koalaman / shellcheck Goto Github PK

View Code? Open in Web Editor NEW

35.0K 419.0 1.7K 5.49 MB

ShellCheck, a static analysis tool for shell scripts

Home Page: https://www.shellcheck.net

License: GNU General Public License v3.0

Haskell 96.76% Shell 2.15% Dockerfile 1.09%

haskell shell static-analysis bash linter developer-tools

shellcheck's Introduction

ShellCheck - A shell script static analysis tool

ShellCheck is a GPLv3 tool that gives warnings and suggestions for bash/sh shell scripts:

The goals of ShellCheck are

To point out and clarify typical beginner's syntax issues that cause a shell to give cryptic error messages.
To point out and clarify typical intermediate level semantic problems that cause a shell to behave strangely and counter-intuitively.
To point out subtle caveats, corner cases and pitfalls that may cause an advanced user's otherwise working script to fail under future circumstances.

See the gallery of bad code for examples of what ShellCheck can help you identify!

How to use
Installing
Compiling from source
Gallery of bad code
Testimonials
Ignoring issues
Reporting bugs
Contributing
Copyright
Other Resources

How to use

There are a number of ways to use ShellCheck!

On the web

Paste a shell script on https://www.shellcheck.net for instant feedback.

ShellCheck.net is always synchronized to the latest git commit, and is the easiest way to give ShellCheck a go. Tell your friends!

From your terminal

Run shellcheck yourscript in your terminal for instant output, as seen above.

In your editor

You can see ShellCheck suggestions directly in a variety of editors.

Vim, through ALE, Neomake, or Syntastic:

Emacs, through Flycheck or Flymake:

Sublime, through SublimeLinter.
Pulsar Edit (former Atom), through linter-shellcheck-pulsar.
VSCode, through vscode-shellcheck.
Most other editors, through GCC error compatibility.

In your build or test suites

While ShellCheck is mostly intended for interactive use, it can easily be added to builds or test suites. It makes canonical use of exit codes, so you can just add a shellcheck command as part of the process.

For example, in a Makefile:

check-scripts:
    # Fail if any of these files have warnings
    shellcheck myscripts/*.sh

or in a Travis CI .travis.yml file:

script:
  # Fail if any of these files have warnings
  - shellcheck myscripts/*.sh

Services and platforms that have ShellCheck pre-installed and ready to use:

Travis CI
Codacy
Code Climate
Code Factor
CircleCI via the ShellCheck Orb
Github (only Linux)
Trunk Check (universal linter; allows you to explicitly version your shellcheck install) via the shellcheck plugin

Most other services, including GitLab, let you install ShellCheck yourself, either through the system's package manager (see Installing), or by downloading and unpacking a binary release.

It's a good idea to manually install a specific ShellCheck version regardless. This avoids any surprise build breaks when a new version with new warnings is published.

For customized filtering or reporting, ShellCheck can output simple JSON, CheckStyle compatible XML, GCC compatible warnings as well as human readable text (with or without ANSI colors). See the Integration wiki page for more documentation.

Installing

The easiest way to install ShellCheck locally is through your package manager.

On systems with Cabal (installs to ~/.cabal/bin):

cabal update
cabal install ShellCheck

On systems with Stack (installs to ~/.local/bin):

stack update
stack install ShellCheck

On Debian based distros:

sudo apt install shellcheck

On Arch Linux based distros:

pacman -S shellcheck

or get the dependency free shellcheck-bin from the AUR.

On Gentoo based distros:

emerge --ask shellcheck

On EPEL based distros:

sudo yum -y install epel-release
sudo yum install ShellCheck

On Fedora based distros:

dnf install ShellCheck

On FreeBSD:

pkg install hs-ShellCheck

On macOS (OS X) with Homebrew:

brew install shellcheck

Or with MacPorts:

sudo port install shellcheck

On OpenBSD:

pkg_add shellcheck

On openSUSE

zypper in ShellCheck

Or use OneClickInstall - https://software.opensuse.org/package/ShellCheck

On Solus:

eopkg install shellcheck

On Windows (via chocolatey):

C:\> choco install shellcheck

Or Windows (via winget):

C:\> winget install --id koalaman.shellcheck

Or Windows (via scoop):

C:\> scoop install shellcheck

From conda-forge:

conda install -c conda-forge shellcheck

From Snap Store:

snap install --channel=edge shellcheck

From Docker Hub:

docker run --rm -v "$PWD:/mnt" koalaman/shellcheck:stable myscript
# Or :v0.4.7 for that version, or :latest for daily builds

or use koalaman/shellcheck-alpine if you want a larger Alpine Linux based image to extend. It works exactly like a regular Alpine image, but has shellcheck preinstalled.

Using the nix package manager:

nix-env -iA nixpkgs.shellcheck

Alternatively, you can download pre-compiled binaries for the latest release here:

Linux, x86_64 (statically linked)
Linux, armv6hf, i.e. Raspberry Pi (statically linked)
Linux, aarch64 aka ARM64 (statically linked)
macOS, aarch64
macOS, x86_64
Windows, x86

or see the GitHub Releases for other releases (including the latest meta-release for daily git builds).

There are currently no official binaries for Apple Silicon, but third party builds are available via ShellCheck for Visual Studio Code.

Distro packages already come with a man page. If you are building from source, it can be installed with:

pandoc -s -f markdown-smart -t man shellcheck.1.md -o shellcheck.1
sudo mv shellcheck.1 /usr/share/man/man1

pre-commit

To run ShellCheck via pre-commit, add the hook to your .pre-commit-config.yaml:

repos:
-   repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.7.2
    hooks:
    -   id: shellcheck
#       args: ["--severity=warning"]  # Optionally only show errors and warnings

Travis CI

Travis CI has now integrated ShellCheck by default, so you don't need to manually install it.

If you still want to do so in order to upgrade at your leisure or ensure you're using the latest release, follow the steps below to install a binary version.

Installing a pre-compiled binary

The pre-compiled binaries come in tar.xz files. To decompress them, make sure xz is installed. On Debian/Ubuntu/Mint, you can apt install xz-utils. On Redhat/Fedora/CentOS, yum -y install xz.

A simple installer may do something like:

scversion="stable" # or "v0.4.7", or "latest"
wget -qO- "https://github.com/koalaman/shellcheck/releases/download/${scversion?}/shellcheck-${scversion?}.linux.x86_64.tar.xz" | tar -xJv
cp "shellcheck-${scversion}/shellcheck" /usr/bin/
shellcheck --version

Compiling from source

This section describes how to build ShellCheck from a source directory. ShellCheck is written in Haskell and requires 2GB of RAM to compile.

Installing Cabal

ShellCheck is built and packaged using Cabal. Install the package cabal-install from your system's package manager (with e.g. apt-get, brew, emerge, yum, or zypper).

On macOS (OS X), you can do a fast install of Cabal using brew, which takes a couple of minutes instead of more than 30 minutes if you try to compile it from source.

$ brew install cabal-install

On MacPorts, the package is instead called hs-cabal-install, while native Windows users should install the latest version of the Haskell platform from https://www.haskell.org/platform/

Verify that cabal is installed and update its dependency list with

$ cabal update

Compiling ShellCheck

git clone this repository, and cd to the ShellCheck source directory to build/install:

$ cabal install

This will compile ShellCheck and install it to your ~/.cabal/bin directory.

Add this directory to your PATH (for bash, add this to your ~/.bashrc):

export PATH="$HOME/.cabal/bin:$PATH"

Log out and in again, and verify that your PATH is set up correctly:

$ which shellcheck
~/.cabal/bin/shellcheck

On native Windows, the PATH should already be set up, but the system may use a legacy codepage. In cmd.exe, powershell.exe and Powershell ISE, make sure to use a TrueType font, not a Raster font, and set the active codepage to UTF-8 (65001) with chcp:

chcp 65001

In Powershell ISE, you may need to additionally update the output encoding:

[Console]::OutputEncoding = [System.Text.Encoding]::UTF8

Running tests

To run the unit test suite:

$ cabal test

Gallery of bad code

So what kind of things does ShellCheck look for? Here is an incomplete list of detected issues.

Quoting

ShellCheck can recognize several types of incorrect quoting:

echo $1                           # Unquoted variables
find . -name *.ogg                # Unquoted find/grep patterns
rm "~/my file.txt"                # Quoted tilde expansion
v='--verbose="true"'; cmd $v      # Literal quotes in variables
for f in "*.ogg"                  # Incorrectly quoted 'for' loops
touch $@                          # Unquoted $@
echo 'Don't forget to restart!'   # Singlequote closed by apostrophe
echo 'Don\'t try this at home'    # Attempting to escape ' in ''
echo 'Path is $PATH'              # Variables in single quotes
trap "echo Took ${SECONDS}s" 0    # Prematurely expanded trap
unset var[i]                      # Array index treated as glob

Conditionals

ShellCheck can recognize many types of incorrect test statements.

