build(deps): bump redhat-plumbers-in-action/differential-shellcheck from 4 to 5 #6

dependabot · 2023-10-21T09:15:41Z

Bumps redhat-plumbers-in-action/differential-shellcheck from 4 to 5.

Release notes

Sourced from redhat-plumbers-in-action/differential-shellcheck's releases.

v5.0.0

What's Changed

Breaking

drop: ignored-codes input 🚫 (#290) @jamacku

drop: shell-scripts input 🚫 (#288) @jamacku

New

Show more context for ShellCheck defects and fixes in console output 💾 (#300) @jamacku

Add support for subdirectory scanning 📁 (#294) @jamacku

Add Statistics of defect severities 📊 (#233) @jamacku

Show scanned files in console by default 📜 (#285) @jamacku

Bug Fixes

Fix autodetection of shell scripts in DEBUG mode 🥝 (#299) @jamacku

Always gather defect statistics 📉 (#298) @jamacku

Fix count of scanned files in job Summary when running on push event 🔢 (#297) @jamacku

Set correct version of ShellCheck in SARIF 🥥 (#296) @jamacku

fix: detection of changed files that might cause failure on some paths 🍭 (#286) @jamacku

Maintenance

Make the version of the used GHA more visible 👀 (#320) @jamacku

Update csutils (csdiff and csgrep) to 3.0.4 (#319) @jamacku

Update csutils (csdiff) to 3.0.3 (#293) @jamacku

Documentation

Improve documentation examples and update feature showcase 📷 (#301) @jamacku

Add section documenting VS Code integration 👩‍💻 (#311) @jamacku

doc: Explain format of path list options (#310) @VladimirSlavik

Automation and CI changes

Monthly dependabot updates 🤖 (#274) @jamacku

Dependency Updates

build(deps): bump fedora from 61f921e to 6fc00f8 (#312) @dependabot

build(deps): bump actions/checkout from 3.6.0 to 4.1.0 (#318) @dependabot

build(deps): bump docker/build-push-action from 4.1.1 to 5.0.0 (#317) @dependabot

build(deps): bump docker/login-action from 2.2.0 to 3.0.0 (#316) @dependabot

build(deps): bump docker/setup-buildx-action from 2.10.0 to 3.0.0 (#315) @dependabot

build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 (#314) @dependabot

... (truncated)

Changelog

Sourced from redhat-plumbers-in-action/differential-shellcheck's changelog.

Changelog

Next release

v5.0.0

Added defect statistics based on severity levels. They are available in the console output and in the job Summary page.

New option scan-directory. Allows to specify directories that will be scanned. By default Differe 8000 ntial ShellCheck scans the whole repository.

Show more context for ShellCheck defects and fixes in console output. The defect is now shown in the context of the surrounding code.

Fix autodetection of shell scripts in DEBUG mode

Fix detection of changed files that might cause failure on paths with special characters.

Fix count of scanned files in job Summary when running on push event.

Drop support for shell-scripts input

Drop support for ignored-codes input

Update csutils (csdiff) to 3.0.4

v4.2.2

Container images now based on Fedora 38

ShellCheck - 0.8.0 -> 0.9.0

csutils - 3.0.0 -> 3.0.2

v4.2.1

Handle multiple include/exclude paths with newlines

v4.2.0

New option exclude-path. Allows to specify list of paths excluded from ShellCheck scanning. It supports globbing and brace expansion. e.g. test/{test1,test2}/**

New option include-path. Similar to exclude-path, it allows specifying the list of paths that will be included into scanning. No further checks are performed. It supports globbing and brace expansion. e.g. fixture/**.fixture

v4.1.0

grep - do not escape # and ! in patterns

Utilize DEBUG to run grep without --silent option

Update csutils (csdiff) to 3.0.0

v4.0.2

Correctly handle character escaping in filenames (e.g. ␣ and &)

Improve documentation and more tests

v4.0.0
Tag latest is no longer available. Use major tags instead (e.g. v3 or v4).
Action can be triggered using GitHub push event
on:

... (truncated)

