rpm-spec-analyzer 0.1.1

Visitor-based static analyzer library for RPM .spec files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204

//! RPM310 `arch-policy-contradiction` — flag arch-tag configurations
//! that contradict each other.
//!
//! Cases detected:
//!
//! 1. `BuildArch: noarch` combined with `ExclusiveArch:` or
//!    `ExcludeArch:` — restricting the arch set of a noarch package is
//!    meaningless.
//! 2. `ExclusiveArch:` and `ExcludeArch:` listing overlapping
//!    architectures — `ExcludeArch` cannot remove anything outside
//!    `ExclusiveArch`'s allowed set, so an overlap is dead policy at
//!    best, contradictory at worst.
//!
//! Conservative on macros: any arch token that isn't a plain literal
//! is ignored. The check still fires when at least one resolvable
//! arch is involved.

use std::collections::BTreeSet;

use rpm_spec::ast::{Span, SpecFile, Tag, TagValue, Text};

use crate::diagnostic::{Diagnostic, LintCategory, Severity};
use crate::lint::{Lint, LintMetadata};
use crate::rules::util::collect_top_level_preamble;
use crate::visit::Visit;

pub static METADATA: LintMetadata = LintMetadata {
    id: "RPM310",
    name: "arch-policy-contradiction",
    description: "`BuildArch: noarch` is combined with `ExclusiveArch`/`ExcludeArch`, or \
                  `ExclusiveArch` and `ExcludeArch` list overlapping architectures.",
    default_severity: Severity::Warn,
    category: LintCategory::Correctness,
};

#[derive(Debug, Default)]
pub struct ArchPolicyContradiction {
    diagnostics: Vec<Diagnostic>,
}

impl ArchPolicyContradiction {
    pub fn new() -> Self {
        Self::default()
    }
}

impl<'ast> Visit<'ast> for ArchPolicyContradiction {
    fn visit_spec(&mut self, spec: &'ast SpecFile<Span>) {
        let items = collect_top_level_preamble(spec);

        let mut buildarch_noarch: Option<Span> = None;
        let mut exclusive: Vec<(Span, BTreeSet<String>)> = Vec::new();
        let mut exclude: Vec<(Span, BTreeSet<String>)> = Vec::new();

        for item in &items {
            match &item.tag {
                Tag::BuildArch => {
                    if let TagValue::ArchList(list) = &item.value
                        && literal_archs(list).contains("noarch")
                    {
                        buildarch_noarch = Some(item.data);
                    }
                }
                Tag::ExclusiveArch => {
                    if let TagValue::ArchList(list) = &item.value {
                        exclusive.push((item.data, literal_archs(list)));
                    }
                }
                Tag::ExcludeArch => {
                    if let TagValue::ArchList(list) = &item.value {
                        exclude.push((item.data, literal_archs(list)));
                    }
                }
                _ => {}
            }
        }

        if let Some(noarch_span) = buildarch_noarch {
            for (span, _) in &exclusive {
                self.diagnostics.push(
                    Diagnostic::new(
                        &METADATA,
                        Severity::Warn,
                        "`ExclusiveArch:` set together with `BuildArch: noarch` — \
                         noarch packages run on any arch, so restricting is meaningless",
                        *span,
                    )
                    .with_label(noarch_span, "`BuildArch: noarch` declared here"),
                );
            }
            for (span, _) in &exclude {
                self.diagnostics.push(
                    Diagnostic::new(
                        &METADATA,
                        Severity::Warn,
                        "`ExcludeArch:` set together with `BuildArch: noarch` — \
                         noarch packages run on any arch, so excluding is meaningless",
                        *span,
                    )
                    .with_label(noarch_span, "`BuildArch: noarch` declared here"),
                );
            }
        }

        // ExclusiveArch ∩ ExcludeArch overlap check.
        for (ex_span, ex_set) in &exclusive {
            for (excl_span, excl_set) in &exclude {
                let overlap: Vec<&String> = ex_set.intersection(excl_set).collect();
                if !overlap.is_empty() {
                    let names: Vec<&str> = overlap.iter().map(|s| s.as_str()).collect();
                    self.diagnostics.push(
                        Diagnostic::new(
                            &METADATA,
                            Severity::Warn,
                            format!(
                                "`ExclusiveArch` and `ExcludeArch` both list `{}` — \
                                 either include or exclude, not both",
                                names.join(", "),
                            ),
                            *excl_span,
                        )
                        .with_label(*ex_span, "`ExclusiveArch:` declared here"),
                    );
                }
            }
        }
    }
}

fn literal_archs(list: &[Text]) -> BTreeSet<String> {
    list.iter()
        .filter_map(|t| t.literal_str())
        .map(|s| s.trim().to_owned())
        .filter(|s| !s.is_empty())
        .collect()
}

impl Lint for ArchPolicyContradiction {
    fn metadata(&self) -> &'static LintMetadata {
        &METADATA
    }
    fn take_diagnostics(&mut self) -> Vec<Diagnostic> {
        std::mem::take(&mut self.diagnostics)
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::session::parse;

    fn run(src: &str) -> Vec<Diagnostic> {
        let outcome = parse(src);
        let mut lint = ArchPolicyContradiction::new();
        lint.visit_spec(&outcome.spec);
        lint.take_diagnostics()
    }

    #[test]
    fn flags_noarch_with_exclusivearch() {
        let src = "Name: x\nBuildArch: noarch\nExclusiveArch: x86_64\n";
        let diags = run(src);
        assert_eq!(diags.len(), 1, "{diags:?}");
        assert_eq!(diags[0].lint_id, "RPM310");
        assert!(diags[0].message.contains("noarch"));
    }

    #[test]
    fn flags_noarch_with_excludearch() {
        let src = "Name: x\nBuildArch: noarch\nExcludeArch: s390x\n";
        let diags = run(src);
        assert_eq!(diags.len(), 1);
        assert!(diags[0].message.contains("ExcludeArch"));
    }

    #[test]
    fn flags_exclusivearch_excludearch_overlap() {
        let src = "Name: x\nExclusiveArch: x86_64 aarch64\nExcludeArch: aarch64 s390x\n";
        let diags = run(src);
        assert_eq!(diags.len(), 1);
        assert!(diags[0].message.contains("aarch64"));
    }

    #[test]
    fn silent_for_distinct_arch_lists() {
        let src = "Name: x\nExclusiveArch: x86_64\nExcludeArch: s390x\n";
        assert!(run(src).is_empty());
    }

    #[test]
    fn silent_for_buildarch_x86_64_alone() {
        let src = "Name: x\nBuildArch: x86_64\nExclusiveArch: x86_64\n";
        // No noarch hazard; ExclusiveArch alone is fine.
        assert!(run(src).is_empty());
    }

    #[test]
    fn silent_when_exclusivearch_only_macro_archs() {
        // `ExclusiveArch: %{ix86}` — we can't compare against literal,
        // so no flag.
        let src = "Name: x\nExclusiveArch: %{ix86}\nExcludeArch: s390x\n";
        assert!(run(src).is_empty());
    }
}