fix: Be more flexible in GCC detection logic #4755

Merged: 1 commit, Apr 4, 2025

qmfrederik
Contributor

No description provided.

@qmfrederik qmfrederik force-pushed the fixes/gcc branch 2 times, most recently from bf809d5 to cd92548 Compare February 14, 2025 09:51
@qmfrederik
Contributor Author

This detects GCC in a number of packages, mainly (but not exclusively) on NetBSD. Seems reasonable, but you may want to double check.

@ffontaine
Contributor

You made a mistake when adding gcc in other_products for zsh, it shall be added to zsh-5.8nb2.tgz, not to zsh_5.8-6+b1_amd64.deb:

FAILED test/test_scanner.py::TestScanner::test_version_in_package[https://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/9.1/All/-zsh-5.8nb2.tgz-zsh-5.8-other_products1248] - AssertionError: gcc found in zsh-5.8nb2.tgz. If that's expected, make sure to add gcc to the expected list of other_products.
assert 'gcc' not in {'gcc', 'zsh'}
FAILED test/test_scanner.py::TestScanner::test_version_in_package[http://ftp.debian.org/debian/pool/main/z/zsh/-zsh_5.8-6+b1_amd64.deb-zsh-5.8-other_products1249] - AssertionError: gcc not found in zsh_5.8-6+b1_amd64.deb. Remove gcc from other_products.
assert 'gcc' in {'zsh'}

@qmfrederik
Contributor Author

You are right @ffontaine, thanks. Rebased and amended.

@qmfrederik
Contributor Author

@terriko This will require one more approval.

@qmfrederik qmfrederik force-pushed the fixes/gcc branch 3 times, most recently from 08b3fac to 45b8bb9 Compare February 28, 2025 09:27
terriko
terriko previously requested changes Mar 4, 2025
Contributor

@terriko terriko left a comment

Looks like there's still a test failure here:

 =========================== short test summary info ============================
FAILED test/test_scanner.py::TestScanner::test_version_in_package[https://mirror.msys2.org/mingw/ucrt64/-mingw-w64-ucrt-x86_64-cairo-1.18.2-2-any.pkg.tar.zst-cairo-1.18.2-other_products92] - AssertionError: gcc found in mingw-w64-ucrt-x86_64-cairo-1.18.2-2-any.pkg.tar.zst. If that's expected, make sure to add gcc to the expected list of other_products.
assert 'gcc' not in {'cairo', 'gcc'}
=========== 1 failed, 1903 passed, 18 warnings in 1211.34s (0:20:11) ===========

And I have to ask... is GCC really in all of these products or are we making more false positives here because they were compiled with gcc but don't actually contain it? Because I feel like at least some of these may be false positives.

@terriko
Contributor

terriko commented Mar 4, 2025

Oh, and updating the branch will fix the spelling error; sorry about that.

@ffontaine
Contributor

> And I have to ask... is GCC really in all of these products or are we making more false positives here because they were compiled with gcc but don't actually contain it? Because I feel like at least some of these may be false positives.

Indeed, gcc is not really in all of these products. Most (all?) of them are just binaries compiled with gcc. However, a lot of the CVEs related to gcc are related to the binary code generated by gcc such as CVE-2023-4039.

So I think that this PR shall be merged. @qmfrederik can you update this PR (i.e., fix cairo test)?

@qmfrederik
Contributor Author

I think those binaries are compiled with GCC and most likely also contain a static copy of the GCC runtime library, which causes them to show up. I've fixed the cairo issue and rebased on main. Let's see what CI has to say, hopefully good to go!
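
Added example, not code from this PR or from the project: how a binary that was only built with GCC can still match a `gcc` signature, and how a two-way `other_products` check produces the two failure messages quoted in this thread. The signature patterns, the function names `scan` and `check_expectations`, and the sample bytes are assumptions constructed for illustration.

```python
import re

# Hypothetical signatures for this example; the project's real checker
# patterns are not shown on the page.
SIGNATURES = {
    # GCC writes an ident string "GCC: (<vendor>) <version>" into the
    # .comment section of the objects it compiles.
    "gcc": re.compile(rb"GCC: \([^)\x00]*\) (\d+(?:\.\d+)+)"),
    "zsh": re.compile(rb"zsh-(\d+(?:\.\d+)+)"),
}

def scan(blob):
    """Map each product whose signature matches to the set of versions seen."""
    found = {}
    for name, pattern in SIGNATURES.items():
        versions = {m.group(1).decode() for m in pattern.finditer(blob)}
        if versions:
            found[name] = versions
    return found

def check_expectations(package, found, product, other_products):
    """Two-way check, worded like the failures quoted in the thread."""
    errors = []
    # Anything detected beyond the package's own product must be declared.
    for name in sorted(set(found) - {product} - set(other_products)):
        errors.append(f"{name} found in {package}. If that's expected, make sure "
                      f"to add {name} to the expected list of other_products.")
    # Anything declared must actually be detected.
    for name in sorted(set(other_products) - set(found)):
        errors.append(f"{name} not found in {package}. "
                      f"Remove {name} from other_products.")
    return errors

# Constructed byte strings standing in for extracted package contents; they
# reproduce the two outcomes reported above and are not real package data.
NETBSD_ZSH = b"\x7fELF\x02\x01\x01\x00zsh-5.8\x00GCC: (nb4 20200810) 7.5.0\x00"
DEBIAN_ZSH = b"\x7fELF\x02\x01\x01\x00zsh-5.8\x00"

if __name__ == "__main__":
    # gcc declared on the wrong package: both checks fail, as in the thread.
    print(check_expectations("zsh-5.8nb2.tgz", scan(NETBSD_ZSH), "zsh", []))
    print(check_expectations("zsh_5.8-6+b1_amd64.deb", scan(DEBIAN_ZSH), "zsh", ["gcc"]))
```

A match on the ident string says which compiler produced the binary, not that a GCC executable ships in the package, which is the distinction the reviewers are weighing here.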

@ffontaine
Contributor

jbigkit test package raises an error:

FAILED test/test_scanner.py::TestScanner::test_version_in_package[https://mirror.msys2.org/mingw/ucrt64/-mingw-w64-ucrt-x86_64-jbigkit-2.1-5-any.pkg.tar.zst-jbig-kit-2.1-other_products440] - AssertionError: gcc found in mingw-w64-ucrt-x86_64-jbigkit-2.1-5-any.pkg.tar.zst. If that's expected, make sure to add gcc to the expected list of other_products.
assert 'gcc' not in {'gcc', 'jbig-kit'}

@ffontaine ffontaine dismissed terriko’s stale review April 4, 2025 13:06

PR has been updated by @qmfrederik as requested by @terriko

@ffontaine
Contributor

All checks successful, merging

@ffontaine ffontaine merged commit 400528f into intel:main Apr 4, 2025
24 checks passed