Commits

aa647ec v5.0.1
3dfdfcf fix: uninitialized variable RUNNER_DEBUG
98b3935 fix: drop support for DEBUG in grep
c9cc531 fix: incorrect log about fixed issues
0b37fe0 v5.0.0
b392c11 deps: use the correct version of super-linter
9988647 deps: add comment with pinned version
a58af3b deps: update csutils (csdiff and csgrep) to 3.0.4
dc2f863 doc: fix format of warning message
e0416c5 doc: add example.sh for testing purposes
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [redhat-plumbers-in-action/differential-shellcheck](https://github.com/redhat-plumbers-in-action/differential-shellcheck) from 4 to 5. - [Release notes](https://github.com/redhat-plumbers-in-action/differential-shellcheck/releases) - [Changelog](https://github.com/redhat-plumbers-in-action/differential-shellcheck/blob/main/docs/CHANGELOG.md) - [Commits](redhat-plumbers-in-action/differential-shellcheck@v4...v5) --- updated-dependencies: - dependency-name: redhat-plumbers-in-action/differential-shellcheck dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

It fixes the crash spotted avahi#490 (comment). The fuzz target was updated to exercise those code paths (among other things). Without this commit it crashes with ``` fuzz-consume-record: malloc.c:250: void *avahi_memdup(const void *, size_t): Assertion `s' failed. ==72869== ERROR: libFuzzer: deadly signal #0 0x5031b5 in __sanitizer_print_stack_trace (avahi/out/fuzz-consume-record+0x5031b5) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06) #1 0x45cd6c in fuzzer::PrintStackTrace() (avahi/out/fuzz-consume-record+0x45cd6c) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06) #2 0x441c47 in fuzzer::Fuzzer::CrashCallback() (out/fuzz-consume-record+0x441c47) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06) #3 0x7f189e97ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #4 0x7f189e9cf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #5 0x7f189e97eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #6 0x7f189e96787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #7 0x7f189e96779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #8 0x7f189e977186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #9 0x557bfc in avahi_memdup avahi/avahi-common/malloc.c:250:5 #10 0x54895c in avahi_record_copy avahi/avahi-core/rr.c:469:45 ```

dependabot · 2023-11-02T14:21:42Z

Looks like redhat-plumbers-in-action/differential-shellcheck is up-to-date now, so this is no longer needed.

All the functions receiving service names expect them to be UTF-8. When they aren't those functions can crash. For example here's how avahi_alternative_service_name crashed without this patch: ``` alternative-test: alternative.c:44: drop_incomplete_utf8: Assertion `*e & 128' failed. #0 0x00007ffff76b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 #1 0x00007ffff765fafe in raise () from /lib64/libc.so.6 #2 0x00007ffff764887f in abort () from /lib64/libc.so.6 #3 0x00007ffff764879b in __assert_fail_base.cold () from /lib64/libc.so.6 #4 0x00007ffff7658187 in __assert_fail () from /lib64/libc.so.6 #5 0x000000000040257b in drop_incomplete_utf8 (c=0x60200003bed0 "\301\n") at alternative.c:44 #6 0x00000000004033b2 in avahi_alternative_service_name (s=0x40ff00 "\301\n") at alternative.c:184 #7 0x000000000040b722 in main (argc=1, argv=0x7fffffffe1c8) at alternative-test.c:91 ``` The test is added to make sure avahi_alternative_service_name no longer crashes. The fuzz target is updated to make sure avahi_alternative_service_name can withstand all sorts of service names.

Fixes: ``` ==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8 READ of size 1110 at 0x7f9e76f14c16 thread T0 #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba) #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12 #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12 ``` and ``` fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed. ==101571== ERROR: libFuzzer: deadly signal #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) #3 0x7f1581d7ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9 ``` It's a follow-up to 94cb648

