[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-05 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258

Fedora Update System  changed:

   What|Removed |Added

 Status|MODIFIED|CLOSED
 Resolution|--- |ERRATA
Last Closed||2024-04-06 05:42:21



--- Comment #15 from Fedora Update System  ---
FEDORA-2024-9ed62a7814 (trivy-0.50.1-1.fc41) has been pushed to the Fedora 41
stable repository.
If problem still persists, please make note of it in this bug report.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
https://bugzilla.redhat.com/show_bug.cgi?id=2272258

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202272258%23c15
--
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-05 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258

Fedora Update System  changed:

   What|Removed |Added

 Status|POST|MODIFIED



--- Comment #14 from Fedora Update System  ---
FEDORA-2024-9ed62a7814 (trivy-0.50.1-1.fc41) has been submitted as an update to
Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-9ed62a7814




[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-05 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258

Fedora Admin user for bugzilla script actions  changed:

   What|Removed |Added

 Status|ASSIGNED|POST



--- Comment #13 from Fedora Admin user for bugzilla script actions  ---
The Pagure repository was created at https://src.fedoraproject.org/rpms/trivy




[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-05 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258

Jerry James  changed:

   What|Removed |Added

  Flags|fedora-review?  |fedora-review+



--- Comment #12 from Jerry James  ---
(In reply to Maxwell G from comment #11)
> 臘
> https://git.sr.ht/~gotmax23/trivy-rpm/commit/0e6ec42eca8c5d80d7167fdeae9a61968e16f744

Aha, mystery solved!  You have addressed all of my concerns, so this package is
APPROVED.




[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-05 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258



--- Comment #11 from Maxwell G  ---
> - Notice the invalid-url rpmlint warning for Source0.  The URL is missing
>   "https:" at the beginning.  Is this a weakness of %gourl?  Is something
>   missing from the spec file that would cause that to appear?



臘
https://git.sr.ht/~gotmax23/trivy-rpm/commit/0e6ec42eca8c5d80d7167fdeae9a61968e16f744




[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-05 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258



--- Comment #10 from Maxwell G  ---
Spec URL: https://gotmax23.fedorapeople.org/reviews/trivy/trivy.spec
SRPM URL:
https://gotmax23.fedorapeople.org/reviews/trivy/trivy-0.50.0-1.fc39.src.rpm

Fix Source0 entry




[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-04 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258



--- Comment #9 from Maxwell G  ---
I updated the specfile. I have fixed the incorrect/missing license issues,
replaced modernc.org/sqlite with less problematic github.com/mattn/go-sqlite3,
and removed the files with shebang issues (those files were included by
%go_vendor_license_install, as they had license headers, but they were just
development scripts, so there was no need to include them). The directory
ownership issues were also fixed in go-vendor-tools; I pushed the fix to
rawhide.

https://git.sr.ht/~gotmax23/trivy-rpm has the unpacked sources if that's easier
to review.




[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-04 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258



--- Comment #8 from Maxwell G  ---
Spec URL: https://gotmax23.fedorapeople.org/reviews/trivy/trivy.spec
SRPM URL:
https://gotmax23.fedorapeople.org/reviews/trivy/trivy-0.50.0-1.fc39.src.rpm



Koji scratch build:
https://koji.fedoraproject.org/koji/taskinfo?taskID=115896937




[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-03 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258



--- Comment #7 from Jerry James  ---
(In reply to Maxwell G from comment #5)
> This is the first package to use
> https://gitlab.com/fedora/sigs/go/go-vendor-tools, the new tooling for
> vendoring Go packages, and is actually an optional dependency of
> go-vendor-tools itself, so there is still some work to do. See the
> discussion in
> https://lists.fedoraproject.org/archives/list/gol...@lists.fedoraproject.org/thread/K5P6P2MGEE3SCPF4SZFWOIUGHQHJ6GGG/.
> I apologize for missing some
> context with this review request. I had expected for a Go SIG member who had
> participated in the previous discussions to review the package, but your
> review is very welcome. Thank you!

If some Go SIG member wants to take over this review, I am happy to hand it
over.

I actually have reviewed Go packages before, but it's been awhile, and I am
clearly not up on the latest developments.

> > There don't seem to be any golang packaging guidelines
> 
> These do exist in
> https://docs.fedoraproject.org/en-US/packaging-guidelines/Golang/, but don't
> cover the new tooling yet.

Okay.  I expected to find a link in
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_domain_specific_guidelines,
but I don't see one there.

I am satisfied with your other answers.  (I didn't know "%license %dir" was a
thing.  I'm glad that works!)  I look forward to the next iteration.  Thanks
for doing the work to get trivy packaged.  It will be a great addition to
Fedora.




[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-02 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258



--- Comment #6 from Maxwell G  ---
> - See the non-executable-script rpmlint warnings below.  Please either remove
>   the shebangs from those files or make them executable.

> - Note that unused-direct-shlib-dependency warning for /usr/bin/trivy.  It
>   depends, uselessly, on libresolv.so.2.  Does that mean /usr/bin/trivy was
>   linked without --as-needed?

I'll look at these two items as well.




[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-02 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258



--- Comment #5 from Maxwell G  ---
This is the first package to use
https://gitlab.com/fedora/sigs/go/go-vendor-tools, the new tooling for
vendoring Go packages, and is actually an optional dependency of
go-vendor-tools itself, so there is still some work to do. See the discussion
in
https://lists.fedoraproject.org/archives/list/gol...@lists.fedoraproject.org/thread/K5P6P2MGEE3SCPF4SZFWOIUGHQHJ6GGG/.
I apologize for missing some context with this review request. I had expected
for a Go SIG member who had participated in the previous discussions to review
the package, but your review is very welcome. Thank you!

trivy has a lot of dependencies, some of which do atypical things (e.g., the
modernc dependencies), and is not representative of the average Go project. It
was likely not the best first package… Anyways, I will respond to the rest of
your feedback inline.

(In reply to Jerry James from comment #2)

> There don't seem to be any golang packaging guidelines

These do exist in
https://docs.fedoraproject.org/en-US/packaging-guidelines/Golang/, but don't
cover the new tooling yet.

> I'm doing my best to understand and review properly below.  Please excuse me
> if I make an ignorant comment.  The review is so long that bugzilla won't let
> me paste it all, so I will split it across multiple comments.

Sure—thank you for bearing with me.

> Package Review
> ==
> 
> Legend:
> [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
> 
> Issues:
> ===
> 
> - There is an awful lot of bundling going on.  Is that typical for the golang
>   ecosystem?

See the above comment about bundling.

> - I am attempting to see if the License field in the spec file matches the
>   actual licenses in play.  It's a bit of a challenge.  There is no comment in
>   the spec file nor any kind of README describing the license breakdown.  That
>   would help a lot.  See the following questions.

go-vendor-tools automatically computes the license tag, but there definitely
should be a comment explaining that. I opened
https://gitlab.com/fedora/sigs/go/go2rpm/-/issues/41.

> - Many files under vendor/modernc.org/libc contain one or both of
>   LGPL-2.1-or-later and GPL-3.0-or-later declarations, but I don't see either
>   license in the License field.  Should they appear there?

The licensing of that project is murky. See
https://gitlab.com/cznic/libc/-/issues/31. It's pulled in via trivy's
dependency on modernc.org/sqlite. I wonder if upstream would consider a
different sqlite driver. I'll keep digging into it.

> - vendor/github.com/rcrowley/go-metrics/LICENSE is BSD-2-Clause-Views, not
>   BSD-2-Clause, but I don't see that in License.

Fixed locally.

> - Some files additionally have lines that read:
>   // SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note
>   I don't know if we are obligated to list notes, or if we only worry about
>   exceptions in Fedora.  The files:
>   - vendor/modernc.org/libc/sys/socket/socket_linux_arm.go
>   - vendor/modernc.org/libc/sys/socket/socket_linux_arm64.go
>   - vendor/modernc.org/libc/sys/socket/socket_linux_riscv64.go

See above.

> - What do you make of the license declaration at the top of
>   vendor/golang.org/x/crypto/chacha20/chacha_ppc64le.s?  Is that file included
>   in the build on ppc64le?

The link in that comment is dead, but
https://web.archive.org/web/20240111224133/https://www.openssl.org/~appro/cryptogams/
still has it and
https://github.com/dot-asm/cryptogams/blob/a60f5b50ed908e91e5c39ca79126a4a876d5d8ff/LICENSE
suggests that this is available under the BSD-3-Clause license OR (an
unspecified version of) the GPL. golang-x-crypto is licensed under BSD-3-Clause
as well and only retains that notice. go-vendor-tools already detects this
dependency as BSD-3-Clause, so we should be okay there. I don't think adding an
"OR GPL-1.0-or-later" to account for 

> ALTERNATIVELY, provided that this notice is retained in full, this
product may be distributed under the terms of the GNU General Public
License (GPL), in which case the provisions of the GPL apply INSTEAD OF
those given above.

in the original project's license makes sense here.

> - vendor/github.com/alecthomas/chroma/formatters/svg/font_liberation_mono.go
>   contains an encoding of a font under the OFL-1.1-RFN license, which does not
>   appear in License.

Fixed locally.

> - See the complaint below about unowned directories.  This is not an error.
>   The directory /usr/share/licenses/trivy/vendor/github.com/kylelemons, for
>   example, is not owned by this package, but contains another directory that
>   is.

Tracked at https://gitlab.com/fedora/sigs/go/go-vendor-tools/-/issues/44. The
code that generates the license filelist also needs to add entries for
intermediate directories.

> - See the non-executable-script rpmlint warnings below.  Please either remove
>   the shebangs from those files or make them executable.

> 
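The unowned-directory point raised in comment #5 (the license filelist must also carry entries for intermediate directories, the fix Maxwell G reports landing in go-vendor-tools in comment #9), shown as an added example that is not go-vendor-tools' own code: it derives every directory between the license root and each installed license file and emits a `%license %dir` line for each, beside the leaf-only list that leaves directories such as vendor/github.com/kylelemons unowned. The sample paths are constructed from module names in the thread; the `godebug` subdirectory and the `%{_licensedir}/%{name}` root spelling are assumptions.

```python
from pathlib import PurePosixPath

# Constructed sample input: paths relative to the package's license root
# (/usr/share/licenses/trivy on the page).  Module names are taken from the
# review thread; the "godebug" subdirectory under kylelemons is an assumption.
SAMPLE_LICENSE_FILES = [
    "LICENSE",
    "vendor/github.com/kylelemons/godebug/LICENSE",
    "vendor/github.com/beorn7/perks/LICENSE",
    "vendor/github.com/rcrowley/go-metrics/LICENSE",
    "vendor/modernc.org/libc/LICENSE",
    "vendor/modernc.org/sqlite/LICENSE",
]


def leaf_dirs(rel_paths):
    """Directories that directly contain a license file: what a naive
    filelist that only lists each file's parent would own."""
    return sorted({str(PurePosixPath(p).parent) for p in rel_paths
                   if str(PurePosixPath(p).parent) != "."})


def intermediate_dirs(rel_paths):
    """Every directory between the license root and each file, leaf
    directories included, so that no level is left without an owner."""
    dirs = set()
    for p in rel_paths:
        for parent in PurePosixPath(p).parents:
            if str(parent) != ".":          # "." is the license root itself
                dirs.add(str(parent))
    return sorted(dirs)


def unowned_dirs(rel_paths, owned_dirs):
    """Directories rpm would leave unowned if only `owned_dirs` carried a
    %dir entry; this is the condition fedora-review flags on the page."""
    owned = set(owned_dirs)
    return [d for d in intermediate_dirs(rel_paths) if d not in owned]


def render_filelist(rel_paths, root="%{_licensedir}/%{name}"):
    """Emit %files lines: a %license %dir for the root and every directory
    under it, then a %license line per file.  `root` is an assumed macro
    spelling for the package's license directory."""
    lines = [f"%license %dir {root}"]
    lines += [f"%license %dir {root}/{d}" for d in intermediate_dirs(rel_paths)]
    lines += [f"%license {root}/{f}" for f in sorted(rel_paths)]
    return lines


if __name__ == "__main__":
    missing = unowned_dirs(SAMPLE_LICENSE_FILES, leaf_dirs(SAMPLE_LICENSE_FILES))
    print("unowned with leaf-only %dir entries:", missing)
    print("\n".join(render_filelist(SAMPLE_LICENSE_FILES)))
```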

[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-02 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258



--- Comment #4 from Jerry James  ---
Rpmlint
---
Checking: trivy-0.50.0-1.fc41.x86_64.rpm
  trivy-debuginfo-0.50.0-1.fc41.x86_64.rpm
  trivy-debugsource-0.50.0-1.fc41.x86_64.rpm
  trivy-0.50.0-1.fc41.src.rpm
 rpmlint session starts

rpmlint: 2.5.0
configuration:
/usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
/etc/xdg/rpmlint/fedora-legacy-licenses.toml
/etc/xdg/rpmlint/fedora-spdx-licenses.toml
/etc/xdg/rpmlint/fedora.toml
/etc/xdg/rpmlint/scoring.toml
/etc/xdg/rpmlint/users-groups.toml
/etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmphxa68sdv')]
checks: 32, packages: 4

trivy.src: E: spelling-error ('misconfigurations', '%description -l en_US
misconfigurations -> configurations, reconfiguration, configuration')
trivy.x86_64: E: spelling-error ('misconfigurations', '%description -l en_US
misconfigurations -> configurations, reconfiguration, configuration')
trivy.x86_64: E: readelf-failed /usr/bin/trivy 'utf-8' codec can't decode byte
0xc2 in position 10956: invalid continuation byte
trivy.x86_64: E: non-executable-script
/usr/share/licenses/trivy/vendor/cloud.google.com/go/internal/version/update_version.sh
644 /bin/bash
trivy.x86_64: E: non-executable-script
/usr/share/licenses/trivy/vendor/cloud.google.com/go/storage/emulator_test.sh
644 /bin/bash
trivy.x86_64: E: non-executable-script
/usr/share/licenses/trivy/vendor/github.com/go-git/go-git/v5/oss-fuzz.sh 644
/bin/bash -eu
trivy.x86_64: E: non-executable-script
/usr/share/licenses/trivy/vendor/go.opentelemetry.io/otel/get_main_pkgs.sh 644
/usr/bin/env bash
trivy.x86_64: E: non-executable-script
/usr/share/licenses/trivy/vendor/go.opentelemetry.io/otel/verify_examples.sh
644 /bin/bash
trivy.x86_64: E: non-executable-script
/usr/share/licenses/trivy/vendor/google.golang.org/grpc/regenerate.sh 644
/bin/bash
trivy.x86_64: E: non-executable-script
/usr/share/licenses/trivy/vendor/k8s.io/kubectl/pkg/util/i18n/translations/extract.py
644 /usr/bin/env python3
trivy.x86_64: W: no-manual-page-for-binary trivy
trivy.spec: W: invalid-url Source1: trivy-0.50.0-vendor.tar.xz
trivy.spec: W: invalid-url Source0:
//github.com/aquasecurity/trivy/archive/v0.50.0/trivy-0.50.0.tar.gz
trivy.x86_64: E: files-duplicated-waste 2071566
trivy-debugsource.x86_64: E: files-duplicated-waste 794638
trivy.x86_64: W: files-duplicate
/usr/share/licenses/trivy/vendor/go.opentelemetry.io/otel/trace/LICENSE
/usr/share/licenses/trivy/LICENSE:/usr/share/licenses/trivy/vendor/github.com/AdaLogics/go-fuzz-headers/LICENSE:/usr/share/licenses/trivy/vendor/github.com/AdamKorcz/go-118-fuzz-build/LICENSE:/usr/share/licenses/trivy/vendor/github.com/GoogleCloudPlatform/docker-credential-gcr/LICENSE:/usr/share/licenses/trivy/vendor/github.com/agext/levenshtein/LICENSE:(and
33 more)
trivy.x86_64: W: files-duplicate
/usr/share/licenses/trivy/vendor/k8s.io/utils/LICENSE
/usr/share/licenses/trivy/vendor/cloud.google.com/go/LICENSE:/usr/share/licenses/trivy/vendor/cloud.google.com/go/compute/LICENSE:/usr/share/licenses/trivy/vendor/cloud.google.com/go/compute/metadata/LICENSE:/usr/share/licenses/trivy/vendor/cloud.google.com/go/iam/LICENSE:/usr/share/licenses/trivy/vendor/cloud.google.com/go/storage/LICENSE:(and
96 more)
trivy.x86_64: W: files-duplicate
/usr/share/licenses/trivy/vendor/github.com/imdario/mergo/LICENSE
/usr/share/licenses/trivy/vendor/dario.cat/mergo/LICENSE
trivy.x86_64: W: files-duplicate
/usr/share/licenses/trivy/vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/LICENSE.txt
/usr/share/licenses/trivy/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/LICENSE.txt:/usr/share/licenses/trivy/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/LICENSE.txt
trivy.x86_64: W: files-duplicate
/usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/tracing/LICENSE
/usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/LICENSE:/usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/autorest/LICENSE:/usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/autorest/adal/LICENSE:/usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/autorest/date/LICENSE:/usr/share/licenses/trivy/vendor/github.com/Azure/go-autorest/logger/LICENSE
trivy.x86_64: W: files-duplicate
/usr/share/licenses/trivy/vendor/github.com/Intevation/jsonpath/LICENSE
/usr/share/licenses/trivy/vendor/github.com/Intevation/gval/LICENSE
trivy.x86_64: W: files-duplicate
/usr/share/licenses/trivy/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/AUTHORS
/usr/share/licenses/trivy/vendor/github.com/ProtonMail/go-crypto/AUTHORS
trivy.x86_64: W: files-duplicate
/usr/share/licenses/trivy/vendor/modernc.org/token/LICENSE

[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-02 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258



--- Comment #3 from Jerry James  ---
[!]: Package must own all directories that it creates.
 Note: Directories without known owners:
 /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-
 go-v2/service/efs,
 /usr/share/licenses/trivy/vendor/github.com/liggitt/tabwriter,

/usr/share/licenses/trivy/vendor/sigs.k8s.io/kustomize/kyaml/internal/forked/github.com,
 /usr/share/licenses/trivy/vendor/github.com/kylelemons,
 /usr/share/licenses/trivy/vendor/k8s.io/kube-openapi/pkg/validation,
 /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-
 go-v2/feature/s3,

/usr/share/licenses/trivy/vendor/sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/go-
 yaml, /usr/share/licenses/trivy/vendor/github.com/klauspost/compress,

/usr/share/licenses/trivy/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp,
 /usr/share/licenses/trivy/vendor/github.com/csaf-
 poc/csaf_distribution/v3/LICENSES,
 /usr/share/licenses/trivy/vendor/github.com/docker/go-units,
 /usr/share/licenses/trivy/vendor/github.com/moby/spdystream,
 /usr/share/licenses/trivy/vendor/github.com/sergi,
 /usr/share/licenses/trivy/vendor/github.com/open-policy-
 agent/opa/internal/semver,
 /usr/share/licenses/trivy/vendor/k8s.io/kube-openapi/pkg/internal,
 /usr/share/licenses/trivy/vendor/github.com/hashicorp/hcl/v2,
 /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-
 go-v2/service/accessanalyzer,
 /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-
 go-v2/service/sso,
 /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-
 go-v2/service/rds, /usr/share/licenses/trivy/vendor/github.com/beorn7,
 /usr/share/licenses/trivy/vendor/github.com/beorn7/perks,
 /usr/share/licenses/trivy/vendor/github.com/AzureAD,

/usr/share/licenses/trivy/vendor/google.golang.org/api/internal/third_party,
 /usr/share/licenses/trivy/vendor/github.com/cloudflare,
 /usr/share/licenses/trivy/vendor/google.golang.org/api/internal,
 /usr/share/licenses/trivy/vendor/github.com/moby/sys/user,
 /usr/share/licenses/trivy/vendor/github.com/mxk,
 /usr/share/licenses/trivy/vendor/github.com/cpuguy83/dockercfg,
 /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-
 go-v2/service/ecs,
 /usr/share/licenses/trivy/vendor/github.com/russross/blackfriday/v2,
 /usr/share/licenses/trivy/pkg/iac,
 /usr/share/licenses/trivy/vendor/sigs.k8s.io/kustomize,

/usr/share/licenses/trivy/vendor/github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg,
 /usr/share/licenses/trivy/vendor/go.opentelemetry.io/contrib,
 /usr/share/licenses/trivy/vendor/github.com/moby/sys/mountinfo,
 /usr/share/licenses/trivy/vendor/github.com/jbenet/go-context,
 /usr/share/licenses/trivy/vendor/github.com/vbatts,
 /usr/share/licenses/trivy/vendor/github.com/cenkalti/backoff/v4,
 /usr/share/licenses/trivy/vendor/github.com/alicebob/miniredis/v2/geohash,
 /usr/share/licenses/trivy/vendor/github.com/antchfx,
 /usr/share/licenses/trivy/vendor/k8s.io/client-go/third_party,
 /usr/share/licenses/trivy/vendor/modernc.org/sqlite,
 /usr/share/licenses/trivy/vendor/github.com/go-logr/logr,
 /usr/share/licenses/trivy/vendor/github.com/golang,
 /usr/share/licenses/trivy/vendor/github.com/go-git/go-billy/v5,
 /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-go-v2/feature,
 /usr/share/licenses/trivy/vendor/dario.cat/mergo,
 /usr/share/licenses/trivy/vendor/github.com/Intevation,
 /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-
 go-v2/service/lambda,
 /usr/share/licenses/trivy/vendor/github.com/dlclark,
 /usr/share/licenses/trivy/vendor/github.com/spdx,
 /usr/share/licenses/trivy/vendor/k8s.io,
 /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-
 go-v2/service/cloudfront,
 /usr/share/licenses/trivy/vendor/github.com/modern-go,
 /usr/share/licenses/trivy/vendor/github.com/oklog,
 /usr/share/licenses/trivy/vendor/cloud.google.com/go/compute,
 /usr/share/licenses/trivy/vendor/github.com/subosito/gotenv,
 /usr/share/licenses/trivy/vendor/github.com/opencontainers,
 /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-
 go-v2/service/elasticsearchservice,
 /usr/share/licenses/trivy/vendor/github.com/googleapis/enterprise-
 certificate-proxy,
 /usr/share/licenses/trivy/vendor/github.com/spf13/afero,
 /usr/share/licenses/trivy/vendor/github.com/aws/aws-sdk-
 go-v2/service/kms, /usr/share/licenses/trivy/vendor/golang.org/x,
 /usr/share/licenses/trivy/vendor/github.com/docker/cli,

/usr/share/licenses/trivy/vendor/github.com/alicebob/miniredis/v2/hyperloglog,
 /usr/share/licenses/trivy/vendor/github.com/vbatts/tar-split,
 /usr/share/licenses/trivy/vendor/github.com/cenkalti/backoff,
 

[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-02 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258



--- Comment #2 from Jerry James  ---
There don't seem to be any golang packaging guidelines, which surprises me, so
I'm doing my best to understand and review properly below.  Please excuse me
if I make an ignorant comment.  The review is so long that bugzilla won't let
me paste it all, so I will split it across multiple comments.

Package Review
==

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated

Issues:
===
- There is an awful lot of bundling going on.  Is that typical for the golang
  ecosystem?

- I am attempting to see if the License field in the spec file matches the
  actual licenses in play.  It's a bit of a challenge.  There is no comment in
  the spec file nor any kind of README describing the license breakdown.  That
  would help a lot.  See the following questions.

- Many files under vendor/modernc.org/libc contain one or both of
  LGPL-2.1-or-later and GPL-3.0-or-later declarations, but I don't see either
  license in the License field.  Should they appear there?

- vendor/github.com/rcrowley/go-metrics/LICENSE is BSD-2-Clause-Views, not
  BSD-2-Clause, but I don't see that in License.

- Some files additionally have lines that read:
  // SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note
  I don't know if we are obligated to list notes, or if we only worry about
  exceptions in Fedora.  The files:
  - vendor/modernc.org/libc/sys/socket/socket_linux_arm.go
  - vendor/modernc.org/libc/sys/socket/socket_linux_arm64.go
  - vendor/modernc.org/libc/sys/socket/socket_linux_riscv64.go

- What do you make of the license declaration at the top of
  vendor/golang.org/x/crypto/chacha20/chacha_ppc64le.s?  Is that file included
  in the build on ppc64le?

- vendor/github.com/alecthomas/chroma/formatters/svg/font_liberation_mono.go
  contains an encoding of a font under the OFL-1.1-RFN license, which does not
  appear in License.

- See the complaint below about unowned directories.  This is not an error.
  The directory /usr/share/licenses/trivy/vendor/github.com/kylelemons, for
  example, is not owned by this package, but contains another directory that
  is.

- See the non-executable-script rpmlint warnings below.  Please either remove
  the shebangs from those files or make them executable.

- Notice the invalid-url rpmlint warning for Source0.  The URL is missing
  "https:" at the beginning.  Is this a weakness of %gourl?  Is something
  missing from the spec file that would cause that to appear?

- Note that unused-direct-shlib-dependency warning for /usr/bin/trivy.  It
  depends, uselessly, on libresolv.so.2.  Does that mean /usr/bin/trivy was
  linked without --as-needed?

- Version 0.50.1 has been released, FYI.

= MUST items =

C/C++:
[x]: Provides: bundled(gnulib) in place as required.
 Note: Sources not installed
[x]: Package does not contain kernel modules.
[x]: Package does not contain any libtool archives (.la)
[x]: Package contains no static executables.
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
 other legal requirements as defined in the legal section of Packaging
 Guidelines.
[!]: License field in the package spec file matches the actual license.
 Note: There is no build directory. Running licensecheck on vanilla
 upstream sources. Licenses found: "Unknown or generated", "*No
 copyright* Apache License 2.0", "Apache License 2.0", "BSD 3-Clause
 License", "MIT License", "*No copyright* MIT License", "BSD 2-Clause
 License", "Apache License 2.0 and/or MIT License", "BSD 3-Clause
 License and/or MIT License", "*No copyright* GNU Lesser General Public
 License", "*No copyright* The Unlicense", "*No copyright* Apache
 License 2.0 and/or Creative Commons Attribution 4.0", "ISC License",
 "Apache License 2.0 and/or Creative Commons Attribution 4.0", "BSD
 2-Clause License and/or ISC License", "*No copyright* Mozilla Public
 License 2.0", "Mozilla Public License 2.0", "Apache License 2.0 and/or
 BSD 3-Clause License", "BSD 2-Clause with views sentence", "*No
 copyright* Creative Commons Attribution 4.0", "Apple Public Source
 License 2.0", "*No copyright* Public domain", "*No copyright* Apache
 License 2.0 and/or Public domain", "GNU Lesser General Public License
 v2.1 or later", "BSD 2-Clause License and/or BSD 2-clause FreeBSD
 License and/or BSD 3-Clause License", "BSD 3-Clause License and/or GNU
 Lesser General Public License v2.1 or later", "*No copyright* BSD
 2-Clause License", "BSD 2-Clause License and/or BSD 2-clause FreeBSD
 License", "BSD 2-clause NetBSD License", "BSD-4-Clause (University of
 California-Specific) and/or GNU General Public License v3.0 or later",
 "BSD 3-Clause License and/or Public domain", "GNU General Public
 License v3.0 or later and/or GNU General Public 

[Bug 2272258] Review Request: trivy - Vulnerability and license scanner

2024-04-02 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2272258

Jerry James  changed:

   What|Removed |Added

 CC||loganje...@gmail.com
  Flags||fedora-review?
   Doc Type|--- |If docs needed, set a value
   Assignee|nob...@fedoraproject.org|loganje...@gmail.com
 Status|NEW |ASSIGNED



--- Comment #1 from Jerry James  ---
I will take this review.

