This is an unretirement request for the nuclei package.

Spec URL: https://infraw.fedorapeople.org/nuclei.spec
SRPM URL: https://infraw.fedorapeople.org/nuclei-3.7.1-1.fc45.src.rpm

Description:
Nuclei is a fast, customizable vulnerability scanner powered by the global security community. It uses a YAML-based DSL for detecting vulnerabilities in applications, APIs, networks, DNS, and cloud configurations.

Notes:
- The package was generated initially with go2rpm and then manually adjusted.
- Upstream contains a large number of integration tests requiring network access, DNS resolution, external services, and headless browser downloads. These tests fail in the mock/Koji build environment where network access is disabled. Therefore only safe unit test packages are executed in the %check section.

Licensing note:
- One vendored dependency (github.com/censys/censys-sdk-go) does not include a LICENSE file in the repository tree, but the README explicitly states the project is licensed under MIT and links to the MIT license text. The license was therefore explicitly declared in go-vendor-tools using:
    go_vendor_license explicit -f vendor/github.com/censys/censys-sdk-go/README.md MIT

Build status:
- Successfully built in mock for Fedora Rawhide (x86_64).
- FAS Username: infraw
Copr build: https://copr.fedorainfracloud.org/coprs/build/10200634 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2445513-nuclei/fedora-rawhide-x86_64/10200634-nuclei/fedora-review/review.txt
Found issues:
- A package with this name already exists. Please check https://src.fedoraproject.org/rpms/nuclei
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/Naming/#_conflicting_package_names
Please know that there can be false-positives.
---
This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
[fedora-review-service-build] I have updated the Spec and SRPM files to fix the rpmlint warnings regarding the summary length and the executable permissions on the documentation file.
Created attachment 2132616: The .spec file difference from Copr build 10200634 to 10203041
Copr build: https://copr.fedorainfracloud.org/coprs/build/10203041 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2445513-nuclei/fedora-rawhide-x86_64/10203041-nuclei/fedora-review/review.txt
Found issues:
- A package with this name already exists. Please check https://src.fedoraproject.org/rpms/nuclei
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/Naming/#_conflicting_package_names
Please know that there can be false-positives.
Thanks for your patience Emir. Spec is mostly good, but have a few comments:

- rpmlint warning:
> # Fix spurious-executable-perm warning from rpmlint
> chmod -x SYNTAX-REFERENCE.md
This is fixed upstream, so remove for next release
https://github.com/projectdiscovery/nuclei/pull/7282

- tests:
> %if %{with check}
> # Upstream includes many integration tests requiring network access,
> # DNS resolution, remote template downloads, and headless browsers.
> # These cannot run in the restricted mock/Koji build environment.
> # Run only unit-test packages.
> go test -v ./pkg/utils/...
> go test -v ./pkg/workflows
> go test -v ./pkg/utils/monitor
> go test -v ./pkg/testutils/fuzzplayground
> %endif
Try with this:
%if %{with check}
%global ignores %{shrink:
    -s TestContextCancelNucleiEngine
    -s TestHeadlessOptionInitialization
    -s ExampleNucleiEngine
    -s ExampleThreadSafeNucleiEngine
    -s TestSimpleNuclei
    -s TestSimpleNucleiRemote
    -s TestThreadSafeNuclei
    -s TestWithVarsNuclei
    -s TestDownloadCustomTemplatesFromGitHub
    -s TestTemplateInstallation
    -s TestVersionCheck
    -s TestDslExpressions
    -s TestEvaluateWithInteractshOverrideOrder
    -s TestDNSExecuteWithResults
    -s TestMakeRequestFromModelUniqueInteractsh
    -s TestReqURLPattern
    -s TestSSLProtocol
    -s TestMultiProtoWithDynamicExtractor
    -s TestMultiProtoWithProtoPrefix
}
%gocheck2 %{ignores} -t pkg/protocols/headless -t pkg/tmplexec
%endif

