rpminspect.conf

#
# rpminspect configuration file
# See rpminspect.conf(5) for more information.
#

[common]
# Directory where individual rpminspect jobs will expand packages
# and generate all of the test output.  This needs to be a
# location with plenty of storage space.
workdir = /var/tmp/rpminspect

# Location of runtime profile configuration files.  These are files
# that contain overrides for the settings in rpminspect.conf (except
# for the [common] section).  Profiles are referred to by NAME and
# the file would be NAME.conf.  Any profile used at runtime must
# exist in the profile directory.
profiledir = /etc/rpminspect/profiles

[koji]
# The root URL of the XMLRPC API provided by the Koji hub
hub = https://koji.fedoraproject.org/kojihub

# The download URL for regular packages built in Koji
download_ursine = https://kojipkgs.fedoraproject.org

# The download URL for modular packages built in Koji
download_mbs = https://kojipkgs.fedoraproject.org

# Do the download URLs require the Koji volume name? (true/false)
use_volume_name = false

[vendor]
# Where the vendor data files can be found.  The rpminspect-data-generic
# package provides a template of where these files should live.
#
# These settings name the specific subdirectories.  The files within them
# depend on the data file being read.  Most will have filenames matching the
# product release (which is usually the %{disttag} value for the builds.

# Main directory for the vendor-specific data.
vendor_data_dir = "/usr/share/rpminspect"

# Location of the license database file under the 'licenses/'
# subdirectory in the vendor_data_dir.  This database is used
# by the 'license' inspection.
licensedb = "fedora.json"

# Which product release string to favor.  By default, rpminspect
# expects the product release strings for the before and after builds
# to match.  You can change this here to:
#
#     oldest      Favor the oldest product release string.
#     newest      Favor the newest product release string.
#     none        Default behavior, require matching release strings.
#
# If this is set to anything other than 'none', rpminspect will use
# strverscmp() to compare the strings and return the one that matches
# based on the rule here.  Setting this any value other than the ones
# listed here will be ignored and the default behavior will remain in
# effect.
#
# The product release string tells rpminspect which vendor data files
# to use from the vendor_data_dir.
favor_release = newest

[inspections]
# By default all inspections are enabled.  You can enable and disable
# inspections using the command line -T and -E options, or you can add
# them to this section in the config file.  The format is:
#
#     inspection_name = [on|off]
#
# The default is enabled, so it is really only necessary to list the
# inspections to disable.  Here is a list of all inspections with a
# disable setting that you can uncomment to turn off certain ones.
#
#addedfiles = off
#annocheck = off
#arch = off
#capabilities = off
#changedfiles = off
#desktop = off
#disttag = off
#DT_NEEDED = off
#elf = off
#emptyrpm = off
#filesize = off
#javabytecode = off
#kmod = off
#license = off
#manpage = off
#metadata = off
#modularity = off
#ownership = off
#pathmigration = off
#permissions = off
#removedfiles = off
#shellsyntax = off
#specname = off
#subpackages = off
#upstream = off
#xml = off

[settings]
# List of unprofessional or prohibited words.  rpminspect will check for
# these words via a case-insensitive regular expression test in various
# string data, such as the license tag and package description.  Please
# only list individual words and not phrases as the test is meant to
# capture substrings for instances where some care needs to be taken for
# phrasing or name abbreviations.
#
# Separate words by whitespace and keep the value of this setting as a
# single string.
badwords = "shit piss fuck cunt tits cocksucker motherfucker"

# Required Vendor string.  This is part of the RPM header and is the
# value expected in packages checked by rpminspect.
vendor = "Fedora Project"

# Allowed build host subdomain.  The RPM header contains information about
# where the package was built.  rpminspect verifies the hostnames are in
# the expected subdomain listed below.  Multiple subdomains may be listed,
# just delimit them with spaces.
buildhost_subdomain = ".fedoraproject.org .bos.redhat.com"

# File paths to include in or exclude from specific tests. Each value is a
# POSIX extended regular expression. Individual tests may apply additional
# filters (e.g., ELF tests only run on ELF files)
#
# A missing or empty include key indicates that all paths should be included.
# A missing or empty exclude key indicates that no paths should be excluded.

# For ELF, skip the kernel, kernel modules, and two additional paths for
# ppc/ppc64:
# crtsavres.o is linked against kernel modules, and kernel-wrapper is a boot
# wrapper that should not be inspected.
elf_path_include = ""
elf_path_exclude = "(^(/boot/vmlinu|/lib/modules|/lib64/modules).*)|(.*/powerpc/lib/crtsavres.o$)|(^/usr/lib(64)?/kernel-wrapper$)"

# Blacklist of functions which indicate broken support for IPv6. Depending
# on how they are used, their usage could be benign but it requires manual
# inspection.
elf_ipv6_blacklist = "gethostbyname gethostbyname2 gethostbyaddr inet_addr inet_aton inet_nsap_addr inet_ntoa inet_nsap_ntoa inet_makeaddr inet_netof inet_network inet_neta inet_net_ntop inet_net_pton rcmd rexec rresvport"

manpage_path_include = "^/usr/share/man/.*"
manpage_path_exclude = ""

# Skip JSP and RHTML files, which contain a mix of XML and code.
xml_path_include = ""
xml_path_exclude = ".*(\.jsp|\.rhtml|\.xml\.in)$"

# Where desktop entry files live
desktop_entry_files_dir = "/usr/share/applications"

# Optional: Path prefixes for files with security concerns.
# You can list more than one here separated by spaces.
security_path_prefix = "/etc/sudoers.d/ /etc/polkit-1/ /usr/share/polkit-1/actions/"

# Optional: Filename extensions expected for C and C++ header files
header_file_extensions = ".h .hh .hxx .hpp .H"

# Optional: Path prefixes, suffixes, and directories to forbid.
# To have rpminspect reporting out if packages have gained files
# that are forbidden by policy, adjust these lists.

