Hello community,

here is the log from the commit of package openSUSE-release-tools for 
openSUSE:Factory checked in at 2019-08-23 11:09:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openSUSE-release-tools (Old)
 and      /work/SRC/openSUSE:Factory/.openSUSE-release-tools.new.7948 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openSUSE-release-tools"

Fri Aug 23 11:09:00 2019 rev:207 rq:725373 version:20190822.bf48f33a

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/openSUSE-release-tools/openSUSE-release-tools.changes
    2019-08-22 10:52:16.473700674 +0200
+++ 
/work/SRC/openSUSE:Factory/.openSUSE-release-tools.new.7948/openSUSE-release-tools.changes
  2019-08-23 11:09:07.118463021 +0200
@@ -1,0 +2,6 @@
+Thu Aug 22 16:22:19 UTC 2019 - [email protected]
+
+- Update to version 20190822.bf48f33a:
+  * check_source: add a review for the security team if there are warnings 
about missing whitelist entries and this is submitted to a project that has 
this check activated via attribute OSRT:Config (add to bad-rpmlint-entries)
+
+-------------------------------------------------------------------

Old:
----
  openSUSE-release-tools-20190820.b9c7635c.obscpio

New:
----
  openSUSE-release-tools-20190822.bf48f33a.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openSUSE-release-tools.spec ++++++
--- /var/tmp/diff_new_pack.Fk3wOW/_old  2019-08-23 11:09:10.514462601 +0200
+++ /var/tmp/diff_new_pack.Fk3wOW/_new  2019-08-23 11:09:10.518462601 +0200
@@ -20,7 +20,7 @@
 %define source_dir openSUSE-release-tools
 %define announcer_filename factory-package-news
 Name:           openSUSE-release-tools
-Version:        20190820.b9c7635c
+Version:        20190822.bf48f33a
 Release:        0
 Summary:        Tools to aid in staging and release work for openSUSE/SUSE
 License:        GPL-2.0-or-later AND MIT

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.Fk3wOW/_old  2019-08-23 11:09:10.554462596 +0200
+++ /var/tmp/diff_new_pack.Fk3wOW/_new  2019-08-23 11:09:10.554462596 +0200
@@ -1,6 +1,6 @@
 <servicedata>
   <service name="tar_scm">
     <param 
name="url">https://github.com/openSUSE/openSUSE-release-tools.git</param>
-    <param 
name="changesrevision">55bcb8b34d6f7a19a98ae0260b27cbff8af805ed</param>
+    <param 
name="changesrevision">bf48f33adfe0960a6a98f80e7317471378b43710</param>
   </service>
 </servicedata>

++++++ openSUSE-release-tools-20190820.b9c7635c.obscpio -> 
openSUSE-release-tools-20190822.bf48f33a.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/openSUSE-release-tools-20190820.b9c7635c/check_source.py 
new/openSUSE-release-tools-20190822.bf48f33a/check_source.py
--- old/openSUSE-release-tools-20190820.b9c7635c/check_source.py        
2019-08-20 14:54:04.000000000 +0200
+++ new/openSUSE-release-tools-20190822.bf48f33a/check_source.py        
2019-08-22 18:17:04.000000000 +0200
@@ -18,6 +18,8 @@
 from osclib.core import devel_project_get
 from osclib.core import devel_project_fallback
 from osclib.core import group_members
+from osclib.core import source_file_load
+from osclib.core import target_archs
 from urllib.error import HTTPError
 
 import ReviewBot
@@ -26,6 +28,8 @@
 class CheckSource(ReviewBot.ReviewBot):
 
     SCRIPT_PATH = os.path.dirname(os.path.realpath(__file__))
+    AUDIT_BUG_URL = 
"https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs";
+    AUDIT_BUG_MESSAGE = "The package is submitted to an official product and 
it has warnings that indicate that it need to go through a security review. 
Those warnings can only be ignored in devel projects. For more information 
please read: {}.".format(AUDIT_BUG_URL)
 
     def __init__(self, *args, **kwargs):
         ReviewBot.ReviewBot.__init__(self, *args, **kwargs)
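Review bot: The `AUDIT_BUG_URL` literal on the first added line ends with a stray `;` after the closing quote; if that is really in the source rather than a mail-archive rendering artifact it should be dropped, since it is a no-op statement separator that reads like a typo. `AUDIT_BUG_MESSAGE` also has a grammar slip in user-facing review text, `it need to go through` → `it needs to go through`. A short comment above the two constants, e.g. `# Review-request text sent to the security team; AUDIT_BUG_URL points at the policy it enforces`, would tell the next reader where this text ends up.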
@@ -48,6 +52,8 @@
         self.repo_checker = config.get('repo-checker')
         self.devel_whitelist = config.get('devel-whitelist', '').split()
         self.skip_add_reviews = False
+        self.security_review_team = config.get('security-review-team', 
'security-team')
+        self.bad_rpmlint_entries = config.get('bad-rpmlint-entries', 
'').split()
 
         if self.action.type == 'maintenance_incident':
             # The workflow effectively enforces the names to match and the
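Review bot: The two new config keys are read without any comment on what they hold, and `bad-rpmlint-entries` is in effect the switch for the whole security-review check added further down (it is only consulted when non-empty). A comment such as `# rpmlint warning prefixes (configured per project via OSRT:Config) that require a security-team review when they appear in the build log or are filtered in the rpmlintrc; empty disables the check` would make that visible at the point of configuration. The enclosing method starts outside the hunk.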
@@ -187,8 +193,51 @@
             elif self.repo_checker is not None:
                 self.add_review(self.request, by_user=self.repo_checker, 
msg='Please review build success')
 
+        if self.bad_rpmlint_entries:
+            if self.has_whitelist_warnings(source_project, source_package, 
target_project, target_package):
+                # if there are any add a review for the security team
+                # maybe add the found warnings to the message for the review
+                self.add_review(self.request, 
by_group=self.security_review_team, msg=CheckSource.AUDIT_BUG_MESSAGE)
+            if self.suppresses_whitelist_warnings( source_project, 
source_package ):
+                self.add_review(self.request, 
by_group=self.security_review_team, msg=CheckSource.AUDIT_BUG_MESSAGE)
+
         return True
 
+    def suppresses_whitelist_warnings( self, source_project, source_package):
+        # checks if there's a rpmlintrc that suppresses warnings that we check
+        found_entries = set()
+        contents = source_file_load(self.apiurl, source_project, 
source_package, source_package+'-rpmlintrc')
+        if contents:
+            matches = re.findall(r'addFilter\(["\']([^"\']+)["\']\)', contents)
+            for entry in self.bad_rpmlint_entries:
+                for match in matches:
+                    if match.startswith(entry):
+                        self.logger.info(f'found suppressed whitelist warning: 
{entry}')
+                        found_entries.add(entry)
+        return found_entries
+
+    def has_whitelist_warnings( self, source_project, source_package, 
target_project, target_package ):
+        # this checks if this is a submit to an product project and it has 
warnings for non-whitelisted permissions/files
+        found_entries = set()
+        url = osc.core.makeurl(self.apiurl, ['build', target_project])
+        xml = ET.parse(osc.core.http_GET(url)).getroot()
+        for f in xml.findall('entry'):
+            # we check all repos in the source project for errors that exist 
in the target project
+            repo = f.attrib['name']
+            query = { 'last' : 1, }
+            for arch in target_archs(self.apiurl, source_project, repo):
+                url = osc.core.makeurl(self.apiurl, ['build', source_project, 
repo, arch, source_package, '_log'], query = query)
+                try:
+                    result = osc.core.http_GET(url)
+                    contents = str(result.read())
+                    for entry in self.bad_rpmlint_entries:
+                        if (': W: '+entry in contents) and not (entry in 
found_entries):
+                            self.logger.info(f'found missing whitelist for 
warning: {entry}')
+                            found_entries.add(entry)
+                except HTTPError as e:
+                    self.logger.error('ERROR in URL %s [%s]' % (url, e))
+        return found_entries
+
     def is_devel_project(self, source_project, target_project):
         if source_project in self.devel_whitelist:
             return True
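Review bot: The new gate fails open: in `has_whitelist_warnings` an `HTTPError` while fetching a build log is only logged and the loop moves on, so a submission whose logs could not be read is treated as warning-free and gets no security review. Consider recording the failure (e.g. a `fetch_failed` flag) and, when it is set and nothing was found, either adding the review anyway or declining with an explanatory message, so that a fetch error cannot silently skip the check. In the caller, the two `if` blocks under `if self.bad_rpmlint_entries:` each call `add_review` with the same group and message, so a submission that both shows the warnings and filters them receives two identical reviews; merging them as `if self.has_whitelist_warnings(source_project, source_package, target_project, target_package) or self.suppresses_whitelist_warnings(source_project, source_package):` avoids that. `contents = str(result.read())` stringifies the bytes repr rather than decoding the log (assuming `http_GET` returns a urllib response), which happens to keep `': W: '` searchable but is fragile; `contents = result.read().decode('utf-8', errors='replace')` is the intended form. The method containing the caller starts outside the hunk.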

++++++ openSUSE-release-tools.obsinfo ++++++
--- /var/tmp/diff_new_pack.Fk3wOW/_old  2019-08-23 11:09:11.054462534 +0200
+++ /var/tmp/diff_new_pack.Fk3wOW/_new  2019-08-23 11:09:11.054462534 +0200
@@ -1,5 +1,5 @@
 name: openSUSE-release-tools
-version: 20190820.b9c7635c
-mtime: 1566305644
-commit: b9c7635cfc795851307952aec275b12120a93105
+version: 20190822.bf48f33a
+mtime: 1566490624
+commit: bf48f33adfe0960a6a98f80e7317471378b43710
 

