
Releases: rpminspect/rpminspect

rpminspect-0.8

17 Oct 19:40

Changes in this release:

  • Integration test suite continues to grow and fix problems.

  • The javabytecode inspection will report the JAR relative path as well as the path to the embedded class file when a problem is found. (#56)

  • libmandoc 1.14.5 API support. rpminspect continues to work with 1.14.4 and earlier releases and detects at build time which API to use. The mandoc API changed completely between the 1.14.4 and 1.14.5 releases. This is not entirely upstream's fault: rpminspect links mandoc as a shared library, which the upstream project does not officially support.

  • rpminspect now exits with code 2 when there is a program error. Exit code 0 means inspections passed and exit code 1 means there was at least one inspection failure. (#57)

  • If there is a Python json module exception raised in the test suite, print the inspection name, captured stdout, and captured stderr. This is meant to help debug the integration test suite.

  • Fix the Icon file check in the desktop inspection. Look at all possible icon path trees (set in rpminspect.conf). Also honor the extensionless syntax in the desktop file.

  • Fix the Exec file check in the desktop inspection so it honors arguments specified after the program name.

  • Fix a SIGSEGV when the before and/or after arguments on the command line contain ".." in the pathspec.

  • [MAJOR] Fix fundamental problems with the peer detection code. The integration test suite caught this and was leading to false results.

  • Add the IPv6 function blacklist check. The configuration file can carry a list of forbidden IPv6 functions and raise a failure if it finds any of those used.

rpminspect-0.7

08 Oct 17:19

The big change in this release is the partially-complete integration test suite. There are a number of inspections now and I wanted to get an integration test suite in place. I ask that future code contributions come with test cases and/or test case modifications.

New:

  • User-override for the exit threshold. The -t/--threshold option can be used to control what result code from the inspections will trigger a non-zero exit (failure). By default this is set to VERIFY, but you can use this option to pick any result code available.
  • Integration test suite (not all inspections have tests yet, but the base classes are in place for running rpminspect against an SRPM, a binary RPM, or a Koji build).
  • Fix problems running the test suite in Travis-CI. We grew some dependencies.
  • Releases are now handled by the utils/release.sh script which generates the tag, pushes to github, and posts this release entry and attaches the tarball and signature.
  • Add a basic set of integration tests to just make sure when you run rpminspect it doesn't crash.
  • I posted a pull request for the rpmfluff Python module in order to implement tests for the specname inspection: https://pagure.io/rpmfluff/pull-request/26

Bug fixes:

  • Correctly handle License strings with license abbreviations with spaces. The "ASL 2.0" abbreviation is a good example. The way the inspection breaks up the string on spaces was causing this license to fail the approval check because the code was checking for "ASL" and then "2.0". The inspection has been fixed to work with these types of license abbreviations. Test cases have been added for them as well.
  • Adjust the upstream inspection to always report upstream source changes, regardless of the NVR of the before and after packages. Changes are reported as VERIFY.
  • The specname inspection returns BAD if it never got to see an SRPM.
  • Some inspections were incorrectly marked as being valid for single builds. This has been corrected.
  • Fix the return value for the disttag inspection when it runs on non-SRPM packages.
  • All failures in the disttag inspection are now BAD rather than VERIFY.
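The "ASL 2.0" fix is easiest to see in code. The following is an added example written for this page, not rpminspect's own license inspection or its license database: a small checker that matches the longest run of words against an approved list, so that a multi-word abbreviation such as "ASL 2.0" is accepted as one token instead of being split into "ASL" and "2.0". The approved set, the connective words and the parenthesis handling are assumptions made for the example.

```python
# Added example (not rpminspect's own code): approving an RPM License tag
# against a list of license abbreviations that may themselves contain spaces.
# APPROVED_LICENSES is a constructed stand-in for the real license database.
APPROVED_LICENSES = {"MIT", "BSD", "GPLv2+", "LGPLv2+", "ASL 1.1", "ASL 2.0"}
CONNECTIVES = {"and", "or"}  # boolean operators allowed between license names
MAX_WORDS = max(len(name.split()) for name in APPROVED_LICENSES)


def check_license(license_str: str) -> list:
    """Return the words of license_str that belong to no approved abbreviation.

    An empty list means every license named in the tag is approved. Splitting
    on spaces and checking each word alone is what broke "ASL 2.0"; here the
    longest run of consecutive words that forms an approved abbreviation is
    consumed first, so multi-word names survive.
    """
    # Parentheses only group sub-expressions; strip them from the words.
    words = [w.strip("()") for w in license_str.split()]
    words = [w for w in words if w]
    unapproved = []
    i = 0
    while i < len(words):
        if words[i].lower() in CONNECTIVES:
            i += 1
            continue
        matched = 0
        # Longest candidate first, so "ASL 2.0" is tried before "ASL".
        for n in range(min(MAX_WORDS, len(words) - i), 0, -1):
            if " ".join(words[i:i + n]) in APPROVED_LICENSES:
                matched = n
                break
        if matched:
            i += matched
        else:
            unapproved.append(words[i])
            i += 1
    return unapproved


def license_approved(license_str: str) -> bool:
    """True when the whole License tag is built from approved abbreviations."""
    return not check_license(license_str)
```

Anything not recognised is returned word by word, which is what a reviewer needs to see to extend the approved list.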

rpminspect-0.6

19 Sep 17:53

New features:

  • Add the 'shellsyntax' inspection.

    This is another test inspired by rpminspect's ancestor. Here's what it does:

    1. Shell scripts are run through their shell with the '-n' option and the output and return code are collected.
    2. If the exit code is non-zero, the script is reported as invalid and marked RESULT_BAD.
    3. If there is a before build, perform the same check on the script from the before build.
      a) If the script was bad before but good after, report RESULT_INFO that the script is now valid.
      b) If the script was good before but bad after, report RESULT_BAD that the script is now invalid.
    4. In any case, if the shell is 'bash' and the '-n' check returns non-zero, try it again with '-n -O extglob'. If that passes, report that the script is invalid with -n alone but valid with extglob, and that the script needs "shopt -s extglob" in it.

    Some scripts report MIME types as "text/plain" and some are "text/x-shellscript". I stick with looking for "text/" and then trying to read the #! line.

    This inspection is not suitable for languages like Perl or Python because those programs lack a syntax checker with a '-n' option. Also, Perl and Python programs tend to be more complicated than a shell script.

    Lastly, the list of shells this inspection works for is set in the "shells" setting in rpminspect.conf. The default list is:

    sh ksh zsh csh tcsh rc bash
    

    You can modify this list or disable the inspection if you don't have these shells available or just don't want to run the shellsyntax inspection. The shells listed in this setting must be the basename(3) of the program and not the full path. This means that rpminspect expects them to be executable in the $PATH in its environment.

  • Added the 'upstream' inspection:

    This is a new inspection for builds. It only runs when you are comparing a before and after build and it also only applies to SRPM files. Here's what it does:

    1. It finds the SRPM peers for the before and after builds.
    2. It gets the Version and Epoch from the RPM headers.
    3. If the before and after Versions differ -OR- if the Epoch exists in either package and is different, then discontinue the inspection.
    4. If the Versions and Epoch values are the same, do this:
      a) Report any SourceN files in the SRPM that appeared in the after build but were not in the before build. These are flagged as RESULT_VERIFY.
      b) Report any SourceN files in the SRPM that changed content between the before and after build, mark as RESULT_BAD. The idea here is catching a package rebuild of the same version but the source files changed. This may be deliberate, but it could also be unexpected.
      c) Report any SourceN files in the SRPM that disappeared in the after build but were present in the before build. These are marked as RESULT_VERIFY.

    Content changes are done by computing the SHA-256 digest of file peers. Care is taken to only examine those files that are SourceN files in the spec file. That list is obtained from the RPMTAG_SOURCE array in the SRPM header. This avoids examining patches and other SRPM members in this inspection.

  • Add the 'ownership' inspection to librpminspect.

    The ownership inspection enforces a handful of policies and reports changes in file owner and group information. It works for both single builds as well as comparing two builds. If you are just running rpminspect against a single build, it skips the change reporting part of the ownership inspection. Here's what it does:

    1. Iterates over every file in every package in the after build, but skips source packages.

    2. Checks to see if rpminspect has forbidden_owners set. If so, check if the file is owned by a forbidden owner. If it is, report that as RESULT_BAD.

    3. Checks to see if rpminspect has forbidden_groups set. If so, check if the file is owned by a forbidden group. If it is, report that as RESULT_BAD.

    4. Checks to see if the file is in a bin_path. If it is, verifies the file is owned by bin_owner and if not, reports that as RESULT_BAD.

    5. If a file is in a bin_path and not group owned by bin_group, then it performs some additional checks:
      a) Checks to see if CAP_SETUID is set on the file.
      b) If CAP_SETUID is set and the file is S_IXOTH, report as RESULT_BAD noting it is world executable.
      c) If CAP_SETUID is set and the file is S_IWGRP, report as RESULT_BAD requiring a Security Team review noting it is group writable.
      d) If CAP_SETUID is not set, report the file must be group owned by bin_group and is RESULT_BAD.

    6. In the case of a before and after build, compare the owners and groups of each file. Report any changes as RESULT_VERIFY unless the file is in a bin_path and the after build has changed to bin_owner and bin_group. In that case just report it as RESULT_INFO.
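As an added example (not rpminspect's own C code), here are the shellsyntax rules above in Python, the language of the project's integration test suite: it reads the shell from the #! line, restricts it to the configured "shells" basenames, runs '<shell> -n', retries bash scripts with '-n -O extglob', and compares a before peer when one is given. The severity of the extglob finding (BAD) and the handling of a before script that cannot be checked are assumptions; the function and constant names are the example's own.

```python
import os
import shutil
import subprocess
import tempfile

# The default "shells" setting from rpminspect.conf: basenames looked up in $PATH.
SHELLS = {"sh", "ksh", "zsh", "csh", "tcsh", "rc", "bash"}
HAVE_SH = shutil.which("sh") is not None
HAVE_BASH = shutil.which("bash") is not None

OK, INFO, VERIFY, BAD = "OK", "INFO", "VERIFY", "BAD"


def shell_from_shebang(content: bytes):
    """Return the shell basename from the '#!' line, or None when the script is
    not for one of the configured shells (Perl, Python, ... are skipped)."""
    first = content.split(b"\n", 1)[0]
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].decode("utf-8", errors="replace").split()
    if not parts:
        return None
    shell = os.path.basename(parts[0])
    if shell == "env" and len(parts) > 1:  # "#!/usr/bin/env bash"
        shell = os.path.basename(parts[1])
    return shell if shell in SHELLS else None


def syntax_check(shell: str, content: bytes, extra=()):
    """Run '<shell> -n [extra...] script' and return (exit code, combined
    stdout+stderr), or None when the shell is not available in $PATH."""
    if shutil.which(shell) is None:
        return None
    fd, path = tempfile.mkstemp(suffix=".sh")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        proc = subprocess.run([shell, "-n", *extra, path], stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, timeout=10)
        return proc.returncode, proc.stdout.decode("utf-8", errors="replace")
    finally:
        os.unlink(path)


def inspect_shellsyntax(after: bytes, before: bytes = None):
    """Apply the shellsyntax rules to the 'after' script and, if given, its
    'before' peer. Returns (result, message)."""
    shell = shell_from_shebang(after)
    if shell is None:
        return OK, "not a script for a configured shell"
    checked = syntax_check(shell, after)
    if checked is None:
        return OK, f"{shell} not found in $PATH, check skipped"
    rc, output = checked
    after_ok = rc == 0
    # bash-only refinement: a script that parses with -O extglob is valid but
    # forgot to enable the option itself (severity BAD is an assumption here).
    if not after_ok and shell == "bash":
        retry = syntax_check("bash", after, ("-O", "extglob"))
        if retry is not None and retry[0] == 0:
            return BAD, "invalid with -n but valid with -O extglob; script needs 'shopt -s extglob'"
    single = (OK, "") if after_ok else (BAD, output.strip())
    if before is None:
        return single
    bshell = shell_from_shebang(before)
    bchecked = syntax_check(bshell, before) if bshell else None
    if bchecked is None:  # assumption: an uncheckable before peer means no comparison
        return single
    before_ok = bchecked[0] == 0
    if not before_ok and after_ok:
        return INFO, "script was invalid in the before build and is now valid"
    if before_ok and not after_ok:
        return BAD, "script was valid in the before build and is now invalid: " + output.strip()
    return single
```

The script is written to a temporary file rather than piped on stdin so that the shell's error message names a path, which is what ends up in the inspection result.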
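The ownership decision tree above, as an added Python example that is not part of rpminspect. The setting names follow the text (forbidden_owners, forbidden_groups, bin_path, bin_owner, bin_group) but their values, the PayloadFile record and the capability spelling "cap_setuid" are constructed for the example; rpminspect reads the real values from the RPM payload and rpminspect.conf.

```python
import stat
from dataclasses import dataclass

# Constructed stand-ins for the rpminspect.conf settings named in the text.
BIN_PATHS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")
BIN_OWNER, BIN_GROUP = "root", "root"
FORBIDDEN_OWNERS = {"mockbuild"}
FORBIDDEN_GROUPS = {"mockbuild"}

OK, INFO, VERIFY, BAD = "OK", "INFO", "VERIFY", "BAD"


@dataclass(frozen=True)
class PayloadFile:
    path: str
    owner: str
    group: str
    mode: int                      # st_mode, e.g. 0o100755
    caps: frozenset = frozenset()  # file capabilities, e.g. {"cap_setuid"}


def in_bin_path(path: str) -> bool:
    return any(path.startswith(p + "/") for p in BIN_PATHS)


def inspect_ownership(after: dict, before: dict = None) -> list:
    """after/before map path -> PayloadFile for one binary package (source
    packages are skipped by the caller). Returns (result, path, message) tuples."""
    findings = []
    for path, f in sorted(after.items()):
        if f.owner in FORBIDDEN_OWNERS:
            findings.append((BAD, path, f"owned by forbidden user {f.owner}"))
        if f.group in FORBIDDEN_GROUPS:
            findings.append((BAD, path, f"owned by forbidden group {f.group}"))
        if in_bin_path(path):
            if f.owner != BIN_OWNER:
                findings.append((BAD, path, f"must be owned by {BIN_OWNER}, is {f.owner}"))
            if f.group != BIN_GROUP:
                if "cap_setuid" in f.caps:
                    # A CAP_SETUID binary outside bin_group is tolerated only if it
                    # is neither world executable nor group writable.
                    if f.mode & stat.S_IXOTH:
                        findings.append((BAD, path, "CAP_SETUID file is world executable"))
                    if f.mode & stat.S_IWGRP:
                        findings.append((BAD, path, "CAP_SETUID file is group writable; Security Team review required"))
                else:
                    findings.append((BAD, path, f"must be group owned by {BIN_GROUP}, is {f.group}"))
        if before and path in before:
            b = before[path]
            if (b.owner, b.group) != (f.owner, f.group):
                msg = f"owner:group changed {b.owner}:{b.group} -> {f.owner}:{f.group}"
                # Moving a bin_path file to bin_owner:bin_group is the expected fix.
                if in_bin_path(path) and (f.owner, f.group) == (BIN_OWNER, BIN_GROUP):
                    findings.append((INFO, path, msg))
                else:
                    findings.append((VERIFY, path, msg))
    return findings


def sample_findings() -> list:
    """Run the inspection over a constructed before/after pair."""
    before = {
        "/usr/bin/fixed": PayloadFile("/usr/bin/fixed", "games", "games", 0o100755),
        "/etc/app.conf": PayloadFile("/etc/app.conf", "root", "root", 0o100644),
    }
    after = {
        "/usr/bin/fixed": PayloadFile("/usr/bin/fixed", "root", "root", 0o100755),
        "/etc/app.conf": PayloadFile("/etc/app.conf", "app", "app", 0o100644),
        "/usr/bin/tight": PayloadFile("/usr/bin/tight", "root", "wheel", 0o100750, frozenset({"cap_setuid"})),
        "/usr/bin/loose": PayloadFile("/usr/bin/loose", "root", "wheel", 0o100775, frozenset({"cap_setuid"})),
        "/usr/bin/plain": PayloadFile("/usr/bin/plain", "root", "wheel", 0o100755),
        "/var/lib/app/x": PayloadFile("/var/lib/app/x", "mockbuild", "mockbuild", 0o100644),
    }
    return inspect_ownership(after, before)
```

Note that step 5 as written only reports a CAP_SETUID binary outside bin_group when it is world executable or group writable; "/usr/bin/tight" (mode 0750) produces no finding, which is the behaviour the rules describe.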

Bug fixes:

  • Ignore .pyc and .pyo Python bytecode files in 'changedfiles'
  • Return the correct result from inspect_metadata, inspect_emptyrpm, and inspect_specname.
  • Remove desktop_file_validate from rpminspect.conf; it was the only command you could override at runtime. This functionality may return in a separate config file in the future.
  • In the 'metadata' inspection, do not assume the Vendor tag is set. (#43)
  • Make -Werror=format-security happy (#44)
  • Allow text output mode to work when it can't get a terminal width. (#42)
  • Return the correct exit code in main() (#39)
  • In addedfiles, use RESULT_VERIFY for new security-related files.
  • Always combine stdout and stderr in run_cmd()
  • Discontinue the use of cpp when comparing C and C++ header files in the 'changedfiles' inspection. Behavior is inconsistent, so just take the diff(1) output and require review of comments as well as code.
  • In 'changedfiles', ignore /usr/lib/debug and /usr/src/debug
  • result can be NULL when run_cmd() is called, remove assert().
  • Code cleanups caught by clang (#37)
  • README updates

Changes in the code:

  • Use meson instead of GNU automake, autoconf, and libtool. There is a single meson.build file at the top level directory.
  • Replace utils/make-release.sh with release.sh at the top level. It almost works, but fails when uploading artifacts to github. I keep debugging this script a little bit with each release I make.
  • Move src/librpminspect/ to lib/ and src/rpminspect/ to src/
  • Move tests/librpminspect/ to tests/lib/
  • Add contrib report-json2html.py (fboucher@redhat.com)

rpminspect-0.5

05 Sep 19:29

rpminspect-0.5 is now available with the following bug fixes and improvements:

  • Support running rpminspect on local RPM packages (#23). You may now specify a local RPM or SRPM as the input for rpminspect. If you specify a before and after file, rpminspect will assume they are peers and will perform applicable inspections.

  • Adjust the 'text' output mode by adding some extra blank lines for readability.

  • For the 'changedfiles' inspection, get the list of possible C and C++ header file endings from the header_file_extensions setting in rpminspect.conf.

  • Add dnf instructions to the README file to help get the development packages installed on Fedora or RHEL.

  • Prevent a crash in get_product_release() when the build specification lacks enough information to infer a product release (e.g., a Koji build ID).

  • Start an integration test suite in the tests/ subdirectory.

  • Adopt a Code of Conduct for the project, see CODE_OF_CONDUCT.md

  • Move the data/setuid subdirectory to data/stat-whitelist. The files will be installed to /usr/share/rpminspect and the stat-whitelist subdirectory provides information on file modes, owners, and groups for known setuid/setgid files.

  • Process a [vendor-data] section in the configuration file which contains paths to locations provided by the rpminspect data package.

  • Fix configuration file detection in rpminspect.

New inspections:

  • Implement the 'removedfiles' inspection. When comparing two builds, rpminspect will report if files have disappeared from packages from the before to the after build. If the removed file was an ELF shared object, rpminspect reports it as a RESULT_BAD noting it may be a potential ABI break. Files removed from a security path prefix are also marked as RESULT_BAD and as WAIVABLE_BY_SECURITY. All other removals are reported as RESULT_VERIFY.

  • Implement the 'addedfiles' inspection. Kind of like the opposite of removedfiles, but does a little more. It ignores the debuginfo things and Python .egg-info files. It also checks to make sure no package added files to /var/tmp or /tmp. It also checks to make sure there are no *~ or *.orig files. Likewise, it makes sure no package has subdirectories like __MACOSX, .cvs, or .git. These settings are all modifiable in the rpminspect.conf file. Lastly, if a new setuid or setgid file is added, it flags it for a security team review unless it is on the stat-whitelist for the product release and the expected permissions match those in the package.
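The removedfiles and addedfiles rules above, as an added Python example that is not rpminspect's own code. The configuration values (security_path_prefix, the forbidden temporary and backup paths, the stat-whitelist entry) and the file records are constructed for the example; the INFO result for a whitelisted setuid file is an assumption, since the text only says such a file needs no security review.

```python
import stat
from dataclasses import dataclass

# Constructed stand-ins for the rpminspect.conf settings the text mentions.
SECURITY_PATH_PREFIX = ("/etc/pam.d", "/etc/security", "/etc/sudoers.d")
FORBIDDEN_PATH_PREFIXES = ("/tmp", "/var/tmp")
FORBIDDEN_PATH_SUFFIXES = ("~", ".orig")
FORBIDDEN_DIRECTORIES = {"__MACOSX", ".cvs", ".git"}
IGNORED_PREFIXES = ("/usr/lib/debug", "/usr/src/debug")  # debuginfo content
# stat-whitelist for the product release: path -> expected permission bits.
STAT_WHITELIST = {"/usr/bin/passwd": 0o4755}

OK, INFO, VERIFY, BAD = "OK", "INFO", "VERIFY", "BAD"


@dataclass(frozen=True)
class PayloadFile:
    path: str
    mode: int                        # st_mode
    elf_shared_object: bool = False  # what the ELF check would tell us


def under(path: str, prefixes) -> bool:
    """Directory-aware prefix match: /tmpfoo is not under /tmp."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)


def removed_files(before: dict, after: dict) -> list:
    """Each finding is (result, path, message, waivable_by_security)."""
    findings = []
    for path in sorted(set(before) - set(after)):
        if before[path].elf_shared_object:
            findings.append((BAD, path, "ELF shared object removed, potential ABI break", False))
        elif under(path, SECURITY_PATH_PREFIX):
            findings.append((BAD, path, "file removed from a security path", True))
        else:
            findings.append((VERIFY, path, "file removed", False))
    return findings


def added_files(before: dict, after: dict) -> list:
    findings = []
    for path in sorted(set(after) - set(before)):
        if under(path, IGNORED_PREFIXES) or ".egg-info" in path:
            continue
        if under(path, FORBIDDEN_PATH_PREFIXES):
            findings.append((BAD, path, "file installed under a temporary directory", False))
        if path.endswith(FORBIDDEN_PATH_SUFFIXES):
            findings.append((BAD, path, "backup or editor leftover file", False))
        if FORBIDDEN_DIRECTORIES.intersection(path.split("/")):
            findings.append((BAD, path, "file under a forbidden directory", False))
        mode = after[path].mode
        if mode & (stat.S_ISUID | stat.S_ISGID):
            expected = STAT_WHITELIST.get(path)
            if expected is not None and stat.S_IMODE(mode) == expected:
                # Assumption: a whitelisted file with matching mode is worth an INFO line.
                findings.append((INFO, path, "setuid/setgid file matches the stat-whitelist", False))
            else:
                findings.append((VERIFY, path, "new setuid/setgid file needs Security Team review", True))
    return findings


def sample_findings():
    """Run both inspections over a constructed before/after pair."""
    before = {
        "/usr/bin/foo": PayloadFile("/usr/bin/foo", 0o100755),
        "/usr/lib64/libfoo.so.1": PayloadFile("/usr/lib64/libfoo.so.1", 0o100755, True),
        "/etc/pam.d/foo": PayloadFile("/etc/pam.d/foo", 0o100644),
        "/usr/share/doc/foo/README": PayloadFile("/usr/share/doc/foo/README", 0o100644),
    }
    after = {
        "/usr/bin/foo": PayloadFile("/usr/bin/foo", 0o100755),
        "/usr/bin/passwd": PayloadFile("/usr/bin/passwd", 0o104755),
        "/usr/bin/suhelper": PayloadFile("/usr/bin/suhelper", 0o104755),
        "/var/tmp/foo.cache": PayloadFile("/var/tmp/foo.cache", 0o100644),
        "/usr/share/foo/config.orig": PayloadFile("/usr/share/foo/config.orig", 0o100644),
        "/usr/share/foo/.git/HEAD": PayloadFile("/usr/share/foo/.git/HEAD", 0o100644),
        "/usr/lib/debug/usr/bin/foo.debug": PayloadFile("/usr/lib/debug/usr/bin/foo.debug", 0o100644),
    }
    return removed_files(before, after), added_files(before, after)
```

The waivable flag is carried alongside the result so that a CI consumer can distinguish a security-team waiver from an ordinary review item.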

Builds are available in Copr as well as the f31 and rawhide branches.

rpminspect-0.4

26 Aug 18:28

rpminspect-0.4 is now available with the following improvements and bug fixes:

  • Support multiple buildhost subdomains in rpminspect.conf (#25)

In Fedora, the s390x packages are built on hosts provided by Red Hat's internal mainframe. These have a buildhost subdomain of .bos.redhat.com while the other architectures carry .fedoraproject.org. The buildhost_subdomain parameter in rpminspect.conf now supports multiple subdomains separated by spaces.

  • Add more usage information to the README (#24)

Give more examples on how to use rpminspect at the command line.

  • Add support for specifying a list of architectures on the command line (#27)

This is similar to the koji command line option to restrict builds to a subset of architectures. List architectures as a string separated by commas. "noarch" is valid since RPM recognizes that. To note the SRPM, use "src" as the architecture. An example: -a x86_64,ppc64le,src

  • Split the -T option out into -T and -E options (#28)

The biggest issue here was my use of '!' to specify excluded tests. I have now split the option out into -T to specify tests to run -or- the -E option to specify tests to not run. The options are mutually exclusive and the default mode for rpminspect is to run all applicable tests. If you specify -T, rpminspect disables all tests except the ones you specify with this option. You can use 'ALL' with the -T option if you want to, but that is the default behavior. If you specify -E, rpminspect enables all tests except the ones you specify with this option. If you use 'ALL' with the -E option, all tests are disabled and rpminspect becomes a no-op.

New functionality:

  • The 'changedfiles' inspection is new and does quite a bit. This inspection only runs when comparing builds and the objective is to report changes between file peers. It only runs for regular files and skips any files lacking a peer since other inspections will handle those modes. For compressed files, changedfiles performs a zcmp/bzcmp/xzcmp and reports if there are differences. The reason for this is to account for changing compression levels but unchanged uncompressed content. For ELF objects, rpminspect runs eu-elfcmp and reports. If the file is a gettext message catalog (.mo files), it runs the file through msgunfmt and compares that output then reports. C and C++ header files are preprocessed and compared with 'diff -uw' to report possible API changes. Lastly, for any file peers not hitting a special case, the SHA-256 digests are compared and if they differ then rpminspect reports.

  • The rpminspect.conf file now carries the security_path_prefix setting to list path prefixes where security related files reside.

  • The fetch only mode writes the downloaded Koji build to an NVR subdirectory rather than the temporary directory structure rpminspect would use internally.
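An added Python example, not rpminspect's own changedfiles code, of the per-file-type dispatch described above: compressed peers are compared on their decompressed content (so a changed compression level alone is not reported), C/C++ headers are compared ignoring whitespace in the manner of 'diff -uw', and everything else falls back to a SHA-256 comparison. The ELF (eu-elfcmp) and gettext (msgunfmt) branches need external tools and are left out. Reporting differences as VERIFY, the header_file_extensions values and the sample peers are assumptions.

```python
import bz2
import difflib
import gzip
import hashlib
import lzma
import re

# Setting name from the 0.5 notes (header_file_extensions); the values are assumed.
HEADER_FILE_EXTENSIONS = (".h", ".hh", ".hpp", ".hxx")
DECOMPRESSORS = {".gz": gzip.decompress, ".bz2": bz2.decompress, ".xz": lzma.decompress}

OK, INFO, VERIFY, BAD = "OK", "INFO", "VERIFY", "BAD"


def diff_ignoring_ws(before: bytes, after: bytes) -> list:
    """Line diff that, like diff -w, ignores whitespace when matching lines but
    prints the original lines. Returns the changed lines prefixed with -/+."""
    a = before.decode("utf-8", "replace").splitlines()
    b = after.decode("utf-8", "replace").splitlines()
    key = lambda s: re.sub(r"\s+", "", s)
    sm = difflib.SequenceMatcher(None, [key(l) for l in a], [key(l) for l in b], autojunk=False)
    out = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag != "equal":
            out += ["-" + l for l in a[i1:i2]] + ["+" + l for l in b[j1:j2]]
    return out


def compare_peers(path: str, before: bytes, after: bytes):
    """Compare the before/after contents of one regular-file peer.
    Returns (result, message); differences are VERIFY (severity is an assumption)."""
    for ext, decompress in DECOMPRESSORS.items():
        if path.endswith(ext):
            try:
                same = decompress(before) == decompress(after)
            except (OSError, lzma.LZMAError, ValueError):
                break  # not a valid archive after all; fall back to the digest compare
            return (OK, "") if same else (VERIFY, "uncompressed content differs")
    if path.endswith(HEADER_FILE_EXTENSIONS):
        changes = diff_ignoring_ws(before, after)
        return (OK, "") if not changes else (VERIFY, "possible API change:\n" + "\n".join(changes))
    old, new = hashlib.sha256(before).hexdigest(), hashlib.sha256(after).hexdigest()
    if old != new:
        return VERIFY, f"SHA-256 changed {old[:12]} -> {new[:12]}"
    return OK, ""


def sample_peers() -> dict:
    """Constructed before/after pairs: the same text compressed at two levels
    (the gzip bytes may differ, the content does not), a header that was only
    re-indented, a header whose signature changed, and two gzip files with
    different content."""
    text = b"int  main(void)\n{\n    return 0;\n}\n"
    return {
        "/usr/share/doc/foo/NEWS.gz": (gzip.compress(text, 1), gzip.compress(text, 9)),
        "/usr/share/doc/foo/ChangeLog.gz": (gzip.compress(b"old\n"), gzip.compress(b"new\n")),
        "/usr/include/foo/ws.h": (b"int foo(int a,int b);\n", b"int   foo(int a, int b);\n"),
        "/usr/include/foo/api.h": (b"int foo(int a);\n", b"int foo(int a, int b);\n"),
    }
```

Decompressing in-process replaces the zcmp/bzcmp/xzcmp calls; the point is the same, that the comparison happens on the uncompressed stream and not on the archive bytes.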

Builds are available in Copr and will be available in rawhide soon.

rpminspect-0.3

19 Aug 19:25

rpminspect-0.3 is now available. Notable changes:

  • Increase the XML-RPC size limit to handle large return values from Koji
  • Handle hard link extraction correctly when unpacking RPM payloads (#19)
  • Trim trailing slashes from release strings
  • Prevent SIGSEGV when running desktop-file-validate on *.desktop files
  • Support ~ expansion in --workdir=PATH specification (#22)

The #19 issue was causing problems with a lot of large packages, e.g. python3.

v0.2

01 Aug 20:06

rpminspect-0.2

A lot of changes since the first release. Here is a summary:

  • Start a unit test suite
  • Build and release fixes, CI fixes with Travis-CI, Copr integration fixes
  • Report BAD during license inspection if the db is missing
  • Clean up the text output mode to make it easier to pipe through tools like less(1)
  • Skip source packages in the desktop file entry, elf, and xml inspections
  • For passing inspections (RESULT_OK), do not output the message
  • Do not look for Koji build logs when gathering local builds
  • Handle XMLRPC_TYPE_NIL when gathering Koji build information
  • Support module metadata in get_koji_build() and struct koji_build
  • Extend rpminspect.conf to carry download URLs for different build types
  • Support fetching regular Koji builds and modular Koji builds
  • Recognize empty RPMs in extract_rpm()
  • When fetching modules, honor the filtered_rpms metadata list
  • Add a fetch-only mode (-f) to the rpminspect command
  • Add a generic unpacking function built on libarchive to handle unpacking other files
  • Handle both Java class files in the RPM as well as inside .jar files
  • Detect product release by looking for a dist tag
  • Allow the user to specify the product release on the command line
  • Simplify the HEADER_* strings for Fedora CI integration

New inspections:

  • disttag - Checks for the use of %{?dist} at the end of Release numbers
  • specname - Ensures the Name of the SRPM contains Name.spec
  • modularity - Ensures RPMs in modules carry the 'modularitylabel' header
  • javabytecode - Compares JVM major version number in .class files against the expected JVM major version for the product release

New dependencies:

  • libyaml - required for reading modulemd.txt metadata files from Koji modules

Restricted dependencies:

  • mandoc <= 1.14.4 (the 1.14.5 API completely changed, so we have to update that in the next release)

rpminspect-0.1

23 May 16:15
Pre-release

rpminspect is beginning regular releases for development purposes in Fedora rawhide.