# Optional: Forbidden path prefixes, space delimited list.
forbidden_path_prefixes = "tmp/ var/tmp etc/init.d etc/xinetd.d"

# Optional: Forbidden path suffixes, space delimited list.
forbidden_path_suffixes = "~ .orig"

# Optional: Forbidden directories, space delimited list.
forbidden_directories = "__MACOSX CVS .svn .hg .git"

# Path prefixes where executable files live
bin_paths = "/bin /sbin /usr/bin /usr/sbin"

# Owner name for executable files
bin_owner = "root"

# Group name for executable files
bin_group = "root"

# Optional: List of forbidden file owners
forbidden_owners = "mockbuild"

# Optional: List of forbidden file groups
forbidden_groups = "mockbuild"

# List of shells used to perform syntax checking (must support -n)
# This is used by the shellsyntax inspection.  For every shell
# script encountered in the build, the program will get the
# name of the shell from the #! line and check to see if it's
# in this list.  If it is, it performs a -n check on the script
# and if that returns non-zero, it gets reported out.
# NOTE: Each shell listed must be listed by basename only and must
# support the '-n' option for syntax checking.
shells = "sh ksh zsh csh tcsh rc bash"

# File size reporting threshold percentage.  What percentage change
# warrants reporting a VERIFY result?  This change can be file size
# increase or decrease.  The default is 20%
size_threshold = 20

[specname]
# Spec filename test matching type.
# The spec filename should match the %{name} defined in the spec file.
# For example.  If the spec file sets "Name: someprogram" then the
# spec file should be named "someprogram.spec".  There are cases where
# the spec file may vary slightly from that, so you can set the match
# type here.  It can be 'prefix', 'full', or 'suffix'.  Here are some
# examples using the someprogram example above:
#
#     %{name}          specname           Match Type     Passes?
#     someprogram      someprogram.spec   full           yes
#     someprogram      some_program.spec  full           no
#     my-someprogram   someprogram.spec   full           no
#     my-someprogram   someprogram.spec   prefix         no
#     my-someprogram   someprogram.spec   suffix         yes
#     someprogram-opt  someprogram.spec   prefix         yes
#
# By default this inspection uses 'full' matching.
match = full
#match = prefix
#match = suffix

# Where should rpminspect get the primary name value?  The filename
# without the .spec extension or the package's %{name} value?  By
# default this is the %{name}.
primary = name
#primary = filename

# Expected major JVM version number for each product release.  The key
# should be the product release string that you will use consistently
# throughout the run of rpminspect (e.g., a dist tag for Fedora).  The
# value is the JVM major version.  For example:
#     fc30 = 52
# You should also always specify a default, like this:
#     default = 43
# If the product release string is not found, the javabytecode test will
# use the default entry.  You can have as many entries as you want in
# this section.  Default is 43 because that was the first JVM major
# version in the .class file format.
[javabytecode]
fc28 = 52
fc29 = 52
fc30 = 52
fc31 = 52
fc32 = 52
default = 43

# Path migrations.  Over time the established best practices or
# packaging policies change.  Directories we once used are now
# replaced by a new directory.  The 'pathmigration' inspection looks
# for any old path names and if found reports what they should be.
# Under this config section use the left side of the equal sign to
# note the old path and the right side of the equal sign to note the
# new path.  For example:
#
#    /bin = /usr/bin
#
# Any package containing a file in /bin will have a failure reporting
# that file should be in /usr/bin.
[pathmigration]
/bin = /usr/bin
/sbin = /usr/sbin
/lib = /usr/lib
/lib64 = /usr/lib64

# annocheck(1) tests to run.  The left side of the equal sign is the test
# name and the right side are the arguments to the annocheck executable
# before giving it the full path to the filename.
#
# This section is optional.  If not annocheck tests are defined, rpminspect
# will skip the annocheck inspection.
[annocheck]
hardened = --skip-glibcxx-assertions --skip-stack-realign --ignore-unknown --enable-builtby --verbose

# Path migrations.  Over time the established best practices or
# packaging policies change.  Directories we once used are now
# replaced by a new directory.  The 'pathmigration' inspection looks
# for any old path names and if found reports what they should be.
# Under this config section use the left side of the equal sign to
# note the old path and the right side of the equal sign to note the
# new path.  For example:
#
#    /bin = /usr/bin
#
# Any package containing a file in /bin will have a failure reporting
# that file should be in /usr/bin.
[pathmigration]
/bin = /usr/bin
/sbin = /usr/sbin
/lib = /usr/lib
/lib64 = /usr/lib64

# Product release string matches.  rpminspect uses product release strings
# to determine what metadata files to use from the rpminspect-data package.
# By default, rpminspect tries to figure out the product by extracting the
# dist tag portion of the Release tag in the RPM.  If you are comparing two
# builds, the product release string needs to match.  If they do not match,
# you have two options:
#
#     1) Specify the "-r" option and give rpminspect a product release string.
#     2) Rely on the product release string regexps in rpminspect.conf
#
# Some products may have a variety of dist tags, so you can construct a
# regular expression to match them.  For example, let's say your dist tags
# are ".fc31, .fc31server, .fc31laptop".  You want to use "fc31" for all of
# these, so you can add a rule here that looks like:
#
#     fc31 = ^\.fc31.*$
#
# And rpminspect will match the longer ones to fc31.  By default there is no
# product release regexp mapping enabled.
#[products]
#fc31 = ^\.fc31.*$