fedora-infra / bodhi

Bodhi is a web-system that facilitates the process of publishing updates for a Fedora-based software distribution.
https://bodhi.fedoraproject.org
GNU General Public License v2.0

rpminspect static-analysis test fails at annocheck incorrectly #5671

Closed dogukancagatay closed 1 month ago

dogukancagatay commented 1 month ago

My package update process fails at the annocheck stage of the fedora-ci.koji-build.rpminspect.static-analysis test.

The failure reason is documented here for the compiled library as follows:

Hardened: /usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: FAIL: stack-realign test because -mstackrealign not enabled 

The problem is the package build logs say that the flag (-mstackrealign) exists when building that .so file, which fails the test.

gcc -shared -Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -mstackrealign build/temp.linux-i686-cpython-312/_crc32c.o build/temp.linux-i686-cpython-312/checkarm.o build/temp.linux-i686-cpython-312/checksse42.o build/temp.linux-i686-cpython-312/crc32c_adler.o build/temp.linux-i686-cpython-312/crc32c_arm64.o build/temp.linux-i686-cpython-312/crc32c_sw.o -L/usr/lib -o build/lib.linux-i686-cpython-312/crc32c.cpython-312-i386-linux-gnu.so

Bodhi link: https://bodhi.fedoraproject.org/updates/FEDORA-2024-62efcdf3df

dogukancagatay commented 1 month ago

FYI, when I checked the built RPM with annocheck locally, I got a PASS result.

# annocheck --ignore-unknown --verbose --profile=rawhide python3-crc32c-2.4-1.fc41.i686.rpm                         
annocheck: Version 12.54.
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: pie test because the ELF file header has the correct type 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: info: written in C (source: DW_AT_language string).
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: pic test because option found in DW_AT_producer string 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: stack-prot test because option found in DW_AT_producer string 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: optimization test because option found in DW_AT_producer string 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: lto test because detected in DW_AT_producer string 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: writable-got test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: dynamic-segment test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: bind-now test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: gnu-stack test because stack segment exists with the correct permissions 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: gnu-relro test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: gaps test because no gaps found in .text section coverage 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: notes test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: skip: branch-protection test because not an AArch64 binary 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: skip: cf-protection test because not an x86_64 binary 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: skip: dynamic-tags test because AArch64 specific 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: entry test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: fast test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: skip: fortify test because compiling in LTO mode hides preprocessor and warning options 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: skip: glibcxx-assertions test because source language not C++ 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: skip: go-revision test because no GO compiled code found 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: skip: implicit-values test because  These tests are only relevent to C source code 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: instrumentation test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: production test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: property-note test because property note found 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: run-path test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: rwx-seg test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: short-enums test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: skip: stack-clash test because compiling in LTO mode hides the -fstack-clash-protection option 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: skip: stack-realign test because no GCC compiled C/C++ code found 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: textrel test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: threads test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: PASS: unicode test 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: skip: warnings test because compiling in LTO mode hides preprocessor and warning options 
Hardened: ./usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so: Overall: PASS.

mattiaverga commented 1 month ago

For help debugging failed Fedora CI tests (fedora-ci.*), contact the Fedora CI team. There's nothing to do on the Bodhi side.
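
Added example (not part of the original thread, and not code from Bodhi, rpminspect or annocheck): a small Python parser for the "Hardened:" result lines, used to compare the CI run and the local run quoted above test by test. The function names are hypothetical; the sample lines are copied from the two outputs in this thread.

```python
import re

# One annocheck per-test result line: path, verdict, test name, optional reason.
LINE = re.compile(
    r"^Hardened: (?P<path>.+?): (?P<verdict>PASS|FAIL|MAYB|skip): "
    r"(?P<test>[\w-]+) test(?:\s+because\s+(?P<reason>.*?))?\s*$"
)

def parse(output):
    """Map (path, test) -> (verdict, reason); info and Overall lines are ignored."""
    results = {}
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if m:
            # The CI log shows /usr/..., the local run on the RPM shows ./usr/...
            path = m["path"].removeprefix(".")
            results[(path, m["test"])] = (m["verdict"], m["reason"] or "")
    return results

def diff_runs(ci, local):
    """Tests present in both runs whose verdict differs, sorted by (path, test)."""
    return [
        (path, test, ci[(path, test)], local[(path, test)])
        for (path, test) in sorted(ci.keys() & local.keys())
        if ci[(path, test)][0] != local[(path, test)][0]
    ]

def not_checked(results):
    """Tests reported as skip; 'Overall: PASS' does not mean these were verified."""
    return sorted(t for (_, t), (verdict, _) in results.items() if verdict == "skip")

SO = "/usr/lib/python3.12/site-packages/crc32c.cpython-312-i386-linux-gnu.so"
# Lines copied from the two runs quoted in the thread.
CI_RUN = f"Hardened: {SO}: FAIL: stack-realign test because -mstackrealign not enabled \n"
LOCAL_RUN = (
    f"Hardened: .{SO}: PASS: stack-prot test because option found in DW_AT_producer string \n"
    f"Hardened: .{SO}: skip: stack-realign test because no GCC compiled C/C++ code found \n"
    f"Hardened: .{SO}: skip: fortify test because compiling in LTO mode hides preprocessor and warning options \n"
    f"Hardened: .{SO}: Overall: PASS.\n"
)

if __name__ == "__main__":
    for path, test, ci, local in diff_runs(parse(CI_RUN), parse(LOCAL_RUN)):
        print(f"{test}: CI={ci[0]} ({ci[1]}) local={local[0]} ({local[1]})")
    print("skipped locally:", not_checked(parse(LOCAL_RUN)))
```

On the quoted outputs this reports stack-realign as FAIL in CI and skip locally, so the two runs disagree on whether the test applied at all rather than on its result.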