From bf6d5df0ec4c0177a59e32c20f2c7128edb679d2 Mon Sep 17 00:00:00 2001
From: Michael Kuhn <michael.kuhn@ovgu.de>
Date: Mon, 23 Oct 2023 20:22:39 +0200
Subject: audit: add check for GitLab patches (#40656)

GitLab's .patch URLs only provide abbreviated hashes, while .diff URLs
provide full hashes. There does not seem to be a parameter to force
.patch URLs to also return full hashes, so we should make sure to use
the .diff ones.
---
 .../packages/invalid-gitlab-patch-url/package.py     | 20 ++++++++++++++++++++
 .../invalid-selfhosted-gitlab-patch-url/package.py   | 20 ++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 var/spack/repos/builtin.mock/packages/invalid-gitlab-patch-url/package.py
 create mode 100644 var/spack/repos/builtin.mock/packages/invalid-selfhosted-gitlab-patch-url/package.py

(limited to 'var')

diff --git a/var/spack/repos/builtin.mock/packages/invalid-gitlab-patch-url/package.py b/var/spack/repos/builtin.mock/packages/invalid-gitlab-patch-url/package.py
new file mode 100644
index 0000000000..527a1815e6
--- /dev/null
+++ b/var/spack/repos/builtin.mock/packages/invalid-gitlab-patch-url/package.py
@@ -0,0 +1,20 @@
+# Copyright 2013-2023 Lawrence Livermore National Security, LLC and other
+# Spack Project Developers. See the top-level COPYRIGHT file for details.
+#
+# SPDX-License-Identifier: (Apache-2.0 OR MIT)
+
+from spack.package import *
+
+
+class InvalidGitlabPatchUrl(Package):
+    """Package that has GitLab patch URLs that fail auditing."""
+
+    homepage = "http://www.example.com"
+    url = "http://www.example.com/patch-1.0.tar.gz"
+
+    version("1.0", md5="0123456789abcdef0123456789abcdef")
+
+    patch(
+        "https://gitlab.com/QEF/q-e/-/commit/4ca3afd4c6f27afcf3f42415a85a353a7be1bd37.patch",
+        sha256="d7dec588efb5c04f99d949d8b9bb4a0fbc98b917ae79e12e4b87ad7c3dc9e268",
+    )
diff --git a/var/spack/repos/builtin.mock/packages/invalid-selfhosted-gitlab-patch-url/package.py b/var/spack/repos/builtin.mock/packages/invalid-selfhosted-gitlab-patch-url/package.py
new file mode 100644
index 0000000000..818876405c
--- /dev/null
+++ b/var/spack/repos/builtin.mock/packages/invalid-selfhosted-gitlab-patch-url/package.py
@@ -0,0 +1,20 @@
+# Copyright 2013-2023 Lawrence Livermore National Security, LLC and other
+# Spack Project Developers. See the top-level COPYRIGHT file for details.
+#
+# SPDX-License-Identifier: (Apache-2.0 OR MIT)
+
+from spack.package import *
+
+
+class InvalidSelfhostedGitlabPatchUrl(Package):
+    """Package that has GitLab patch URLs that fail auditing."""
+
+    homepage = "http://www.example.com"
+    url = "http://www.example.com/patch-1.0.tar.gz"
+
+    version("1.0", md5="0123456789abcdef0123456789abcdef")
+
+    patch(
+        "https://gitlab.gnome.org/GNOME/glib/-/commit/bda87264372c006c94e21ffb8ff9c50ecb3e14bd.patch",
+        sha256="2e811ec62cb09044c95a4d0213993f09af70cdcc1c709257b33bc9248ae950ed",
+    )
-- 
cgit v1.2.3-70-g09d2