[[ n != 0 ]]                      # Constant test expressions
[[ -e *.mpg ]]                    # Existence checks of globs
[[ $foo==0 ]]                     # Always true due to missing spaces
[[ -n "$foo " ]]                  # Always true due to literals
[[ $foo =~ "fo+" ]]               # Quoted regex in =~
[ foo =~ re ]                     # Unsupported [ ] operators
[ $1 -eq "shellcheck" ]           # Numerical comparison of strings
[ $n && $m ]                      # && in [ .. ]
[ grep -q foo file ]              # Command without $(..)
[[ "$$file" == *.jpg ]]           # Comparisons that can't succeed
(( 1 -lt 2 ))                     # Using test operators in ((..))
[ x ] & [ y ] | [ z ]             # Accidental backgrounding and piping

Frequently misused commands

ShellCheck can recognize instances where commands are used incorrectly:

grep '*foo*' file                 # Globs in regex contexts
find . -exec foo {} && bar {} \;  # Prematurely terminated find -exec
sudo echo 'Var=42' > /etc/profile # Redirecting sudo
time --format=%s sleep 10         # Passing time(1) flags to time builtin
while read h; do ssh "$h" uptime  # Commands eating while loop input
alias archive='mv $1 /backup'     # Defining aliases with arguments
tr -cd '[a-zA-Z0-9]'              # [] around ranges in tr
exec foo; echo "Done!"            # Misused 'exec'
find -name \*.bak -o -name \*~ -delete  # Implicit precedence in find
# find . -exec foo > bar \;       # Redirections in find
f() { whoami; }; sudo f           # External use of internal functions

Common beginner's mistakes

ShellCheck recognizes many common beginner's syntax errors:

var = 42                          # Spaces around = in assignments
$foo=42                           # $ in assignments
for $var in *; do ...             # $ in for loop variables
var$n="Hello"                     # Wrong indirect assignment
echo ${var$n}                     # Wrong indirect reference
var=(1, 2, 3)                     # Comma separated arrays
array=( [index] = value )         # Incorrect index initialization
echo $var[14]                     # Missing {} in array references
echo "Argument 10 is $10"         # Positional parameter misreference
if $(myfunction); then ..; fi     # Wrapping commands in $()
else if othercondition; then ..   # Using 'else if'
f; f() { echo "hello world; }     # Using function before definition
[ false ]                         # 'false' being true
if ( -f file )                    # Using (..) instead of test

Style

ShellCheck can make suggestions to improve style:

[[ -z $(find /tmp | grep mpg) ]]  # Use grep -q instead
a >> log; b >> log; c >> log      # Use a redirection block instead
echo "The time is `date`"         # Use $() instead
cd dir; process *; cd ..;         # Use subshells instead
echo $[1+2]                       # Use standard $((..)) instead of old $[]
echo $(($RANDOM % 6))             # Don't use $ on variables in $((..))
echo "$(date)"                    # Useless use of echo
cat file | grep foo               # Useless use of cat

Data and typing errors

ShellCheck can recognize issues related to data and typing:

args="$@"                         # Assigning arrays to strings
files=(foo bar); echo "$files"    # Referencing arrays as strings
declare -A arr=(foo bar)          # Associative arrays without index
printf "%s\n" "Arguments: $@."    # Concatenating strings and arrays
[[ $# > 2 ]]                      # Comparing numbers as strings
var=World; echo "Hello " var      # Unused lowercase variables
echo "Hello $name"                # Unassigned lowercase variables
cmd | read bar; echo $bar         # Assignments in subshells
cat foo | cp bar                  # Piping to commands that don't read
printf '%s: %s\n' foo             # Mismatches in printf argument count
eval "${array[@]}"                # Lost word boundaries in array eval
for i in "${x[@]}"; do ${x[$i]}   # Using array value as key

Robustness

ShellCheck can make suggestions for improving the robustness of a script:

rm -rf "$STEAMROOT/"*            # Catastrophic rm
touch ./-l; ls *                 # Globs that could become options
find . -exec sh -c 'a && b {}' \; # Find -exec shell injection
printf "Hello $name"             # Variables in printf format
for f in $(ls *.txt); do         # Iterating over ls output
export MYVAR=$(cmd)              # Masked exit codes
case $version in 2.*) :;; 2.6.*) # Shadowed case branches

Portability

ShellCheck will warn when using features not supported by the shebang. For example, if you set the shebang to #!/bin/sh, ShellCheck will warn about portability issues similar to checkbashisms:

echo {1..$n}                     # Works in ksh, but not bash/dash/sh
echo {1..10}                     # Works in ksh and bash, but not dash/sh
echo -n 42                       # Works in ksh, bash and dash, undefined in sh
expr match str regex             # Unportable alias for `expr str : regex`
trap 'exit 42' sigint            # Unportable signal spec
cmd &> file                      # Unportable redirection operator
read foo < /dev/tcp/host/22      # Unportable intercepted files
foo-bar() { ..; }                # Undefined/unsupported function name
[ $UID = 0 ]                     # Variable undefined in dash/sh
local var=value                  # local is undefined in sh
time sleep 1 | sleep 5           # Undefined uses of 'time'

Miscellaneous

ShellCheck recognizes a menagerie of other issues:

PS1='\e[0;32m\$\e[0m '            # PS1 colors not in \[..\]
PATH="$PATH:~/bin"                # Literal tilde in $PATH
rm “file”                         # Unicode quotes
echo "Hello world"                # Carriage return / DOS line endings
echo hello \                      # Trailing spaces after \
var=42 echo $var                  # Expansion of inlined environment
!# bin/bash -x -e                 # Common shebang errors
echo $((n/180*100))               # Unnecessary loss of precision
ls *[:digit:].txt                 # Bad character class globs
sed 's/foo/bar/' file > file      # Redirecting to input
var2=$var2                        # Variable assigned to itself
[ x$var = xval ]                  # Antiquated x-comparisons
ls() { ls -l "$@"; }              # Infinitely recursive wrapper
alias ls='ls -l'; ls foo          # Alias used before it takes effect
for x; do for x; do               # Nested loop uses same variable
while getopts "a" f; do case $f in "b") # Unhandled getopts flags

Testimonials

At first you're like "shellcheck is awesome" but then you're like "wtf are we still using bash"

Alexander Tarasikov, via Twitter

Ignoring issues

Issues can be ignored via environmental variable, command line, individually or globally within a file:

https://github.com/koalaman/shellcheck/wiki/Ignore

Reporting bugs

Please use the GitHub issue tracker for any bugs or feature suggestions:

https://github.com/koalaman/shellcheck/issues

Contributing

Please submit patches to code or documentation as GitHub pull requests! Check out the DevGuide on the ShellCheck Wiki.

Contributions must be licensed under the GNU GPLv3. The contributor retains the copyright.

Copyright

ShellCheck is licensed under the GNU General Public License, v3. A copy of this license is included in the file LICENSE.

Happy ShellChecking!

Other Resources

The wiki has long form descriptions for each warning, e.g. SC2221.
ShellCheck does not attempt to enforce any kind of formatting or indenting style, so also check out shfmt!

shellcheck's People

Contributors

Stargazers

Watchers

Forkers

louiez carenas hnrzsz mcandre mitchellwrosen rjp daniellawrence apennebaker sriram1103 lazysmile jackode cheecheeo optionalg bag-of-projects asmeurer ifixit inthecloud247 h4ck3rm1k3 shrikant-aher ticallion mrmanc jamesbroadhead patmart michaelpereira leoh0 erreur32 bunam chgosportsfan rodrigosetti exceptionzproject wyingquan jbnicolai dreamcat4 persi ngeorgieff anandselva adamjmendoza doniexun sashka vlajos rjmi004 christophgysin karianna dhamodar michft clebeer vejobuj snehalkunjir 18z kenosky matthieugonnet basicsbeauty iosipov chubbymaggie bdkoepke polysquare-builder enramos david-caro antonini davinirjr deryni nanwu johnjohnsp1 dmreiland melbshark v0re cloudxtreme incidunt sitaktif peterpt rustynails8 michael-shipl ifa6 spyc0 sjas chadbrewbaker datachand icyfork nettedfish mbeniamino noscripter waytongxue kathir2903 qsc-plt andrey01 aubreyand zuoguocai mm3 simudream brijen zzzzpaul paul0952710801 traytonwhite fawaf defconcepts jim3ma manuelkasiske haguenau macbash tigerwood

shellcheck's Issues

Add a man page

Hi,

I have packaged ShellCheck for Fedora, it should be available for Fedora 19+ in less than a week :)

Now this is my duty to get a man page in the package, but even if it weren't for Fedora I would've asked. Of course I can help with that, if you're not familiar with it. I'd recommend a markup language such as rst (with rst2man, my favorite one) or markdown (with ronn), but man pages are written in (not so) plain text.

There may also be an existing tool in the Haskell ecosystem that would fit better, I don't know.

Reduce number of false positives for variables in printf strings

There are some legitimate use cases for variables in printf strings, like

printf "%${pad_len}s\n" "pad me"

We should reduce false positives, e.g. by looking for %s or valid format codes in the printf string, indicating that the user is familiar with them

Variables are assumed not to have spaces by default. Maybe they should.

binaries installed in wrong place

On my machine, cabal install puts the Shellcheck binaries in a weird place:

$ cabal install
...
Installing executable(s) in
/Users/apennebaker/Library/Haskell/ghc-7.6.3/lib/ShellCheck-0.2.0/bin

Not sure if this is an error in Shellcheck's Cabal configuration, or an error in Haskell Platform's Cabal configuration.

In any case, I was able to get around this by manually adding export PATH="$PATH:~/Library/Haskell/ghc-7.6.3/lib/ShellCheck-0.2.0/bin" to my ~/.profile.

System:

$ specs haskell os
Specs:

specs 0.7
https://github.com/mcandre/specs#readme

cabal --version
cabal-install version 1.16.0.2
using version 1.16.0 of the Cabal library 

ghc --version
The Glorious Glasgow Haskell Compilation System, version 7.6.3

ghc-pkg field haskell-platform version
version: 2013.2.0.0

system_profiler SPSoftwareDataType | grep 'System Version'
      System Version: OS X 10.9 (13A603)

Filename collision

On OS X, the shellcheck compiled output collides with the ShellCheck directory due to case insensitivity. I don't know the convention in Haskell, but perhaps you could output the binary in a build directory (ghc --make shellcheck -o build/shellcheck). Or maybe use cabal.

