fix(yara): modified Source0 with malware-scanner-tripping fixture stripped

base/comps/components.toml

@@ -7182,7 +7182,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml"]
 [components.yajl]
 [components.yaksa]
 [components.yaml-cpp]
-[components.yara]
 [components.yarnpkg]
 [components.yelp]
 [components.yelp-tools]

base/comps/yara/modify_source.sh

@@ -0,0 +1,141 @@
+#!/usr/bin/env bash
+#
+# yara — strip benign-but-scanner-tripping fixture from upstream tarball.
+#
+# Background
+# ----------
+# An automated malware scan in the package signing pipeline rejects
+# `tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated` inside the upstream
+# `yara-4.5.4.tar.gz` tarball.  The file is a deliberately obfuscated
+# .NET binary used as an oss-fuzz seed-corpus input for YARA's `.NET`
+# parser fuzzer; it is benign but matches generic .NET-obfuscator
+# heuristics by design.
+#
+# The `*_fuzzer.cc` oss-fuzz harnesses (and their `*_fuzzer_corpus/`
+# directories) are NOT referenced from upstream's `Makefile.am`, so the
+# autotools `make check` driver does not exercise them.  Removing
+# `tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated` (and, optionally,
+# the rest of the dotnet fuzzer corpus) does not affect the Azure Linux
+# build or `%check`.
+#
+# This script repacks the upstream tarball with the offending file
+# stripped, then prints the SHA512 of the modified artefact for use in
+# `base/comps/yara/yara.comp.toml`'s `source-files` block.  The
+# modified tarball must be uploaded to the Azure Linux modified-source
+# blob storage; its blob URL becomes the `source-files.origin.uri` in
+# the comp TOML.
+#
+# Reproducibility notes
+# ---------------------
+# - The script uses `tar --sort=name --mtime=` flags to produce a
+#   byte-deterministic output, so re-running on the same upstream
+#   tarball must always yield the same SHA512.
+# - `gzip -n` strips mtime/filename metadata from the gzip header for
+#   the same reason.
+#
+# Output location
+# ---------------
+# The script writes its outputs to `base/build/work/scratch/yara/`
+# (resolved relative to the repository root).  This path is covered by
+# the repository's top-level `.gitignore` via `build/`, so no
+# component-level `.gitignore` is needed and no script artefact can be
+# accidentally committed.
+#
+# Usage:
+#   bash modify_source.sh
+#
+# Outputs (under base/build/work/scratch/yara/):
+#   yara-4.5.4-azl-stripped.tar.gz
+#   yara-4.5.4-azl-stripped.tar.gz.sha512
+#
+# After running upload `yara-4.5.4-azl-stripped.tar.gz` as the blob payload at
+# the lookaside URL pattern (modified container) for filename
+# `yara-4.5.4.tar.gz`.  The exact URL is printed by this script.
+
+set -euo pipefail
+
+UPSTREAM_URL="https://github.com/VirusTotal/yara/archive/v4.5.4.tar.gz"
+ORIGINAL_NAME="yara-4.5.4.tar.gz"
+ORIGINAL_SHA512="b1da40636f9e55bb07cc911479e6dfa8dc7a4fa3f6b9f10b9f669d741d7af51a1d31e044f9842ec3ab9c6ac9788fbdb89a1686c9e3f22f68d1f9e5fb3db22167"
+MODIFIED_NAME="yara-4.5.4-azl-stripped.tar.gz"
+EXTRACTED_DIRNAME="yara-4.5.4"
+
+# Files to remove from the upstream tarball.
+declare -a STRIP_PATHS=(
+    "${EXTRACTED_DIRNAME}/tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated"
+)
+
+SCRIPT_DIR="$(cd "$(dirname "$(realpath "$0")")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+WORKDIR="${REPO_ROOT}/base/build/work/scratch/yara"
+mkdir -p "${WORKDIR}"
+cd "${WORKDIR}"
+
+echo "[1/5] Downloading ${ORIGINAL_NAME} from upstream into ${WORKDIR}"
+curl -fsSL --retry 3 -o "${ORIGINAL_NAME}" "${UPSTREAM_URL}"
+
+echo "[2/5] Verifying original SHA512"
+COMPUTED_ORIGINAL_SHA512=$(sha512sum "${ORIGINAL_NAME}" | awk '{print $1}')
+if [[ "${COMPUTED_ORIGINAL_SHA512}" != "${ORIGINAL_SHA512}" ]]; then
+    echo "ERROR: upstream SHA512 mismatch" >&2
+    echo "  expected: ${ORIGINAL_SHA512}" >&2
+    echo "  computed: ${COMPUTED_ORIGINAL_SHA512}" >&2
+    exit 1
+fi
+
+echo "[3/5] Extracting"
+rm -rf "${EXTRACTED_DIRNAME}"
+tar -xzf "${ORIGINAL_NAME}"
+
+echo "[4/5] Stripping flagged paths"
+for p in "${STRIP_PATHS[@]}"; do
+    if [[ ! -e "${p}" ]]; then
+        echo "ERROR: expected path not present in upstream: ${p}" >&2
+        exit 1
+    fi
+    rm -v "${p}"
+done
+
+echo "[5/5] Repacking deterministically as ${MODIFIED_NAME}"
+# --sort=name        : deterministic file ordering
+# --mtime            : pin mtime to a fixed epoch so the output is reproducible
+# --owner=0 --group=0 --numeric-owner : strip uid/gid/uname/gname
+# gzip -n            : do not store the mtime/filename in the gzip header
+rm -f "${MODIFIED_NAME}"
+tar --sort=name \
+    --mtime='2024-01-01 00:00:00 UTC' \
+    --owner=0 --group=0 --numeric-owner \
+    -cf - "${EXTRACTED_DIRNAME}" | gzip -n -9 > "${MODIFIED_NAME}"
+
+MODIFIED_SHA512=$(sha512sum "${MODIFIED_NAME}" | awk '{print $1}')
+echo "${MODIFIED_SHA512}  ${MODIFIED_NAME}" > "${MODIFIED_NAME}.sha512"
+
+cat <<EOF
+
+================================================================
+DONE
+  modified tarball: ${WORKDIR}/${MODIFIED_NAME}
+  SHA512:           ${MODIFIED_SHA512}
+================================================================
+
+Next steps:
+  1. Make sure you are logged in to Azure (one-time per shell):
+       az login
+  2. Upload the modified tarball with this ready-to-paste command
+     (uploads to the lookaside 'repo' container under the
+     'pkgs_modified/' prefix at the exact path
+     base/comps/yara/yara.comp.toml's source-files.origin.uri expects):
+
+       az storage blob upload \\
+           --auth-mode login \\
+           --account-name azltempstaginglookaside \\
+           --container-name repo \\
+           --name "pkgs_modified/yara/yara-4.5.4.tar.gz/sha512/${MODIFIED_SHA512}/yara-4.5.4.tar.gz" \\
+           --file "${WORKDIR}/${MODIFIED_NAME}"
+
+  3. The hash + URI in base/comps/yara/yara.comp.toml are
+     already populated for SHA512 ${MODIFIED_SHA512:0:16}...; if the
+     SHA512 above does NOT match, this means the regeneration was not deterministic.
+     This requires further investigation and the comp TOML must NOT be updated with
+     the new hash/URI until the root cause of non-determinism is identified and resolved.
+EOF

