What's new in Splunk AppInspect

The current version of the Splunk AppInspect CLI tool and API is 1.5.0. This topic summarizes the changes included in each version of the CLI tool and API.

v1.5.0 (2017-08-25)

This section of "What's new" details what has changed in version 1.5.0 of the Splunk AppInspect CLI tool and API:

General improvements

  • Added filtering for package testing to increase notification response time.
  • Improved the checks against the known list of .conf files to make clearer what is and isn't allowed.
  • Users can set the number of messages that are returned for any individual check before the messages are suppressed. The default number of messages is set to 25.
    • splunk-appinspect inspect app.tgz - Returns 25 messages before suppressing others.
    • splunk-appinspect inspect --max-messages all app.tgz - Suppresses no messages.
    • splunk-appinspect inspect --max-messages 50 app.tgz - Returns 50 messages before suppressing others.
    • splunk-appinspect inspect --max-messages foo app.tgz - Returns an error to the user and stops the run.

1.5.0 Check changes

  • Added check_that_extracted_splunk_app_contains_default_app_conf_file to check that the extracted Splunk App contains a default/app.conf file.
  • Added check_that_extracted_splunk_app_contains_default_app_conf_file_with_valid_version_number to check that the extracted Splunk App contains a default/app.conf file that contains an [id] or [launcher] stanza with a version property that is formatted as Major.Minor.Revision.
  • Added check_that_extracted_splunk_app_does_not_contain_invalid_directories to check that the extracted Splunk App does not contain any directories with incorrect permissions. Every directory must have the owner's permissions set to r/w/x (700).
  • Added check_that_extracted_splunk_app_does_not_contain_prohibited_directories_or_files to check that the extracted Splunk App does not contain any directories or files that start with a ., or directories that start with __MACOSX.
  • Added check_that_splunk_app_package_extracts_to_directory to check that the compressed Splunk App extracts to a directory.
  • Added check_that_splunk_app_package_extracts_to_visible_directory to check that the compressed artifact extracts to a directory that does not start with a . character.
  • Added check_that_splunk_app_package_name_does_not_start_with_period to check that the Splunk app provided does not start with a . character.
  • Added check_no_default_stanzas to check that the app does not contain any .conf files that create global definitions using the [default] stanza.
  • Added check_index_definition_does_not_contain_invoke_scripts_options to check that no index definition contains script-invoking options, including warmToColdScript, coldToFrozenScript, and vix.command.
  • Added check_index_definition_has_required_options to check that every index definition has all required options, including homePath, coldPath, and thawedPath.
  • Added check_setup_in_distributed_environment to check that the app can be set up on a distributed system after self-service.
  • Added check_lookup_csv_is_valid to check that .csv files are not empty, have at least two columns, have headers with no more than 4096 characters, do not use Macintosh-style (\r) line endings, have the same number of columns in every row, and contain only UTF-8 characters.
  • Added check_for_sched_saved_searches_earliest_and_latest_time to check that if a savedsearches.conf stanza contains scheduling options, it also specifies an earliest and a latest time.
  • Added check_archived_files to check that any compressed archives within the main release that need extracting are explained in the app's documentation.
  • Added check_authentication_conf_does_not_have_bindDNPassword_property to check that stanzas in authentication.conf do not use the bindDNpassword property.
  • Added check_authorize_conf_capability_not_modified to check that authorize.conf does not contain any modified capabilities.
  • Added check_audit_conf_black_list to check that the app does not contain audit.conf, as it is prohibited in Splunk Cloud due to its ability to configure or disable cryptographic signing and certificates.
  • Added check_authentication_conf_black_list to check that the app does not contain authentication.conf, as it is prohibited in Splunk Cloud: it can configure LDAP authentication and could contain LDAP credentials in plain text.
  • Added check_crawl_conf_black_list to check that the app does not contain crawl.conf, as it was deprecated in Splunk 6.0 and allows Splunk to introspect the file system, which is not permitted in Splunk Cloud.
  • Added check_datatypesbnf_conf_black_list to check that the app does not contain datatypesbnf.conf, as it is prohibited in Splunk Cloud.
  • Added check_default_mode_conf_black_list to check that the app does not contain default-mode.conf. It is prohibited in Splunk Cloud because light forwarders and universal forwarders are not run in Splunk Cloud.
  • Added check_deployment_conf_black_list to check that the app does not contain deployment.conf. Apps should leave deployment configuration to Splunk administrators.
  • Added check_deploymentclient_conf_black_list to check that the app does not contain deploymentclient.conf, as it configures the deployment server client. Apps should leave deployment configuration to Splunk administrators.
  • Added check_instance_cfg_conf_black_list to check that the app does not contain instance.cfg.conf. Apps should not configure server- or instance-specific settings.
  • Added check_literals_conf_black_list to check that the app does not contain literals.conf. Apps should not alter or override text strings displayed in Splunk Web.
  • Added check_messages_conf_black_list to check that the app does not contain messages.conf. Apps should not alter or override messages or externalized strings.
  • Added check_outputs_conf_black_list to check that the app does not contain outputs.conf, as forwarding is not permitted in Splunk Cloud.
  • Added check_pubsub_conf_black_list to check that the app does not contain pubsub.conf, as it defines a custom client for the deployment server. Apps should leave deployment configuration to Splunk administrators.
  • Added check_segmenters_conf_black_list to check that the app does not contain segmenters.conf. A misconfigured segmenters.conf can result in unsearchable data that can only be addressed by re-indexing, and segmenters.conf configuration is system-wide.
  • Added check_server_conf_black_list to check that the app does not contain server.conf, as it is prohibited in Splunk Cloud due to its ability to manipulate server settings that are incompatible with Splunk Cloud and can break ingestion.
  • Added check_serverclass_conf_black_list to check that the app does not contain serverclass.conf, as it defines deployment server classes for use with the deployment server. Apps should leave deployment configuration to Splunk administrators.
  • Added check_serverclass_seed_xml_conf_black_list to check that the app does not contain serverclass.seed.xml.conf, as it configures deploymentClient to seed a Splunk installation with applications at startup time. Apps should leave deployment configuration to Splunk administrators.
  • Added check_source_classifier_conf_black_list to check that the app does not contain source-classifier.conf, as it configures system-wide settings for ignoring terms (such as sensitive data).
  • Added check_sourcetypes_conf_black_list to check that the app does not contain sourcetypes.conf, as it is a machine-generated file that stores source type learning rules. props.conf should be used to define sourcetypes.
  • Added check_splunk_launch_conf_black_list to check that the app does not contain splunk-launch.conf, as it defines environment values used at startup time. System-wide environment variables should be left to Splunk administrators.
  • Added check_telemetry_conf_black_list to check that the app does not contain telemetry.conf, as it controls a Splunk-internal feature that should not be configured by apps.
  • Added check_user_seed_conf_black_list to check that the app does not contain user-seed.conf, as it is used to preconfigure default login and password information.
  • Added check_wmi_conf_black_list to check that the app does not contain wmi.conf, as it is prohibited in Splunk Cloud due to its ability to configure Splunk to ingest data via Windows Management Instrumentation, which should be done via a forwarder. Forwarders are not permitted in Splunk Cloud.
  • Added check_for_default_values_for_modviz to check that every property defined in the spec file README/savedsearches.conf.spec has a default value in default/savedsearches.conf; the check fails for any property that is defined in the spec file without a default.
  • Added check_for_formatter_html_bad_nodes to check appserver/static/visualizations/<viz_name>/formatter.html for bad nodes that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
  • Added check_for_formatter_html_comments to check appserver/static/visualizations/<viz_name>/formatter.html for comments that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
  • Added check_for_formatter_html_css_expressions to check appserver/static/visualizations/<viz_name>/formatter.html for CSS expressions in any tag that are replaced by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
  • Added check_for_formatter_html_inappropriate_attributes to check appserver/static/visualizations/<viz_name>/formatter.html for inappropriate attributes that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
  • Added check_for_formatter_html_inline_style_attributes to check appserver/static/visualizations/<viz_name>/formatter.html for inline style attributes from all tags that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
  • Added check_for_required_files_for_visualization to check that for each custom visualization stanza in default/visualizations.conf there is a matching directory in the appserver/static/visualizations/<visualization_name> directory.
  • Added check_for_visualizations_preview_png to check the required file appserver/static/visualizations/<viz_name>/preview.png exists for the visualization.
  • Added check_for_advanced_xml_web_conf_endpoints to check for Module System web.conf endpoints. The Module system was deprecated in Splunk 6.3 as part of the advanced XML deprecation. See: Module System User Manual.
  • Added check_web_conf to check that default/web.conf only defines [endpoint:] and [expose:] stanzas, with [expose:*] only containing pattern= and methods=.
  • Added check_web_conf_expose_patterns_have_restmap_matches to check that apps only expose web endpoints that the app itself defines in default/restmap.conf. Each default/web.conf [expose:] stanza should have a pattern= property that defines the URL pattern to expose, and each exposed URL pattern should correspond to a stanza in default/restmap.conf whose URL pattern is defined by the match= property or, for [admin:] stanzas, by a combination of the match= and members= properties.
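As an added example (not AppInspect's own code), the following Python function applies the rules that the check_lookup_csv_is_valid entry above lists for lookup CSV files. The 4096-character limit is applied to each column header (an assumption; the note does not say whether it is per header or per header line), and the sample inputs are constructed.

```python
# Added example, not AppInspect's own implementation: validate a lookup CSV
# against the rules the check_lookup_csv_is_valid release note lists.
import csv
import io

MAX_HEADER_LEN = 4096  # assumption: the limit applies to each column header

# Constructed sample inputs.
GOOD_CSV = b"user,role\nalice,admin\nbob,user\n"
BAD_CSV = b"user\ralice,extra\r"  # \r line endings, one column, ragged row


def validate_lookup_csv(raw: bytes) -> list:
    """Return a list of problem strings; an empty list means the CSV is valid."""
    problems = []
    # Only UTF-8 content is allowed; anything else is rejected outright.
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return ["non-UTF-8 byte sequence at offset %d" % exc.start]
    # Macintosh-style line endings: a bare \r that is not part of \r\n.
    if "\r" in text.replace("\r\n", ""):
        problems.append("Macintosh-style (\\r) line endings")
        text = text.replace("\r\n", "\n").replace("\r", "\n")
    rows = list(csv.reader(io.StringIO(text)))
    if not any(rows):  # no rows, or only blank lines
        problems.append("file is empty")
        return problems
    header = rows[0]
    if len(header) < 2:
        problems.append("header has fewer than two columns")
    for name in header:
        if len(name) > MAX_HEADER_LEN:
            problems.append("header %r exceeds %d characters"
                            % (name[:20], MAX_HEADER_LEN))
    # Every data row must have exactly as many columns as the header.
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append("line %d has %d columns, header has %d"
                            % (lineno, len(row), len(header)))
    return problems


if __name__ == "__main__":
    for label, data in (("good", GOOD_CSV), ("bad", BAD_CSV)):
        print(label, validate_lookup_csv(data) or "OK")
```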

v1.4.1 (2017-03-13)

This section of "What's new" details what has changed in version 1.4.1 of the Splunk AppInspect CLI tool and API:

  • Bug fix: Some users were encountering "ImportError: 'module' object has no attribute 'main'" when running splunk-appinspect in certain environments.

v1.4.0 (2017-02-28)

This section of "What's new" details what has changed in version 1.4.0 of the Splunk AppInspect CLI tool and API:

General improvements

  • AppInspect now generates a clear error when the app fails because default/app.conf is missing instead of silently failing.
  • Previously, if you used the "cloud" tag, the default bin/readme.txt file would be flagged for manual review. This has been removed and apps with just this file in the bin directory will not be flagged for manual review.
  • Checks for automatic updates and platform-specific binaries no longer report a manual check if the bin/ and architecture-specific binary directories are empty or absent. In these cases the checks return not_applicable rather than manual_check.
  • Previously the check check_metadata_white_list returned a manual_check if there were non .meta files in the metadata directory. Now that check correctly returns a failure.
  • Checks in the ITSI group have been improved to reduce false positives. ITSI checks will now run only if the app is an ITSI module.
  • Previous versions of AppInspect returned the number of failed checks as the exit code for the app. AppInspect v1.3.0 and later changes this behavior so that the exit code follows these rules:
    • If AppInspect completes correctly, it returns exit code 0 (zero).
    • If AppInspect has errors but completes the run, it returns exit code 1.
    • If AppInspect has errors that prevent it from completing the run, it returns exit code 2.
    • If AppInspect is given a bundle without an app.conf file, or the bundle isn't an app at all, it returns exit code 3.
  • Empty local/ directories will no longer cause AppInspect to produce a manual_check result.
  • Apps can no longer create roles that grant administrative permissions. AppInspect prevents apps from defining roles that:
    • Create a role with admin_all_objects = enabled in any stanza.
    • Create a role that inherits from admin: importRoles = admin.
    • Create a role that inherits from sc_admin: importRoles = sc_admin.
    • Create a role with change_authentication = enabled.
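As an added example (not AppInspect's own code), this Python function applies the four role rules above to the text of an authorize.conf and reports each stanza that would grant administrative rights. It uses the standard library configparser for the INI-style stanza syntax, treats importRoles as a semicolon-separated list, and the sample file is constructed.

```python
# Added example, not AppInspect's own implementation: flag authorize.conf
# stanzas that grant administrative rights, per the four rules in these notes.
import configparser

ADMIN_PARENT_ROLES = {"admin", "sc_admin"}
FORBIDDEN_WHEN_ENABLED = ("admin_all_objects", "change_authentication")

# Constructed sample: one least-privilege role and two that must be rejected.
SAMPLE_AUTHORIZE_CONF = """\
[role_app_reader]
importRoles = user
srchIndexesAllowed = app_idx

[role_app_operator]
importRoles = power;admin
admin_all_objects = enabled

[role_app_auth_mgr]
change_authentication = enabled
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse INI-style Splunk .conf text, keeping key case, no interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys such as importRoles are case-sensitive
    cp.read_string(text)
    return cp


def find_admin_grants(text: str) -> list:
    """Return (stanza, reason) pairs for every rule violation found."""
    findings = []
    cp = parse_conf(text)
    for stanza in cp.sections():
        section = cp[stanza]
        # Rules 1 and 4: admin_all_objects / change_authentication = enabled,
        # checked in every stanza as the note states.
        for key in FORBIDDEN_WHEN_ENABLED:
            if section.get(key, "").strip().lower() == "enabled":
                findings.append((stanza, "%s = enabled" % key))
        # Rules 2 and 3: inheriting from admin or sc_admin via importRoles,
        # which Splunk stores as a semicolon-separated list.
        parents = {p.strip() for p in section.get("importRoles", "").split(";")}
        for parent in sorted(parents & ADMIN_PARENT_ROLES):
            findings.append((stanza, "importRoles includes %s" % parent))
    return findings


if __name__ == "__main__":
    for stanza, reason in find_admin_grants(SAMPLE_AUTHORIZE_CONF):
        print("FAIL [%s]: %s" % (stanza, reason))
```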

Check changes

  • Added check_app_icon_is_png to test whether the image is an image in Portable Network Graphics format ("a PNG").
  • Added check_app_icon_dimensions to test whether the image matches Splunk requirements.
  • Added check_app_icon_2x_is_png to test whether image is a PNG.
  • Added check_app_icon_2x_dimensions to test whether the image matches Splunk requirements.
  • Added check_app_icon_alt_is_png to test whether image is a PNG.
  • Added check_app_icon_alt_dimensions to test whether the image matches Splunk requirements.
  • Added check_app_icon_alt_2x_is_png to test whether image is a PNG.
  • Added check_app_icon_alt_2x_dimensions to test whether the image matches Splunk requirements.
  • Added check_app_logo_is_png to test whether the image is a PNG.
  • Added check_app_logo_dimensions to test whether the image matches Splunk requirements.
  • Added check_app_logo_2x_is_png to test whether the image is a PNG.
  • Added check_app_logo_2x_dimensions to test whether the image matches Splunk requirements.
  • Added check_that_directory_name_matches_package_id in order to confirm that extracted packages match the name listed in the app.conf [package] stanza.
  • Added check_authorize_conf_admin_all_objects_privileges to validate that excessive administrative privileges are not provided.
  • Added check_for_empty_saved_search_description to identify empty descriptions in saved searches.
  • Refined check_for_questionable_commands to match with more accuracy, and a broader set.
  • Refined the check for verifying that the metadata directory only contains *.meta files to return a failure for each non-.meta file rather than a manual check, since these files should never be included.
  • Refined the check for default/limits.conf from a manual check to a failure if the file exists.
  • Refined check for auto-update features output.
  • Refined check_platform_specific_binaries to exclude root level bin directory.
  • Refined check_for_splunk_js_header_and_footer_view to be a warning instead of failure, as deprecation does not mean removed from Splunk core support.
  • Refined check_for_appropiate_inputs_monitor_stanza to provide the application path.
  • Refined ITSI checks to only run on packages starting with DA-ITSI.
  • Refined versioning support for checks.
  • Refined tagging support for checks.
  • Removed the check_app_icon test and replaced it with more rigorous tests.
  • Removed default exclusion of ITSI checks. They will now be run in addition to other tests.

Dependency changes

  • Added dependency for 'dimensions' library.
  • Removed dependency for 'six'.
  • Changed lxml dependency to target newest version for better platform distribution support.

Documentation changes

  • Added documentation and doc strings for testing.
  • Added doc strings to the checks.py class.
  • Added doc strings to the validator.py class.
  • Added a doc string for the ModularInputs class.
  • Typo fixes have been applied.
  • Grammar changes have been applied.

User experience changes

  • Added exit code based on app_package_handler being empty.
  • Added exit code based on successful execution of AppInspect.
  • Added exit code based on errors in validation_report object.
  • Refined AppInspect to provide more explicit exit codes for failures.
  • Refined help menu output in order to indicate valid values allowed.

v1.3.1 (2016-11-21)

This section of "What's new" details what has changed in version 1.3.1 of the Splunk AppInspect CLI tool and API:

General improvements

  • Improved automated screening of apps for Splunk Cloud. Running the inspect command with the cloud tag will now indicate whether an app will need manual review before it can be installed in Splunk Cloud. For instance:
    splunk-appinspect inspect --mode precert --included-tags cloud <app>
  • Updated validation status to indicate checks complete and in flight.
  • Created the ability to get CLI version using the following command:
    splunk-appinspect list version
  • Added README files to whitelist for root directory and data/ui/views directory.

New checks

  • Added check for whether an app is using features that have been deprecated or removed in Splunk Enterprise 6.5.
  • Refined automated screening of inputs.conf for Splunk Cloud.
  • Added check to verify ITSI module file and folder structure. These checks are excluded by default. Use --included-tags itsi to include them.
  • (AppInspect API only.) Added check to determine whether modular inputs (default/inputs.conf) and specification files (README/inputs.conf.spec) match.
  • Added automated detection of JavaScript and Perl to scripting language checks.

Improved checks

  • Changed the destructive commands check to a manual check when potentially destructive commands are found.
  • Finding the sudo command now reports a manual check rather than a failure.
  • Any link.uri values in workflowactions.conf that do not start with https:// or http:// now report a manual check rather than a failure. URIs starting with "http://" still fail this check.
  • Checks to validate lookups now allow .csv.default.
  • Checks for hard coded paths now exclude .csv files.
  • Errors are now returned for the "invalid JSON in JSON files" check to help troubleshoot what caused the malformed JSON.
  • Improved exception handling to check for empty lookup files.
  • Improved non-UTF-8 character exception handling.

Bug fixes

  • Fixed issue with Windows environment using the *nix file command.
  • Fixed issue with certain checks overlapping in the final AppInspect report output when run on Windows.

v1.2.0 (2016-09-27)

  • Initial public release.