$ make
: Conditionally compiling shellcheck
ghc -O9 --make shellcheck
[1 of 5] Compiling ShellCheck.AST   ( ShellCheck/AST.hs, ShellCheck/AST.o )
[2 of 5] Compiling ShellCheck.Parser ( ShellCheck/Parser.hs, ShellCheck/Parser.o )
[3 of 5] Compiling ShellCheck.Analytics ( ShellCheck/Analytics.hs, ShellCheck/Analytics.o )
[4 of 5] Compiling ShellCheck.Simple ( ShellCheck/Simple.hs, ShellCheck/Simple.o )
[5 of 5] Compiling Main             ( shellcheck.hs, shellcheck.o )
Linking shellcheck ...
ld: can't open output file for writing: shellcheck, errno=21 for architecture x86_64
collect2: error: ld returned 1 exit status
make: *** [shellcheck] Error 1

No warnings for missing ;; in case statements

To wit:

case $var in
a )
foo
b )
bar
esac

Ignore word split warning inside echo

12      echo $FIELDMATCH | sed -r "s/#FIELD#/$1/"
             ^–– Unquoted variable may contain spaces/globs, and will word split.

Confusion re: expr deprecation for strings

Shellcheck says to replace expr ..., as expr is deprecated. For mathematical expressions, I can use $((...)) instead. But what should I use for string expressions?

FizzBuzz example:

mcandre/toys#2 (comment)

Add shellcheck to Hackage

If we add shellcheck to Hackage, users can simply cabal install shellcheck.

Warn about break/continnue in subshells

Like with variable modification, break/continue are ineffectual in subshells:

while true; do { foo || break; } | bar; done

Conflicting parsec versions on build, Ubuntu 12.04

Hi,

Running Ubuntu 12.04.2 LTS with the packages given in the README:

ghc6 libghc6-parsec3-dev libghc6-quickcheck2-dev libghc6-json-dev libghc-regex-compat-dev

and also cabal. Current shellcheck HEAD cloned:

~/github/shellcheck$ git log -1 --oneline
de1fa61 Warn about client side expansion in ssh strings/heredocs.

configure seems okay but build fails:

~/github/shellcheck$ cabal configure
Resolving dependencies...
Configuring ShellCheck-0.1.0...
~/github/shellcheck$ cabal build 
Building ShellCheck-0.1.0...
Preprocessing executable 'shellcheck' for ShellCheck-0.1.0...

ShellCheck/Simple.hs:23:8:
    Could not find module `Text.Parsec.Pos'
    It is a member of the hidden package `parsec-3.1.2'.
    Perhaps you need to add `parsec' to the build-depends in your .cabal file.
    Use -v to see a list of the files searched for.
~/github/shellcheck$

With -v flag as suggested:

~/github/shellcheck$ cabal build -v 
creating dist/build
creating dist/build/autogen
Building ShellCheck-0.1.0...
Preprocessing executable 'shellcheck' for ShellCheck-0.1.0...
Building executable shellcheck...
creating dist/build/shellcheck
creating dist/build/shellcheck/shellcheck-tmp
/usr/bin/ghc --make -o dist/build/shellcheck/shellcheck -hide-all-packages -fbuilding-cabal-package -package-conf dist/package.conf.inplace -i -idist/build/shellcheck/shellcheck-tmp -i. -idist/build/autogen -Idist/build/autogen -Idist/build/shellcheck/shellcheck-tmp -optP-include -optPdist/build/autogen/cabal_macros.h -odir dist/build/shellcheck/shellcheck-tmp -hidir dist/build/shellcheck/shellcheck-tmp -stubdir dist/build/shellcheck/shellcheck-tmp -package-id base-4.5.0.0-40b99d05fae6a4eea95ea69e6e0c9702 -package-id containers-0.4.2.1-cfc6420ecc2194c9ed977b06bdfd9e69 -package-id directory-1.1.0.2-ebacad9b5233212b1abbebce9b7e6524 -package-id json-0.5-b3efb968dbdfc514365c5250445af3ff -package-id mtl-2.0.1.0-db19dd8a7700e3d3adda8aa8fe5bf53d -package-id parsec-2.1.0.1-defe69eb7a92d23008966c94e32574a7 -package-id regex-compat-0.95.1-851005df9f3cd69b337623025f7c092b -O -XHaskell98 ./shellcheck.hs

ShellCheck/Simple.hs:23:8:
    Could not find module `Text.Parsec.Pos'
    It is a member of the hidden package `parsec-3.1.2'.
    Perhaps you need to add `parsec' to the build-depends in your .cabal file.
    Use -v to see a list of the files searched for.
~/github/shellcheck$

