/sh parser, in case a shim has replaced sh with a looser parser such as bash.

This largely replaces the need for shlint. checkbashisms is still a separate utility, of course.

stank - flexibility

Published by mcandre over 4 years ago

  • funk allows for more whitespace, as well as arbitrary unsets in, above, and around the set / IFS reset top region.

stank - safety first!

Published by mcandre over 4 years ago

  • Expanded and clarified smell fields. Easier to distinguish between skipped final EOL checks versus truly missing final EOL.
  • Mark full bash scripts. Mark modern ksh family scripts. Planning later support for language-specific scans.
  • Dirty gitignore hack for many shell script projects to cut down warnings for third party projects.
  • And the big one:

funk now warns when executable scripts omit set and IFS statements at the top. Along with good exit traps, these statements act similarly to use strict; in Perl or 'use strict'; in JavaScript, bringing program control flow in shell closer to what we intuitively expect.

For example, the -e option to set exits the program at the point of the first command failure. By default, most shells continue past the error and run potentially hazardous commands straight through to the end of the program. So set -e is highly encouraged for any and all executable POSIXy shell scripts. Note that set -e deliberately ignores failures in some positions (the condition of an if or while, the left-hand side of && and ||, and every element of a pipeline except the last), so it is a safety net rather than a substitute for checking the exit status of commands that matter.

The POSIX standard defines other options as well. And if you use a superset shell like bash, zsh, ksh, etc., you may have even more options for tuning how your program responds to different situations.

https://pubs.opengroup.org/onlinepubs/009695399/utilities/set.html

funk expects at least one set command and at least one IFS assignment at the top of all POSIXy shell scripts. A shebang, full-line or trailing comments, and traps are allowed in this region. Multiline statements in this region unfortunately cannot be parsed accurately.

The exact order of sets vs. IFSs vs. traps is not enforced by funk; order these according to your semantic and stylistic preferences.

Note that the exact IFS value and the exact set flags are not checked, as these are highly language and project specific. We encourage -eu on set and an effective value of \n\t for IFS as a good start toward more predictable runtime behavior. The goal is to raise the reliability of our shell scripts without sacrificing too much flexibility.

In addition to executable scripts, IFS and/or set may be customized in core configuration files or other sourceable library scripts, though take care not to break interactive environments.
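The header rule described above, together with the parse-only validation from the shlint-inspired release, as one added example that is not funk's own code: a strict top region of the shape funk expects, a small line-oriented awk check for it (skipping the shebang, blank lines, comments, trap and unset lines, and stopping at the first real statement), a syntax pass with `sh -n` (the POSIX sh analogue of `bash -n`), and a side-by-side run showing what set -e changes after a failing command. The three fixture scripts are constructed in a temporary directory; header_ok, syntax_ok and reached_after_failure are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of stank/funk: a strict shell header, a check for
# its presence, a parse-only pass, and a demonstration of set -e.
set -euf
IFS="$(printf '\n\t')"

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed fixture with the recommended top region: shebang, comment,
# set, IFS, trap. With set -e the shell stops at `false`.
cat >"$WORK/strict.sh" <<'EOF'
#!/bin/sh
# comments and traps are allowed in the header region
set -euf
IFS="$(printf '\n\t')"
trap 'echo cleanup >/dev/null' EXIT
false
echo "still running"
EOF

# Same body without the header: funk would warn, and the shell runs on past `false`.
cat >"$WORK/loose.sh" <<'EOF'
#!/bin/sh
false
echo "still running"
EOF

# Header present, but the script does not parse at all (missing `fi`).
cat >"$WORK/broken.sh" <<'EOF'
#!/bin/sh
set -euf
IFS="$(printf '\n\t')"
if true; then echo hi
EOF

# header_ok FILE: succeed when the leading region contains both a `set`
# command and an `IFS=` assignment. Line-oriented, like the rule described
# above, so a multi-line IFS assignment would not be recognised.
header_ok() {
    awk '
        NR == 1 && /^#!/                       { next }
        /^[[:space:]]*$/ || /^[[:space:]]*#/   { next }
        /^[[:space:]]*set[[:space:]]/          { has_set = 1; next }
        /^[[:space:]]*IFS=/                    { has_ifs = 1; next }
        /^[[:space:]]*(trap|unset)[[:space:]]/ { next }
        { exit }   # first real statement ends the header region
        END { exit !(has_set && has_ifs) }
    ' "$1"
}

# syntax_ok FILE: parse only, do not execute (the sh counterpart of bash -n).
syntax_ok() {
    sh -n "$1" 2>/dev/null
}

# reached_after_failure FILE: prints 1 if the line after the failing `false`
# still executed, 0 if the shell stopped there.
reached_after_failure() {
    if sh "$1" 2>/dev/null | grep -q 'still running'; then
        echo 1
    else
        echo 0
    fi
}

for f in strict loose broken; do
    printf '%-7s header:%s syntax:%s\n' "$f" \
        "$(header_ok "$WORK/$f.sh" && echo ok || echo missing)" \
        "$(syntax_ok "$WORK/$f.sh" && echo ok || echo error)"
done
echo "strict.sh ran past false: $(reached_after_failure "$WORK/strict.sh")"   # 0
echo "loose.sh ran past false:  $(reached_after_failure "$WORK/loose.sh")"    # 1
```

Running a syntax check with `sh -n` catches broken.sh even though its header looks right, which is why the two checks complement each other: the header check is about runtime discipline, the parse check about whether the file is a shell script at all. Note that `sh -n` validates against whatever sh is on the PATH, which is exactly the shim problem the mvdan/sh parser is used to sidestep.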

Enjoy version 0.0.15.

stank - new directions

Published by mcandre over 4 years ago

  • Expand code smell report data.
  • Expand shebang quirk warnings.
  • funk scans POSIX sh scripts for parse errors.
  • Drop faulty CheckJavaShim.
  • No longer assume all osh scripts are POSIXy (oil vs OpenSolaris ambiguity).
  • Some early work on disambiguating UNIX expect scripts versus true sh scripts.
  • Replace gox with xgo when building ports.
  • Register more programming languages.
  • More test examples.

The change to xgo drops some platforms, while fixing others. Also, the archive file path structure has changed.

stank - musl + more

Published by mcandre over 6 years ago

musl Linux and other new targets are now available in the precompiled binaries bundle.

stank - Free🐝SD

Published by mcandre about 7 years ago

Release notes:

  • The stank library and application suite can now report "alt" shell scripts, such as csh/tcsh used in FreeBSD.

Happy linting!

stank - shake it off edition

Published by mcandre about 7 years ago

Release notes:

  • rosy: bin/ scripts no longer ignored, in case of customized Java shims
  • rosy: -ahiru flag added for encouraging shell script portability

stank - haters in the club

Published by mcandre about 7 years ago

funk now offers a -modulino flag to break up modulinos and ambiguous shell scripts into distinct application scripts vs. library scripts. This option is noisy and off by default for now. When enabled, -modulino recommends that executable permissions be reserved for extension-less scripts, and that library scripts be renamed with .lib.sh extensions. This policy is intended to communicate to downstream users whether to ./ (execute) or . (import) a script, and to choose more meaningful names for application scripts.

stank - S.M.R.T. Smart!

Published by mcandre about 7 years ago

Release notes:

  • continue scanning past BOMs
  • rosy: Ignore bin/<script> paths, as these are often Java shims
  • rosy: -kame/-usagi flags to recommend either faster or more robust shell languages
  • stink, funk: -eol flag to customize scan for existence of a final end of line feed
  • stink, funk: -cr flag to customize scan for presence of a carriage return / carriage return line feed
  • recognize more exotic shells, including osh, bosh, tsh, etsh, yash
  • assorted bugfixes