
rpminspect-0.6

@dcantrell released this 19 Sep 17:53

New features:

  • Add the 'shellsyntax' inspection.

    This is another test inspired by rpminspect's ancestor. Here's what it does:

    1. Shell scripts are run through their shell with the '-n' option, and the output and return code are collected.
    2. If the exit code is non-zero, the script is reported as invalid and marked RESULT_BAD.
    3. If there is a before build, perform the same check on the script from the before build.
      a) If the script was bad before but good after, report RESULT_INFO that the script is now valid.
      b) If the script was good before but bad after, report RESULT_BAD that the script is now invalid.
    4. In any case, if the shell is 'bash' and the '-n' check returns non-zero, try it again with '-n -O extglob'. If that passes, report that the script is invalid with -n but valid with extglob and that the script needs "shopt extglob" in it.

    Some scripts report MIME types as "text/plain" and some are "text/x-shellscript". I stick with looking for "text/" and then trying to read the #! line.

    This inspection is not suitable for languages like Perl or Python because those programs lack a syntax checker with a '-n' option. Also, Perl and Python programs tend to be more complicated than a shell script.

    Lastly, the list of shells this inspection works for is set in the "shells" setting in rpminspect.conf. The default list is:

    sh ksh zsh csh tcsh rc bash

    You can modify this list or disable the inspection if you don't have these shells available or just don't want to run the shellsyntax inspection. The shells listed in this setting must be the basename(3) of the program and not the full path. This means that rpminspect expects them to be executable in the $PATH in its environment.
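The shellsyntax procedure above, steps 1 through 4 plus the #! lookup, as an added Python example (not rpminspect's own C code). It assumes the shell is found by basename in $PATH, that '-n' accepts the script on stdin, and that a '#!/usr/bin/env bash' line maps to 'bash'.

```python
import os
import shutil
import subprocess

RESULT_OK, RESULT_INFO, RESULT_BAD = "RESULT_OK", "RESULT_INFO", "RESULT_BAD"

def shell_from_shebang(text):
    """Basename of the #! interpreter, or None. Assumption: '#!/usr/bin/env bash' -> 'bash'."""
    first = text.splitlines()[0] if text else ""
    words = first[2:].split() if first.startswith("#!") else []
    if not words:
        return None
    name = os.path.basename(words[0])
    return words[1] if name == "env" and len(words) > 1 else name

def syntax_check(text, shell, extra=()):
    """Feed the script to '<shell> -n [extra]'; returns (exit code or None, combined output)."""
    if shutil.which(shell) is None:  # shells are named by basename and must be in $PATH
        return None, f"{shell}: not found in $PATH"
    proc = subprocess.run([shell, "-n", *extra], input=text, text=True,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return proc.returncode, proc.stdout

def classify(text, shell):
    """'valid', 'invalid', 'needs-extglob' (bash only) or 'no-shell'."""
    rc, _ = syntax_check(text, shell)
    if rc is None or rc == 0:
        return "no-shell" if rc is None else "valid"
    # bash only: retry with extglob so a script that merely lacks 'shopt -s extglob' is told so
    if shell == "bash" and syntax_check(text, shell, ("-O", "extglob"))[0] == 0:
        return "needs-extglob"
    return "invalid"

def shellsyntax(after, before=None, shell="sh"):
    """Before/after rules from the release notes; returns (result, message)."""
    now = classify(after, shell)
    if now == "no-shell":
        return None, f"{shell} unavailable, inspection skipped"
    if before is not None:
        was = classify(before, shell)
        if was != "valid" and now == "valid":
            return RESULT_INFO, "script was invalid in the before build and is now valid"
        if was == "valid" and now != "valid":
            return RESULT_BAD, "script was valid in the before build and is now invalid"
    if now == "needs-extglob":
        return RESULT_BAD, "invalid with -n but valid with -n -O extglob; add 'shopt -s extglob'"
    if now == "invalid":
        return RESULT_BAD, "shell -n reported a syntax error"
    return RESULT_OK, "syntax ok"
```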

  • Added the 'upstream' inspection:

    This is a new inspection for builds. It only runs when you are comparing a before and after build and it also only applies to SRPM files. Here's what it does:

    1. It finds the SRPM peers for the before and after builds.
    2. It gets the Version and Epoch from the RPM headers.
    3. If the before and after Versions differ -OR- if the Epoch exists in either package and is different, then discontinue the inspection.
    4. If the Versions and Epoch values are the same, do this:
      a) Report any SourceN files in the SRPM that appeared in the after build but were not in the before build. These are flagged as RESULT_VERIFY.
      b) Report any SourceN files in the SRPM whose content changed between the before and after build; these are marked as RESULT_BAD. The idea here is to catch a rebuild of the same version where the source files changed. This may be deliberate, but it could also be unexpected.
      c) Report any SourceN files in the SRPM that disappeared in the after build but were present in the before build. These are marked as RESULT_VERIFY.

    Content changes are detected by computing the SHA-256 digest of file peers. Care is taken to examine only those files that are SourceN files in the spec file. That list is obtained from the RPMTAG_SOURCE array in the SRPM header. This avoids examining patches and other SRPM members in this inspection.
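The upstream comparison above, as an added Python example (not rpminspect's own code). The SourceN list is parsed from the spec text as a stand-in for the RPMTAG_SOURCE array (assumption: the header carries the same names), and the two SRPMs are constructed in-memory dicts rather than real packages.

```python
import hashlib
import re

RESULT_VERIFY, RESULT_BAD = "RESULT_VERIFY", "RESULT_BAD"

def source_names(spec_text):
    """Basenames of every SourceN: entry in the spec. Stand-in for RPMTAG_SOURCE
    (assumption: the header stores the same names the spec lists)."""
    names = re.findall(r"^Source\d*:\s*(\S+)", spec_text, flags=re.MULTILINE)
    return {n.rsplit("/", 1)[-1] for n in names}

def source_digests(srpm):
    """SHA-256 of each SRPM member that is a SourceN file; patches and the spec are skipped."""
    spec = next(v for k, v in srpm["files"].items() if k.endswith(".spec")).decode()
    wanted = source_names(spec)
    return {k: hashlib.sha256(v).hexdigest() for k, v in srpm["files"].items() if k in wanted}

def upstream(before, after):
    """Compare SourceN files of two SRPMs at the same Version/Epoch; list of (result, msg)."""
    if before["version"] != after["version"]:
        return []                       # upstream version changed: nothing to compare
    eb, ea = before.get("epoch"), after.get("epoch")
    if (eb is not None or ea is not None) and eb != ea:
        return []                       # Epoch present on at least one side and differs
    db, da = source_digests(before), source_digests(after)
    out = []
    for name in sorted(da.keys() - db.keys()):
        out.append((RESULT_VERIFY, f"{name} is new in the after build"))
    for name in sorted(da.keys() & db.keys()):
        if da[name] != db[name]:
            out.append((RESULT_BAD, f"{name} changed content but Version/Epoch did not"))
    for name in sorted(db.keys() - da.keys()):
        out.append((RESULT_VERIFY, f"{name} was removed in the after build"))
    return out

# Constructed sample SRPMs (not real packages): same Version, tarball respun with new bytes,
# a patch changed (ignored) and an extra member not listed as a Source (ignored).
SPEC = (b"Name: foo\nVersion: 1.0\nSource0: https://example.invalid/foo-1.0.tar.gz\n"
        b"Source1: foo.sysconfig\nPatch0: fix.patch\n")
BEFORE = {"version": "1.0", "epoch": None, "files": {
    "foo.spec": SPEC, "foo-1.0.tar.gz": b"tarball-v1", "foo.sysconfig": b"OPTS=-q",
    "fix.patch": b"--- a\n+++ b\n"}}
AFTER = {"version": "1.0", "epoch": None, "files": {
    "foo.spec": SPEC, "foo-1.0.tar.gz": b"tarball-v1-respun", "foo.sysconfig": b"OPTS=-q",
    "fix.patch": b"--- a\n+++ c\n", "foo.service": b"[Unit]\n"}}
```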

  • Add the 'ownership' inspection to librpminspect.

    The ownership inspection enforces a handful of policies and reports changes in file owner and group information. It works both for single builds and when comparing two builds. If you are just running rpminspect against a single build, it skips the change-reporting part of the ownership inspection. Here's what it does:

    1. Iterates over every file in every package in the after build, but skips source packages.

    2. Checks to see if rpminspect has forbidden_owners set. If so, check if the file is owned by a forbidden owner. If it is, report that as RESULT_BAD.

    3. Checks to see if rpminspect has forbidden_groups set. If so, check if the file is owned by a forbidden group. If it is, report that as RESULT_BAD.

    4. Checks to see if the file is in a bin_path. If it is, verifies the file is owned by bin_owner and if not, reports that as RESULT_BAD.

    5. If a file is in a bin_path and not group owned by bin_group, then it performs some additional checks:
      a) Checks to see if CAP_SETUID is set on the file.
      b) If CAP_SETUID is set and the file is S_IXOTH, report as RESULT_BAD noting it is world executable.
      c) If CAP_SETUID is set and the file is S_IWGRP, report as RESULT_BAD requiring a Security Team review noting it is group writable.
      d) If CAP_SETUID is not set, report the file must be group owned by bin_group and is RESULT_BAD.

    6. In the case of a before and after build, compare the owners and groups of each file. Report any changes as RESULT_VERIFY unless the file is in a bin_path and the after build has changed to bin_owner and bin_group. In that case just report it as RESULT_INFO.
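Steps 2 through 6 of the ownership policy above for a single file, as an added Python example (not rpminspect's own code). The CONFIG values (bin paths, root as bin_owner/bin_group, mockbuild as the forbidden owner and group) are constructed assumptions standing in for rpminspect.conf, and file capabilities are represented as a set of names.

```python
import stat
from dataclasses import dataclass, field

RESULT_INFO, RESULT_VERIFY, RESULT_BAD = "RESULT_INFO", "RESULT_VERIFY", "RESULT_BAD"

# Constructed stand-in for the ownership settings in rpminspect.conf (values are assumptions).
CONFIG = {
    "bin_paths": ("/bin", "/sbin", "/usr/bin", "/usr/sbin"),
    "bin_owner": "root", "bin_group": "root",
    "forbidden_owners": ("mockbuild",), "forbidden_groups": ("mockbuild",),
}

@dataclass
class FileInfo:
    path: str
    owner: str
    group: str
    mode: int                                           # permission bits, e.g. 0o755
    caps: frozenset = field(default_factory=frozenset)  # file capabilities, e.g. {"cap_setuid"}

def in_bin_path(path, cfg=CONFIG):
    return any(path.startswith(p + "/") for p in cfg["bin_paths"])

def check_file(f, before=None, cfg=CONFIG):
    """Apply steps 2-6 to one after-build file; 'before' is its peer, if any."""
    out = []
    if f.owner in cfg["forbidden_owners"]:
        out.append((RESULT_BAD, f"{f.path}: forbidden owner {f.owner}"))
    if f.group in cfg["forbidden_groups"]:
        out.append((RESULT_BAD, f"{f.path}: forbidden group {f.group}"))
    binpath = in_bin_path(f.path, cfg)
    if binpath and f.owner != cfg["bin_owner"]:
        out.append((RESULT_BAD, f"{f.path}: must be owned by {cfg['bin_owner']}"))
    if binpath and f.group != cfg["bin_group"]:
        if "cap_setuid" in f.caps:  # setuid-capable binary not group owned by bin_group
            if f.mode & stat.S_IXOTH:
                out.append((RESULT_BAD, f"{f.path}: CAP_SETUID and world executable"))
            if f.mode & stat.S_IWGRP:
                out.append((RESULT_BAD, f"{f.path}: CAP_SETUID and group writable, "
                                        "Security Team review required"))
        else:
            out.append((RESULT_BAD, f"{f.path}: must be group owned by {cfg['bin_group']}"))
    if before is not None and (before.owner, before.group) != (f.owner, f.group):
        now_bin_owned = binpath and (f.owner, f.group) == (cfg["bin_owner"], cfg["bin_group"])
        out.append((RESULT_INFO if now_bin_owned else RESULT_VERIFY,
                    f"{f.path}: ownership changed {before.owner}:{before.group} "
                    f"-> {f.owner}:{f.group}"))
    return out
```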

Bug fixes:

  • Ignore .pyc and .pyo Python bytecode files in 'changedfiles'.
  • Return the correct result from inspect_metadata, inspect_emptyrpm, and inspect_specname.
  • Remove desktop_file_validate from rpminspect.conf; it was the only command you could override at runtime. This functionality may return in a separate config file in the future.
  • In the 'metadata' inspection, do not assume the Vendor tag is set. (#43)
  • Make -Werror=format-security happy. (#44)
  • Allow text output mode to work when it can't get a terminal width. (#42)
  • Return the correct exit code in main(). (#39)
  • In addedfiles, use RESULT_VERIFY for new security-related files.
  • Always combine stdout and stderr in run_cmd().
  • Discontinue the use of cpp when comparing C and C++ header files in the 'changedfiles' inspection. Behavior is inconsistent, so just take the diff(1) output and require review of comments as well as code.
  • In 'changedfiles', ignore /usr/lib/debug and /usr/src/debug.
  • result can be NULL when run_cmd() is called; remove the assert().
  • Code cleanups caught by clang. (#37)
  • README updates.

Changes in the code:

  • Use meson instead of GNU automake, autoconf, and libtool. There is a single meson.build file at the top level directory.
  • Replace utils/make-release.sh with release.sh at the top level. It almost works, but fails when uploading artifacts to github. I keep debugging this script a little bit with each release I make.
  • Move src/librpminspect/ to lib/ and src/rpminspect/ to src/.
  • Move tests/librpminspect/ to tests/lib/.
  • Add contrib report-json2html.py (fboucher@redhat.com).