I have three parsec-dev packages installed:

un  libghc-parsec-dev                             <none>                                        (no description available)
un  libghc-parsec-dev-2.1.0.1-defe6               <none>                                        (no description available)
un  libghc-parsec-dev-3.1.2-a6715                 <none>                                        (no description available)
ii  libghc-parsec2-dev                            2.1.0.1-6                                     Haskell monadic parser combinator library for GHC
ii  libghc-parsec3-dev                            3.1.2-1                                       Haskell monadic parser combinator library for GHC
ii  libghc6-parsec3-dev                           1:6                                           transitional dummy package

cabal info parsec says:

Versions available: 2.0, 2.1.0.0, 2.1.0.1, (3.0.0), (3.0.1), (3.1.0)
Versions installed: 2.1.0.1, (3.1.2)

(and Text.ParserCombinators.Parsec.Pos is included in the modules listing).

An explicit dependency parsec == 2.1.0.1 does not change the build error
(as I expected). However setting parsec == 3.1.2 reveals:

~/github/shellcheck$ cabal configure
Resolving dependencies...
Configuring ShellCheck-0.1.0...
Warning: This package indirectly depends on multiple versions of the same
package. This is highly likely to cause a compile failure.
package json-0.5 requires parsec-2.1.0.1
package ShellCheck-0.1.0 requires parsec-3.1.2
~/github/shellcheck$

No more recent version of json appears to be available in Ubuntu (although there is a slightly older version of 0.5).

Because I'm a WILD AND CRAZY guy I tried cabal build in any case and
that seems to produce a working executable. But obviously something a
little fishy here...

Parse error with for loops without the "in" part

Hi,

ShellCheck is awesome, but it fails to parse this code:

for i do
  echo $i
done

It works only when the do statement is clearly separated:

for i; do
  echo $i
done

# or

for i
do
  echo $i
done

All shells (except [t]csh) I have tried support all three syntaxes. POSIX [1] doesn't clearly state how the do reserved word is supposed to delimit the loop's body.

Best Regards,
Dridi

[1] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_09_04_03

test with implicit "-n"

The following test case was created from /etc/cron.daily/prelink on RHEL6:

#!/bin/sh
[ "`find /var/lib/prelink/quick -mtime -${PRELINK_NONRPM_CHECK_INTERVAL:-7} 2>/dev/null`" \
   -a -f /var/lib/rpm/Packages \
   -a /var/lib/rpm/Packages -ot /var/lib/prelink/quick ] && exit 0

# shellcheck testcase.sh 

In testcase.sh line 2:
[ "`find /var/lib/prelink/quick -mtime -${PRELINK_NONRPM_CHECK_INTERVAL:-7} 2>/dev/null`" \
^-- Couldn't parse this test expression.


In testcase.sh line 3:
   -a -f /var/lib/rpm/Packages \
         ^-- Unexpected "/". Fix any mentioned problems and try again.

Here's a slightly modified version with an explicit "-n" which doesn't show the parsing problem:

#!/bin/sh
[ -n "`find /var/lib/prelink/quick -mtime -${PRELINK_NONRPM_CHECK_INTERVAL:-7} 2>/dev/null`" \
   -a -f /var/lib/rpm/Packages \
   -a /var/lib/rpm/Packages -ot /var/lib/prelink/quick ] && exit 0

# shellcheck testcase2.sh 

In testcase2.sh line 2:
[ -n "`find /var/lib/prelink/quick -mtime -${PRELINK_NONRPM_CHECK_INTERVAL:-7} 2>/dev/null`" \
     ^-- Use $(..) instead of deprecated `..`

I.e. there is a parsing problem when the explicit "-n" is missing. According to the man page test(1) both variants should be equivalent:

      -n STRING
             the length of STRING is nonzero

      STRING equivalent to -n STRING

Incorrect parsing of | in regex

In rename_files_from_cue.sh line 14:

if (($#!=2)) || [[ ! -f "$2" ]] || [[ ! "$1" =~ ogg|flac ]]; then
^-- The mentioned parser error was in this if expression.
^-- Couldn't parse this test expression.
^-- Unexpected keyword/token. Fix any mentioned problems and try again.

Thanks to Norbert Varzariu for reporting.

Here document parsed as starting from token rather than the next line

cat << EOF > /dev/null
foo
EOF

the here document is parsed as starting with > /dev/null rather than foo

Add perl to list of commands where $ in single quotes is accepted

Perl tends to incorrectly trigger the variable-in-single-quotes warning, as in

perl -F: -lane 'print $F[0]' /etc/passwd

It should be added to the accepted list along with awk and trap.

Questionable tip on replacing "$(dirname …)"

This is questionable, since it ignores the very real cornercase of "$0" being a plain word ("dirname foo" is ".", not "foo").

scriptdir="$(cd "$(dirname "$0")" && pwd)"
                   ^-- Use parameter expansion instead, such as ${var%/*}.

shellcheck for other shell languages?

