From 4915dfbc0fc52d1607b58d1801ba24683c4db07b Mon Sep 17 00:00:00 2001
From: Jacob Wang <jacob.wang@openanolis.org>
Date: Wed, 23 Oct 2024 10:04:29 +0800
Subject: [PATCH 1/3] update to grafana-9.2.10-20.src.rpm

Signed-off-by: Jacob Wang <jacob.wang@openanolis.org>
---
 0014-resolve-dompurify-CVE.patch | 58 ++++++++++++++++++++++++++++++++
 create_bundles.sh                |  1 +
 create_bundles_in_container.sh   |  2 +-
 download                         |  4 +--
 grafana.spec                     | 40 +++++++++-------------
 grafana.te                       |  2 +-
 6 files changed, 79 insertions(+), 28 deletions(-)
 create mode 100644 0014-resolve-dompurify-CVE.patch

diff --git a/0014-resolve-dompurify-CVE.patch b/0014-resolve-dompurify-CVE.patch
new file mode 100644
index 0000000..450c9fd
--- /dev/null
+++ b/0014-resolve-dompurify-CVE.patch
@@ -0,0 +1,58 @@
+diff --git a/package.json b/package.json
+index e26f95d855a..14b3826a64d 100644
+--- a/package.json
++++ b/package.json
+@@ -316,7 +316,7 @@
+     "dangerously-set-html-content": "1.0.9",
+     "date-fns": "2.29.1",
+     "debounce-promise": "3.1.2",
+-    "dompurify": "^2.4.1",
++    "dompurify": "^2.5.0",
+     "emotion": "11.0.0",
+     "eventemitter3": "4.0.7",
+     "fast-deep-equal": "^3.1.3",
+@@ -422,7 +422,8 @@
+     "@storybook/react/webpack": "5.74.0",
+     "ngtemplate-loader/loader-utils": "^2.0.0",
+     "node-fetch": "2.6.7",
+-    "slate-dev-environment@^0.2.2": "patch:slate-dev-environment@npm:0.2.5#.yarn/patches/slate-dev-environment-npm-0.2.5-9aeb7da7b5.patch"
++    "slate-dev-environment@^0.2.2": "patch:slate-dev-environment@npm:0.2.5#.yarn/patches/slate-dev-environment-npm-0.2.5-9aeb7da7b5.patch",
++    "dompurify": "^2.5.0"
+   },
+   "workspaces": {
+     "packages": [
+diff --git a/yarn.lock b/yarn.lock
+index f374e10e333..834cfee2642 100644
+--- a/yarn.lock
++++ b/yarn.lock
+@@ -18739,17 +18739,10 @@ __metadata:
+   languageName: node
+   linkType: hard
+ 
+-"dompurify@npm:^2.2.0":
+-  version: 2.3.8
+-  resolution: "dompurify@npm:2.3.8"
+-  checksum: dc7b32ee57a03fe5166a850071200897cc13fa069287a709e3b2138052d73ec09a87026b9e28c8d2f254a74eaa52ef30644e98e54294c30acbca2a53f1bbc5f4
+-  languageName: node
+-  linkType: hard
+-
+-"dompurify@npm:^2.4.1":
+-  version: 2.4.1
+-  resolution: "dompurify@npm:2.4.1"
+-  checksum: 1169177465b3cbb25a44322937fba549f6c4e1a91b83245d144471be26619c835cccf0f8e20aa78c25ac11a06efd17cc1b9db9cacadceb78a4c08a1029eafee5
++"dompurify@npm:^2.5.0":
++  version: 2.5.7
++  resolution: "dompurify@npm:2.5.7"
++  checksum: 9652139743130b5ebaf5278fadec06d9b3920019b80c205565b9b8d52cd0cea90ff690c1994c5c0da5bc9d57a94dc19236cdf1ccabdc1c6cff7c255e1e597031
+   languageName: node
+   linkType: hard
+ 
+@@ -21953,7 +21946,7 @@ __metadata:
+     dangerously-set-html-content: 1.0.9
+     date-fns: 2.29.1
+     debounce-promise: 3.1.2
+-    dompurify: ^2.4.1
++    dompurify: ^2.5.0
+     emotion: 11.0.0
+     enzyme: 3.11.0
+     enzyme-to-json: 3.6.2
diff --git a/create_bundles.sh b/create_bundles.sh
index 647ad5c..94171aa 100755
--- a/create_bundles.sh
+++ b/create_bundles.sh
@@ -40,6 +40,7 @@ awk '$2 ~ /^v/ && $4 != "indirect" {print "Provides: bundled(golang(" $1 ")) = "
 
