[Bug 2272258] Review Request: trivy - Vulnerability and license scanner
https://bugzilla.redhat.com/show_bug.cgi?id=2272258

Fedora Update System changed:

           What    |Removed |Added
----------------------------------------------
             Status|MODIFIED|CLOSED
         Resolution|---     |ERRATA
        Last Closed|        |2024-04-06 05:42:21

--- Comment #15 from Fedora Update System ---
FEDORA-2024-9ed62a7814 (trivy-0.50.1-1.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
https://bugzilla.redhat.com/show_bug.cgi?id=2272258
Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202272258%23c15
-- 
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Fedora Update System changed:

           What    |Removed |Added
----------------------------------------------
             Status|POST    |MODIFIED

--- Comment #14 from Fedora Update System ---
FEDORA-2024-9ed62a7814 (trivy-0.50.1-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-9ed62a7814

Fedora Admin user for bugzilla script actions changed:

           What    |Removed |Added
----------------------------------------------
             Status|ASSIGNED|POST

--- Comment #13 from Fedora Admin user for bugzilla script actions ---
The Pagure repository was created at https://src.fedoraproject.org/rpms/trivy

Jerry James changed:

           What    |Removed       |Added
----------------------------------------------
              Flags|fedora-review?|fedora-review+

--- Comment #12 from Jerry James ---
(In reply to Maxwell G from comment #11)
> 臘
> https://git.sr.ht/~gotmax23/trivy-rpm/commit/0e6ec42eca8c5d80d7167fdeae9a61968e16f744

Aha, mystery solved! You have addressed all of my concerns, so this package is APPROVED.

--- Comment #11 from Maxwell G ---
> - Notice the invalid-url rpmlint warning for Source0. The URL is missing
>   "https:" at the beginning. Is this a weakness of %gourl? Is something
>   missing from the spec file that would cause that to appear?

臘 https://git.sr.ht/~gotmax23/trivy-rpm/commit/0e6ec42eca8c5d80d7167fdeae9a61968e16f744

--- Comment #10 from Maxwell G ---
Spec URL: https://gotmax23.fedorapeople.org/reviews/trivy/trivy.spec
SRPM URL: https://gotmax23.fedorapeople.org/reviews/trivy/trivy-0.50.0-1.fc39.src.rpm

Fix Source0 entry

--- Comment #9 from Maxwell G ---
I updated the specfile. I have fixed the incorrect/missing license issues, replaced modernc.org/sqlite with the less problematic github.com/mattn/go-sqlite3, and removed the files with shebang issues (those files were included by %go_vendor_license_install, as they had license headers, but they were just development scripts, so there was no need to include them).

The directory ownership issues were also fixed in go-vendor-tools; I pushed the fix to rawhide.

https://git.sr.ht/~gotmax23/trivy-rpm has the unpacked sources if that's easier to review.

--- Comment #8 from Maxwell G ---
Spec URL: https://gotmax23.fedorapeople.org/reviews/trivy/trivy.spec
SRPM URL: https://gotmax23.fedorapeople.org/reviews/trivy/trivy-0.50.0-1.fc39.src.rpm

Koji scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=115896937

--- Comment #7 from Jerry James ---
(In reply to Maxwell G from comment #5)
> This is the first package to use
> https://gitlab.com/fedora/sigs/go/go-vendor-tools, the new tooling for
> vendoring Go packages, and is actually an optional dependency of
> go-vendor-tools itself, so there is still some work to do. See the
> discussion in
> https://lists.fedoraproject.org/archives/list/gol...@lists.fedoraproject.org/thread/K5P6P2MGEE3SCPF4SZFWOIUGHQHJ6GGG/.
> I apologize for missing some context with this review request. I had
> expected for a Go SIG member who had participated in the previous
> discussions to review the package, but your review is very welcome.
> Thank you!

If some Go SIG member wants to take over this review, I am happy to hand it over. I actually have reviewed Go packages before, but it's been a while, and I am clearly not up on the latest developments.

> > There don't seem to be any golang packaging guidelines
>
> These do exist in
> https://docs.fedoraproject.org/en-US/packaging-guidelines/Golang/, but don't
> cover the new tooling yet.

Okay. I expected to find a link in https://docs.fedoraproject.org/en-US/packaging-guidelines/#_domain_specific_guidelines, but I don't see one there.

I am satisfied with your other answers. (I didn't know "%license %dir" was a thing. I'm glad that works!) I look forward to the next iteration.

Thanks for doing the work to get trivy packaged. It will be a great addition to Fedora.

--- Comment #6 from Maxwell G ---
> - See the non-executable-script rpmlint warnings below. Please either remove
>   the shebangs from those files or make them executable.
> - Note that unused-direct-shlib-dependency warning for /usr/bin/trivy. It
>   depends, uselessly, on libresolv.so.2. Does that mean /usr/bin/trivy was
>   linked without --as-needed?

I'll look at these two items as well.

--- Comment #5 from Maxwell G ---
This is the first package to use https://gitlab.com/fedora/sigs/go/go-vendor-tools, the new tooling for vendoring Go packages, and is actually an optional dependency of go-vendor-tools itself, so there is still some work to do. See the discussion in https://lists.fedoraproject.org/archives/list/gol...@lists.fedoraproject.org/thread/K5P6P2MGEE3SCPF4SZFWOIUGHQHJ6GGG/. I apologize for missing some context with this review request. I had expected for a Go SIG member who had participated in the previous discussions to review the package, but your review is very welcome. Thank you!

trivy has a lot of dependencies, some of which do atypical things (e.g., the modernc dependencies), and is not representative of the average Go project. It was likely not the best first package… Anyways, I will respond to the rest of your feedback inline.

(In reply to Jerry James from comment #2)
> There don't seem to be any golang packaging guidelines

These do exist in https://docs.fedoraproject.org/en-US/packaging-guidelines/Golang/, but don't cover the new tooling yet.

> I'm doing my best to understand and review properly below. Please excuse me
> if I make an ignorant comment. The review is so long that bugzilla won't let
> me paste it all, so I will split it across multiple comments.

Sure—thank you for bearing with me.

> Package Review
> ==
>
> Legend:
> [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
>
> Issues:
> ===
>
> - There is an awful lot of bundling going on. Is that typical for the golang
>   ecosystem?

See the above comment about bundling.

> - I am attempting to see if the License field in the spec file matches the
>   actual licenses in play. It's a bit of a challenge. There is no comment in
>   the spec file nor any kind of README describing the license breakdown. That
>   would help a lot. See the following questions.

go-vendor-tools automatically computes the license tag, but there definitely should be a comment explaining that. I opened https://gitlab.com/fedora/sigs/go/go2rpm/-/issues/41.

> - Many files under vendor/modernc.org/libc contain one or both of
>   LGPL-2.1-or-later and GPL-3.0-or-later declarations, but I don't see either
>   license in the License field. Should they appear there?

The licensing of that project is murky. See https://gitlab.com/cznic/libc/-/issues/31. It's pulled in via trivy's dependency on modernc.org/sqlite. I wonder if upstream would consider a different sqlite driver. I'll keep digging into it.

> - vendor/github.com/rcrowley/go-metrics/LICENSE is BSD-2-Clause-Views, not
>   BSD-2-Clause, but I don't see that in License.

Fixed locally.

> - Some files additionally have lines that read:
>   // SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note
>   I don't know if we are obligated to list notes, or if we only worry about
>   exceptions in Fedora. The files:
>   - vendor/modernc.org/libc/sys/socket/socket_linux_arm.go
>   - vendor/modernc.org/libc/sys/socket/socket_linux_arm64.go
>   - vendor/modernc.org/libc/sys/socket/socket_linux_riscv64.go

See above.

> - What do you make of the license declaration at the top of
>   vendor/golang.org/x/crypto/chacha20/chacha_ppc64le.s? Is that file included
>   in the build on ppc64le?

The link in that comment is dead, but https://web.archive.org/web/20240111224133/https://www.openssl.org/~appro/cryptogams/ still has it and https://github.com/dot-asm/cryptogams/blob/a60f5b50ed908e91e5c39ca79126a4a876d5d8ff/LICENSE suggests that this is available under the BSD-3-Clause license OR (an unspecified version of) the GPL. golang-x-crypto is licensed under BSD-3-Clause as well and only retains that notice. go-vendor-tools already detects this dependency as BSD-3-Clause, so we should be okay there.

I don't think adding an "OR GPL-1.0-or-later" to account for

> ALTERNATIVELY, provided that this notice is retained in full, this product
> may be distributed under the terms of the GNU General Public License (GPL),
> in which case the provisions of the GPL apply INSTEAD OF those given above.

in the original project's license makes sense here.

> - vendor/github.com/alecthomas/chroma/formatters/svg/font_liberation_mono.go
>   contains an encoding of a font under the OFL-1.1-RFN license, which does not
>   appear in License.

Fixed locally.

> - See the complaint below about unowned directories. This is not an error.
>   The directory /usr/share/licenses/trivy/vendor/github.com/kylelemons, for
>   example, is not owned by this package, but contains another directory that
>   is.

Tracked at https://gitlab.com/fedora/sigs/go/go-vendor-tools/-/issues/44. The code that generates the license filelist also needs to add entries for intermediate directories.

> - See the non-executable-script rpmlint warnings below. Please either remove
>   the shebangs from those files or make them executable.
>
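The unowned-directory finding in comment #3 and the fix Maxwell describes in comments #5 and #9 (the license filelist generator must also emit entries for intermediate directories) are two sides of one computation. The following is an added example, written for this thread and not taken from go-vendor-tools or the trivy spec: given the paths of vendored license files, it emits a %files fragment with a "%license %dir" entry for every intermediate directory, and a checker reports which directories a filelist would leave unowned, which is what fedora-review flags. The vendor paths and the license root are constructed for illustration.

```python
"""Generate an RPM %files fragment for vendored license files and check it
for unowned directories.

Added example for this review thread; not code from go-vendor-tools.
The sample vendor paths below are constructed for illustration.
"""
from pathlib import PurePosixPath

# Assumed install root for %license files (%{_licensedir}/trivy).
LICENSE_ROOT = PurePosixPath("/usr/share/licenses/trivy")

# Constructed sample: license files relative to LICENSE_ROOT, in the shape a
# vendored Go tree produces (one LICENSE per module, nested under the host).
SAMPLE_LICENSE_FILES = [
    "LICENSE",
    "vendor/github.com/kylelemons/godebug/LICENSE",
    "vendor/github.com/beorn7/perks/LICENSE",
    "vendor/modernc.org/sqlite/LICENSE",
    "vendor/modernc.org/token/LICENSE",
]


def intermediate_dirs(rel_paths):
    """Every directory strictly between the license root and each file,
    parents before children. These are exactly the entries the thread
    says the filelist generator was not emitting."""
    dirs = set()
    for rel in rel_paths:
        parent = PurePosixPath(rel).parent
        while parent != PurePosixPath("."):
            dirs.add(parent)
            parent = parent.parent
    return sorted(dirs, key=lambda p: (len(p.parts), str(p)))


def generate_filelist(rel_paths, root=LICENSE_ROOT):
    """%files lines: the root, each intermediate directory as
    '%license %dir', then each file as '%license'. rpm accepts
    '%license %dir' (see comment #7), so the directories are owned and
    still treated as license content."""
    lines = [f"%license %dir {root}"]
    lines += [f"%license %dir {root / d}" for d in intermediate_dirs(rel_paths)]
    lines += [f"%license {root / PurePosixPath(f)}" for f in sorted(rel_paths)]
    return lines


def parse_filelist(lines):
    """Split a %files fragment into (owned directories, files); the last
    whitespace-separated token is the path, anything before it is macros."""
    owned_dirs, files = set(), []
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        path = PurePosixPath(tokens[-1])
        if "%dir" in tokens[:-1]:
            owned_dirs.add(path)
        else:
            files.append(path)
    return owned_dirs, files


def unowned_dirs(lines, root=LICENSE_ROOT):
    """Directories below `root` that contain a listed file or directory but
    have no '%dir' entry of their own: fedora-review's
    'Directories without known owners'."""
    owned_dirs, files = parse_filelist(lines)
    missing = set()
    for path in list(files) + list(owned_dirs):
        parent = path.parent
        while parent != root and root in parent.parents:
            if parent not in owned_dirs:
                missing.add(parent)
            parent = parent.parent
    return sorted(str(p) for p in missing)


def demo():
    """Reproduce the review finding: drop two intermediate '%dir' lines
    from a correct filelist and report what is left unowned."""
    good = generate_filelist(SAMPLE_LICENSE_FILES)
    broken = [l for l in good if not l.endswith(("/kylelemons", "/beorn7"))]
    return unowned_dirs(broken)


if __name__ == "__main__":
    print("\n".join(generate_filelist(SAMPLE_LICENSE_FILES)))
    print("unowned after dropping intermediates:", demo())
```

Running the script prints the full fragment and then the two directories (kylelemons and beorn7) that the trimmed list leaves unowned, matching the shape of the fedora-review complaint in comment #3; feeding the generated fragment straight into the checker reports nothing.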

--- Comment #4 from Jerry James ---
Rpmlint
-------
Checking: trivy-0.50.0-1.fc41.x86_64.rpm
          trivy-debuginfo-0.50.0-1.fc41.x86_64.rpm
          trivy-debugsource-0.50.0-1.fc41.x86_64.rpm
          trivy-0.50.0-1.fc41.src.rpm
rpmlint session starts
rpmlint: 2.5.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmphxa68sdv')]
checks: 32, packages: 4

trivy.src: E: spelling-error ('misconfigurations', '%description -l en_US misconfigurations -> configurations, reconfiguration, configuration')
trivy.x86_64: E: spelling-error ('misconfigurations', '%description -l en_US misconfigurations -> configurations, reconfiguration, configuration')
trivy.x86_64: E: readelf-failed /usr/bin/trivy 'utf-8' codec can't decode byte 0xc2 in position 10956: invalid continuation byte
trivy.x86_64: E: non-executable-script /usr/share/licenses/trivy/vendor/cloud.google.com/go/internal/version/update_version.sh 644 /bin/bash
trivy.x86_64: E: non-executable-script /usr/share/licenses/trivy/vendor/cloud.google.com/go/storage/emulator_test.sh 644 /bin/bash
trivy.x86_64: E: non-executable-script /usr/share/licenses/trivy/vendor/github.com/go-git/go-git/v5/oss-fuzz.sh 644 /bin/bash -eu
trivy.x86_64: E: non-executable-script /usr/share/licenses/trivy/vendor/go.opentelemetry.io/otel/get_main_pkgs.sh 644 /usr/bin/env bash
trivy.x86_64: E: non-executable-script /usr/share/licenses/trivy/vendor/go.opentelemetry.io/otel/verify_examples.sh 644 /bin/bash
trivy.x86_64: E: non-executable-script /usr/share/licenses/trivy/vendor/google.golang.org/grpc/regenerate.sh 644 /bin/bash
trivy.x86_64: E: non-executable-script /usr/share/licenses/trivy/vendor/k8s.io/kubectl/pkg/util/i18n/translations/extract.py 644 /usr/bin/env python3
trivy.x86_64: W: no-manual-page-for-binary trivy
trivy.spec: W: invalid-url Source1: trivy-0.50.0-vendor.tar.xz
trivy.spec: W: invalid-url Source0: //github.com/aquasecurity/trivy/archive/v0.50.0/trivy-0.50.0.tar.gz
trivy.x86_64: E: files-duplicated-waste 2071566
trivy-debugsource.x86_64: E: files-duplicated-waste 794638
trivy.x86_64: W: files-duplicate /usr/share/licenses/trivy/vendor/go.opentelemetry.io/otel/trace/LICENSE /usr/share/licenses/trivy/LICENSE:/usr/share/licenses/trivy/vendor/github.com/AdaLogics/go-fuzz-headers/LICENSE:/usr/share/licenses/trivy/vendor/github.com/AdamKorcz/go-118-fuzz-build/LICENSE:/usr/share/licenses/trivy/vendor/github.com/GoogleCloudPlatform/docker-credential-gcr/LICENSE:/usr/share/licenses/trivy/vendor/github.com/agext/levenshtein/LICENSE:(and 33 more)
trivy.x86_64: W: files-duplicate /usr/share/licenses/trivy/vendor/k8s.io/utils/LICENSE /usr/share/licenses/trivy/vendor/cloud.google.com/go/LICENSE:/usr/share/licenses/trivy/vendor/cloud.google.com/go/compute/LICENSE:/usr/share/licenses/trivy/vendor/cloud.google.com/go/compute/metadata/LICENSE:/usr/share/licenses/trivy/vendor/cloud.google.com/go/iam/LICENSE:/usr/share/licenses/trivy/vendor/cloud.google.com/go/storage/LICENSE:(and 96 more)
trivy.x86_64: W: files-duplicate /usr/share/licenses/trivy/vendor/github.com/imdario/mergo/LICENSE /usr/share/licenses/trivy/vendor/dario.cat/mergo/LICENSE
trivy.x86_64: W: files-duplicate /usr/share/licenses/trivy/vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/LICENSE.txt /usr/share/licenses/trivy/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/LICENSE.txt:/usr/share/licenses/trivy/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/LICENSE.txt
trivy.x86_64: W: files-duplicate /usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/tracing/LICENSE /usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/LICENSE:/usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/autorest/LICENSE:/usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/autorest/adal/LICENSE:/usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/autorest/date/LICENSE:/usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/logger/LICENSE
trivy.x86_64: W: files-duplicate /usr/share/licenses/trivy/vendor/github.com/Intevation/jsonpath/LICENSE /usr/share/licenses/trivy/vendor/github.com/Intevation/gval/LICENSE
trivy.x86_64: W: files-duplicate /usr/share/licenses/trivy/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/AUTHORS /usr/share/licenses/trivy/vendor/github.com/ProtonMail/go-crypto/AUTHORS
trivy.x86_64: W: files-duplicate /usr/share/licenses/trivy/vendor/modernc.org/token/LICENSE

--- Comment #3 from Jerry James ---
[!]: Package must own all directories that it creates.
     Note: Directories without known owners:
     /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/service/efs,
     /usr/share/licenses/trivy/vendor/github.com/liggitt/tabwriter,
     /usr/share/licenses/trivy/vendor/sigs.k8s.io/kustomize/kyaml/internal/forked/github.com,
     /usr/share/licenses/trivy/vendor/github.com/kylelemons,
     /usr/share/licenses/trivy/vendor/k8s.io/kube-openapi/pkg/validation,
     /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/feature/s3,
     /usr/share/licenses/trivy/vendor/sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/go-yaml,
     /usr/share/licenses/trivy/vendor/github.com/klauspost/compress,
     /usr/share/licenses/trivy/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp,
     /usr/share/licenses/trivy/vendor/github.com/csaf-poc/csaf_distribution/v3/LICENSES,
     /usr/share/licenses/trivy/vendor/github.com/docker/go-units,
     /usr/share/licenses/trivy/vendor/github.com/moby/spdystream,
     /usr/share/licenses/trivy/vendor/github.com/sergi,
     /usr/share/licenses/trivy/vendor/github.com/open-policy-agent/opa/internal/semver,
     /usr/share/licenses/trivy/vendor/k8s.io/kube-openapi/pkg/internal,
     /usr/share/licenses/trivy/vendor/github.com/hashicorp/hcl/v2,
     /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/service/accessanalyzer,
     /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/service/sso,
     /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/service/rds,
     /usr/share/licenses/trivy/vendor/github.com/beorn7,
     /usr/share/licenses/trivy/vendor/github.com/beorn7/perks,
     /usr/share/licenses/trivy/vendor/github.com/AzureAD,
     /usr/share/licenses/trivy/vendor/google.golang.org/api/internal/third_party,
     /usr/share/licenses/trivy/vendor/github.com/cloudflare,
     /usr/share/licenses/trivy/vendor/google.golang.org/api/internal,
     /usr/share/licenses/trivy/vendor/github.com/moby/sys/user,
     /usr/share/licenses/trivy/vendor/github.com/mxk,
     /usr/share/licenses/trivy/vendor/github.com/cpuguy83/dockercfg,
     /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/service/ecs,
     /usr/share/licenses/trivy/vendor/github.com/russross/blackfriday/v2,
     /usr/share/licenses/trivy/pkg/iac,
     /usr/share/licenses/trivy/vendor/sigs.k8s.io/kustomize,
     /usr/share/licenses/trivy/vendor/github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg,
     /usr/share/licenses/trivy/vendor/go.opentelemetry.io/contrib,
     /usr/share/licenses/trivy/vendor/github.com/moby/sys/mountinfo,
     /usr/share/licenses/trivy/vendor/github.com/jbenet/go-context,
     /usr/share/licenses/trivy/vendor/github.com/vbatts,
     /usr/share/licenses/trivy/vendor/github.com/cenkalti/backoff/v4,
     /usr/share/licenses/trivy/vendor/github.com/alicebob/miniredis/v2/geohash,
     /usr/share/licenses/trivy/vendor/github.com/antchfx,
     /usr/share/licenses/trivy/vendor/k8s.io/client-go/third_party,
     /usr/share/licenses/trivy/vendor/modernc.org/sqlite,
     /usr/share/licenses/trivy/vendor/github.com/go-logr/logr,
     /usr/share/licenses/trivy/vendor/github.com/golang,
     /usr/share/licenses/trivy/vendor/github.com/go-git/go-billy/v5,
     /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/feature,
     /usr/share/licenses/trivy/vendor/dario.cat/mergo,
     /usr/share/licenses/trivy/vendor/github.com/Intevation,
     /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/service/lambda,
     /usr/share/licenses/trivy/vendor/github.com/dlclark,
     /usr/share/licenses/trivy/vendor/github.com/spdx,
     /usr/share/licenses/trivy/vendor/k8s.io,
     /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront,
     /usr/share/licenses/trivy/vendor/github.com/modern-go,
     /usr/share/licenses/trivy/vendor/github.com/oklog,
     /usr/share/licenses/trivy/vendor/cloud.google.com/go/compute,
     /usr/share/licenses/trivy/vendor/github.com/subosito/gotenv,
     /usr/share/licenses/trivy/vendor/github.com/opencontainers,
     /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/service/elasticsearchservice,
     /usr/share/licenses/trivy/vendor/github.com/googleapis/enterprise-certificate-proxy,
     /usr/share/licenses/trivy/vendor/github.com/spf13/afero,
     /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/service/kms,
     /usr/share/licenses/trivy/vendor/golang.org/x,
     /usr/share/licenses/trivy/vendor/github.com/docker/cli,
     /usr/share/licenses/trivy/vendor/github.com/alicebob/miniredis/v2/hyperloglog,
     /usr/share/licenses/trivy/vendor/github.com/vbatts/tar-split,
     /usr/share/licenses/trivy/vendor/github.com/cenkalti/backoff,

--- Comment #2 from Jerry James ---
There don't seem to be any golang packaging guidelines, which surprises me, so I'm doing my best to understand and review properly below. Please excuse me if I make an ignorant comment. The review is so long that bugzilla won't let me paste it all, so I will split it across multiple comments.

Package Review
==

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated

Issues:
===
- There is an awful lot of bundling going on. Is that typical for the golang
  ecosystem?
- I am attempting to see if the License field in the spec file matches the
  actual licenses in play. It's a bit of a challenge. There is no comment in
  the spec file nor any kind of README describing the license breakdown. That
  would help a lot. See the following questions.
- Many files under vendor/modernc.org/libc contain one or both of
  LGPL-2.1-or-later and GPL-3.0-or-later declarations, but I don't see either
  license in the License field. Should they appear there?
- vendor/github.com/rcrowley/go-metrics/LICENSE is BSD-2-Clause-Views, not
  BSD-2-Clause, but I don't see that in License.
- Some files additionally have lines that read:
  // SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note
  I don't know if we are obligated to list notes, or if we only worry about
  exceptions in Fedora. The files:
  - vendor/modernc.org/libc/sys/socket/socket_linux_arm.go
  - vendor/modernc.org/libc/sys/socket/socket_linux_arm64.go
  - vendor/modernc.org/libc/sys/socket/socket_linux_riscv64.go
- What do you make of the license declaration at the top of
  vendor/golang.org/x/crypto/chacha20/chacha_ppc64le.s? Is that file included
  in the build on ppc64le?
- vendor/github.com/alecthomas/chroma/formatters/svg/font_liberation_mono.go
  contains an encoding of a font under the OFL-1.1-RFN license, which does not
  appear in License.
- See the complaint below about unowned directories. This is not an error.
  The directory /usr/share/licenses/trivy/vendor/github.com/kylelemons, for
  example, is not owned by this package, but contains another directory that
  is.
- See the non-executable-script rpmlint warnings below. Please either remove
  the shebangs from those files or make them executable.
- Notice the invalid-url rpmlint warning for Source0. The URL is missing
  "https:" at the beginning. Is this a weakness of %gourl? Is something
  missing from the spec file that would cause that to appear?
- Note that unused-direct-shlib-dependency warning for /usr/bin/trivy. It
  depends, uselessly, on libresolv.so.2. Does that mean /usr/bin/trivy was
  linked without --as-needed?
- Version 0.50.1 has been released, FYI.

= MUST items =

C/C++:
[x]: Provides: bundled(gnulib) in place as required.
     Note: Sources not installed
[x]: Package does not contain kernel modules.
[x]: Package does not contain any libtool archives (.la)
[x]: Package contains no static executables.
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[!]: License field in the package spec file matches the actual license.
     Note: There is no build directory. Running licensecheck on vanilla
     upstream sources. Licenses found: "Unknown or generated", "*No
     copyright* Apache License 2.0", "Apache License 2.0", "BSD 3-Clause
     License", "MIT License", "*No copyright* MIT License", "BSD 2-Clause
     License", "Apache License 2.0 and/or MIT License", "BSD 3-Clause License
     and/or MIT License", "*No copyright* GNU Lesser General Public License",
     "*No copyright* The Unlicense", "*No copyright* Apache License 2.0 and/or
     Creative Commons Attribution 4.0", "ISC License", "Apache License 2.0
     and/or Creative Commons Attribution 4.0", "BSD 2-Clause License and/or
     ISC License", "*No copyright* Mozilla Public License 2.0", "Mozilla
     Public License 2.0", "Apache License 2.0 and/or BSD 3-Clause License",
     "BSD 2-Clause with views sentence", "*No copyright* Creative Commons
     Attribution 4.0", "Apple Public Source License 2.0", "*No copyright*
     Public domain", "*No copyright* Apache License 2.0 and/or Public domain",
     "GNU Lesser General Public License v2.1 or later", "BSD 2-Clause License
     and/or BSD 2-clause FreeBSD License and/or BSD 3-Clause License", "BSD
     3-Clause License and/or GNU Lesser General Public License v2.1 or later",
     "*No copyright* BSD 2-Clause License", "BSD 2-Clause License and/or BSD
     2-clause FreeBSD License", "BSD 2-clause NetBSD License", "BSD-4-Clause
     (University of California-Specific) and/or GNU General Public License
     v3.0 or later", "BSD 3-Clause License and/or Public domain", "GNU General
     Public License v3.0 or later and/or GNU General Public

Jerry James changed:

           What    |Removed                 |Added
--------------------------------------------------------------
                 CC|                        |loganje...@gmail.com
              Flags|                        |fedora-review?
           Doc Type|---                     |If docs needed, set a value
           Assignee|nob...@fedoraproject.org|loganje...@gmail.com
             Status|NEW                     |ASSIGNED

--- Comment #1 from Jerry James ---
I will take this review.