
[CORE-6867] Smoke-test ficus binary after vendor download #1705

Open
ahamid-fossa wants to merge 1 commit into master from aaron/ficus-smoketest

Conversation


@ahamid-fossa ahamid-fossa commented Apr 29, 2026

See: https://github.com/fossas/ficus/pull/169

The pre-existing version-check loop runs --version on every binary but swallows failures via || echo "failed to get version information", so a non-runnable ficus (wrong glibc, wrong arch, corrupt download) prints a warning and the script continues. The binary then gets embedded into the CLI (and downstream consumers like Hubble) via Template Haskell and the failure only manifests at run time.

Add a strict smoke-execute of vendor-bins/ficus that fails the build if the binary cannot load in the build image's libc/arch.

Overview

Ensure compatibility with downstream consumers by failing when ficus binary cannot be run.

Acceptance criteria

Incompatible consumers cannot build against an incompatible ficus, specifically with respect to libc version.

Testing plan

I think maybe if we accept this PR (without a rebuilt ficus from https://github.com/fossas/ficus/pull/169), and then rebuild Hubble against this branch of ficus-cli, we should expect it to fail. If it fails, then this change has succeeded in preventing a bad Hubble/ficus build.

Risks

The previous logic was testing, but NOT failing. Maybe there is a use case where we don't want to fail if ficus is not runnable?


Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

@ahamid-fossa ahamid-fossa marked this pull request as ready for review April 29, 2026 16:10
@ahamid-fossa ahamid-fossa requested a review from a team as a code owner April 29, 2026 16:10
@ahamid-fossa ahamid-fossa requested a review from spatten April 29, 2026 16:10

coderabbitai Bot commented Apr 29, 2026

Walkthrough

The vendor_download.sh script has been modified to include an explicit runtime validation check for the ficus binary. Previously, the script iterated over executable files in the vendor-bins directory and reported their version output without verifying executability. The updated version now runs vendor-bins/ficus --version as a direct test. If the ficus binary fails to execute, the script terminates with an error rather than continuing execution. This change adds nine lines to the script and represents a medium-effort code review task.

Pre-merge checks: 5 passed

Title check: Passed. The title clearly and specifically describes the main change: adding a smoke-test for the ficus binary after vendor download.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
Description check: Passed. The pull request description covers key sections (Overview, Acceptance criteria, Testing plan, Risks) and explains the change well, but is missing concrete testing steps and does not address the checklist items.


@spatten spatten left a comment


This looks like a good change to me.

I tested like this. You'll need a GITHUB_TOKEN that has access to ficus, themis, etc., if you want to try it:

git checkout aaron/ficus-smoketest
docker run --rm -it --platform=linux/amd64 -v "$PWD":/src -w /src debian:buster bash

sed -i 's|deb.debian.org|archive.debian.org|g; /-updates/d; /-security/d' /etc/apt/sources.list
apt-get -o Acquire::Check-Valid-Until=false update -qq
apt-get install -y -qq curl jq xz-utils ca-certificates

export GITHUB_TOKEN=...
./vendor_download.sh
echo $?

I see this when I do that:

vendor-bins/ficus: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by vendor-bins/ficus)
vendor-bins/ficus: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by vendor-bins/ficus)
vendor-bins/ficus: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by vendor-bins/ficus)
failed to get version information
lernie: lernie v0.3.1
themis-cli: 2026/05/06 23:31:24 maxprocs: Leaving GOMAXPROCS=14: CPU quota undefined
Version: 1.0.50
./vendor-bins/ficus: /lib/x86_64-linux-gnu/libm.so.6: version `GLIBC_2.29' not found (required by ./vendor-bins/ficus)
./vendor-bins/ficus: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.30' not found (required by ./vendor-bins/ficus)
./vendor-bins/ficus: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./vendor-bins/ficus)
./vendor-bins/ficus: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./vendor-bins/ficus)
./vendor-bins/ficus: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./vendor-bins/ficus)
ERROR: vendor-bins/ficus does not run in this image
root@efdac803c8bb:/src# echo $?
1
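The two behaviours contrasted in this thread (the pre-existing loop that swallows a failed `--version`, and the strict check that aborts with a non-zero status) as an added shell example. This is not the project's vendor_download.sh and none of it is taken from the PR; the function names, the fixture directory and its two stand-in "binaries" (a shell script that answers `--version`, and a file whose interpreter does not exist so that exec fails, standing in for a corrupt, wrong-arch or wrong-glibc download) are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not the project's vendor_download.sh): lenient versus strict
# post-download checks of vendored binaries.

set -u

# Lenient check in the style the PR description attributes to the old loop:
# a binary that cannot execute only produces a warning, and the function
# always returns 0, so a caller (or a script under `set -e`) never notices.
lenient_version_check() {
  local dir="$1" bin
  for bin in "$dir"/*; do
    [ -x "$bin" ] || continue
    printf '%s: ' "$(basename "$bin")"
    "$bin" --version 2>/dev/null || echo "failed to get version information"
  done
  return 0
}

# Strict smoke test of one binary: exercise it, and return 1 (naming the
# binary on stderr) if the loader/interpreter refuses to run it.
smoke_test_binary() {
  local bin="$1"
  if ! "$bin" --version >/dev/null 2>&1; then
    echo "ERROR: $bin does not run in this image" >&2
    return 1
  fi
  return 0
}

# Strict check over a whole vendor directory: the first non-runnable binary
# aborts with status 1, which is what makes the build fail early.
smoke_test_dir() {
  local dir="$1" bin
  for bin in "$dir"/*; do
    [ -x "$bin" ] || continue
    smoke_test_binary "$bin" || return 1
  done
  return 0
}

# Constructed fixtures (hypothetical): "good" answers --version; "bad" has a
# non-existent interpreter, so exec fails much like a binary linked against a
# newer glibc than the image provides. Prints the directory path.
make_fixture_dir() {
  local dir
  dir="$(mktemp -d)"
  printf '#!/bin/sh\necho "fakebin 1.0.0"\n' > "$dir/good"
  printf '#!/nonexistent/interpreter\n' > "$dir/bad"
  chmod +x "$dir/good" "$dir/bad"
  echo "$dir"
}

# Demo when run directly: the lenient loop reports a warning and exits 0,
# the strict check stops at the first broken binary with status 1.
fixtures="$(make_fixture_dir)"
echo "--- lenient loop:"
lenient_version_check "$fixtures"
echo "lenient exit status: $?"
echo "--- strict check:"
smoke_test_dir "$fixtures" || echo "strict exit status: $?"
rm -rf "$fixtures"
```

Pointing `smoke_test_dir` at a real vendor-bins directory inside the build image reproduces the review above: any binary the image's libc cannot load turns the silent "failed to get version information" into a failing build.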
