This should help ProdSec accurately detect versions of bundled
components in pcs. Security analysts usually filter the database based
on ecosystem. The ecosystem detection has been done from RPM metadata
for some time and that is when ProdSec stopped creating trackers
accurately. The problem is that we didn't follow the Fedora Packaging
Guidelines and didn't name the bundled components with package names as
if they were entering Fedora. The ecosystem detection in Deptopia (the
tool that ProdSec uses) expects the "rubygem-" prefix for rubygems and
the "python[X]-" prefix for the Python ecosystem. See PSDEVOPS-4408 for more
details.
This commit also changes metadata for bundling JavaScript libraries. The
Packaging Guidelines suggest the `js-` prefix. While Deptopia doesn't
handle JS filtering, the tool that ProdSec uses doesn't require a strict
match, so searching for jquery should also return js-jquery unless a
strict flag is specified.
- Fixed CVE-2024-49761 by updating rubygem rexml
Resolves: RHEL-98708
- Fixed dist macro in changelog entries: brackets are mandatory inside a string; also added back the question mark to make the macro disappear if not defined
- Fixed copy-paste error in CVE identifier of the last update
- Rebased to the latest upstream sources (see CHANGELOG.md)
Resolves: RHEL-7584, RHEL-7668, RHEL-7729, RHEL-7731, RHEL-7732, RHEL-7741, RHEL-7742, RHEL-7743, RHEL-7745, RHEL-8467
- Tightened permissions of bundled rubygems to be 755 or stricter
Resolves: RHEL-7715
Prior to this fix, some gems were installed with write permissions for the
owner group and everyone. With this patch, write permissions are removed
with chmod for all rubygems.
Resolves: RHEL-7715
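The permission tightening described in the commit above, as an added example that is not part of the pcs spec or its commits: a POSIX sh routine that strips group/other write bits from a bundled gem tree and re-checks the result (the gem root path, the sample gem name and the file layout are assumptions):

```shell
#!/bin/sh
# Added example, not from the pcs spec or its commits: strip group/other write
# bits from a bundled gem tree (755 for directories and executables, 644 for
# plain files, or stricter) and verify nothing group- or other-writable remains.
# Assumption: the gem install root is passed as the first argument.

# Print how many files/directories under $1 are still group- or other-writable.
count_gw_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -g+w -o -perm -o+w \) | wc -l | tr -d ' '
}

# Remove group/other write bits from everything under $1; fail if any remain.
tighten_gem_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" \( -type f -o -type d \) \( -perm -g+w -o -perm -o+w \) \
        -exec chmod go-w {} +
    # Re-check so a partial chmod failure surfaces as an error, not silently.
    [ "$(count_gw_writable "$dir")" -eq 0 ]
}

# Constructed sample tree with the sloppy modes the commit describes
# (group- and world-writable gem files); prints its path.
make_sample_tree() {
    base=$(mktemp -d)
    gem="$base/gems/examplegem-0.0.1"    # hypothetical gem name
    mkdir -p "$gem/lib" "$gem/bin"
    chmod 755 "$base/gems"
    printf 'module ExampleGem; end\n' > "$gem/lib/examplegem.rb"
    printf '#!/bin/sh\necho ok\n' > "$gem/bin/examplegem"
    chmod 777 "$gem" "$gem/lib" "$gem/bin"
    chmod 666 "$gem/lib/examplegem.rb"
    chmod 775 "$gem/bin/examplegem"
    printf '%s\n' "$base"
}

# Stand-alone demonstration: build the tree, fix it, report, clean up.
demo() {
    tree=$(make_sample_tree)
    echo "before: $(count_gw_writable "$tree") group/other-writable entries"
    tighten_gem_perms "$tree" && \
        echo "after: $(count_gw_writable "$tree") group/other-writable entries"
    rm -rf "$tree"
}
demo
```

The `find` expression is what belongs in the spec's %install section; the re-check is the part that turns a silent chmod failure into a build failure.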
In the previous commit, a switch for configure was inadvertently removed
by a backport from RHEL 9. The switch was relaxing the check for installed
dependencies since they are not required for running the tests. This
commit puts the switch back to fix the failure in RHEL gating.
Resolves: RHEL-15218
The deprecated STI gating test definition is removed in favor of
flexible metadata format (fmf). This fixes testing in Testing Farm
which is enabled in CentOS Stream merge requests.
This is not the final version; some workarounds were needed. The most
notable one is patching sources, which is not yet supported by
tmt (test management tool, used to run tests in Testing Farm).
Tmt also does not download rubygems, so a macro was put in place
to avoid errors while trying to copy them in the prep phase of rpmbuild.
To ensure a smooth build process in the future, we will test that the new
gating test definition matches the previous result without changing
the package content.
Resolves: RHEL-15218
- Make use of filters when extracting tarballs to enhance security if provided by Python (`pcs config restore` command)
- Do not display duplicate records in commands `pcs property [config] --all` and `pcs property describe`
Source files were erroneously imported while creating the c8s branch;
this commit removes them. It also adds the STI test setup for gating
which was not imported.