diff --git a/.pipelines/prchecks/CveSpecFilePRCheck/AntiPatternDetector.py b/.pipelines/prchecks/CveSpecFilePRCheck/AntiPatternDetector.py index 955ec364ef8..204ccb6bafb 100644 --- a/.pipelines/prchecks/CveSpecFilePRCheck/AntiPatternDetector.py +++ b/.pipelines/prchecks/CveSpecFilePRCheck/AntiPatternDetector.py @@ -98,6 +98,7 @@ def __init__(self, repo_root: str): 'cve-patch-mismatch': Severity.ERROR, 'unused-patch-file': Severity.WARNING, 'patch-without-cve-ref': Severity.WARNING, + 'incorrect-patch-case': Severity.ERROR, # CVE related issues 'missing-cve-reference': Severity.ERROR, @@ -172,11 +173,28 @@ def detect_patch_file_issues(self, spec_content: str, file_path: str, file_list: # Extract patch references from spec file with line numbers # Updated regex to handle both simple filenames and full URLs + # Made case-insensitive to detect all patch references (we'll flag incorrect case separately) patch_regex = r'^Patch(\d+):\s+(.+?)$' patch_refs = {} for line_num, line in enumerate(spec_content.split('\n'), 1): - match = re.match(patch_regex, line.strip()) + # First, check for incorrect lowercase 'patch' usage + if line.strip().startswith('patch') and ':' in line: + lowercase_match = re.match(r'^patch(\d+):\s+(.+?)$', line.strip()) + if lowercase_match: + patterns.append(AntiPattern( + id='incorrect-patch-case', + name="Incorrect Patch Reference Case", + description=f"Patch reference uses lowercase 'patch' instead of 'Patch' (RPM spec convention requires uppercase 'P')", + severity=self.severity_map.get('incorrect-patch-case', Severity.ERROR), + file_path=file_path, + line_number=line_num, + context=line.strip(), + recommendation="Change 'patch' to 'Patch' to follow RPM spec file conventions" + )) + + # Now detect all patch references (case-insensitive) for further validation + match = re.match(patch_regex, line.strip(), re.IGNORECASE) if match: patch_file = match.group(2).strip() 
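Review bot: The lowercase guard `if line.strip().startswith('patch') and ':' in line:` only catches an all-lowercase tag, while the new `re.match(patch_regex, line.strip(), re.IGNORECASE)` a few lines later accepts `PATCH0:` or `pAtch0:` as a valid patch reference without ever raising `incorrect-patch-case`, so the two branches disagree on what a patch line is. Deriving the finding from the single case-insensitive match closes the gap: `match = re.match(patch_regex, line.strip(), re.IGNORECASE)` followed by `if match and not match.group(0).startswith('Patch'):` in place of the separate `lowercase_match` regex, with the `AntiPattern(...)` append moved under that condition. The `description=f"Patch reference uses lowercase ..."` literal interpolates nothing and can be a plain string. The loop body continues past the end of the hunk, so the later use of `match` is not visible here.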
diff --git a/.pipelines/prchecks/CveSpecFilePRCheck/CveSpecFilePRCheck.py b/.pipelines/prchecks/CveSpecFilePRCheck/CveSpecFilePRCheck.py index b8cd70811a5..6c2252c97e8 100644 --- a/.pipelines/prchecks/CveSpecFilePRCheck/CveSpecFilePRCheck.py +++ b/.pipelines/prchecks/CveSpecFilePRCheck/CveSpecFilePRCheck.py @@ -765,8 +765,16 @@ def main(): pr_number = int(os.environ.get("GITHUB_PR_NUMBER", "0")) if pr_number: - # Post organized comment - github_client.post_pr_comment(pr_number, analysis_result) + logger.info(f"Posting GitHub comment to PR #{pr_number}") + + # Format and post organized comment + comment = github_client.format_multi_spec_comment(analysis_result) + success = github_client.post_comment(pr_number, comment) + + if success: + logger.info("Successfully posted GitHub comment") + else: + logger.warning("Failed to post GitHub comment") # Update checks API if enabled if os.environ.get("USE_CHECKS_API", "false").lower() == "true": @@ -775,8 +783,10 @@ def main(): analysis_result.overall_severity, analysis_result.summary_statistics ) + else: + logger.warning("GITHUB_PR_NUMBER not set, skipping GitHub comment") except Exception as e: - logger.error(f"Failed to update GitHub status: {e}") + logger.error(f"Failed to update GitHub status: {e}", exc_info=True) # Return appropriate exit code return get_severity_exit_code(analysis_result.overall_severity) diff --git a/.pipelines/prchecks/CveSpecFilePRCheck/GitHubClient.py b/.pipelines/prchecks/CveSpecFilePRCheck/GitHubClient.py index 6795eb3e4fc..372a7866476 100644 --- a/.pipelines/prchecks/CveSpecFilePRCheck/GitHubClient.py +++ b/.pipelines/prchecks/CveSpecFilePRCheck/GitHubClient.py 
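Review bot: The new `else:` branch logs `GITHUB_PR_NUMBER not set, skipping GitHub comment`, but `pr_number` is falsy both when the variable is absent and when it is set to `0` (the context line `int(os.environ.get("GITHUB_PR_NUMBER", "0"))`), and a non-numeric value raises ValueError that the enclosing `except Exception` presumably reports as "Failed to update GitHub status" instead. Logging the raw value makes the skip diagnosable: `logger.warning("GITHUB_PR_NUMBER missing or invalid (%r), skipping GitHub comment", os.environ.get("GITHUB_PR_NUMBER"))`. The added `logger.info(f"Posting GitHub comment to PR #{pr_number}")` interpolates eagerly where the logger already supports lazy `%s` arguments; minor, but worth keeping consistent with the message above. main() begins and ends outside both hunks.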
@@ -56,7 +56,8 @@ class GitHubClient: def __init__(self): """Initialize the GitHub client with authentication.""" - self.token = os.environ.get('GITHUB_TOKEN') + # Try GITHUB_TOKEN first, then fall back to SYSTEM_ACCESSTOKEN (for ADO) + self.token = os.environ.get('GITHUB_TOKEN') or os.environ.get('SYSTEM_ACCESSTOKEN') self.repo = os.environ.get('GITHUB_REPOSITORY', 'microsoft/azurelinux') self.api_base = 'https://api.github.com' diff --git a/.pipelines/prchecks/CveSpecFilePRCheck/pr_check_report.txt b/.pipelines/prchecks/CveSpecFilePRCheck/pr_check_report.txt index 56db7d0732c..219efd655d8 100644 --- a/.pipelines/prchecks/CveSpecFilePRCheck/pr_check_report.txt +++ b/.pipelines/prchecks/CveSpecFilePRCheck/pr_check_report.txt @@ -1,14 +1,14 @@ ================================================================================ CVE SPEC FILE CHECK - ANALYSIS REPORT ================================================================================ -Generated: 2025-10-14T17:34:56.229364 +Generated: 2025-10-14T18:15:21.600829 EXECUTIVE SUMMARY ---------------------------------------- Total Spec Files Analyzed: 1 Specs with Errors: 1 Specs with Warnings: 0 -Total Issues Found: 8 +Total Issues Found: 9 Overall Severity: ERROR PACKAGE ANALYSIS DETAILS @@ -17,7 +17,7 @@ PACKAGE ANALYSIS DETAILS Package: azcopy Spec File: SPECS/azcopy/azcopy.spec Status: ERROR -Issues: 4 errors, 4 warnings +Issues: 5 errors, 4 warnings Anti-Patterns Detected: - unused-patch-file: 4 occurrence(s) 
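Review bot: The fallback `os.environ.get('GITHUB_TOKEN') or os.environ.get('SYSTEM_ACCESSTOKEN')` silently substitutes a credential from a different identity provider: Azure DevOps' System.AccessToken is an ADO pipeline token, not a GitHub credential, while `self.api_base` on the next context line is `https://api.github.com`. If that value is later placed in an Authorization header by the request code outside this hunk, the pipeline's ADO token is sent to a host it was not issued for, will be rejected there, and the resulting 401 is indistinguishable from a missing `GITHUB_TOKEN`. Unless a GitHub-to-ADO token mapping exists that I cannot see here, the fallback should be dropped or made explicit, e.g. `self.token = os.environ.get('GITHUB_TOKEN')` followed by a warning through the module's logger when it is empty, recording which variable supplied the token so a wrong-credential failure is diagnosable. `__init__` continues past the end of the hunk.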
@@ -30,15 +30,18 @@ Issues: 4 errors, 4 warnings • Patch file 'CVE-2024-51744.patch' contains CVE reference but CVE-2024-51744 is n... • Patch file 'CVE-2025-30204.patch' contains CVE reference but CVE-2025-30204 is n... ... and 1 more + - missing-cve-in-changelog: 1 occurrence(s) + • CVE-2025-1111 is referenced in the spec file but not mentioned in any changelog ... RECOMMENDED ACTIONS ---------------------------------------- azcopy: - • Add CVE-2025-30204 to the spec file changelog entry + • Add CVE-2025-22868 to the spec file changelog entry • Add CVE-2024-51744 to the spec file changelog entry + • Add CVE-2025-1111 to a changelog entry + • Add CVE-2025-30204 to the spec file changelog entry • Add CVE-2025-22870 to the spec file changelog entry - • Add CVE-2025-22868 to the spec file changelog entry ================================================================================ END OF REPORT diff --git a/.pipelines/prchecks/CveSpecFilePRCheck/pr_check_results.json b/.pipelines/prchecks/CveSpecFilePRCheck/pr_check_results.json index 47992ee4fad..955c26aa34b 100644 --- a/.pipelines/prchecks/CveSpecFilePRCheck/pr_check_results.json +++ b/.pipelines/prchecks/CveSpecFilePRCheck/pr_check_results.json @@ -1,12 +1,12 @@ { - "timestamp": "2025-10-14T17:34:56.229698", + "timestamp": "2025-10-14T18:15:21.601167", "overall_severity": "ERROR", - "total_issues": 8, + "total_issues": 9, "summary_statistics": { "total_specs": 1, "specs_with_errors": 1, "specs_with_warnings": 0, - "total_errors": 4, + "total_errors": 5, "total_warnings": 4 }, "spec_results": [ @@ -14,7 +14,7 @@ "spec_path": "SPECS/azcopy/azcopy.spec", "package_name": "azcopy", "severity": "ERROR", - "summary": "4 errors, 4 warnings", + "summary": "5 errors, 4 warnings", "anti_patterns": [ { "id": "unused-patch-file", 
@@ -79,6 +79,14 @@ "severity": "ERROR", "line_number": null, "recommendation": "Add CVE-2025-22868 to the spec file changelog entry" + }, + { + "id": "missing-cve-in-changelog", + "name": "Missing CVE in Changelog", + "description": "CVE-2025-1111 is referenced in the spec file but not mentioned in any changelog entry", + "severity": "ERROR", + "line_number": null, + "recommendation": "Add CVE-2025-1111 to a changelog entry" } ], "ai_analysis": "" diff --git a/SPECS/azcopy/azcopy.spec b/SPECS/azcopy/azcopy.spec index ba6a326c806..7134bce52e2 100644 --- a/SPECS/azcopy/azcopy.spec +++ b/SPECS/azcopy/azcopy.spec @@ -31,6 +31,7 @@ Patch0: CVE-2025-22868.patch Patch1: CVE-2025-30204.patch Patch2: CVE-2025-22870.patch Patch3: CVE-2024-51744.patch +patch4: CVE-2025-1111.patch BuildRequires: golang >= 1.17.9 BuildRequires: git
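Review bot: The new `patch4: CVE-2025-1111.patch` line uses exactly the lowercase tag that the AntiPatternDetector change in this same diff flags as `incorrect-patch-case`, and the diff adds no `CVE-2025-1111.patch` file under SPECS/azcopy, so the line reads as a fixture for exercising the new check rather than an intended package change. If it is intended, it should read `Patch4: CVE-2025-1111.patch`, the patch file must be committed alongside it, and the CVE must be added to the changelog (the regenerated report in this diff already lists it as `missing-cve-in-changelog`). If it is a fixture, it belongs in the check's test data rather than in the shipping spec, together with pr_check_report.txt and pr_check_results.json, whose embedded timestamps will churn on every run.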