- I don't think all these docs are needed:
> %doc cmd/functional-test/targets-1000.txt cmd/functional-test/targets-150.txt
> %doc cmd/functional-test/targets-250.txt cmd/functional-test/targets.txt
> %doc cmd/functional-test/testcases.txt helm/templates/NOTES.txt
> %doc integration_tests/subdomains.txt
> %doc integration_tests/protocols/file/data/test1.txt
> %doc integration_tests/protocols/file/data/test2.txt
> %doc integration_tests/protocols/file/data/test3.txt
> %doc integration_tests/protocols/keys/README.md
> %doc integration_tests/protocols/offlinehttp/data/req-resp-with-http-keywords.txt
> %doc lib/README.md pkg/input/README.md pkg/input/formats/README.md
> %doc pkg/js/CONTRIBUTE.md pkg/js/DESIGN.md pkg/js/THANKS.md
> %doc pkg/js/devtools/README.md pkg/js/devtools/bindgen/INSTALL.md
> %doc pkg/js/devtools/bindgen/README.md pkg/js/devtools/scrapefuncs/README.md
> %doc pkg/js/devtools/tsgen/README.md pkg/js/generated/README.md
> %doc pkg/tmplexec/README.md pkg/tmplexec/flow/README.md
> %doc pkg/tmplexec/multiproto/README.md static/regression-cycle.md
Hi Mikel, thanks for taking the review and for the excellent feedback. I have applied all of your suggestions:
* Added the TODO comment for the upstream PR (#7282) regarding the chmod fix.
* Implemented the %gocheck2 macro with your provided ignore list. The test suite runs and passes cleanly in mock.
* Cleaned up the %doc section to remove the unnecessary internal test data and developer readmes.

Spec URL: https://infraw.fedorapeople.org/nuclei.spec
SRPM URL: https://infraw.fedorapeople.org/nuclei-3.7.1-1.fc44.src.rpm
[fedora-review-service-build]
Copr build: https://copr.fedorainfracloud.org/coprs/build/10274420 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2445513-nuclei/fedora-rawhide-x86_64/10274420-nuclei/fedora-review/review.txt
Found issues:
- A package with this name already exists. Please check https://src.fedoraproject.org/rpms/nuclei
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/Naming/#_conflicting_package_names
Please know that there can be false-positives.
I think spec is perfect now, but there is one licensing issue. nuclei depends on github.com/zeebo/blake3 that is licensed as CC0-1.0 and it's not allowed in Fedora. I reported this upstream to see if it can be changed:
https://github.com/zeebo/blake3/issues/30

The dependency chain:
    $ go mod why github.com/zeebo/blake3
    # github.com/zeebo/blake3
    github.com/projectdiscovery/nuclei/v3/pkg/output
    github.com/projectdiscovery/interactsh/pkg/server
    github.com/projectdiscovery/interactsh/pkg/server/acme
    github.com/caddyserver/certmagic
    github.com/zeebo/blake3
Thank you for opening the issue. The upstream maintainer just replied and added the MIT license. Since our current go.mod for nuclei 3.7.1 is still locked to the older commit that only contains the CC0 license, I want to make sure I handle the update the right way. Should I patch go.mod locally to bump blake3 to this new commit and regenerate the vendor.tar.bz2? Or is there a better solution you recommend for Fedora Go packages? Thanks again for catching this and for your guidance.
After some discussion in https://matrix.to/#/#golang:fedoraproject.org the best option would be:
- Override blake3 dependency to latest commit
- As both licenses will be detected, create a license explicit override with an empty string as the expression

You can do it by editing go-vendor-tools.toml with this information:

[archive]
[archive.dependency_overrides]
"github.com/zeebo/blake3" = "v0.2.5-0.20260331135518-b032e7b6def0"

[licensing]
detector = "askalono"
exclude_files = ["vendor/github.com/DataDog/gostackparse/LICENSE-3rdparty.csv", "vendor/github.com/minio/selfupdate/LICENSE.minisig"]
[[licensing.licenses]]
path = "vendor/github.com/zeebo/blake3/LICENSE"
sha256sum = "0589f544f68ffc436e6e21efec2cf7cc2dbb2ac09ce6cb8a8cdb75ab74489716"
expression = ""
(...)

and recreate the vendor tarball with:
    go_vendor_archive create --config go-vendor-tools.toml nuclei.spec
I have updated the TOML file with the dependency and license overrides exactly as requested, and regenerated the vendor tarball.

