Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFE: Show JAR containing java class #56

Closed
cipherboy opened this issue Oct 11, 2019 · 7 comments

Comments

@cipherboy
Copy link
Contributor

@cipherboy cipherboy commented Oct 11, 2019

The Java bytecode version check extracts JARs and inspects them for class files. This is nice, but the path is relatively arbitrary, e.g.:

501) File /org/jboss/resteasy/plugins/providers/AbstractEntityProvider.class
(/var/tmp/rpminspect/jar.zlKxJR/org/jboss/resteasy/plugins/providers/AbstractEntityProvider.class), Java byte code version 51 greater than expected 43 for product release rpm
Result: BAD
Waiver Authorization: Anyone

What I'd suggest is:

501) File <path> in <jar-path>
...

This helps when multiple JARs are shipped in a single RPM.

Thoughts?

@dcantrell

This comment has been minimized.

Copy link
Collaborator

@dcantrell dcantrell commented Oct 11, 2019

This is definitely a known deficiency, I was just saving it for clean up later. I guess it's later now.

I'll work on changing it to the output you've suggested and we can see how that looks. Should the path use slashes for separators within the jar file or something else?

@cipherboy

This comment has been minimized.

Copy link
Contributor Author

@cipherboy cipherboy commented Oct 11, 2019

Path using slashes is fine, especially if the file name ends with .class; JARs are Just Zips (TM). You're not really going to be copying / pasting this as e.g., an import statement (import org.jboss.resteasy....) to fix it, you're going to need to look on disk somewhere. So I think leaving it with slashes is nice. :)

Not trying to rush fixing it, just figured I'd report it since I hadn't seen it yet.. :)

@dcantrell

This comment has been minimized.

Copy link
Collaborator

@dcantrell dcantrell commented Oct 16, 2019

Sounds reasonable. Can you give me a simple package or package comparsion I could use as a test case?

@cipherboy

This comment has been minimized.

Copy link
Contributor Author

@cipherboy cipherboy commented Oct 16, 2019

JSS ships a single JAR and a symlink to that JAR, so the following should work:

$ rpminspect jss-4.6.1-2.fc31 jss-4.6.2-1.fc31

The JAR is at /usr/lib/java/jss4.jar, with /usr/lib64/jss/jss4.jar being a symbolic link to it. My expectation (without looking at the code) would be that only one entry for each issue should show up since it shouldn't consider symbolic links.

For a package that ships multiple JARs, try the core subpackage of resteasy:

$ rpminspect resteasy-core-3.0.19-4.fc26 resteasy-core-3.0.19-5.fc26

That contains a couple of different JARs:

  • /usr/share/java/resteasy/resteasy-jaxrs.jar
  • /usr/share/java/resteasy/resteasy-jaxrs-jandex.jar

Most of the classes for resteasy are in the former; the latter contains only metadata and no classes.

I'm not sure I know of any RPMs with multiple JARs off the top of my head.

@dcantrell

This comment has been minimized.

Copy link
Collaborator

@dcantrell dcantrell commented Oct 16, 2019

What about output that looks like:

  1. File /org/mozilla/jss/crypto/KeyWrapper.class (/usr/lib/java/jss4.jar),
    Java byte code version 52 greater than expected 43 for product release fc31
    Result: BAD
    Waiver Authorization: Anyone

  2. File /org/mozilla/jss/CryptoManager.class (/usr/lib/java/jss4.jar), Java
    byte code version 52 greater than expected 43 for product release fc31
    Result: BAD
    Waiver Authorization: Anyone

  3. File /org/mozilla/jss/UserCertConflictException.class
    (/usr/lib/java/jss4.jar), Java byte code version 52 greater than expected 43
    for product release fc31
    Result: BAD
    Waiver Authorization: Anyone

  4. File /org/mozilla/jss/CryptoManager$OCSPPolicy.class
    (/usr/lib/java/jss4.jar), Java byte code version 52 greater than expected 43
    for product release fc31
    Result: BAD
    Waiver Authorization: Anyone

I'm not sure why I did it the other way first, but the path in parens was the full path to the temporarily extract component from the jar file rather than the jar file itself...which I already had. Would this work?

@cipherboy

This comment has been minimized.

Copy link
Contributor Author

@cipherboy cipherboy commented Oct 16, 2019

That looks perfect :) The RPM maintainer should be readily able to map the JAR filename from their installed package to something useful (especially with the class path).

Thanks @dcantrell!

@dcantrell

This comment has been minimized.

Copy link
Collaborator

@dcantrell dcantrell commented Oct 16, 2019

Thanks!

dcantrell added a commit that referenced this issue Oct 16, 2019
@dcantrell dcantrell closed this Oct 16, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.