 # Vendor Node.js dependencies
 patch -p1 --fuzz=0 < ../0005-remove-unused-frontend-crypto.patch
+patch -p1 --fuzz=0 < ../0014-resolve-dompurify-CVE.patch
 export HUSKY=0
 yarn install --frozen-lockfile
 
diff --git a/create_bundles_in_container.sh b/create_bundles_in_container.sh
index bbed4ca..4640068 100755
--- a/create_bundles_in_container.sh
+++ b/create_bundles_in_container.sh
@@ -6,7 +6,7 @@
 #
 
 cat <<EOF | podman build -t grafana-build -f - .
-FROM fedora:35
+FROM fedora:36
 
 RUN dnf upgrade -y && \
     dnf install -y rpmdevtools python3-packaging python3-pyyaml make golang nodejs yarnpkg
diff --git a/download b/download
index df3e703..03b2e27 100644
--- a/download
+++ b/download
@@ -1,3 +1,3 @@
 1317b091eccaf37938eb7775976a50b3  grafana-9.2.10.tar.gz
-00b858a367cbc9ca9d077ba6e5ee697e  grafana-vendor-9.2.10-2.tar.xz
-83934d4aea7dfd70dde3d8d3eb62557f  grafana-webpack-9.2.10-2.tar.gz
+eb851438c212def807c761e4e259db6f  grafana-vendor-9.2.10-20.tar.xz
+f4da1cc1fd9260768b1827fc105d9417  grafana-webpack-9.2.10-20.tar.gz
diff --git a/grafana.spec b/grafana.spec
index 9f01f18..6746658 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -1,4 +1,3 @@
-%define anolis_release .0.1
 # gobuild and gotest macros are not available on CentOS Stream
 # remove once BZ 1965292 is resolved
 # definitions lifted from Fedora 34 podman.spec
@@ -36,7 +35,7 @@ end}
 
 Name:             grafana
 Version:          9.2.10
-Release:          18%{anolis_release}%{?dist}
+Release:          20%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPLv3
 URL:              https://grafana.org
@@ -47,13 +46,13 @@ Source0:          https://github.com/grafana/grafana/archive/v%{version}/%{name}
 # Source1 contains the bundled Go and Node.js dependencies
 # Note: In case there were no changes to this tarball, the NVR of this tarball
 # lags behind the NVR of this package.
-Source1:          grafana-vendor-%{version}-2.tar.xz
+Source1:          grafana-vendor-%{version}-20.tar.xz
 
 %if %{compile_frontend} == 0
 # Source2 contains the precompiled frontend
 # Note: In case there were no changes to this tarball, the NVR of this tarball
 # lags behind the NVR of this package.
-Source2:          grafana-webpack-%{version}-2.tar.gz
+Source2:          grafana-webpack-%{version}-20.tar.gz
 %endif
 
 # Source3 contains the systemd-sysusers configuration
@@ -89,6 +88,7 @@ Patch10:          0010-skip-tests.patch
 Patch11:          0011-remove-email-lookup.patch
 Patch12:          0012-coredump-selinux-error.patch
 Patch13:          0013-snapshot-delete-check-org.patch
+Patch14:          0014-resolve-dompurify-CVE.patch
 
 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@@ -115,10 +115,6 @@ BuildRequires:    yarnpkg
 BuildRequires:    openssl-devel
 %endif
 
-%ifarch loongarch64
-BuildRequires:    golang-vendored-golang.org
-%endif
-
 %global           GRAFANA_USER %{name}
 %global           GRAFANA_GROUP %{name}
 
@@ -536,7 +532,7 @@ Provides: bundled(npm(date-fns)) = 2.25.0
 Provides: bundled(npm(debounce-promise)) = 3.1.2
 Provides: bundled(npm(deep-freeze)) = 0.0.1
 Provides: bundled(npm(devtools-protocol)) = 0.0.927104
-Provides: bundled(npm(dompurify)) = 2.3.8
+Provides: bundled(npm(dompurify)) = 2.5.7
 Provides: bundled(npm(emotion)) = 10.0.27
 Provides: bundled(npm(enzyme)) = 3.11.0
 Provides: bundled(npm(enzyme-to-json)) = 3.6.2
@@ -780,6 +776,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 11 -p1
 %patch -P 12 -p1
 %patch -P 13 -p1
+%patch -P 14 -p1
 
 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@@ -794,8 +791,6 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 # Build the frontend
 %if %{compile_frontend}
 %{SOURCE5}
-# export GO111MODULE=off
-go env -w GOPROXY=https://goproxy.cn
 %endif
 
 # Build the backend
@@ -805,12 +800,6 @@ go env -w GOPROXY=https://goproxy.cn
 # can be removed in a future Go release
 export GOEXPERIMENT=boringcrypto
 # see grafana-X.Y.Z/pkg/build/cmd.go
-
-%ifarch loongarch64
-rm -rf vendor/golang.org/x/sys
-cp -arp %{_datadir}/golang/vendor/golang.org/x/sys/ vendor/golang.org/x/
-%endif
-
 export LDFLAGS="-X main.version=%{version} -X main.buildstamp=${SOURCE_DATE_EPOCH}"
 for cmd in grafana-cli grafana-server; do
     %gobuild -o %{_builddir}/bin/${cmd} ./pkg/cmd/${cmd}
@@ -1034,15 +1023,18 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 
 %changelog
-* Mon Sep 30 2024 Xiaoping Liu <liuxiaoping@openanolis.com> 9.2.10-18.0.1
-- fix CVE-2024-24791
+* Thu Oct 17 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-20
+- Resolves RHEL-62307: CVE-2024-47875
+
+* Thu Oct 10 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-19
+- Resolves RHEL-61779: CVE-2024-9355
 
