Chercher Dans Les Dépôts De Paquets Fedora En Utilisant Sourcegraph

Roseline Bassey, Communauté Fedora

À mesure que notre collection de paquets Open-Source grandit, il y a un besoin de rendre la recherche de paquets dans notre répertoire dist-git plus facile. En 2022, les personnes de Sourcegraph se sont associées à notre communauté Fedora pour intégrer leur outil avancé de moteur de recherche de code dans nos répertoires de distribution de paquets, qui incluent maintenant plus de 38,000 paquets. Avec le moteur de recherche de Sourcegraph, nos dévelopeurs, contributeurs et mainteneurs peuvent chercher notre répertoire git-dist pour des specfiles RPM, définitions de modules et de conteneurs, patchs spécifiques à Fedora, tests, et bien plus encore, depuis un seul endroit, réduisant le temps passé à chercher des fichiers.

Qu’est-ce que Sourcegraph ?

Sourcegraph is a code intelligence platform. You can think of it as a search engine for code. It can be used to search code across all code hosts, repositories, and branches. Sourcegraph has many great features, such as code intelligence, code insights, batch changes, and Cody - an AI Coding Assistant, but at its core, it is a Code Search tool. In this article, we will explore how to use Code Search for src.fedoraproject.org repositories, also known as Fedora dist-git.

Code search is a powerful search capability in Sourcegraph for searching code from a single interface. It supports search filtering by file type, repository, and language. This helps in refining search results.

Sourcegraph provides both a web app and CLI interface. When using the Sourcegraph web app, you will need to start each search with: repo:^src.fedoraproject.org before entering any search queries.

Sourcegraph interface
Figure 1. Sourcegraph code search interface

Filter Search: Using file Keyword to Find Specfiles

The file keyword returns results from files that match the specified file path. The following query searches all repositories for files ending in .spec that contain the term dnf5. The use of the file keyword simplifies the task of locating specfiles.

repo:^src\.fedoraproject\.org/ file:\.spec$ dnf5
find specfiles using the files keyword
Figure 2. Search for specfiles

Use the lang Filter to Find a Fedora Repository to Contribute to

The lang keyword is used to filter search results by programming language.

The following query searches our dist-git repositories for files written in Markdown with instances of the term contributing. This is great for people seeking to assist with projects in need of contributions.

repo:^src\.fedoraproject\.org/ lang:markdown contributing
find projects to contribute to using the lang keyword
Figure 3. Search for files written in Markdown

Search for Specfiles Disabling Debug Packages

By using the query "%global debug_package %{nil}", you can search for specfiles that contain the line where the debug_package macro is set to nil. This line disables the creation of a debug package in the build process.

find files that disable debug package
Figure 4. Search for specfiles disabling debug packages

Find Repositories Using Popular OSI-approved Licenses

The following query will scan all the repositories for software that is compatible with the “Open Source Definition” (OSD).

repo:^src.fedoraproject.org/ lang:"RPM Spec" License: ^.*apache|bsd|gpl|lgpl|mit|mpl|cddl|epl.*$
search for License
Figure 5. License search

Find Files with a Vulnerable Version of Log4j

This query will find any files that are possibly vulnerable to CVE-2021-44228, aka Log4j. Note that false positives can happen, so you should investigate further before making a conclusion on whether a package is actually vulnerable or not. You can also search for other vulnerabilities that can then be reported to project maintainers.

repo:^src.fedoraproject.org/ org.apache.logging.log4j 2.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(.[0-9]+)) count:all
Search for log4j
Figure 6. Search for log4j

Conclusion

For more search queries, see Sourcegraph official documentation.

Having Sourcegraph Code Search integrated into our dist-git repository is a great addition to our engineering productivity toolkit. With Code Search’s powerful capabilities, our contributors and users can efficiently search across our entire universe of open source repositories from a single place.