rpm-spec-analyzer 0.1.1

Visitor-based static analyzer library for RPM .spec files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253

//! RPM328 `scriptlet-command-without-requires` — a scriptlet invokes
//! a runtime helper (`useradd`, `getent`, `update-alternatives`, ...)
//! whose providing package isn't declared in `Requires:` (any
//! qualifier).
//!
//! The policy table lives on [`PolicyRegistry::scriptlet_required_deps`]
//! and lists `(command, providing-atom)` pairs that every Fedora-,
//! openSUSE-, and ALT-style packaging guide treats as mandatory: when
//! a `%pre` or `%post` runs `useradd`, the spec must `Requires(pre):
//! shadow-utils` (or its family equivalent). Without the dep, the
//! scriptlet aborts on minimal images that don't pull the helper in
//! transitively.
//!
//! We accept *any* qualifier on the matching `Requires:` — a plain
//! `Requires: shadow-utils` is fine, as is `Requires(pre,post)`. The
//! diagnostic reports the *canonical* qualifier matching the scriptlet
//! phase (e.g. `Requires(pre)` for `%pre`), which is the form the user
//! will most likely want to type. The rule fires once per
//! `(scriptlet-section, missing-atom)` pair so a `%post` that calls
//! `systemctl` three times produces one diagnostic, not three.
//! `systemctl` calls themselves are also flagged by RPM342 ("use
//! `%systemd_post`"); the two rules are complementary — RPM342 says
//! "wrong tool", RPM328 says "missing dep if you keep the tool".

use std::collections::BTreeSet;

use rpm_spec::ast::{ScriptletKind, Span, SpecFile, Tag};

use crate::diagnostic::{Diagnostic, LintCategory, Severity};
use crate::lint::{Lint, LintMetadata};
use crate::policy::PolicyRegistry;
use crate::rules::util::collect_top_level_dep_names;
use crate::shell::{CommandUseIndex, SectionRef};
use crate::visit::Visit;
use rpm_spec_profile::Profile;

pub static METADATA: LintMetadata = LintMetadata {
    id: "RPM328",
    name: "scriptlet-command-without-requires",
    description: "A scriptlet invokes a runtime helper (`useradd`, `getent`, \
                  `update-alternatives`, ...) without declaring the providing package in \
                  `Requires:`. Minimal images abort the scriptlet with command-not-found.",
    default_severity: Severity::Warn,
    category: LintCategory::Correctness,
};

#[derive(Debug, Default)]
pub struct ScriptletCommandWithoutRequires {
    diagnostics: Vec<Diagnostic>,
    policy: PolicyRegistry,
}

impl ScriptletCommandWithoutRequires {
    pub fn new() -> Self {
        Self::default()
    }
}

impl<'ast> Visit<'ast> for ScriptletCommandWithoutRequires {
    fn visit_spec(&mut self, spec: &'ast SpecFile<Span>) {
        if self.policy.scriptlet_required_deps.is_empty() {
            return;
        }
        let declared = collect_top_level_dep_names(spec, |t| matches!(t, Tag::Requires));
        let idx = CommandUseIndex::from_spec(spec);
        let mut reported: BTreeSet<(usize, &'static str)> = BTreeSet::new();

        for call in idx.all() {
            let SectionRef::Scriptlet { kind, .. } = call.location else {
                continue;
            };
            let Some(cmd) = call.name.as_deref() else {
                continue;
            };
            let Some(&(_, req_atom)) = self
                .policy
                .scriptlet_required_deps
                .iter()
                .find(|(tool, _)| *tool == cmd)
            else {
                continue;
            };
            if declared.contains(req_atom) {
                continue;
            }
            // Dedup per `(scriptlet section, missing atom)` so multiple
            // calls to the same tool in one scriptlet emit once.
            let key = (call.location.section_span().start_byte, req_atom);
            if !reported.insert(key) {
                continue;
            }
            let phase = scriptlet_qualifier(kind);
            self.diagnostics.push(Diagnostic::new(
                &METADATA,
                Severity::Warn,
                format!(
                    "scriptlet calls `{cmd}` in %{phase} but the spec does not declare \
                     `Requires({phase}): {req_atom}`; the scriptlet will abort on minimal \
                     images that don't pull the helper in transitively"
                ),
                call.location.section_span(),
            ));
        }
    }
}