I plan to run Shellcheck over some zsh, ksh scripts, etc. etc. Would Shellcheck print warnings specific to these shell languages? Would Shellcheck even recognize the syntax?

Shellcheck is awesome, by the way!

false positive on "cat | while read"

I prefer this construct a lot over having an obscure redirect after "done" to feed the while loop:

cat "$pkglist" | while read pkg; do
    ^-- Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.

cabal install fails on OS X 10.9 GHC 7.6.3

I cloned the tree and did a cabal install and it failed. Here's the relevant error:
[6 of 6] Compiling Main ( shellcheck.hs, dist/build/shellcheck/shellcheck-tmp/Main.o )

shellcheck.hs:159:39:
Not in scope: catch' Perhaps you meantcatch#' (imported from GHC.Exts)

shellcheck.hs:220:5:
Not in scope: catch' Perhaps you meantcatch#' (imported from GHC.Exts)
Failed to install ShellCheck-0.2.0
cabal: Error: some packages failed to install:
ShellCheck-0.2.0 failed during the building phase. The exception was:
ExitFailure 1

Have I screwed up somewhere?

Stop warning about variables in single quoted args to ssh

Allow disabling warnings by comments

There should be a way to disable false positives in comments, e.g.

# shellcheck disable-msg SC2086
echo $1

These should be scoped for structure for which they appear, or the entire file if at the top.

test with <<-!

cat <<-!SOME_MARKER | xargs echo
test
test2
!SOME_MARKER

1 cat <<-!SOME_MARKER | xargs echo
^––
SC1009 The mentioned parser error was in this simple command.

      ^––

SC1073 Couldn't parse this here document.

         ^––

SC1072 Unexpected keyword/token. Fix any mentioned problems and try again.

2 test
3 test2
4 !SOME_MARKER
5

dirname replacement

I'm not entirely sure if this is a bug, so please forgive me if it's a problem with my script instead

shellcheck suggests that i replace "dirname $0" with "${var%/*}"
however, when i run the script with "bash scriptname" or "sh scriptname", the parameter expansion does not result in the same string:
dirname: "."
parameter expansion: "scriptname"

hope that helps

Comment on var=foo echo "$var"

Silence specific warnings

It would be very helpful to turn of warnings in specific cases. Pylint warnings can be silenced with a comment:

pylint: disable-msg=C0103

Something similar would be very useful. Another option would be a config file where you could turn off specific warnings globally.

Add options to generate input for other systems

Add a option to create shell and html output compareable to http://www.shellcheck.net/
and create checkstyle output.

Example:
$ shellcheck --recursive --outputdir=target/shellcheck --checkstyle-file target/checkstyle.xml target/ shellscriptfolder

This example would:

recursively search the folder "shellscriptfolder" for shellscripts
creates html output in the folder "target/shellcheck"
(one outputfile for every shellscript, same directory structure like in "shellscriptfolder)
creates a output file compatible to the well known "checkstyle" tool
(http://checkstyle.sourceforge.net/)

This might be very useful for automatic build environments.
Jenkins/Hudson provide plugins for publishing html outout or for interpreting checkstyle reports (provide a awesome presentation and statistics from the checkstyle files to the build metrics of the project)

GCC output mode uses virtual columns rather than real columns

Try to detect incorrect arithmetics, like i=i+1

eval foo=(bar) is valid bash but doesn't parse in Shellcheck

With ksh namespaces, variable names can contain periods

Warn about possibly dangerous rm commands

Consider:
foo=$(something)
rm -r "/usr/$foo"

The assignment could fail due to program errors or ulimit, and rm would then delete /usr/

Is there a way to warn about these things that's useful and not full of false positives?

Add shellcheck to Homebrew

If we add shellcheck to Homebrew, users can simply brew install shellcheck.

"for arg do" is reported as syntax error despite being valid

The shorthand for for arg in "$@"; do, for arg do (note: without the requirement of a semicolon), is reported as a violation of SC107{3,2}, but it is explicitly permitted by POSIX, and in fact is more portable than for arg; do (with semicolon).

A script that triggers this:

for arg do
    echo "$arg"
done

expr is sometimes the only option

VERSION=$(expr "$VERSION" : '.*"\(1.[0-9\.]*\)["_]')
          ^-- expr is antiquated. Consider rewriting this using $((..)), ${} or [[ ]].

In this case the regular expression cannot be handled by the suggested mechanisms.

expr "$VERSION" \< 1.2 >/dev/null && continue
^-- expr is antiquated. Consider rewriting this using $((..)), ${} or [[ ]].

expr can compare floats

Unexpected parse error in for loop

This parse error doesn't seem right:

In test.sh line 3:
for (( i=0 ; i<10 ; i++ )) ; do
^-- Couldn't parse this for loop.
^-- Expected 'do'.
^-- Unexpected ";". Fix any mentioned problems and try again.

