M5 - GIT HOOKS TO FACILITATE AUTOMATED SECURITY STATIC ANALYSIS

Description

Use an existing tool and Git Hooks to activate a static analysis tool for a popular repository.

Courses Where This Module Is Integrated

Software Quality Assurance (Auburn University, Spring 2023, Fall 2023)
Mobile Security (Tuskegee University, Fall 2023)

Activities 

Pre-lab Content Dissemination

One negative perception of software quality assurance (SQA) is that it prohibits rapid deployment of software. That is why practitioners advocate integrating SQA activities into the software development and deployment process. To that end, in modern software engineering, practitioners prefer automated pipelines for security analysis: instead of asking practitioners to look for security problems themselves, tools should do that for them.

In that spirit, we as a class will build a mini tool that automatically runs static security analysis for NumCpp (https://github.com/dpilger26/NumCpp), a popular C++ library that contains many data structure-related implementations. For this workshop, you will use `cppcheck` (https://cppcheck.sourceforge.io/) and `git hooks`. You will build a Git Hook that automatically identifies known security weaknesses for practitioners who develop and use `NumCpp`.


In-class Hands-on Experience 

1. Create a GitHub account if you haven't yet.
2. Install `cppcheck` on your computer.
3. Fork the `NumCpp` repository with your GitHub account.
4. Clone the forked repository on your computer.
5. Go to `.git/hooks/` in the cloned repository.
6. Run `cp pre-commit.sample pre-commit`.
7. Open `pre-commit`.
8. Edit `pre-commit` to run `cppcheck -h`.
9. Modify any `.c` or `.cpp` file.
10. Commit the modified file to see the effects of the modified `pre-commit` hook.

A recording of the hands-on experience is available here


Post Lab Experience

1. Modify your `pre-commit` file so that it scans your `NumCpp` repository whenever you commit any file.
2. Capture screenshots of your output.
3. Modify any `.cpp` file in the `NumCpp` repository.
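The following hook is an added example for the in-class and post-lab steps above; it is not part of NumCpp or cppcheck. It replaces the body of the copied `.git/hooks/pre-commit` file, runs `cppcheck` over the C/C++ files staged for the commit, and refuses the commit when cppcheck reports a finding. The chosen `--enable` categories and file extensions are assumptions; adjust them to the course's needs.

```shell
#!/bin/sh
# Added example pre-commit hook (not NumCpp's own code): run cppcheck on
# the staged C/C++ sources and block the commit if anything is reported.

# Keep only C/C++ source and header paths (one path per line on stdin).
# Extension list is an assumption; extend it if the repository needs more.
filter_cxx_files() {
    grep -E '\.(c|cc|cpp|cxx|h|hpp)$' || true
}

# Map cppcheck's exit status to a commit decision. With --error-exitcode=1,
# cppcheck exits 0 when it finds nothing and 1 when it reports a finding.
hook_verdict() {
    if [ "$1" -eq 0 ]; then echo "commit allowed"; else echo "commit blocked"; fi
}

# Paths staged for this commit. --diff-filter=ACMR excludes deletions, so
# cppcheck is never handed a file that no longer exists in the worktree.
staged_files() {
    git diff --cached --name-only --diff-filter=ACMR
}

run_hook() {
    files=$(staged_files | filter_cxx_files)
    if [ -z "$files" ]; then
        echo "pre-commit: no C/C++ files staged, skipping cppcheck"
        return 0
    fi
    # Word splitting of $files is intended (one path per word); paths that
    # contain whitespace are not handled by this simple hook.
    cppcheck --enable=warning,performance,portability --inline-suppr \
             --error-exitcode=1 --quiet $files
    status=$?
    echo "pre-commit: $(hook_verdict "$status")"
    return "$status"
}

# Only act when Git invokes this file as .git/hooks/pre-commit. When the
# script is sourced or run under another name nothing is executed, which
# keeps the helper functions testable outside a repository.
case "${0##*/}" in
    pre-commit) run_hook; exit $? ;;
esac
```

Because the hook returns cppcheck's exit status, a non-zero result aborts the commit; `git commit --no-verify` bypasses the hook, so treat it as a developer aid rather than an enforcement boundary and keep the same cppcheck run in CI.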