Description
The alert from CBL-Mariner-Bot in PR #14449:
🚨 PR Check Failed - Critical Issues Found
Found 1 critical/error issue(s) that must be fixed.
🔍 Critical Issues Detected:
Missing Patch File (ERROR)
- Patch file 'https://github.com/systemd/systemd/pull/26494.patch' is referenced in the spec but not found in the directory
- 💡 Fix: Add the missing patch file or update the Patch reference
🤖 AI Analysis Summary:
Brief Analysis: These changes update the release number and add ARM64 support while retaining pre‐existing patch definitions—including a CVE patch (CVE-2023-7008).
Critical Issues Found: • No explicit application of patch directives is visible for the CVE patch; ensure it’s applied correctly. • The changelog does not mention the CVE fix corresponding to CVE-2023-7008.
Recommended Actions: • Verify that CVE-2023-7008.patch (and other declared patches) is present in the package directory and that it is applied via %patch or %autopatch in the %prep section. • Update the changelog with a clear entry for the CVE fix. • Confirm that ARM64 changes use the same patch management best practices as the x86_64 code.
📋 For detailed analysis and recommendations, check the Azure DevOps pipeline logs.
This appears to be a false alarm. '26494.patch' is present in /SPEC/systemd/. However, this referencing of patch0001 using the GitHub URL is new to me.
How does this play with RPM?
This has been in the spec since 255, so I'm curious if this issue is benign.
EDIT: Further review shows that this Patch path format follows similarly to our Source#: fields. Only the final portion of the path is used by rpmbuild. This is not a typical format for patch files in Azure Linux, but it is not incorrect. We can confirm this is a false alarm from CBLMariner-Bot.
Separately, CBLMariner-Bot also raised concerns over a missing CVE-2023-7008 patch. This is also a false alarm; the patch was contributed 7 months ago and still exists and is being applied.
Originally posted by @SeanDougherty in #14449 (comment)
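A presence check that resolves each Patch tag the way the comment above describes, by its final path component, so a URL-style reference is matched against the local file name. This is an added example, not code from CBL-Mariner-Bot or the Azure Linux repository; the sample spec, the `Patch0002` entry and the function names are constructed, and RPM macros in tag values are assumed to be already expanded.

```python
import re
import tempfile
from pathlib import Path

# Matches "Patch:", "Patch1:", "Patch0001:" at the start of a line.
PATCH_TAG = re.compile(r"^(Patch\d*):\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def local_name(value: str) -> str:
    """File name looked up on disk: the part after the last '/'."""
    return value.rsplit("/", 1)[-1]


def missing_patches(spec_text: str, spec_dir: Path) -> list[str]:
    """Return 'Tag: file' for every Patch tag whose file is not in spec_dir."""
    missing = []
    for tag, value in PATCH_TAG.findall(spec_text):
        name = local_name(value)
        if not (spec_dir / name).is_file():
            missing.append(f"{tag}: {name}")
    return missing


# Constructed sample: Patch0001 is the URL form quoted in the alert,
# Patch0002 is a hypothetical entry with no file behind it.
SAMPLE_SPEC = """\
Name:      systemd
Patch0001: https://github.com/systemd/systemd/pull/26494.patch
Patch0002: example-missing.patch
"""


def demo() -> list[str]:
    """Run the check against a temporary directory holding only 26494.patch."""
    with tempfile.TemporaryDirectory() as tmp:
        spec_dir = Path(tmp)
        (spec_dir / "26494.patch").write_text("constructed placeholder\n")
        return missing_patches(SAMPLE_SPEC, spec_dir)


if __name__ == "__main__":
    # Only the entry with no local file should be reported.
    print(demo())
```

Comparing the full tag value against the directory listing would report the URL-style entry as missing even though `26494.patch` is on disk.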