base/comps/yara/yara.comp.toml

@@ -0,0 +1,30 @@
+[components.yara]
+
+# Upstream Fedora dist-git ships a `sources` file with the hash of
+# the original `yara-4.5.4.tar.gz` tarball.  Since we want to serve
+# a *modified* tarball under the SAME filename (so the spec's
+# Source0 line does not need to change), drop the upstream
+# `sources` file before the `source-files` block below re-creates
+# it with the modified-tarball SHA512.
+[[components.yara.overlays]]
+description = "Drop upstream Fedora `sources` file so the modified-tarball SHA512 in `source-files` below replaces (rather than conflicts with) the original `yara-4.5.4.tar.gz` entry."
+type = "file-remove"
+file = "sources"
+
+[[components.yara.source-files]]
+filename = "yara-4.5.4.tar.gz"
+hash = "57d3388dc9a84f58769679e26624be852d7c83e403ed60a21ae3ba4e1da9162dbc9bacf53d439793df67f4bc6a7fd38d600f10052df2e62255aed50687d2754a"
+hash-type = "SHA512"
+# The URI below mirrors the `lookaside-base-uri` pattern from
+# `overrides/fedora.distro.azl.sources.toml` but routes to the
+# `pkgs_modified` first path segment (instead of `pkgs`) inside
+# the same `repo` container, so the source-fetch pipeline can
+# serve the locally-modified tarball alongside upstream lookaside
+# content while keeping all locally-modified tarballs trivially
+# enumerable under one prefix.  Pattern:
+#   https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/$pkg/$filename/$hashtype/$hash/$filename
+# The maintainer must upload `yara-4.5.4-azl-stripped.tar.gz`
+# (produced by `modify_source.sh` in this directory; its output
+# lands at `base/build/work/scratch/yara/`) to this blob path
+# before the component can fetch its source.
+origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/yara/yara-4.5.4.tar.gz/sha512/57d3388dc9a84f58769679e26624be852d7c83e403ed60a21ae3ba4e1da9162dbc9bacf53d439793df67f4bc6a7fd38d600f10052df2e62255aed50687d2754a/yara-4.5.4.tar.gz" }

locks/yara.lock

@@ -2,5 +2,5 @@
 version = 1
 import-commit = 'ec3a8c26f3312d5d8c24c3e66d53cd8c75e416b3'
 upstream-commit = 'ec3a8c26f3312d5d8c24c3e66d53cd8c75e416b3'
-input-fingerprint = 'sha256:022aa495b534857b8f135ebb7413367cad98f1bfc60336284c9616d0a685e0f8'
+input-fingerprint = 'sha256:7c28a81998ea8835ada261c370411042b93fcca18221d29b88fdc64e0bccea1a'
 resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e'

specs/y/yara/sources

@@ -1 +1 @@
-SHA512 (yara-4.5.4.tar.gz) = b1da40636f9e55bb07cc911479e6dfa8dc7a4fa3f6b9f10b9f669d741d7af51a1d31e044f9842ec3ab9c6ac9788fbdb89a1686c9e3f22f68d1f9e5fb3db22167
+SHA512 (yara-4.5.4.tar.gz) = 57d3388dc9a84f58769679e26624be852d7c83e403ed60a21ae3ba4e1da9162dbc9bacf53d439793df67f4bc6a7fd38d600f10052df2e62255aed50687d2754a

specs/y/yara/yara.spec

@@ -2,7 +2,7 @@
 ## (rpmautospec version 0.8.3)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 4;
+    release_number = 5;
     base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
     print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -201,6 +201,10 @@ make check || (
 
 %changelog
 ## START: Generated by rpmautospec
+* Thu May 07 2026 Pawel Winogrodzki <pawelwi@microsoft.com> - 4.5.4-5
+- yara: serve modified Source0 with malware-scanner-tripping fixture
+  stripped
+
 * Thu Apr 30 2026 Daniel McIlvaney <damcilva@microsoft.com> - 4.5.4-4
 - feat: introduce deterministic commit resolution via Azure Linux lock file