zhangyiss/spack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

audit: add check for GitLab patches (#40656)

Browse Source 
GitLab's .patch URLs only provide abbreviated hashes, while .diff URLs
provide full hashes. There does not seem to be a parameter to force
.patch URLs to also return full hashes, so we should make sure to use
the .diff ones.
This commit is contained in:
Michael Kuhn 2023-10-23 20:22:39 +02:00 committed by GitHub
parent 3eac79bba7
commit bf6d5df0ec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 73 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
lib/spack/spack/audit.py
View File

@ -307,10 +307,17 @@ def _check_build_test_callbacks(pkgs, error_cls):
@package_directives @package_directives
def _check_patch_urls(pkgs, error_cls): def _check_patch_urls(pkgs, error_cls):
"""Ensure that patches fetched from GitHub have stable sha256 hashes.""" """Ensure that patches fetched from GitHub and GitLab have stable sha256
hashes."""
github_patch_url_re = ( github_patch_url_re = (
r"^https?://(?:patch-diff\.)?github(?:usercontent)?\.com/" r"^https?://(?:patch-diff\.)?github(?:usercontent)?\.com/"
".+/.+/(?:commit|pull)/[a-fA-F0-9]*.(?:patch|diff)" r".+/.+/(?:commit|pull)/[a-fA-F0-9]+\.(?:patch|diff)"
)
# Only .diff URLs have stable/full hashes:
# https://forum.gitlab.com/t/patches-with-full-index/29313
gitlab_patch_url_re = (
r"^https?://(?:.+)?gitlab(?:.+)/"
r".+/.+/-/(?:commit|merge_requests)/[a-fA-F0-9]+\.(?:patch|diff)"
) )
errors = [] errors = []
@ -321,9 +328,7 @@ def _check_patch_urls(pkgs, error_cls):
if not isinstance(patch, spack.patch.UrlPatch): if not isinstance(patch, spack.patch.UrlPatch):
continue continue
if not re.match(github_patch_url_re, patch.url): if re.match(github_patch_url_re, patch.url):
continue
full_index_arg = "?full_index=1" full_index_arg = "?full_index=1"
if not patch.url.endswith(full_index_arg): if not patch.url.endswith(full_index_arg):
errors.append( errors.append(
@ -334,6 +339,16 @@ def _check_patch_urls(pkgs, error_cls):
[patch.url], [patch.url],
) )
) )
elif re.match(gitlab_patch_url_re, patch.url):
if not patch.url.endswith(".diff"):
errors.append(
error_cls(
"patch URL in package {0} must end with .diff".format(
pkg_cls.name
),
[patch.url],
)
)
return errors return errors

4
lib/spack/spack/test/audit.py
View File

@ -21,6 +21,10 @@
(["wrong-variant-in-depends-on"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]), (["wrong-variant-in-depends-on"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]),
# This package has a GitHub patch URL without full_index=1 # This package has a GitHub patch URL without full_index=1
(["invalid-github-patch-url"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]), (["invalid-github-patch-url"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]),
# This package has invalid GitLab patch URLs
(["invalid-gitlab-patch-url"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]),
# This package has invalid GitLab patch URLs
(["invalid-selfhosted-gitlab-patch-url"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]),
# This package has a stand-alone 'test*' method in build-time callbacks # This package has a stand-alone 'test*' method in build-time callbacks
(["fail-test-audit"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]), (["fail-test-audit"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]),
# This package has no issues # This package has no issues

20
var/spack/repos/builtin.mock/packages/invalid-gitlab-patch-url/package.py Normal file
View File

@ -0,0 +1,20 @@
# Copyright 2013-2023 Lawrence Livermore National Security, LLC and other
# Spack Project Developers. See the top-level COPYRIGHT file for details.
#
# SPDX-License-Identifier: (Apache-2.0 OR MIT)
from spack.package import *
class InvalidGitlabPatchUrl(Package):
"""Package that has GitLab patch URLs that fail auditing."""
homepage = "http://www.example.com"
url = "http://www.example.com/patch-1.0.tar.gz"
version("1.0", md5="0123456789abcdef0123456789abcdef")
patch(
"https://gitlab.com/QEF/q-e/-/commit/4ca3afd4c6f27afcf3f42415a85a353a7be1bd37.patch",
sha256="d7dec588efb5c04f99d949d8b9bb4a0fbc98b917ae79e12e4b87ad7c3dc9e268",
)

20
var/spack/repos/builtin.mock/packages/invalid-selfhosted-gitlab-patch-url/package.py Normal file
View File

@ -0,0 +1,20 @@
# Copyright 2013-2023 Lawrence Livermore National Security, LLC and other
# Spack Project Developers. See the top-level COPYRIGHT file for details.
#
# SPDX-License-Identifier: (Apache-2.0 OR MIT)
from spack.package import *
class InvalidSelfhostedGitlabPatchUrl(Package):
"""Package that has GitLab patch URLs that fail auditing."""
homepage = "http://www.example.com"
url = "http://www.example.com/patch-1.0.tar.gz"
version("1.0", md5="0123456789abcdef0123456789abcdef")
patch(
"https://gitlab.gnome.org/GNOME/glib/-/commit/bda87264372c006c94e21ffb8ff9c50ecb3e14bd.patch",
sha256="2e811ec62cb09044c95a4d0213993f09af70cdcc1c709257b33bc9248ae950ed",
)