brew/Library/Homebrew/extend/os/mac/formula_cellar_checks.rb

# typed: strict
# frozen_string_literal: true

require "cache_store"
require "linkage_checker"

module OS
  module Mac
    module FormulaCellarChecks
      extend T::Helpers

      requires_ancestor { Homebrew::FormulaAuditor }
      requires_ancestor { ::FormulaCellarChecks }

      sig { returns(T.nilable(String)) }
      def check_shadowed_headers
        return if ["libtool", "subversion", "berkeley-db"].any? do |formula_name|
          formula.name.start_with?(formula_name)
        end

        return if formula.name.match?(Version.formula_optionally_versioned_regex(:php))
        return if formula.keg_only? || !formula.include.directory?

        files  = relative_glob(formula.include, "**/*.h")
        files &= relative_glob("#{MacOS.sdk_path}/usr/include", "**/*.h")
        files.map! { |p| File.join(formula.include, p) }

        return if files.empty?

        <<~EOS
          Header files that shadow system header files were installed to "#{formula.include}"
          The offending files are:
            #{files * "\n  "}
        EOS
      end

      sig { returns(T.nilable(String)) }
      def check_openssl_links
        return unless formula.prefix.directory?

        keg = ::Keg.new(formula.prefix)
        system_openssl = keg.mach_o_files.select do |obj|
          dlls = obj.dynamically_linked_libraries
          dlls.any? { |dll| %r{/usr/lib/lib(crypto|ssl|tls)\..*dylib}.match? dll }
        end
        return if system_openssl.empty?

        <<~EOS
          object files were linked against system openssl
          These object files were linked against the deprecated system OpenSSL or
          the system's private LibreSSL.
          Adding `depends_on "openssl"` to the formula may help.
            #{system_openssl * "\n  "}
        EOS
      end

      sig { params(lib: Pathname).returns(T.nilable(String)) }
      def check_python_framework_links(lib)
        python_modules = Pathname.glob lib/"python*/site-packages/**/*.so"
        framework_links = python_modules.select do |obj|
          dlls = obj.dynamically_linked_libraries
          dlls.any? { |dll| dll.include?("Python.framework") }
        end
        return if framework_links.empty?

        <<~EOS
          python modules have explicit framework links
          These python extension modules were linked directly to a Python
          framework binary. They should be linked with -undefined dynamic_lookup
          instead of -lpython or -framework Python.
            #{framework_links * "\n  "}
        EOS
      end

      sig { void }
      def check_linkage
        return unless formula.prefix.directory?

        keg = ::Keg.new(formula.prefix)

        CacheStoreDatabase.use(:linkage) do |db|
          checker = ::LinkageChecker.new(keg, formula, cache_db: db)
          next unless checker.broken_library_linkage?

          output = <<~EOS
            #{formula} has broken dynamic library links:
              #{checker.display_test_output}
          EOS

          tab = keg.tab
          if tab.poured_from_bottle
            output += <<~EOS
              Rebuild this from source with:
                brew reinstall --build-from-source #{formula}
              If that's successful, file an issue#{formula.tap ? " here:\n  #{formula.tap.issues_url}" : "."}
            EOS
          end
          problem_if_output output
        end
      end

      sig { params(formula: ::Formula).returns(T.nilable(String)) }
      def check_flat_namespace(formula)
        return unless formula.prefix.directory?
        return if formula.tap&.audit_exception(:flat_namespace_allowlist, formula.name)

        keg = ::Keg.new(formula.prefix)
        flat_namespace_files = keg.mach_o_files.reject do |file|
          next true unless file.dylib?

          macho = MachO.open(file)
          if MachO::Utils.fat_magic?(macho.magic)
            macho.machos.map(&:header).all? { |h| h.flag? :MH_TWOLEVEL }
          else
            macho.header.flag? :MH_TWOLEVEL
          end
        end
        return if flat_namespace_files.empty?

        <<~EOS
          Libraries were compiled with a flat namespace.
          This can cause linker errors due to name collisions and
          is often due to a bug in detecting the macOS version.
            #{flat_namespace_files * "\n  "}
        EOS
      end

      sig { void }
      def audit_installed
        super
        problem_if_output(check_shadowed_headers)
        problem_if_output(check_openssl_links)
        problem_if_output(check_python_framework_links(formula.lib))
        check_linkage
        problem_if_output(check_flat_namespace(formula))
      end

      MACOS_LIB_EXTENSIONS = %w[.dylib .framework].freeze

      sig { params(filename: Pathname).returns(T::Boolean) }
      def valid_library_extension?(filename)
        super || MACOS_LIB_EXTENSIONS.include?(filename.extname)
      end
    end
  end
end

FormulaCellarChecks.prepend(OS::Mac::FormulaCellarChecks)
Make more files Sorbet `typed: strict` - According to Spoom, these could be bumped automatically with no errors. 2024-06-02 15:14:25 +01:00			`# typed: strict`
Add frozen_string_literal to all files. 2019-04-19 15:38:03 +09:00			`# frozen_string_literal: true`

Separated `os/mac/cache_store.rb` into `cache_store.rb` and `os/mac/linkage_cache_store.rb`. 2018-02-28 10:39:15 -05:00			`require "cache_store"`
Move linkage_checker from os/mac to generic 2018-02-28 09:13:17 -08:00			`require "linkage_checker"`
formula_cellar_checks: add check_linkage This means linkage checks will be invoked during `brew install` and `brew audit` Closes #470. Signed-off-by: Xu Cheng <xucheng@me.com> 2016-07-14 13:14:03 +08:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`module OS`
			`module Mac`
			`module FormulaCellarChecks`
			`extend T::Helpers`
formula_cellar_checks: port to generic OS. (#452) 2016-07-09 13:51:53 +01:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`requires_ancestor { Homebrew::FormulaAuditor }`
			`requires_ancestor { ::FormulaCellarChecks }`
formula_cellar_checks: port to generic OS. (#452) 2016-07-09 13:51:53 +01:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`sig { returns(T.nilable(String)) }`
			`def check_shadowed_headers`
			`return if ["libtool", "subversion", "berkeley-db"].any? do \|formula_name\|`
			`formula.name.start_with?(formula_name)`
			`end`
formula_cellar_checks: port to generic OS. (#452) 2016-07-09 13:51:53 +01:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`return if formula.name.match?(Version.formula_optionally_versioned_regex(:php))`
			`return if formula.keg_only? \|\| !formula.include.directory?`
Update to RuboCop 0.59.1. 2018-09-17 02:45:00 +02:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`files = relative_glob(formula.include, "*/.h")`
			`files &= relative_glob("#{MacOS.sdk_path}/usr/include", "*/.h")`
			`files.map! { \|p\| File.join(formula.include, p) }`
formula_cellar_checks: port to generic OS. (#452) 2016-07-09 13:51:53 +01:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`return if files.empty?`
formula_cellar_checks: port to generic OS. (#452) 2016-07-09 13:51:53 +01:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`<<~EOS`
			`Header files that shadow system header files were installed to "#{formula.include}"`
			`The offending files are:`
			`#{files * "\n "}`
			`EOS`
			`end`
Update to RuboCop 0.59.1. 2018-09-17 02:45:00 +02:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`sig { returns(T.nilable(String)) }`
			`def check_openssl_links`
			`return unless formula.prefix.directory?`

			`keg = ::Keg.new(formula.prefix)`
			`system_openssl = keg.mach_o_files.select do \|obj\|`
			`dlls = obj.dynamically_linked_libraries`
			`dlls.any? { \|dll\| %r{/usr/lib/lib(crypto\|ssl\|tls)\..*dylib}.match? dll }`
			`end`
			`return if system_openssl.empty?`

			`<<~EOS`
			`object files were linked against system openssl`
			`These object files were linked against the deprecated system OpenSSL or`
			`the system's private LibreSSL.`
			Adding `depends_on "openssl"` to the formula may help.
			`#{system_openssl * "\n "}`
			`EOS`
			`end`
Removed redundant documentation, use database_cache as a block, and use symbolic keys over string keys in function calls. 2018-02-24 17:32:29 -05:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`sig { params(lib: Pathname).returns(T.nilable(String)) }`
			`def check_python_framework_links(lib)`
			`python_modules = Pathname.glob lib/"python/site-packages//.so"`
			`framework_links = python_modules.select do \|obj\|`
			`dlls = obj.dynamically_linked_libraries`
			`dlls.any? { \|dll\| dll.include?("Python.framework") }`
			`end`
			`return if framework_links.empty?`

			`<<~EOS`
			`python modules have explicit framework links`
			`These python extension modules were linked directly to a Python`
			`framework binary. They should be linked with -undefined dynamic_lookup`
			`instead of -lpython or -framework Python.`
			`#{framework_links * "\n "}`
			`EOS`
			`end`
Refactor cache store code. 2018-05-22 14:46:14 +01:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`sig { void }`
			`def check_linkage`
			`return unless formula.prefix.directory?`

			`keg = ::Keg.new(formula.prefix)`

			`CacheStoreDatabase.use(:linkage) do \|db\|`
			`checker = ::LinkageChecker.new(keg, formula, cache_db: db)`
			`next unless checker.broken_library_linkage?`

			`output = <<~EOS`
			`#{formula} has broken dynamic library links:`
			`#{checker.display_test_output}`
			`EOS`

			`tab = keg.tab`
			`if tab.poured_from_bottle`
			`output += <<~EOS`
			`Rebuild this from source with:`
			`brew reinstall --build-from-source #{formula}`
			`If that's successful, file an issue#{formula.tap ? " here:\n #{formula.tap.issues_url}" : "."}`
			`EOS`
			`end`
			`problem_if_output output`
			`end`
			`end`
Fixed broken test due to changing usage of `DatabaseCache` to block usage. 2018-04-09 14:19:07 -04:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`sig { params(formula: ::Formula).returns(T.nilable(String)) }`
			`def check_flat_namespace(formula)`
			`return unless formula.prefix.directory?`
			`return if formula.tap&.audit_exception(:flat_namespace_allowlist, formula.name)`

			`keg = ::Keg.new(formula.prefix)`
			`flat_namespace_files = keg.mach_o_files.reject do \|file\|`
			`next true unless file.dylib?`

			`macho = MachO.open(file)`
			`if MachO::Utils.fat_magic?(macho.magic)`
			`macho.machos.map(&:header).all? { \|h\| h.flag? :MH_TWOLEVEL }`
			`else`
			`macho.header.flag? :MH_TWOLEVEL`
			`end`
			`end`
			`return if flat_namespace_files.empty?`

			`<<~EOS`
			`Libraries were compiled with a flat namespace.`
			`This can cause linker errors due to name collisions and`
			`is often due to a bug in detecting the macOS version.`
			`#{flat_namespace_files * "\n "}`
Fixed broken test due to changing usage of `DatabaseCache` to block usage. 2018-04-09 14:19:07 -04:00			`EOS`
			`end`
formula_cellar_checks: add check_linkage This means linkage checks will be invoked during `brew install` and `brew audit` Closes #470. Signed-off-by: Xu Cheng <xucheng@me.com> 2016-07-14 13:14:03 +08:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`sig { void }`
			`def audit_installed`
			`super`
			`problem_if_output(check_shadowed_headers)`
			`problem_if_output(check_openssl_links)`
			`problem_if_output(check_python_framework_links(formula.lib))`
			`check_linkage`
			`problem_if_output(check_flat_namespace(formula))`
			`end`
mac/formula_cellar_checks: check for flat namespace libraries There are at least five instances where a formula has libraries compiled with `-flat_namespace` due to a bug in detecting the macOS version (cf. Homebrew/homebrew-core#87103, Homebrew/homebrew-core#85974, Homebrew/homebrew-core#85973). I think it makes sense to check for this more generally. It is sometimes intentional, so I've added a check for an allowlist for those instances. Running this on the current `util-linux` bottle produces ❯ brew audit --strict util-linux util-linux: * Libraries were compiled with a flat namespace. This can cause linker errors due to name collisions, and is often due to a bug in detecting the macOS version. /usr/local/Cellar/util-linux/2.37.2/lib/libblkid.1.dylib /usr/local/Cellar/util-linux/2.37.2/lib/libfdisk.1.dylib /usr/local/Cellar/util-linux/2.37.2/lib/libsmartcols.1.dylib /usr/local/Cellar/util-linux/2.37.2/lib/libuuid.1.dylib Error: 1 problem in 1 formula detected Some things that still need to be done here: - fix this check for universal binaries - check if we want to restrict this audit check to newer versions of macOS - fix false positives (try `brew audit --strict llvm` and compare the output of `otool -hV` on the identified files) While we're here, let's fix the formatting of the output of these other audits (cf. #12217). 2021-10-12 13:11:23 +08:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`MACOS_LIB_EXTENSIONS = %w[.dylib .framework].freeze`
mac/formula_cellar_checks: check for flat namespace libraries There are at least five instances where a formula has libraries compiled with `-flat_namespace` due to a bug in detecting the macOS version (cf. Homebrew/homebrew-core#87103, Homebrew/homebrew-core#85974, Homebrew/homebrew-core#85973). I think it makes sense to check for this more generally. It is sometimes intentional, so I've added a check for an allowlist for those instances. Running this on the current `util-linux` bottle produces ❯ brew audit --strict util-linux util-linux: * Libraries were compiled with a flat namespace. This can cause linker errors due to name collisions, and is often due to a bug in detecting the macOS version. /usr/local/Cellar/util-linux/2.37.2/lib/libblkid.1.dylib /usr/local/Cellar/util-linux/2.37.2/lib/libfdisk.1.dylib /usr/local/Cellar/util-linux/2.37.2/lib/libsmartcols.1.dylib /usr/local/Cellar/util-linux/2.37.2/lib/libuuid.1.dylib Error: 1 problem in 1 formula detected Some things that still need to be done here: - fix this check for universal binaries - check if we want to restrict this audit check to newer versions of macOS - fix false positives (try `brew audit --strict llvm` and compare the output of `otool -hV` on the identified files) While we're here, let's fix the formatting of the output of these other audits (cf. #12217). 2021-10-12 13:11:23 +08:00
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00			`sig { params(filename: Pathname).returns(T::Boolean) }`
			`def valid_library_extension?(filename)`
			`super \|\| MACOS_LIB_EXTENSIONS.include?(filename.extname)`
Fix universal binary handling in `check_flat_namespace` 2021-10-12 13:49:53 +08:00			`end`
mac/formula_cellar_checks: check for flat namespace libraries There are at least five instances where a formula has libraries compiled with `-flat_namespace` due to a bug in detecting the macOS version (cf. Homebrew/homebrew-core#87103, Homebrew/homebrew-core#85974, Homebrew/homebrew-core#85973). I think it makes sense to check for this more generally. It is sometimes intentional, so I've added a check for an allowlist for those instances. Running this on the current `util-linux` bottle produces ❯ brew audit --strict util-linux util-linux: * Libraries were compiled with a flat namespace. This can cause linker errors due to name collisions, and is often due to a bug in detecting the macOS version. /usr/local/Cellar/util-linux/2.37.2/lib/libblkid.1.dylib /usr/local/Cellar/util-linux/2.37.2/lib/libfdisk.1.dylib /usr/local/Cellar/util-linux/2.37.2/lib/libsmartcols.1.dylib /usr/local/Cellar/util-linux/2.37.2/lib/libuuid.1.dylib Error: 1 problem in 1 formula detected Some things that still need to be done here: - fix this check for universal binaries - check if we want to restrict this audit check to newer versions of macOS - fix false positives (try `brew audit --strict llvm` and compare the output of `otool -hV` on the identified files) While we're here, let's fix the formatting of the output of these other audits (cf. #12217). 2021-10-12 13:11:23 +08:00			`end`
formula_cellar_checks: .dylib and .framework are macOS-specific 2018-08-22 21:25:00 -05:00			`end`
formula_cellar_checks: port to generic OS. (#452) 2016-07-09 13:51:53 +01:00			`end`
Remove `alias generic_*` definitions in favour of using `super` This is the pattern we've been adopting for a while and it's a bit cleaner. Let's remove all of the existing usage of the existing pattern to avoid confusion when adopting the new one. 2025-06-13 16:59:10 +01:00
			`FormulaCellarChecks.prepend(OS::Mac::FormulaCellarChecks)`