From 4bffaf8f3ab755f9479a67f5fd0085532e509621 Mon Sep 17 00:00:00 2001
From: maflcko <6399679+maflcko@users.noreply.github.com>
Date: Tue, 4 Jun 2024 21:18:48 +0200
Subject: [PATCH] infra/presubmit: Use apt-get update before installing (#12008)
Otherwise, this may lead to issues such as https://github.com/google/oss-fuzz/pull/11943#issue-2290477404 Also, fix the broken `.zip` test.
---------
Co-authored-by: MarcoFalke <6399679+MarcoFalke@users.noreply.github.com>
Co-authored-by: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>
---
 infra/presubmit.py | 36 ++++++++++++++++++++++++++++++++----
 projects/xz-java/Dockerfile | 2 +-
 2 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/infra/presubmit.py b/infra/presubmit.py
index 5a89fd8fb534..86f5cd927fba 100755
--- a/infra/presubmit.py
+++ b/infra/presubmit.py
@@ -232,10 +232,10 @@ def check_project_yaml(paths):
 def _check_one_seed_corpus(path):
 """Returns False and prints error if |path| is a seed corpus."""
- if os.path.dirname(os.path.dirname(path)) != 'projects':
+ if os.path.basename(os.path.dirname(os.path.dirname(path))) != 'projects':
 return True
- if os.path.splitext(path)[1] == 'zip':
+ if os.path.splitext(path)[1] == '.zip':
 print('Don\'t commit seed corpora into the ClusterFuzz repo,'
 'they bloat it forever.')
 return False
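Review bot: The extension test in `_check_one_seed_corpus` is case-sensitive, so even with the corrected `'.zip'` literal a file such as `seed_corpus.ZIP` is still accepted; `if os.path.splitext(path)[1].lower() == '.zip':` covers that. The directory guard inspects only the grandparent directory, so an archive placed in a subdirectory of a project is not checked, which may be deliberate but deserves a comment saying so. This branch appears to have been unreachable before the fix, so the message is now user-visible: it should name the offending file by printing `path`, and its two string literals currently join as "repo,they" with no space. The function's final return lies outside this hunk.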
@@ -249,11 +249,39 @@ def check_seed_corpus(paths):
 return all([_check_one_seed_corpus(path) for path in paths])
+def _check_one_apt_update(path):
+ """Checks that a Dockerfile uses apt-update before apt-install"""
+ if os.path.basename(os.path.dirname(os.path.dirname(path))) != 'projects':
+ return True
+
+ if os.path.basename(path) != 'Dockerfile':
+ return True
+
+ with open(path, 'r') as file:
+ dockerfile = file.read()
+ if 'RUN apt install' in dockerfile or 'RUN apt-get install' in dockerfile:
+ print('Please add an "apt-get update" before "apt-get install". '
+ 'Otherwise, a cached and outdated RUN layer may lead to install '
+ 'failures.')
+ return False
+
+ return True
+
+
+def check_apt_update(paths):
+ """Checks that all Dockerfile use apt-update before apt-install"""
+ return all([_check_one_apt_update(path) for path in paths])
+
+
 def do_checks(changed_files):
 """Runs all presubmit checks. Returns False if any fails."""
 checks = [
- check_license, yapf, check_project_yaml, check_lib_fuzzing_engine,
- check_seed_corpus
+ check_license,
+ yapf,
+ check_project_yaml,
+ check_lib_fuzzing_engine,
+ check_seed_corpus,
+ check_apt_update,
 ]
 # Use a list comprehension here and in other cases where we use all() so that
 # we don't quit early on failure. This is more user-friendly since the more
diff --git a/projects/xz-java/Dockerfile b/projects/xz-java/Dockerfile
index eedbb1cb0734..bd0a7b92c3b5 100644
--- a/projects/xz-java/Dockerfile
+++ b/projects/xz-java/Dockerfile
@@ -16,7 +16,7 @@ FROM gcr.io/oss-fuzz-base/base-builder-jvm
-RUN apt-get install ant -y
+RUN apt-get update && apt-get install ant -y
 RUN git clone --depth 1 https://github.com/tukaani-project/xz-java $SRC/xz-java
 COPY build.sh $SRC/
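Review bot: The substring test in `_check_one_apt_update` only rejects `install` when it is the first command of a `RUN`, so it does not establish what the docstring claims. Forms such as `RUN apt-get -y install …` or `RUN cd /tmp && apt-get install …` pass without any `apt-get update`, and the image is then built against whatever package index the cached layer holds, which can mean stale package versions as well as install failures. I would evaluate each `RUN` instruction on its own, after folding backslash continuations, and require an `update` ahead of the first `install`; the sketch below assumes `re` is available in this file, whose import block is outside the hunk. The failure message should also print `path` so the author can see which Dockerfile was rejected.

```python
def _check_one_apt_update(path):
  # … unchanged: projects/ and Dockerfile name guards …
  with open(path, 'r') as file:
    dockerfile = file.read()
  # Fold backslash continuations so each RUN instruction is one string.
  for instruction in dockerfile.replace('\\\n', ' ').splitlines():
    if not re.match(r'\s*RUN\s', instruction, re.IGNORECASE):
      continue
    install = re.search(r'\bapt(?:-get)?\s+(?:-\S+\s+)*install\b', instruction)
    if install is None:
      continue
    update = re.search(r'\bapt(?:-get)?\s+(?:-\S+\s+)*update\b', instruction)
    if update is None or update.start() > install.start():
      # … unchanged: print the "apt-get update" hint …
      return False
  return True
```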