-* Tue Aug 27 2024 Kaiqiang Wang <wangkaiqiang@ieisystem.com> 9.2.10-17.0.1
-- fix CVE-2024-24788 CVE-2024-24789 CVE-2024-24790
+* Mon Jul 22 2024 Lauren Chilton <lchilton@redhat.com> 9.2.10-18
+- Resolves RHEL-47191
 
-* Tue May 28 2024 Liwei Ge <geliwei@openanolis.com> 9.2.10-16.0.1
-- Use cn proxy for go build
-- Support loongarch build
+* Wed Jun 26 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-17
+- Allow for mssql datasource in selinux policy
+- Resolves RHEL-43435
 
 * Fri Apr 5 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-16
 - Check OrdID is correct before deleting snapshot
diff --git a/grafana.te b/grafana.te
index 498ce14..c4d6a50 100644
--- a/grafana.te
+++ b/grafana.te
@@ -82,7 +82,7 @@ can_exec(grafana_t, grafana_pcp_exec_t)
 corenet_tcp_connect_all_ephemeral_ports(grafana_t)
 grafana_exec(grafana_t)
 
-# Allow grafana to connect to mssql's default tcp port of 1433
+# Allow grafana to connect to mssql's default tcp port of 1433 
 corenet_tcp_connect_mssql_port(grafana_t)
 
 ########################################
-- 
Gitee


From 99d9f0997af979b4fe1ea74b6a7d5f4d555420b5 Mon Sep 17 00:00:00 2001
From: songmingliang <songmingliang@uniontech.com>
Date: Tue, 26 Apr 2022 17:07:50 +0800
Subject: [PATCH 2/3] build: use cn proxy for go build

---
 grafana.spec | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/grafana.spec b/grafana.spec
index 6746658..42e6913 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -1,3 +1,4 @@
+%define anolis_release .0.1
 # gobuild and gotest macros are not available on CentOS Stream
 # remove once BZ 1965292 is resolved
 # definitions lifted from Fedora 34 podman.spec
@@ -35,7 +36,7 @@ end}
 
 Name:             grafana
 Version:          9.2.10
-Release:          20%{?dist}
+Release:          20%{anolis_release}%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPLv3
 URL:              https://grafana.org
@@ -791,6 +792,8 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 # Build the frontend
 %if %{compile_frontend}
 %{SOURCE5}
+# export GO111MODULE=off
+go env -w GOPROXY=https://goproxy.cn
 %endif
 
 # Build the backend
@@ -1023,6 +1026,9 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 
 %changelog
+* Wed Oct 23 2024 Liwei Ge <geliwei@openanolis.com> 9.2.10-20.0.1
+- Use cn proxy for go build
+
 * Thu Oct 17 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-20
 - Resolves RHEL-62307: CVE-2024-47875
 
-- 
Gitee


From 25e5b0f5a60bd873234160cba79558f0be37412e Mon Sep 17 00:00:00 2001
From: Liwei Ge <geliwei@openanolis.org>
Date: Wed, 28 Dec 2022 20:40:59 +0800
Subject: [PATCH 3/3] spec: support loongarch build

---
 grafana.spec | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/grafana.spec b/grafana.spec
index 42e6913..9fcd2d7 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -116,6 +116,10 @@ BuildRequires:    yarnpkg
 BuildRequires:    openssl-devel
 %endif
 
+%ifarch loongarch64
+BuildRequires:    golang-vendored-golang.org
+%endif
+
 %global           GRAFANA_USER %{name}
 %global           GRAFANA_GROUP %{name}
 
@@ -803,6 +807,12 @@ go env -w GOPROXY=https://goproxy.cn
 # can be removed in a future Go release
 export GOEXPERIMENT=boringcrypto
 # see grafana-X.Y.Z/pkg/build/cmd.go
+
+%ifarch loongarch64
+rm -rf vendor/golang.org/x/sys
+cp -arp %{_datadir}/golang/vendor/golang.org/x/sys/ vendor/golang.org/x/
+%endif
+
 export LDFLAGS="-X main.version=%{version} -X main.buildstamp=${SOURCE_DATE_EPOCH}"
 for cmd in grafana-cli grafana-server; do
     %gobuild -o %{_builddir}/bin/${cmd} ./pkg/cmd/${cmd}
@@ -1028,6 +1038,7 @@ fi
 %changelog
 * Wed Oct 23 2024 Liwei Ge <geliwei@openanolis.com> 9.2.10-20.0.1
 - Use cn proxy for go build
+- Support loongarch build
 
 * Thu Oct 17 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-20
 - Resolves RHEL-62307: CVE-2024-47875
-- 
Gitee