Skip to content

feat: add Debian cppcheck official evidence#135

Merged
SSobol77 merged 1 commit into
mainfrom
feature/f4-linux-deb-cppcheck-official-evidence
Jul 9, 2026
Merged

feat: add Debian cppcheck official evidence#135
SSobol77 merged 1 commit into
mainfrom
feature/f4-linux-deb-cppcheck-official-evidence

Conversation

@SSobol77

@SSobol77 SSobol77 commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Summary

Add verified official-source distro evidence for the existing Debian cppcheck mapping.

This PR promotes exactly one additional existing mapping:

  • artifact: deb
  • source policy artifact: deb
  • distro family: debian
  • tool: cppcheck
  • package name: cppcheck
  • executable name: cppcheck

After this PR, exactly four generated evidence records are verified-official-source:

  • deb/yamllint
  • deb/shellcheck
  • deb/clang-tidy
  • deb/cppcheck

No other mapping is promoted.

What changed

  • Extended OFFICIAL_DISTRO_EVIDENCE_BY_POLICY with one new override:

    • ("deb", "cppcheck")
  • Generated evidence for deb/cppcheck now uses:

    • evidence_source_type = official-distro-metadata
    • evidence_status = verified-official-source
    • official_source_kind = distro-package-index
    • verification_scope = package-name-and-executable
    • official_source_url = https://packages.debian.org/cppcheck
    • evidence_record_id = official-distro-metadata:deb:cppcheck
    • external_verification_required_for_new_mappings = false
    • release_blocking = false

Official Debian evidence basis

The evidence note references:

  • Debian package metadata:
    • https://packages.debian.org/cppcheck
  • Debian filelist metadata:
    • https://packages.debian.org/sid/amd64/cppcheck/filelist
  • Debian manpage metadata:
    • https://manpages.debian.org/unstable/cppcheck/cppcheck.1.en.html

These sources are used only as evidence for the existing package/executable mapping. No versions are added as contract fields.

Promotion boundary

Existing official evidence is preserved:

  • deb/yamllint
  • deb/shellcheck
  • deb/clang-tidy

Docker helper mappings are intentionally not promoted:

  • docker-deb-helper/yamllint remains repository-local-policy/current-policy-baseline
  • docker-deb-helper/shellcheck remains repository-local-policy/current-policy-baseline
  • docker-deb-helper/clang-tidy remains repository-local-policy/current-policy-baseline
  • docker-deb-helper/cppcheck remains repository-local-policy/current-policy-baseline

All RPM/openSUSE/Arch/Slackware mappings remain unchanged.

Scope controls

This PR does not:

  • add package names
  • change OS_PACKAGE_NAMES
  • change executable names
  • add package versions as contract fields
  • add checksums
  • run package managers
  • download anything
  • perform network operations
  • vendor binaries or archives
  • add generated artifacts
  • weaken the Full-required baseline
  • reclassify required tools as optional
  • touch UI/provider/parser/runtime/TextMate/theme code

Verifier behavior

The existing promotion gate remains enforced.

Added/updated tests verify rejection of tampered deb/cppcheck official evidence, including:

  • official source URL drift
  • official source kind drift
  • verification scope drift
  • verified package-name drift
  • verified executable-name drift
  • source type downgrade to repository-local-policy
  • missing verification note
  • evidence record ID downgrade to repository-local-policy:deb:cppcheck

Validation

Passed locally / by agent report:

uv run ruff check src tests scripts
uv run ruff format --check src tests scripts
uv run python scripts/check_runtime_imports.py
uv run pytest -q tests/packaging/test_f4_linter_linux_provisioning.py
uv run pytest -q tests/packaging
uv run pytest -q tests/extensions/linters
uv run pytest -q tests/docs

Observed results:

tests/packaging/test_f4_linter_linux_provisioning.py: 100 passed
tests/packaging: 473 passed
tests/extensions/linters: 226 passed
tests/docs: 18 passed

Safety:

No new package names.
No OS_PACKAGE_NAMES changes.
No executable-name changes.
No package versions as contract fields.
No checksums.
No package-manager calls.
No downloads.
No network operations.
No generated artifacts.
No vendored binaries.
No UI/provider/parser/runtime/TextMate/theme changes.

Next work

A follow-up PR can promote the next single existing Debian mapping only after adding similarly explicit official-source evidence and verifier coverage.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@SSobol77, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 28 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 09c2af65-1cb8-4791-addc-fd6cdf4a9f3f

📥 Commits

Reviewing files that changed from the base of the PR and between 7a59227 and f6a55cb.

📒 Files selected for processing (2)
  • scripts/f4_linter_linux_provisioning.py
  • tests/packaging/test_f4_linter_linux_provisioning.py
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/f4-linux-deb-cppcheck-official-evidence

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

@SSobol77 SSobol77 merged commit 7aef1d6 into main Jul 9, 2026
5 checks passed
@SSobol77 SSobol77 deleted the feature/f4-linux-deb-cppcheck-official-evidence branch July 9, 2026 21:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant