Class: Homebrew::FormulaAuditor Private

Inherits:
Object
  • Object
show all
Includes:
FormulaCellarChecks
Defined in:
formula_auditor.rb

Overview

This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.

Auditor for checking common violations in Formulae.

Constant Summary collapse

PERMITTED_LICENSE_MISMATCHES =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

{
  "AGPL-3.0" => ["AGPL-3.0-only", "AGPL-3.0-or-later"],
  "GPL-2.0"  => ["GPL-2.0-only",  "GPL-2.0-or-later"],
  "GPL-3.0"  => ["GPL-3.0-only",  "GPL-3.0-or-later"],
  "LGPL-2.1" => ["LGPL-2.1-only", "LGPL-2.1-or-later"],
  "LGPL-3.0" => ["LGPL-3.0-only", "LGPL-3.0-or-later"],
}.freeze
ELASTICSEARCH_KIBANA_RELICENSED_VERSION =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

"7.11"

Constants included from FormulaCellarChecks

FormulaCellarChecks::VALID_LIBRARY_EXTENSIONS

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Methods included from FormulaCellarChecks

#audit_installed, #check_binary_arches, #check_cpuid_instruction, #check_easy_install_pth, #check_elisp_dirname, #check_elisp_root, #check_env_path, #check_flat_namespace, #check_generic_executables, #check_infopages, #check_jars, #check_linkage, #check_manpages, #check_non_executables, #check_non_libraries, #check_openssl_links, #check_plist, #check_python_framework_links, #check_python_packages, #check_python_symlinks, #check_service_command, #check_shadowed_headers, #check_shim_references, #valid_library_extension?

Constructor Details

#initialize(formula, options = {}) ⇒ FormulaAuditor

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns a new instance of FormulaAuditor.



17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# File 'formula_auditor.rb', line 17

def initialize(formula, options = {})
  @formula = formula
  @versioned_formula = formula.versioned_formula?
  @new_formula_inclusive = options[:new_formula]
  @new_formula = options[:new_formula] && !@versioned_formula
  @strict = options[:strict]
  @online = options[:online]
  @git = options[:git]
  @display_cop_names = options[:display_cop_names]
  @only = options[:only]
  @except = options[:except]
  # Accept precomputed style offense results, for efficiency
  @style_offenses = options[:style_offenses]
  # Allow the formula tap to be set as homebrew/core, for testing purposes
  @core_tap = formula.tap&.core_tap? || options[:core_tap]
  @problems = []
  @new_formula_problems = []
  @text = FormulaTextAuditor.new(formula.path)
  @specs = %w[stable head].map { |s| formula.send(s) }.compact
  @spdx_license_data = options[:spdx_license_data]
  @spdx_exception_data = options[:spdx_exception_data]
end

Instance Attribute Details

#formulaObject (readonly)

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



15
16
17
# File 'formula_auditor.rb', line 15

def formula
  @formula
end

#new_formula_problemsObject (readonly)

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



15
16
17
# File 'formula_auditor.rb', line 15

def new_formula_problems
  @new_formula_problems
end

#problemsObject (readonly)

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



15
16
17
# File 'formula_auditor.rb', line 15

def problems
  @problems
end

#textObject (readonly)

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



15
16
17
# File 'formula_auditor.rb', line 15

def text
  @text
end

Class Method Details

.aliasesObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



116
117
118
119
# File 'formula_auditor.rb', line 116

def self.aliases
  # core aliases + tap alias names + tap alias full name
  @aliases ||= Formula.aliases + Formula.tap_aliases
end

Instance Method Details

#auditObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



788
789
790
791
792
793
794
795
796
797
798
799
# File 'formula_auditor.rb', line 788

def audit
  only_audits = @only
  except_audits = @except

  methods.map(&:to_s).grep(/^audit_/).each do |audit_method_name|
    name = audit_method_name.delete_prefix("audit_")
    next if only_audits&.exclude?(name)
    next if except_audits&.include?(name)

    send(audit_method_name)
  end
end

#audit_bitbucket_repositoryObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



505
506
507
508
509
510
511
512
513
# File 'formula_auditor.rb', line 505

def audit_bitbucket_repository
  user, repo = get_repo_data(%r{https?://bitbucket\.org/([^/]+)/([^/]+)/?.*}) if @new_formula
  return if user.blank?

  warning = SharedAudits.bitbucket(user, repo)
  return if warning.nil?

  new_formula_problem warning
end

#audit_bottle_disabledObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



446
447
448
449
450
451
452
453
454
455
456
457
458
# File 'formula_auditor.rb', line 446

def audit_bottle_disabled
  return unless formula.bottle_disabled?

  if !formula.bottle_disable_reason.valid?
    problem "Unrecognized bottle modifier"
  elsif @core_tap
    if formula.bottle_unneeded?
      problem "Formulae in homebrew/core should not use `bottle :unneeded`"
    else
      problem "Formulae in homebrew/core should not use `bottle :disabled`"
    end
  end
end

#audit_bottle_specObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



434
435
436
437
438
439
440
441
442
443
444
# File 'formula_auditor.rb', line 434

def audit_bottle_spec
  # special case: new versioned formulae should be audited
  return unless @new_formula_inclusive
  return unless @core_tap

  return if formula.bottle_disabled?

  return unless formula.bottle_defined?

  new_formula_problem "New formulae in homebrew/core should not have a `bottle do` block"
end

#audit_conflictsObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
# File 'formula_auditor.rb', line 316

def audit_conflicts
  tap = formula.tap
  formula.conflicts.each do |conflict|
    conflicting_formula = Formulary.factory(conflict.name)
    next if tap != conflicting_formula.tap

    problem "Formula should not conflict with itself" if formula == conflicting_formula

    if tap.formula_renames.key?(conflict.name) || tap.aliases.include?(conflict.name)
      problem "Formula conflict should be declared using " \
              "canonical name (#{conflicting_formula.name}) instead of #{conflict.name}"
    end

    reverse_conflict_found = false
    conflicting_formula.conflicts.each do |reverse_conflict|
      reverse_conflict_formula = Formulary.factory(reverse_conflict.name)
      if tap.formula_renames.key?(reverse_conflict.name) || tap.aliases.include?(reverse_conflict.name)
        problem "Formula #{conflicting_formula.name} conflict should be declared using " \
                "canonical name (#{reverse_conflict_formula.name}) instead of #{reverse_conflict.name}"
      end

      reverse_conflict_found ||= reverse_conflict_formula == formula
    end
    unless reverse_conflict_found
      problem "Formula #{conflicting_formula.name} should also have a conflict declared with #{formula.name}"
    end
  rescue TapFormulaUnavailableError
    # Don't complain about missing cross-tap conflicts.
    next
  rescue FormulaUnavailableError
    problem "Can't find conflicting formula #{conflict.name.inspect}."
  rescue TapFormulaAmbiguityError, TapFormulaWithOldnameAmbiguityError
    problem "Ambiguous conflicting formula #{conflict.name.inspect}."
  end
end

#audit_depsObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
# File 'formula_auditor.rb', line 207

def audit_deps
  @specs.each do |spec|
    # Check for things we don't like to depend on.
    # We allow non-Homebrew installs whenever possible.
    spec.deps.each do |dep|
      begin
        dep_f = dep.to_formula
      rescue TapFormulaUnavailableError
        # Don't complain about missing cross-tap dependencies
        next
      rescue FormulaUnavailableError
        problem "Can't find dependency '#{dep.name.inspect}'."
        next
      rescue TapFormulaAmbiguityError
        problem "Ambiguous dependency '#{dep.name.inspect}'."
        next
      rescue TapFormulaWithOldnameAmbiguityError
        problem "Ambiguous oldname dependency '#{dep.name.inspect}'."
        next
      end

      if dep_f.oldname && dep.name.split("/").last == dep_f.oldname
        problem "Dependency '#{dep.name}' was renamed; use new name '#{dep_f.name}'."
      end

      if @core_tap &&
         @new_formula &&
         dep_f.keg_only? &&
         dep_f.keg_only_reason.provided_by_macos? &&
         dep_f.keg_only_reason.applicable? &&
         formula.requirements.none?(LinuxRequirement) &&
         !formula.tap&.audit_exception(:provided_by_macos_depends_on_allowlist, dep.name)
        new_formula_problem(
          "Dependency '#{dep.name}' is provided by macOS; " \
          "please replace 'depends_on' with 'uses_from_macos'.",
        )
      end

      dep.options.each do |opt|
        next if @core_tap
        next if dep_f.option_defined?(opt)
        next if dep_f.requirements.find do |r|
          if r.recommended?
            opt.name == "with-#{r.name}"
          elsif r.optional?
            opt.name == "without-#{r.name}"
          end
        end

        problem "Dependency '#{dep}' does not define option #{opt.name.inspect}"
      end

      problem "Don't use 'git' as a dependency (it's always available)" if @new_formula && dep.name == "git"

      problem "Dependency '#{dep.name}' is marked as :run. Remove :run; it is a no-op." if dep.tags.include?(:run)

      next unless @core_tap

      # we want to allow uses_from_macos for aliases but not bare dependencies
      if self.class.aliases.include?(dep.name) && spec.uses_from_macos_names.exclude?(dep.name)
        problem "Dependency '#{dep.name}' is an alias; use the canonical name '#{dep.to_formula.full_name}'."
      end

      if dep.tags.include?(:recommended) || dep.tags.include?(:optional)
        problem "Formulae in homebrew/core should not have optional or recommended dependencies"
      end
    end

    next unless @core_tap

    if spec.requirements.map(&:recommended?).any? || spec.requirements.map(&:optional?).any?
      problem "Formulae in homebrew/core should not have optional or recommended requirements"
    end
  end

  return unless @core_tap
  return if formula.tap&.audit_exception :versioned_dependencies_conflicts_allowlist, formula.name

  # The number of conflicts on Linux is absurd.
  # TODO: remove this and check these there too.
  return if OS.linux? && !Homebrew::EnvConfig.simulate_macos_on_linux?

  recursive_runtime_formulae = formula.runtime_formula_dependencies(undeclared: false)
  version_hash = {}
  version_conflicts = Set.new
  recursive_runtime_formulae.each do |f|
    name = f.name
    unversioned_name, = name.split("@")
    version_hash[unversioned_name] ||= Set.new
    version_hash[unversioned_name] << name
    next if version_hash[unversioned_name].length < 2

    version_conflicts += version_hash[unversioned_name]
  end

  return if version_conflicts.empty?

  return if formula.disabled?

  return if formula.deprecated? &&
            formula.deprecation_reason != DeprecateDisable::DEPRECATE_DISABLE_REASONS[:versioned_formula]

  problem <<~EOS
    #{formula.full_name} contains conflicting version recursive dependencies:
      #{version_conflicts.to_a.join ", "}
    View these with `brew deps --tree #{formula.full_name}`.
  EOS
end

#audit_elasticsearch_kibanaObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



381
382
383
384
385
386
387
388
# File 'formula_auditor.rb', line 381

def audit_elasticsearch_kibana
  return if formula.name != "elasticsearch" && formula.name != "kibana"
  return unless @core_tap
  return if formula.version < Version.new(ELASTICSEARCH_KIBANA_RELICENSED_VERSION)

  problem "Elasticsearch and Kibana were relicensed to a non-open-source license from version 7.11. " \
          "They must not be upgraded to version 7.11 or newer."
end

#audit_fileObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# File 'formula_auditor.rb', line 53

def audit_file
  if formula.core_formula? && @versioned_formula
    unversioned_formula = begin
      # build this ourselves as we want e.g. homebrew/core to be present
      full_name = if formula.tap
        "#{formula.tap}/#{formula.name}"
      else
        formula.name
      end
      Formulary.factory(full_name.gsub(/@.*$/, "")).path
    rescue FormulaUnavailableError, TapFormulaAmbiguityError,
           TapFormulaWithOldnameAmbiguityError
      Pathname.new formula.path.to_s.gsub(/@.*\.rb$/, ".rb")
    end
    unless unversioned_formula.exist?
      unversioned_name = unversioned_formula.basename(".rb")
      problem "#{formula} is versioned but no #{unversioned_name} formula exists"
    end
  elsif @build_stable &&
        formula.stable? &&
        !@versioned_formula &&
        (versioned_formulae = formula.versioned_formulae - [formula]) &&
        versioned_formulae.present?
    versioned_aliases = formula.aliases.grep(/.@\d/)
    _, last_alias_version = versioned_formulae.map(&:name).last.split("@")
    alias_name_major = "#{formula.name}@#{formula.version.major}"
    alias_name_major_minor = "#{alias_name_major}.#{formula.version.minor}"
    alias_name = if last_alias_version.split(".").length == 1
      alias_name_major
    else
      alias_name_major_minor
    end
    valid_alias_names = [alias_name_major, alias_name_major_minor]

    unless @core_tap
      versioned_aliases.map! { |a| "#{formula.tap}/#{a}" }
      valid_alias_names.map! { |a| "#{formula.tap}/#{a}" }
    end

    valid_versioned_aliases = versioned_aliases & valid_alias_names
    invalid_versioned_aliases = versioned_aliases - valid_alias_names

    if valid_versioned_aliases.empty?
      if formula.tap
        problem <<~EOS
          Formula has other versions so create a versioned alias:
            cd #{formula.tap.alias_dir}
            ln -s #{formula.path.to_s.gsub(formula.tap.path, "..")} #{alias_name}
        EOS
      else
        problem "Formula has other versions so create an alias named #{alias_name}."
      end
    end

    if invalid_versioned_aliases.present?
      problem <<~EOS
        Formula has invalid versioned aliases:
          #{invalid_versioned_aliases.join("\n  ")}
      EOS
    end
  end
end

#audit_formula_nameObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
# File 'formula_auditor.rb', line 121

def audit_formula_name
  name = formula.name

  problem "Formula name '#{name}' must not contain uppercase letters." if name != name.downcase

  return unless @strict
  return unless @core_tap

  problem "'#{name}' is not allowed in homebrew/core." if MissingFormula.disallowed_reason(name)

  if Formula.aliases.include? name
    problem "Formula name conflicts with existing aliases in homebrew/core."
    return
  end

  if (oldname = CoreTap.instance.formula_renames[name])
    problem "'#{name}' is reserved as the old name of #{oldname} in homebrew/core."
    return
  end

  return if formula.core_formula?
  return unless Formula.core_names.include?(name)

  problem "Formula name conflicts with existing core formula."
end

#audit_github_repositoryObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



484
485
486
487
488
489
490
491
492
493
# File 'formula_auditor.rb', line 484

def audit_github_repository
  user, repo = get_repo_data(%r{https?://github\.com/([^/]+)/([^/]+)/?.*}) if @new_formula

  return if user.blank?

  warning = SharedAudits.github(user, repo)
  return if warning.nil?

  new_formula_problem warning
end

#audit_github_repository_archivedObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



460
461
462
463
464
465
466
467
468
469
470
# File 'formula_auditor.rb', line 460

def audit_github_repository_archived
  return if formula.deprecated? || formula.disabled?

  user, repo = get_repo_data(%r{https?://github\.com/([^/]+)/([^/]+)/?.*}) if @online
  return if user.blank?

   = SharedAudits.github_repo_data(user, repo)
  return if .nil?

  problem "GitHub repo is archived" if ["archived"]
end

#audit_gitlab_repositoryObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



495
496
497
498
499
500
501
502
503
# File 'formula_auditor.rb', line 495

def audit_gitlab_repository
  user, repo = get_repo_data(%r{https?://gitlab\.com/([^/]+)/([^/]+)/?.*}) if @new_formula
  return if user.blank?

  warning = SharedAudits.gitlab(user, repo)
  return if warning.nil?

  new_formula_problem warning
end

#audit_gitlab_repository_archivedObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



472
473
474
475
476
477
478
479
480
481
482
# File 'formula_auditor.rb', line 472

def audit_gitlab_repository_archived
  return if formula.deprecated? || formula.disabled?

  user, repo = get_repo_data(%r{https?://gitlab\.com/([^/]+)/([^/]+)/?.*}) if @online
  return if user.blank?

   = SharedAudits.gitlab_repo_data(user, repo)
  return if .nil?

  problem "GitLab repo is archived" if ["archived"]
end

#audit_glibcObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



367
368
369
370
371
372
373
374
375
376
377
# File 'formula_auditor.rb', line 367

def audit_glibc
  return if formula.name != "glibc"
  return unless @core_tap

  version = formula.version.to_s
  return if version == OS::CI_GLIBC_VERSION

  problem "The glibc version must be #{version}, as this is the version used by our CI on Linux. " \
          "Glibc is for users who have a system Glibc with a lower version, " \
          "which allows them to use our Linux bottles, which were compiled against system Glibc on CI."
end

#audit_homepageObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
# File 'formula_auditor.rb', line 404

def audit_homepage
  homepage = formula.homepage

  return if homepage.blank?

  return unless @online

  return if formula.tap&.audit_exception :cert_error_allowlist, formula.name, homepage

  return unless DevelopmentTools.curl_handles_most_https_certificates?

  use_homebrew_curl = false
  %w[Stable HEAD].each do |name|
    spec_name = name.downcase.to_sym
    next unless (spec = formula.send(spec_name))

    use_homebrew_curl = spec.using == :homebrew_curl
    break if use_homebrew_curl
  end

  if (http_content_problem = curl_check_http_content(homepage,
                                                     "homepage URL",
                                                     user_agents:       [:browser, :default],
                                                     check_content:     true,
                                                     strict:            @strict,
                                                     use_homebrew_curl: use_homebrew_curl))
    problem http_content_problem
  end
end

#audit_licenseObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
# File 'formula_auditor.rb', line 155

def audit_license
  if formula.license.present?
    licenses, exceptions = SPDX.parse_license_expression formula.license

    non_standard_licenses = licenses.reject { |license| SPDX.valid_license? license }
    if non_standard_licenses.present?
      problem <<~EOS
        Formula #{formula.name} contains non-standard SPDX licenses: #{non_standard_licenses}.
        For a list of valid licenses check: #{Formatter.url("https://spdx.org/licenses/")}
      EOS
    end

    if @strict
      deprecated_licenses = licenses.select do |license|
        SPDX.deprecated_license? license
      end
      if deprecated_licenses.present?
        problem <<~EOS
          Formula #{formula.name} contains deprecated SPDX licenses: #{deprecated_licenses}.
          You may need to add `-only` or `-or-later` for GNU licenses (e.g. `GPL`, `LGPL`, `AGPL`, `GFDL`).
          For a list of valid licenses check: #{Formatter.url("https://spdx.org/licenses/")}
        EOS
      end
    end

    invalid_exceptions = exceptions.reject { |exception| SPDX.valid_license_exception? exception }
    if invalid_exceptions.present?
      problem <<~EOS
        Formula #{formula.name} contains invalid or deprecated SPDX license exceptions: #{invalid_exceptions}.
        For a list of valid license exceptions check:
          #{Formatter.url("https://spdx.org/licenses/exceptions-index.html")}
      EOS
    end

    return unless @online

    user, repo = get_repo_data(%r{https?://github\.com/([^/]+)/([^/]+)/?.*})
    return if user.blank?

    github_license = GitHub.get_repo_license(user, repo)
    return unless github_license
    return if (licenses + ["NOASSERTION"]).include?(github_license)
    return if PERMITTED_LICENSE_MISMATCHES[github_license]&.any? { |license| licenses.include? license }
    return if formula.tap&.audit_exception :permitted_formula_license_mismatches, formula.name

    problem "Formula license #{licenses} does not match GitHub license #{Array(github_license)}."

  elsif @new_formula && @core_tap
    problem "Formulae in homebrew/core must specify a license."
  end
end

#audit_postgresqlObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



352
353
354
355
356
357
358
359
360
361
362
363
364
365
# File 'formula_auditor.rb', line 352

def audit_postgresql
  return unless formula.name == "postgresql"
  return unless @core_tap

  major_version = formula.version.major.to_i
  previous_major_version = major_version - 1
  previous_formula_name = "postgresql@#{previous_major_version}"
  begin
    Formula[previous_formula_name]
  rescue FormulaUnavailableError
    problem "Versioned #{previous_formula_name} in homebrew/core must be created for " \
            "`brew postgresql-upgrade-database` and `pg_upgrade` to work."
  end
end

#audit_prefix_has_contentsObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



769
770
771
772
773
774
775
776
777
778
# File 'formula_auditor.rb', line 769

def audit_prefix_has_contents
  return unless formula.prefix.directory?
  return unless Keg.new(formula.prefix).empty_installation?

  problem <<~EOS
    The installation seems to be empty. Please ensure the prefix
    is set correctly and expected files are installed.
    The prefix configure/make argument may be case-sensitive.
  EOS
end

#audit_reverse_migrationObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



756
757
758
759
760
761
762
763
764
765
766
767
# File 'formula_auditor.rb', line 756

def audit_reverse_migration
  # Only enforce for new formula being re-added to core
  return unless @strict
  return unless @core_tap
  return unless formula.tap.tap_migrations.key?(formula.name)

  problem <<~EOS
    #{formula.name} seems to be listed in tap_migrations.json!
    Please remove #{formula.name} from present tap & tap_migrations.json
    before submitting it to Homebrew/homebrew-#{formula.tap.repo}.
  EOS
end

#audit_revision_and_version_schemeObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
# File 'formula_auditor.rb', line 648

def audit_revision_and_version_scheme
  return unless @git
  return unless formula.tap # skip formula not from core or any taps
  return unless formula.tap.git? # git log is required
  return if formula.stable.blank?

  fv = FormulaVersions.new(formula)

  current_version = formula.stable.version
  current_checksum = formula.stable.checksum
  current_version_scheme = formula.version_scheme
  current_revision = formula.revision
  current_url = formula.stable.url

  previous_version = nil
  previous_version_scheme = nil
  previous_revision = nil

  newest_committed_version = nil
  newest_committed_checksum = nil
  newest_committed_revision = nil
  newest_committed_url = nil

  fv.rev_list("origin/master") do |rev|
    begin
      fv.formula_at_revision(rev) do |f|
        stable = f.stable
        next if stable.blank?

        previous_version = stable.version
        previous_checksum = stable.checksum
        previous_version_scheme = f.version_scheme
        previous_revision = f.revision

        newest_committed_version ||= previous_version
        newest_committed_checksum ||= previous_checksum
        newest_committed_revision ||= previous_revision
        newest_committed_url ||= stable.url
      end
    rescue MacOSVersionError
      break
    end

    break if previous_version && current_version != previous_version
    break if previous_revision && current_revision != previous_revision
  end

  if current_version == newest_committed_version &&
     current_url == newest_committed_url &&
     current_checksum != newest_committed_checksum &&
     current_checksum.present? && newest_committed_checksum.present?
    problem(
      "stable sha256 changed without the url/version also changing; " \
      "please create an issue upstream to rule out malicious " \
      "circumstances and to find out why the file changed.",
    )
  end

  if !newest_committed_version.nil? &&
     current_version < newest_committed_version &&
     current_version_scheme == previous_version_scheme
    problem "stable version should not decrease (from #{newest_committed_version} to #{current_version})"
  end

  unless previous_version_scheme.nil?
    if current_version_scheme < previous_version_scheme
      problem "version_scheme should not decrease (from #{previous_version_scheme} " \
              "to #{current_version_scheme})"
    elsif current_version_scheme > (previous_version_scheme + 1)
      problem "version_schemes should only increment by 1"
    end
  end

  if (previous_version != newest_committed_version ||
     current_version != newest_committed_version) &&
     !current_revision.zero? &&
     current_revision == newest_committed_revision &&
     current_revision == previous_revision
    problem "'revision #{current_revision}' should be removed"
  elsif current_version == previous_version &&
        !previous_revision.nil? &&
        current_revision < previous_revision
    problem "revision should not decrease (from #{previous_revision} to #{current_revision})"
  elsif newest_committed_revision &&
        current_revision > (newest_committed_revision + 1)
    problem "revisions should only increment by 1"
  end
end

#audit_specsObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
# File 'formula_auditor.rb', line 529

def audit_specs
  problem "Head-only (no stable download)" if head_only?(formula)

  %w[Stable HEAD].each do |name|
    spec_name = name.downcase.to_sym
    next unless (spec = formula.send(spec_name))

    except = @except.to_a
    if spec_name == :head &&
       formula.tap&.audit_exception(:head_non_default_branch_allowlist, formula.name, spec.specs[:branch])
      except << "head_branch"
    end

    ra = ResourceAuditor.new(
      spec, spec_name,
      online: @online, strict: @strict, only: @only, except: except,
      use_homebrew_curl: spec.using == :homebrew_curl
    ).audit
    ra.problems.each do |message|
      problem "#{name}: #{message}"
    end

    spec.resources.each_value do |resource|
      problem "Resource name should be different from the formula name" if resource.name == formula.name

      ra = ResourceAuditor.new(
        resource, spec_name,
        online: @online, strict: @strict, only: @only, except: @except
      ).audit
      ra.problems.each do |message|
        problem "#{name} resource #{resource.name.inspect}: #{message}"
      end
    end

    next if spec.patches.empty?
    next if !@new_formula || !@core_tap

    new_formula_problem(
      "Formulae should not require patches to build. " \
      "Patches should be submitted and accepted upstream first.",
    )
  end

  return unless @core_tap

  if formula.head && @versioned_formula &&
     !formula.tap&.audit_exception(:versioned_head_spec_allowlist, formula.name)
    problem "Versioned formulae should not have a `HEAD` spec"
  end

  stable = formula.stable
  return unless stable
  return unless stable.url

  version = stable.version
  problem "Stable: version (#{version}) is set to a string without a digit" if version.to_s !~ /\d/

  stable_version_string = version.to_s
  if stable_version_string.start_with?("HEAD")
    problem "Stable: non-HEAD version name (#{stable_version_string}) should not begin with HEAD"
  end

  stable_url_version = Version.parse(stable.url)
  stable_url_minor_version = stable_url_version.minor.to_i

  formula_suffix = stable.version.patch.to_i
  throttled_rate = formula.tap&.audit_exception(:throttled_formulae, formula.name)
  if throttled_rate && formula_suffix.modulo(throttled_rate).nonzero?
    problem "should only be updated every #{throttled_rate} releases on multiples of #{throttled_rate}"
  end

  case (url = stable.url)
  when /[\d._-](alpha|beta|rc\d)/
    matched = Regexp.last_match(1)
    version_prefix = stable_version_string.sub(/\d+$/, "")
    return if formula.tap&.audit_exception :unstable_allowlist, formula.name, version_prefix
    return if formula.tap&.audit_exception :unstable_devel_allowlist, formula.name, version_prefix

    problem "Stable version URLs should not contain #{matched}"
  when %r{download\.gnome\.org/sources}, %r{ftp\.gnome\.org/pub/GNOME/sources}i
    version_prefix = stable.version.major_minor
    return if formula.tap&.audit_exception :gnome_devel_allowlist, formula.name, version_prefix
    return if stable_url_version < Version.create("1.0")
    # All minor versions are stable in the new GNOME version scheme (which starts at version 40.0)
    # https://discourse.gnome.org/t/new-gnome-versioning-scheme/4235
    return if stable_url_version >= Version.create("40.0")
    return if stable_url_minor_version.even?

    problem "#{stable.version} is a development release"
  when %r{isc.org/isc/bind\d*/}i
    return if stable_url_minor_version.even?

    problem "#{stable.version} is a development release"

  when %r{https?://gitlab\.com/([\w-]+)/([\w-]+)}
    owner = Regexp.last_match(1)
    repo = Regexp.last_match(2)

    tag = SharedAudits.gitlab_tag_from_url(url)
    tag ||= stable.specs[:tag]
    tag ||= stable.version

    if @online
      error = SharedAudits.gitlab_release(owner, repo, tag, formula: formula)
      problem error if error
    end
  when %r{^https://github.com/([\w-]+)/([\w-]+)}
    owner = Regexp.last_match(1)
    repo = Regexp.last_match(2)
    tag = SharedAudits.github_tag_from_url(url)
    tag ||= formula.stable.specs[:tag]

    if @online
      error = SharedAudits.github_release(owner, repo, tag, formula: formula)
      problem error if error
    end
  end
end

#audit_styleObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



40
41
42
43
44
45
46
47
48
49
50
51
# File 'formula_auditor.rb', line 40

def audit_style
  return unless @style_offenses

  @style_offenses.each do |offense|
    correction_status = "#{Tty.green}[Corrected]#{Tty.reset} " if offense.corrected?

    cop_name = "#{offense.cop_name}: " if @display_cop_names
    message = "#{cop_name}#{correction_status}#{offense.message}"

    problem message, location: offense.location
  end
end

#audit_textObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
# File 'formula_auditor.rb', line 737

def audit_text
  bin_names = Set.new
  bin_names << formula.name
  bin_names += formula.aliases
  [formula.bin, formula.sbin].each do |dir|
    next unless dir.exist?

    bin_names += dir.children.map(&:basename).map(&:to_s)
  end
  shell_commands = ["system", "shell_output", "pipe_output"]
  bin_names.each do |name|
    shell_commands.each do |cmd|
      if text.to_s.match?(/test do.*#{cmd}[(\s]+['"]#{Regexp.escape(name)}[\s'"]/m)
        problem %Q(fully scope test #{cmd} calls, e.g. #{cmd} "\#{bin}/#{name}")
      end
    end
  end
end

#audit_versioned_keg_onlyObject

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



390
391
392
393
394
395
396
397
398
399
400
401
402
# File 'formula_auditor.rb', line 390

def audit_versioned_keg_only
  return unless @versioned_formula
  return unless @core_tap

  if formula.keg_only?
    return if formula.keg_only_reason.versioned_formula?
    return if formula.name.start_with?("openssl", "libressl") && formula.keg_only_reason.by_macos?
  end

  return if formula.tap&.audit_exception :versioned_keg_only_allowlist, formula.name

  problem "Versioned formulae in homebrew/core should use `keg_only :versioned_formula`"
end

#get_repo_data(regex) ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



515
516
517
518
519
520
521
522
523
524
525
526
527
# File 'formula_auditor.rb', line 515

def get_repo_data(regex)
  return unless @core_tap
  return unless @online

  _, user, repo = *regex.match(formula.stable.url) if formula.stable
  _, user, repo = *regex.match(formula.homepage) unless user
  _, user, repo = *regex.match(formula.head.url) if !user && formula.head
  return if !user || !repo

  repo.delete_suffix!(".git")

  [user, repo]
end

#problem_if_output(output) ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



784
785
786
# File 'formula_auditor.rb', line 784

def problem_if_output(output)
  problem(output) if output
end

#quote_dep(dep) ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.



780
781
782
# File 'formula_auditor.rb', line 780

def quote_dep(dep)
  dep.is_a?(Symbol) ? dep.inspect : "'#{dep}'"
end