Spec URL: https://infraw.fedorapeople.org/nuclei.spec
SRPM URL: https://infraw.fedorapeople.org/nuclei-3.7.1-1.fc44.src.rpm
[fedora-review-service-build]
Copr build: https://copr.fedorainfracloud.org/coprs/build/10280947 (failed)
Build log: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2445513-nuclei/fedora-rawhide-x86_64/10280947-nuclei/builder-live.log.gz
Please make sure the package builds successfully at least for Fedora Rawhide.
- If the build failed for unrelated reasons (e.g. temporary network unavailability), please ignore it.
- If the build failed because of missing BuildRequires, please make sure they are listed in the "Depends On" field
Build failed because you need to update the .spec file to remove the CC0-1.0 license that was detected before the changes.
" AND CC0-1.0"
You can do it automatically with:
    go_vendor_license --config go-vendor-tools.toml --path nuclei.spec report --update-spec --prompt --autofill=auto
I regenerated the vendor tarball yesterday but forgot to update the license string. I used go_vendor_license to update the spec and ran a local mock build. It builds cleanly.

Spec URL: https://infraw.fedorapeople.org/nuclei.spec
SRPM URL: https://infraw.fedorapeople.org/nuclei-3.7.1-1.fc44.src.rpm
[fedora-review-service-build]
Created attachment 2135611: The .spec file difference from Copr build 10280947 to 10282581
Copr build: https://copr.fedorainfracloud.org/coprs/build/10282581 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2445513-nuclei/fedora-rawhide-x86_64/10282581-nuclei/fedora-review/review.txt
Found issues:
- A package with this name already exists. Please check https://src.fedoraproject.org/rpms/nuclei
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/Naming/#_conflicting_package_names
Please know that there can be false-positives.
Golang Package Review
==============

This package was generated using go2rpm and Go Vendor Tools, which simplifies the review.

Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated

- [x] The latest version is packaged or packaging an earlier version is justified.
- [x] The License tag reflects the package contents and uses the correct identifiers.
- [x] The package builds successfully in mock.
- [x] Package is installable (checked by fedora-review).
- [x] There are no relevant rpmlint errors.
- [x] The package runs tests in %check.
- [x] `%goipath` is set correctly.
- [x] The package's binaries don't conflict with binaries already in the distribution. (Some Go projects include utility binaries with very generic names)
- [x] There are no `%{_bindir}/*` wildcards in %files. (go2rpm includes these by default)
- [x] The package does not use `%gometa -f` if it has dependents that still build for %ix86.
- [x] The package complies with the Golang and general Packaging Guidelines.
- [?] GO_LDFLAGS are set correctly.

Package approved! On import, don't forget to do the following:

- [ ] Add the package to release-monitoring.org
- [ ] Give go-sig privileges (at least commit) on the package
- [ ] Close the review bug by referencing its ID in the rpm changelog and the Bodhi ticket.
- [ ] Consider configuring Packit service to help with maintenance. https://fedora.gitlab.io/sigs/go/go-vendor-tools/scenarios/#packit
FEDORA-2026-6005972a50 (nuclei-3.7.1-1.fc45) has been submitted as an update to Fedora 45. https://bodhi.fedoraproject.org/updates/FEDORA-2026-6005972a50
FEDORA-2026-6005972a50 (nuclei-3.7.1-1.fc45) has been pushed to the Fedora 45 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2026-9ff28072cd (nuclei-3.7.1-1.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2026-9ff28072cd
FEDORA-2026-fa357725f0 (nuclei-3.7.1-1.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-fa357725f0
FEDORA-EPEL-2026-8b0ecd0541 (nuclei-3.7.1-1.el10_3) has been submitted as an update to Fedora EPEL 10.3. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-8b0ecd0541
FEDORA-EPEL-2026-7425d4dfb5 (nuclei-3.7.1-1.el9) has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-7425d4dfb5
FEDORA-EPEL-2026-7425d4dfb5 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-7425d4dfb5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2026-8b0ecd0541 has been pushed to the Fedora EPEL 10.3 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-8b0ecd0541 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-fa357725f0 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-fa357725f0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-fa357725f0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-9ff28072cd has been pushed to the Fedora 44 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-9ff28072cd` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-9ff28072cd See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2026-7425d4dfb5 (nuclei-3.7.1-1.el9) has been pushed to the Fedora EPEL 9 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2026-8b0ecd0541 (nuclei-3.7.1-1.el10_3) has been pushed to the Fedora EPEL 10.3 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2026-fa357725f0 (nuclei-3.7.1-1.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.