RFE: Show JAR containing java class

[cipherboy]

The Java bytecode version check extracts JARs and inspects them for class files. This is nice, but the path is relatively arbitrary, e.g.:

501) File /org/jboss/resteasy/plugins/providers/AbstractEntityProvider.class
(/var/tmp/rpminspect/jar.zlKxJR/org/jboss/resteasy/plugins/providers/AbstractEntityProvider.class), Java byte code version 51 greater than expected 43 for product release rpm
Result: BAD
Waiver Authorization: Anyone

What I'd suggest is:

501) File <path> in <jar-path>
...

This helps when multiple JARs are shipped in a single RPM.

Thoughts?

[dcantrell]

This is definitely a known deficiency, I was just saving it for clean up later. I guess it's later now.

I'll work on changing it to the output you've suggested and we can see how that looks. Should the path use slashes for separators within the jar file or something else?

[cipherboy]

Path using slashes is fine, especially if the file name ends with .class; JARs are Just Zips (TM). You're not really going to be copying / pasting this as e.g., an import statement (import org.jboss.resteasy....) to fix it, you're going to need to look on disk somewhere. So I think leaving it with slashes is nice. :)

Not trying to rush fixing it, just figured I'd report it since I hadn't seen it yet.. :)

[dcantrell]

Sounds reasonable. Can you give me a simple package or package comparsion I could use as a test case?

[cipherboy]

JSS ships a single JAR and a symlink to that JAR, so the following should work:

$ rpminspect jss-4.6.1-2.fc31 jss-4.6.2-1.fc31

The JAR is at /usr/lib/java/jss4.jar, with /usr/lib64/jss/jss4.jar being a symbolic link to it. My expectation (without looking at the code) would be that only one entry for each issue should show up since it shouldn't consider symbolic links.

For a package that ships multiple JARs, try the core subpackage of resteasy:

$ rpminspect resteasy-core-3.0.19-4.fc26 resteasy-core-3.0.19-5.fc26

That contains a couple of different JARs:

• /usr/share/java/resteasy/resteasy-jaxrs.jar
• /usr/share/java/resteasy/resteasy-jaxrs-jandex.jar

Most of the classes for resteasy are in the former; the latter contains only metadata and no classes.

I'm not sure I know of any RPMs with multiple JARs off the top of my head.

[dcantrell]

What about output that looks like:

4281. File /org/mozilla/jss/crypto/KeyWrapper.class (/usr/lib/java/jss4.jar),
      Java byte code version 52 greater than expected 43 for product release fc31
      Result: BAD
      Waiver Authorization: Anyone

4282. File /org/mozilla/jss/CryptoManager.class (/usr/lib/java/jss4.jar), Java
      byte code version 52 greater than expected 43 for product release fc31
      Result: BAD
      Waiver Authorization: Anyone

4283. File /org/mozilla/jss/UserCertConflictException.class
      (/usr/lib/java/jss4.jar), Java byte code version 52 greater than expected 43
      for product release fc31
      Result: BAD
      Waiver Authorization: Anyone

4284. File /org/mozilla/jss/CryptoManager$OCSPPolicy.class
      (/usr/lib/java/jss4.jar), Java byte code version 52 greater than expected 43
      for product release fc31
      Result: BAD
      Waiver Authorization: Anyone

I'm not sure why I did it the other way first, but the path in parens was the full path to the temporarily extract component from the jar file rather than the jar file itself...which I already had. Would this work?

[cipherboy]

That looks perfect :) The RPM maintainer should be readily able to map the JAR filename from their installed package to something useful (especially with the class path).

Thanks @dcantrell!

[dcantrell]

Thanks!