# Keep matching patterns enough not to hide unintended errors and warnings. # There is no way to implement this with `%{SOURCE0}` without `%{_sourcedir}`. # The order in the .spec file could be possibly different. addFilter(r'ruby\.(spec|src):20: E: use-of-RPM_SOURCE_DIR$') # The used version is not obvious. addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-build_assert\)$') addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-check_type\)$') addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-container_of\)$') addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-list\)$') # The template files do not have to have executable bits. addFilter(r'^rubygem-bundler\.noarch: E: non-executable-script /usr/share/gems/gems/bundler-[\d\.]+/lib/bundler/templates/[\w/\.]+ 644 /usr/bin/env ') # The bundled gem files permissions are overridden as 644 by `make install`. # https://bugs.ruby-lang.org/issues/17840 # https://github.com/rubygems/rubygems/issues/5255 # https://github.com/ruby/debug/pull/481 # https://github.com/ruby/net-ftp/pull/12 # https://github.com/ruby/net-imap/pull/53 # https://github.com/ruby/net-pop/pull/7 # https://github.com/ruby/prime/pull/16 addFilter(r'^.*: E: non-executable-script /usr/share/gems/gems/(debug|net-(ftp|imap|pop)|prime)-[\d\.]+/bin/\w+ 644 ') # Ruby provides API to set the cipher list. addFilter(r'^ruby-libs\.\w+: W: crypto-policy-non-compliance-openssl /usr/lib(64)?/ruby/openssl.so SSL_CTX_set_cipher_list$') # `gethostbyname` is part of deprecated Ruby API. There is also request to drop the API altogether: # https://bugs.ruby-lang.org/issues/13097 # https://bugs.ruby-lang.org/issues/17944 addFilter(r'^ruby-libs\.\w+: W: binary-or-shlib-calls-gethostbyname /usr/lib(64)?/ruby/socket.so$') # Nothing referred and no dependency information should be no problem. # https://bugs.ruby-lang.org/issues/16558#note-2 addFilter(r'^ruby-libs\.\w+: E: shared-library-without-dependency-information /usr/lib(64)?/ruby/enc/gb2312.so$') # These are Ruby plugins, where Ruby always load glibc prior the library. addFilter(r'^ruby-libs\.\w+: W: library-not-linked-against-libc /usr/lib(64)?/ruby/.*.so$') # The function `chroot` without using `chdir` is detected by rpmlint with the # following message. However it looks a false positive as the `chroot` in the # `dir.c` is just used as a Ruby binding `Dir.chroot` for the function. # # ruby-libs.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libruby.so.N.N.N # This executable appears to call chroot without using chdir to change the # current directory. This is likely an error and permits an attacker to break # out of the chroot by using fchdir. While that's not always a security issue, # this has to be checked. addFilter(r'^ruby-libs\.\w+: E: missing-call-to-chdir-with-chroot /usr/lib(64)?/libruby.so.[\d/.]+$') # Rake ships some examples. addFilter(r'^rubygem-rake.noarch: W: devel-file-in-non-devel-package /usr/share/gems/gems/rake-[\d\.]+/doc/example/\w+.c$') # Some executables don't have their manual pages. Is it worth of use help2man? addFilter(r'^.+: W: no-manual-page-for-binary (bundler|gem|rbs|rdbg|rdoc|ruby-mri|typeprof)$') # Default gems does not come with any documentation. addFilter(r'^rubygem-(bigdecimal|io-console|json|psych)\.\w+: W: no-documentation$') # rubygems-devel ships only RPM macros and generators. Their placement is given # by RPM and can't be modified. addFilter(r'rubygems-devel.noarch: W: only-non-binary-in-usr-lib$') # The empty gem.build_complete file is false positive. This error is gone in rpmlint 2.0+. # https://github.com/rpm-software-management/rpmlint/commit/e34ce874f27d733628f51c9884ac951af072bed2 addFilter(r'^ruby(gem)?-(bigdecimal|bundled-gems|io-console|json|psych|rbs)\.\w+: E: zero-length /usr/lib(64)?/gems/ruby/.*/gem.build_complete')