From 552ef44f2f5275ddc5208761665a0935cbb2e382 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Posp=C3=AD=C5=A1il?= Date: Wed, 22 Oct 2025 14:16:48 +0200 Subject: [PATCH] fix bundling metadata This should help ProdSec accurately detect versions of bundled components in pcs. Security analysts usually filter the database based on ecosystem. The ecosystem detection has been done from RPM metadata for some time and that is when ProdSec stopped creating trackers accurately. The problem is that we didn't follow the Fedora Packaging Guidelines and didn't name the bundled components with package names as if they were entering Fedora. The ecosystem detection in Deptopia (the tool that ProdSec uses) expects "rubygem-" prefix for rubygems and "python[X]-" prefix for Python ecosystem. See PSDEVOPS-4408 for more details. This commit also changes metadata for bundling JavaScript libraries. The Packaging guidelines suggest the `js-` prefix. While Deptopia doesn't handle JS filtering, the tool that ProdSec uses doesn't require a strict match, so searching for jquery should also return js-jquery unless a strict flag is specified.
---
 pcs.spec | 49 +++++++++++++++++++++++++------------------------
 1 file changed, 25 insertions(+), 24 deletions(-)
diff --git a/pcs.spec b/pcs.spec
index 6f86ad1..b556e03 100644
--- a/pcs.spec
+++ b/pcs.spec
@@ -205,31 +205,32 @@ Requires: redhat-logos
 # needs logrotate for /etc/logrotate.d/pcsd
 Requires: logrotate
-Provides: bundled(tornado) = %{tornado_version}
-Provides: bundled(dataclasses) = %{dataclasses_version}
-Provides: bundled(dacite) = %{dacite_version}
-Provides: bundled(dateutil) = %{dateutil_version}
-Provides: bundled(backports) = %{version_rubygem_backports}
-Provides: bundled(ethon) = %{version_rubygem_ethon}
-Provides: bundled(ffi) = %{version_rubygem_ffi}
-Provides: bundled(json) = %{version_rubygem_json}
-Provides: bundled(mustermann) = %{version_rubygem_mustermann}
-Provides: bundled(nio4r) = %{version_rubygem_nio4r}
-Provides: bundled(open4) = %{version_rubygem_open4}
-Provides: bundled(puma) = %{version_rubygem_puma}
-Provides: bundled(rack) = %{version_rubygem_rack}
-Provides: bundled(rack_protection) = %{version_rubygem_rack_protection}
-Provides: bundled(rack_test) = %{version_rubygem_rack_test}
-Provides: bundled(rexml) = %{version_rubygem_rexml}
-Provides: bundled(ruby2_keywords) = %{version_rubygem_ruby2_keywords}
-Provides: bundled(sinatra) = %{version_rubygem_sinatra}
-Provides: bundled(tilt) = %{version_rubygem_tilt}
+Provides: bundled(python3-tornado) = %{tornado_version}
+Provides: bundled(python3-dataclasses) = %{dataclasses_version}
+Provides: bundled(python3-dacite) = %{dacite_version}
+Provides: bundled(python3-dateutil) = %{dateutil_version}
+
+Provides: bundled(rubygem-backports) = %{version_rubygem_backports}
+Provides: bundled(rubygem-ethon) = %{version_rubygem_ethon}
+Provides: bundled(rubygem-ffi) = %{version_rubygem_ffi}
+Provides: bundled(rubygem-json) = %{version_rubygem_json}
+Provides: bundled(rubygem-mustermann) = %{version_rubygem_mustermann}
+Provides: bundled(rubygem-nio4r) = %{version_rubygem_nio4r}
+Provides: bundled(rubygem-open4) = %{version_rubygem_open4}
+Provides: bundled(rubygem-puma) = %{version_rubygem_puma}
+Provides: bundled(rubygem-rack) = %{version_rubygem_rack}
+Provides: bundled(rubygem-rack-protection) = %{version_rubygem_rack_protection}
+Provides: bundled(rubygem-rack-test) = %{version_rubygem_rack_test}
+Provides: bundled(rubygem-rexml) = %{version_rubygem_rexml}
+Provides: bundled(rubygem-ruby2_keywords) = %{version_rubygem_ruby2_keywords}
+Provides: bundled(rubygem-sinatra) = %{version_rubygem_sinatra}
+Provides: bundled(rubygem-tilt) = %{version_rubygem_tilt}
 # javascript bundled libraries for old web-ui
-Provides: bundled(ember) = %{ember_version}
-Provides: bundled(handlebars) = %{handlebars_version}
-Provides: bundled(jquery) = %{jquery_version}
-Provides: bundled(jquery-ui) = %{jquery_ui_version}
+Provides: bundled(js-ember) = %{ember_version}
+Provides: bundled(js-handlebars) = %{handlebars_version}
+Provides: bundled(js-jquery) = %{jquery_version}
+Provides: bundled(js-jquery-ui) = %{jquery_ui_version}
 %description
 pcs is a corosync and pacemaker configuration tool. It permits users to
@@ -252,7 +253,7 @@ Requires: pcs = %{version}-%{release}
 Requires: pacemaker
 Requires: net-snmp
-Provides: bundled(pyagentx) = %{pyagentx_version}
+Provides: bundled(python3-pyagentx) = %{pyagentx_version}
 %description -n %{pcs_snmp_pkg_name}
 SNMP agent that provides information about pacemaker cluster to the master agent (snmpd)
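Review bot: Nothing in the spec itself records why the `bundled()` names in the first hunk now carry `python3-`, `rubygem-` and `js-` prefixes, so a component added later under a bare name would silently drop out of ecosystem-based vulnerability tracking again. A comment above the first `Provides: bundled(...)` line would keep the convention visible, for example `# bundled() names must match the Fedora package name (python3-*, rubygem-*, js-*); security tooling keys on the prefix`. The same convention covers `bundled(python3-pyagentx)` in the second hunk, so the comment could be repeated or referenced there. It would also help to state that the part after the prefix follows the upstream name, since `rack-protection` and `rack-test` switched to hyphens here while `ruby2_keywords` kept its underscore, which looks inconsistent without that explanation.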