Apparently, the parser is not expecting the semicolon before 'do', but man bash says it is a correct syntax:

   for (( expr1 ; expr2 ; expr3 )) ; do list ; done
          First, the arithmetic expression expr1 is evaluated according to the rules described below under ARITHMETIC EVALUATION.  The arithmetic expression expr2 is then evaluated repeatedly until it  evaluates  to
          zero.  Each time expr2 evaluates to a non-zero value, list is executed and the arithmetic expression expr3 is evaluated.  If any expression is omitted, it behaves as if it evaluates to 1.  The return value
          is the exit status of the last command in list that is executed, or false if any of the expressions is invalid.

False positive warning for find

This warning is invalid:

find trunk -type f -name '*.gcda' -print0 |\
^-- Don't use find | xargs cmd. find -exec cmd {} + handles whitespace.

find ... -print0 | xargs -0 ... handles whitespace.
And piping to xargs can be orders of magnitude(!) faster than using -exec {}, which is single-threaded, blocking, and not file system cache friendly:

$ rm -f /tmp/foo; time find /usr/lib64 -type f 2>/dev/null -print0 | xargs -0 md5sum >>/tmp/foo 2>/dev/null

real 0m3.304s
user 0m2.971s
sys 0m0.373s
$ rm -f /tmp/foo; time find /usr/lib64 -type f 2>/dev/null -exec md5sum >>/tmp/foo {} ;

real 0m14.842s
user 0m4.928s
sys 0m5.174s

If anything, the warning should be the other way - never use exec {} if there's an opportunity to use -print0 | xargs -0

Array appears unused despite being processed in an expression

This example script converts first letter to capital of first argument passed to it.
Shellcheck reports array "small" is not being used despite it is getting processed inside printf expression.

#!/bin/bash

small=( a b c d e f g h i j k l m n o p q r s t u v w x y z )
capital=( A B C D E F G H I J K L M N O P Q R S T U V W X Y Z )

pos() {
declare -a my_array=("${!2}")
for (( i = 0; i < ${#my_array[@]}; i++ )); do
   if [ "${my_array[$i]}" = "${1}" ]; then
       echo $i;
   fi
done
}

printf "%s%s" "${capital[$(pos "${1::1}" "small[@]")]}" "${1#?}"

exit 0

False positive warning for ls

This warning is incorrect:

ls -1N | cat
^-- Don't parse ls output; it mangles filenames.

When used with -N and a pipe, ls does not mangle file names, but passes them on raw. What you have after the pipe might mangle them, of course, but that's a different issue.

Omit "No comments for <file>" messages

I like to run shellcheck *.sh to scan a whole directory at once. But the helpful messages are often hidden inside long lists of No comments for <file>. Could we turn this message off by default, so that shellcheck only shows warnings, like how CheckStyle works?

Parsing error when using brace-grouped command as argument

This fails, when it should not:
time { true; }

Function names not as permissive as bash function names

... and ? are valid function names in bash, however shellcheck chokes on them and stops parsing

Parser error for pipe directly after keyword: for f; do true; done| cat

Generare shell from Haskell?

Interesting project.

I am wondering if it would be possible to use the AST to generate correct shell scripts from Haskell. The use case I have in mind is what Ansible is doing: managing remote hosts with SSH and shell scripts.

Add Fedora build prerequisites command to readme

yum install cabal-install ghc ghc-parsec-devel ghc-QuickCheck-devel ghc-json-devel ghc-regex-compat-devel

Thanks to Norbert Varzariu

test=`grep "\"" test`

1 test=grep "\"" test
^––
SC1009 The mentioned parser error was in this simple command.

               ^––

SC1073 Couldn't parse this double quoted string.

                     ^––

SC1072 Unexpected eof. Fix any mentioned problems and try again

Test expression with operator as a variable not parsed.

Hello

It looks like this expression is not parsed correctly.

[ -"${option_type:0:1}" "$value" ]
^-- Couldn't parse this test expression.
^-- Unexpected """. Fix any mentioned problems and try again.

For the record, the line context is available at https://github.com/Anvil/bash-argsparse/blob/master/argsparse.sh#L614

Thank you.

In ksh93, 'function' keyword is required for typeset with local variables

Compare:

foo() { typeset lul; lul=42; }; foo; echo $lul

function foo { typeset lul; lul=42; }; foo; echo $lul

Bad substitution not reported

#!/bin/bash
var=ab
echo "${"$(echo "${var//a/a1}")"//b/b1}"
exit 0

this erronous script reports bad substitution when run in bash shell but reports OK with shellcheck.

Tag a stable release

Hi, would it be possible that you tag a stable release of the software?

That would help getting the package accepted in Homebrew: Homebrew/legacy-homebrew#21231

Also, being a person who's experienced with Haskell, could you please see the discussion at the aforementioned ticket and add your thoughts about the Cabal issues we're having? Namely preventing it from writing into the user's HOME directory (~/.cabal)