Hello,
I observer a Unicode check failure in fedora-ci.koji-build.rpminspect.static-analysis test on
perl-Prima-1.70-1.fc40 package in Fedora CI
<https://bodhi.fedoraproject.org/updates/FEDORA-2023-54d3e14b6e>:
A forbidden code point, 0x202D, was found in the
Prima-1.70/Prima/Drawable/Glyphs.pm source file on line 999 at column 3.
This source file is used by perl-Prima.spec.
Suggested remedy:
The rpminspect configuration file contains a list of forbidden Unicode
code points. One was found in the extracted and patched source tree or in
one of the text source files in the source RPM. Either remove this code
point or discuss the situation with the Product Security Team to determine
the correct course of action.
This is an excerpt from the Glyphs.pm file:
995 =for latex-makedoc cut
996
997 use Prima;
998 $::application-> begin_paint;
999 $::application-> text_shape_out('אפס123', 0,0);
1000
1001 123ספא
1002
1003 =for latex-makedoc cut
As you can see it's a text from a documentation in POD format. The
documentation is interleaved with a Perl code.
I classify the test finding a false positive because Fedora rpminspect policy
excludes documentation files. Though rpminspect cannot split a documentation
from a code in a single file.
I tried to disable the unicode check with a local rpminspect.yaml file, but
rpminspect insists on security checks not to be overrided be pacakge:
$ rpminspect -c /usr/share/rpminspect/fedora.yaml -T unicode perl-Prima-1.70-1.fc40.src.rpm
rpminspect: *** ignoring 'unicode' section in /tmp/rpminspect.yaml; only allowed in system-wide configuration
My questions:
Do you agree it's a false positve?
Can you sanction ammending Fedora rpminspct policy with:
unicode:
ignore:
# 0x202D character used on purpose to demonstrate RLE in
# a documentation.
- Prima-*/Prima/Drawable/Glyphs.pm
-- Petr