When avahi-daemon fails under ASan/UBSan the tests trying to reach it via D-Bus start to fail too with cryptic error messages and without ASan reports it's hard to tell what exactly fails. This patch is prompted by avahi#551 where the smoke test failed with ``` ** (process:23892): WARNING **: 10:26:43.529: Error initializing Avahi: Daemon not running glib-integration: client.c:626: void avahi_client_free(AvahiClient *): Assertion `client' failed. ``` without any way to figure out what went wrong. With this patch applied the following backtrace would have been shown: ``` avahi-daemon[23694]: browse.c: Found CNAME loop on interface 2, proto 1, query cname0.local IN AAAA avahi-daemon[23694]: browse.c: Found CNAME loop on interface 2, proto 1, query cname0.local IN AAAA avahi-daemon[23694]: ================================================================= avahi-daemon[23694]: ==23694==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000000f70 at pc 0x7f5aac154542 bp 0x7ffe59141be0 sp 0x7ffe59141bd8 avahi-daemon[23694]: READ of size 4 at 0x60b000000f70 thread T0 avahi-daemon[23694]: #0 0x7f5aac154541 in lookup_multicast_callback /home/runner/work/avahi/avahi/avahi-core/browse.c:268:12 avahi-daemon[23694]: #1 0x7f5aac1bfa0a in avahi_multicast_lookup_engine_notify /home/runner/work/avahi/avahi/avahi-core/multicast-lookup.c:317:21 avahi-daemon[23694]: #2 0x7f5aac115808 in avahi_cache_update /home/runner/work/avahi/avahi/avahi-core/cache.c:363:13 avahi-daemon[23694]: #3 0x7f5aac0e9621 in handle_response_packet /home/runner/work/avahi/avahi/avahi-core/server.c:720:21 avahi-daemon[23694]: #4 0x7f5aac0e3cf6 in dispatch_packet /home/runner/work/avahi/avahi/avahi-core/server.c:1032:9 avahi-daemon[23694]: #5 0x7f5aac0e2116 in mcast_socket_event /home/runner/work/avahi/avahi/avahi-core/server.c:1093:13 avahi-daemon[23694]: #6 0x7f5aac464b6c in avahi_simple_poll_dispatch /home/runner/work/avahi/avahi/avahi-common/simple-watch.c:585:13 avahi-daemon[23694]: #7 0x7f5aac4651a8 in avahi_simple_poll_iterate /home/runner/work/avahi/avahi/avahi-common/simple-watch.c:605:14 avahi-daemon[23694]: #8 0x5592a3ed3884 in run_server /home/runner/work/avahi/avahi/avahi-daemon/main.c:1279:18 avahi-daemon[23694]: #9 0x5592a3ec4132 in main /home/runner/work/avahi/avahi/avahi-daemon/main.c:1708:13 avahi-daemon[23694]: #10 0x7f5aabc29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 avahi-daemon[23694]: #11 0x7f5aabc29e3f in __libc_start_main csu/../csu/libc-start.c:392:3 avahi-daemon[23694]: #12 0x5592a3e05054 in _start (/usr/sbin/avahi-daemon+0x71054) (BuildId: 0aa9e5ea43ef010d5f42e9109eabd1434ff1b3db) ... ```

Those strings are consumed in various places and it's generally expected that they are UTF-8. It's prompted by an issue where python scripts threw the UnicodeDecodeError exception trying to parse the output of avahi-browse -arp. The fuzz target fails on architectures where char is unsigned (like aarch64 for example): ``` fuzz-strlst: fuzz/fuzz-strlst.c:40: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_utf8_valid(t)' failed. ==26== ERROR: libFuzzer: deadly signal #0 0x4a38f8 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3 #1 0x44d350 in fuzzer::PrintStackTrace() cxa_noexception.cpp #2 0x436728 in fuzzer::Fuzzer::CrashCallback() cxa_noexception.cpp #3 0x5500834ffc (/usr/lib/aarch64-linux-gnu/ld-2.31.so+0x23ffc) #4 0x550099cd74 in raise (/lib/aarch64-linux-gnu/libc.so.6+0x33d74) #5 0x5500989aa8 in abort (/lib/aarch64-linux-gnu/libc.so.6+0x20aa8) #6 0x550099648c (/lib/aarch64-linux-gnu/libc.so.6+0x2d48c) #7 0x55009964f0 in __assert_fail (/lib/aarch64-linux-gnu/libc.so.6+0x2d4f0) #8 0x4a4e70 in LLVMFuzzerTestOneInput /src/avahi/fuzz/fuzz-strlst.c:40:9 `` but it shouldn't break anything because currently it's run on x86_64/i386 only on a regular basis. It should help to catch bugs/regressions though.

dependabot bot added the dependencies Pull requests that update a dependency file label Oct 21, 2023

dependabot bot closed this Nov 2, 2023

dependabot bot deleted the dependabot/github_actions/redhat-plumbers-in-action/differential-shellcheck-5 branch November 2, 2023 14:21

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

build(deps): bump redhat-plumbers-in-action/differential-shellcheck from 4 to 5 #6

build(deps): bump redhat-plumbers-in-action/differential-shellcheck from 4 to 5 #6

Uh oh!

Uh oh!

Uh oh!

Uh oh!

build(deps): bump redhat-plumbers-in-action/differential-shellcheck from 4 to 5 #6

build(deps): bump redhat-plumbers-in-action/differential-shellcheck from 4 to 5 #6

Uh oh!

Conversation

Uh oh!

v5.0.0

What's Changed

Breaking

New

Bug Fixes

Maintenance

Documentation

Automation and CI changes

Dependency Updates

Changelog

Next release

v5.0.0

v4.2.2

v4.2.1

v4.2.0

v4.1.0

v4.0.2

v4.0.0

Uh oh!

Uh oh!

Uh oh!