/// Canonical `Requires(<qualifier>)` token matching the scriptlet
/// phase. Mirrors RPM's own naming so the diagnostic suggestion is
/// directly copy-pasteable into the spec.
fn scriptlet_qualifier(kind: ScriptletKind) -> &'static str {
    match kind {
        ScriptletKind::Pre => "pre",
        ScriptletKind::Post => "post",
        ScriptletKind::Preun => "preun",
        ScriptletKind::Postun => "postun",
        ScriptletKind::Pretrans => "pretrans",
        ScriptletKind::Posttrans => "posttrans",
        ScriptletKind::Preuntrans => "preuntrans",
        ScriptletKind::Postuntrans => "postuntrans",
        // `ScriptletKind` is `#[non_exhaustive]`; a future variant
        // falls back to a neutral label that still reads as a hint.
        _ => "pre",
    }
}

impl Lint for ScriptletCommandWithoutRequires {
    fn metadata(&self) -> &'static LintMetadata {
        &METADATA
    }
    fn take_diagnostics(&mut self) -> Vec<Diagnostic> {
        std::mem::take(&mut self.diagnostics)
    }
    fn applies_to_profile(&self, profile: &Profile) -> bool {
        !PolicyRegistry::for_profile(profile)
            .scriptlet_required_deps
            .is_empty()
    }
    fn set_profile(&mut self, profile: &Profile) {
        self.policy = PolicyRegistry::for_profile(profile);
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::session::parse;
    use rpm_spec_profile::{Family, Profile};

    fn fedora_profile() -> Profile {
        let mut p = Profile::default();
        p.identity.family = Some(Family::Fedora);
        p
    }

    fn run(src: &str) -> Vec<Diagnostic> {
        let outcome = parse(src);
        let mut lint = ScriptletCommandWithoutRequires::new();
        lint.set_profile(&fedora_profile());
        lint.visit_spec(&outcome.spec);
        lint.take_diagnostics()
    }

    #[test]
    fn flags_useradd_without_requires() {
        let src = "Name: x\n%pre\nuseradd -r foo\nexit 0\n";
        let diags = run(src);
        assert_eq!(diags.len(), 1, "{diags:?}");
        assert_eq!(diags[0].lint_id, "RPM328");
        assert!(diags[0].message.contains("useradd"));
        assert!(diags[0].message.contains("shadow-utils"));
        assert!(
            diags[0].message.contains("Requires(pre)"),
            "should suggest the matching qualifier: {:?}",
            diags[0].message
        );
    }

    #[test]
    fn silent_when_requires_declared() {
        let src = "Name: x\nRequires(pre): shadow-utils\n%pre\nuseradd -r foo\nexit 0\n";
        assert!(run(src).is_empty());
    }

    #[test]
    fn silent_when_plain_requires_declared() {
        // Any qualifier flavour of `Requires:` covers the scriptlet.
        let src = "Name: x\nRequires: shadow-utils\n%pre\nuseradd -r foo\nexit 0\n";
        assert!(run(src).is_empty());
    }

    #[test]
    fn silent_when_requires_has_qualifier_list() {
        // `Requires(pre,post): shadow-utils` — combined qualifier list
        // must still register as declared.
        let src = "Name: x\nRequires(pre,post): shadow-utils\n%pre\nuseradd -r foo\nexit 0\n";
        assert!(run(src).is_empty());
    }

    #[test]
    fn flags_systemctl_in_post() {
        // RPM328 fires; RPM342 also fires in the registry, but we test
        // RPM328 in isolation here.
        let src = "Name: x\n%post\nsystemctl daemon-reload\nexit 0\n";
        let diags = run(src);
        assert_eq!(diags.len(), 1);
        assert!(diags[0].message.contains("systemd"));
        assert!(diags[0].message.contains("Requires(post)"));
    }

    #[test]
    fn silent_in_buildscript() {
        // %install isn't a scriptlet — RPM324 owns that surface.
        let src = "Name: x\n%install\nuseradd -r foo\n";
        assert!(run(src).is_empty());
    }

    #[test]
    fn deduplicates_repeated_calls_in_one_scriptlet() {
        let src = "Name: x\n%post\nsystemctl daemon-reload\nsystemctl restart foo\nexit 0\n";
        assert_eq!(run(src).len(), 1);
    }

    #[test]
    fn emits_per_scriptlet_section() {
        // userdel isn't in the policy table; only %pre fires.
        let src = "Name: x\n%pre\nuseradd -r foo\nexit 0\n%postun\nuserdel foo\nexit 0\n";
        let diags = run(src);
        assert_eq!(diags.len(), 1);
    }

    #[test]
    fn emits_once_per_scriptlet_per_atom() {
        // `useradd` and `groupadd` both → `shadow-utils`; one
        // scriptlet, one atom — one diagnostic.
        let src = "Name: x\n%pre\nuseradd -r foo\ngroupadd -r foo\nexit 0\n";
        assert_eq!(run(src).len(), 1);
    }

    #[test]
    fn silent_for_unknown_command() {
        let src = "Name: x\n%post\nfoo --bar\nexit 0\n";
        assert!(run(src).is_empty());
    }

    #[test]
    fn silent_on_generic_profile() {
        let outcome = parse("Name: x\n%pre\nuseradd -r foo\n");
        let mut lint = ScriptletCommandWithoutRequires::new();
        lint.set_profile(&Profile::default());
        lint.visit_spec(&outcome.spec);
        assert!(lint.take_diagnostics().is_empty());
    }
}