[pkgsrc/trunk]: pkgsrc/security/audit-packages Add several new command line o...
details: https://anonhg.NetBSD.org/pkgsrc/rev/cb5f8ec3c51f
branches: trunk
changeset: 503230:cb5f8ec3c51f
user: erh <erh%pkgsrc.org@localhost>
date: Wed Nov 16 20:47:55 2005 +0000
description:
Add several new command line options so audit-packages can be used as part of
the improved ALLOW_VULNERABILITIES support. This now has the ability to:
-p : Only check a single package
-i : Provide a list of vulnerabilities to ignore
-K : Specify an alternate pkg dbdir.
Bump the version to 0.40.
diffstat:
security/audit-packages/Makefile | 6 +-
security/audit-packages/files/audit-packages | 104 +++++++++++++++++++++++-
security/audit-packages/files/audit-packages.8 | 46 ++++++++--
3 files changed, 136 insertions(+), 20 deletions(-)
diffs (253 lines):
diff -r 6bc7aadee8e6 -r cb5f8ec3c51f security/audit-packages/Makefile
--- a/security/audit-packages/Makefile Wed Nov 16 20:43:03 2005 +0000
+++ b/security/audit-packages/Makefile Wed Nov 16 20:47:55 2005 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.61 2005/10/31 21:33:19 erh Exp $
+# $NetBSD: Makefile,v 1.62 2005/11/16 20:47:55 erh Exp $
-DISTNAME= audit-packages-1.39
+DISTNAME= audit-packages-1.40
CATEGORIES= security pkgtools
MASTER_SITES= # empty
DISTFILES= # empty
@@ -20,6 +20,8 @@
OWN_DIRS= ${PKGVULNDIR}
INSTALLATION_DIRS= man/cat8 man/man8 sbin
+SKIP_AUDIT_PACKAGES= yes
+
.include "../../mk/bsd.prefs.mk"
do-build:
diff -r 6bc7aadee8e6 -r cb5f8ec3c51f security/audit-packages/files/audit-packages
--- a/security/audit-packages/files/audit-packages Wed Nov 16 20:43:03 2005 +0000
+++ b/security/audit-packages/files/audit-packages Wed Nov 16 20:47:55 2005 +0000
@@ -1,6 +1,6 @@
#! @SH@
#
-# $NetBSD: audit-packages,v 1.23 2005/10/20 10:26:54 agc Exp $
+# $NetBSD: audit-packages,v 1.24 2005/11/16 20:47:56 erh Exp $
#
# Copyright (c) 2000-2003 Alistair Crooks. All rights reserved.
#
@@ -41,8 +41,25 @@
FORMAT_MAJOR=1
FORMAT_MINOR=0
+FORMAT_TEENY=1
PKG_INSTALL_REQUIRED=20050530
+usage() {
+ argv0="${1##*/}"
+ cat <<EOF
+$2
+Usage: $argv0 [-vd] [-K <pkg_dbdir>] [-p <package>]
+ [-i [<vulnid>|pkgpat:<pkgpat> [...]]
+ -v : Verbose mode
+ -d : Run download-vulnerability-list before anything else.
+ -i : Ignore packages matching one of the specified vulnerabilities,
+ or matching one of the provided patterns.
+ Repeated -i options add to the ignore list.
+ -p : Check a specific package for vulnerabilities.
+EOF
+ exit 1
+}
+
if [ -r @PKG_SYSCONFDIR@/audit-packages.conf ]; then
echo "Reading settings from @PKG_SYSCONFDIR@/audit-packages.conf"
. @PKG_SYSCONFDIR@/audit-packages.conf
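Review bot: The new usage() lists `-K <pkg_dbdir>` in its synopsis line but the option list below it describes only -v, -d, -i and -p, so the one flag a reader is least likely to guess has no explanation; add a line such as `-K : Use <pkg_dbdir> as the package database directory (sets PKG_DBDIR).` next to the -p entry. It would also be worth noting in the -i line that bare words are vulnerability ids, since the pkgpat: prefix is the only one the synopsis shows. The function is complete within this hunk.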
@@ -52,14 +69,44 @@
download=no
verbose=no
+ignore_list=
+pkg_patterns=
+vulnids=
+one_package=
while [ $# -gt 0 ]; do
case "$1" in
-d) download=yes ;;
-v) verbose=yes ;;
+ -i)
+ ignore_list="$ignore_list $2"
+ shift
+ ;;
+ -p)
+ one_package="$2"
+ shift
+ ;;
+ -K)
+ export PKG_DBDIR="$2"
+ shift
+ ;;
+ *)
+ usage "$0" "Unknown option $1"
esac
shift
done
+for ign in $ignore_list ; do
+ case "$ign" in
+ pkgpat:*)
+ ign="${ign#*:}"
+ pkg_patterns="$pkg_patterns $ign"
+ ;;
+ *)
+ vulnids="$vulnids $ign"
+ ;;
+ esac
+done
+
# try to download vulnerability list, as requested
# the integrity of the list is checked below
# so just issue a warning if there was a failure
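Review bot: The -i, -p and -K arms read `$2` without checking that an argument follows, so a trailing `-i` stores an empty value and the extra `shift` then fails or silently underflows depending on the sh, instead of producing a usage error; a guard such as `[ $# -ge 2 ] || usage "$0" "Option $1 requires an argument"` at the top of each of the three arms fixes this. The ignore loop at the end of the hunk also never strips a `vulnid:` prefix (the `*)` arm appends the word unchanged) although the audit-packages.8 hunk in this same commit documents `vulnid:<vulnid>` as the form for vulnerability ids, so `-i vulnid:X` would never match; an extra arm `vulnid:*) vulnids="$vulnids ${ign#*:}" ;;` would make the script and the manual agree. Both `for ign in $ignore_list` here and `for ign in $pkg_patterns` in the last hunk iterate an unquoted list, so a pattern such as `pkgpat:foo-*` is subject to pathname expansion against the working directory before it ever reaches pkg_admin; wrapping those loops in `set -f` / `set +f` keeps the patterns literal.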
@@ -96,14 +143,20 @@
case "$errmsg" in
"") # check format version of vulnerabilities file
- file_major=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[1] }' "$vuls"`
- file_minor=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[2] }' "$vuls"`
+ file_major=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[1]; exit; }' "$vuls"`
+ file_minor=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[2]; exit; }' "$vuls"`
+ file_teeny=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[3]; exit; }' "$vuls"`
+ if [ -z "$file_teeny" ] ; then
+ file_teeny=0
+ fi
if [ "x$file_major" = "x" -o "x$file_minor" = "x" ]; then
errmsg="No file format version found in $vuls"
errsolution="$ERR_DOWNLOAD"
elif [ "$file_major" -ne "$FORMAT_MAJOR" -o "$file_minor" -gt "$FORMAT_MINOR" ]; then
- errmsg="Unsupported file format version $file_major.$file_minor in $vuls (supported version: $FORMAT_MAJOR.$FORMAT_MINOR)."
- if [ "$file_major" -le "$FORMAT_MAJOR" ]; then
+ errmsg="Unsupported file format version $file_major.$file_minor${file_teeny:+.${file_teeny}} in $vuls (supported version: $FORMAT_MAJOR.$FORMAT_MINOR.$FORMAT_TEENY)."
+ if [ "$file_major" -le "$FORMAT_MAJOR" -o
+ \( "$file_major" -eq "$FORMAT_MAJOR" -a
+ "$file_minor" -lt "$FORMAT_MINOR" \) ]; then
errsolution="$ERR_DOWNLOAD"
else
errsolution="$ERR_UPGRADE"
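Review bot: The parenthesised clause added to the elif condition is unreachable as written: whenever `"$file_major" -eq "$FORMAT_MAJOR"` holds, the preceding `"$file_major" -le "$FORMAT_MAJOR"` is already true, so the same-major/newer-minor case still ends in ERR_DOWNLOAD rather than ERR_UPGRADE, which is presumably what the new clause was meant to change; the first comparison should be `-lt`. As rendered here the two continued lines also end in `-o` and `-a` with no trailing backslash; if the file really lacks them, `[` sees the newline as the end of its arguments and reports a missing `]`, so the intended form is `if [ "$file_major" -lt "$FORMAT_MAJOR" -o \`, `\( "$file_major" -eq "$FORMAT_MAJOR" -a \`, `"$file_minor" -lt "$FORMAT_MINOR" \) ]; then`. The enclosing case arm starts and ends outside this hunk.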
@@ -151,10 +204,45 @@
\#*|'') continue;;
esac
- if @PKG_TOOLS_BIN@/pkg_info -qe "$pat"; then
- echo Package `@PKG_TOOLS_BIN@/pkg_info -e "$pat"` has a \
- "$type" vulnerability, see "$url"
+ vulnid=unknown
+ if [ $file_teeny -gt 0 ] ; then
+ vulnid=${type%%,*}
+ type=${type#*,}
+
+ skipit=0
+ for ign in $vulnids; do
+ if [ "$ign" = "$vulnid" ] ; then
+ skipit=1
+ fi
+ done
+ if [ $skipit -eq 1 ] ; then
+ continue;
+ fi
fi
+
+ if [ -z "$one_package" ] ; then
+ vulnpkgs=`@PKG_TOOLS_BIN@/pkg_info -e "$pat"`
+ else
+ vulnpkgs=
+ if `@PKG_TOOLS_BIN@/pkg_admin pmatch "$pat" "$one_package"` ; then
+ vulnpkgs=$one_package
+ fi
+ fi
+ for pkg in $vulnpkgs ; do
+ skipit=0
+ for ign in $pkg_patterns; do
+ ign="${ign#*:}"
+ if @PKG_TOOLS_BIN@/pkg_admin pmatch "${ign}" "$pkg" ; then
+ skipit=1
+ break
+ fi
+ done
+ if [ $skipit -eq 1 ] ; then
+ continue
+ fi
+ echo "Package $pkg has a" \
+ "$type vulnerability (vulnid:$vulnid), see $url"
+ done
done < "$vuls"
exit 0
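Review bot: The single-package branch tests `` if `@PKG_TOOLS_BIN@/pkg_admin pmatch "$pat" "$one_package"` `` — the backticks run pkg_admin and then execute whatever it printed as a command, so the test only works because pmatch normally prints nothing, and any diagnostic written to stdout would be executed instead of evaluated; the pattern loop a few lines later already does it correctly, so this should read `if @PKG_TOOLS_BIN@/pkg_admin pmatch "$pat" "$one_package" ; then`. In that loop, `ign="${ign#*:}"` strips up to the first colon a second time, although the pkgpat: prefix was already removed when pkg_patterns was built, so a pattern that itself contains a colon would be truncated; the line can simply be dropped. The `[ $file_teeny -gt 0 ]` test assumes the third #FORMAT component is numeric — a non-numeric value would make `[` fail rather than fall back to the old behaviour, which may be worth a comment. The while loop that contains this code begins before the hunk.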
diff -r 6bc7aadee8e6 -r cb5f8ec3c51f security/audit-packages/files/audit-packages.8
--- a/security/audit-packages/files/audit-packages.8 Wed Nov 16 20:43:03 2005 +0000
+++ b/security/audit-packages/files/audit-packages.8 Wed Nov 16 20:47:55 2005 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: audit-packages.8,v 1.15 2005/10/20 10:26:54 agc Exp $
+.\" $NetBSD: audit-packages.8,v 1.16 2005/11/16 20:47:56 erh Exp $
.\"
.\" Copyright (c) 2003 Jeremy C. Reed. All rights reserved.
.\"
@@ -40,6 +40,8 @@
.Sh SYNOPSIS
.Nm
.Op Fl dv
+.Op Fl K Ar pkg_dbdir
+.Op Fl i Ar ignore-list
.Nm download-vulnerability-list
.Sh DESCRIPTION
The
@@ -50,16 +52,30 @@
This output contains the name and version of the package, the
type of vulnerability, and an URL for further information for each
vulnerable package.
-If the
-.Fl v
-option is specified,
+.Pp
+The following flags are supported:
+.Bl -tag -width Ar
+.It Fl d
+.Nm
+will attempt to download the vulnerabilities
+file before scanning
+the installed packages for vulnerabilities.
+.It Fl i
+Specify an list of vulnerabilities or packages to ignore.
+Packages can be specified using package wildcards (see
+.Xr pkg_info 1
+).
+Vulnerabilities can be specified with the form
+.Sm off
+.Cm vulnid:
+.Ar vulnid .
+.Sm on
+Vulnerability ids are only present in file format 1.0.1 or higher.
+.It Fl v
+Set verbose mode.
.Nm
will warn when the vulnerabilities file is more than a week old.
-The
-.Fl d
-option will attempt to download this vulnerabilities
-file before scanning
-the installed packages for vulnerabilities.
+.El
.Pp
The
.Nm download-vulnerability-list
@@ -73,7 +89,17 @@
packages team.
.Pp
Each line lists the package and vulnerable versions, the type of exploit,
-and an Internet address for further information.
+and an Internet address for further information:
+.Bl -item
+.It
+.Aq package pattern
+.Sm off
+.Aq vulnid ,
+.Aq type
+.Sm on
+.Aq url
+.El
+.Pp
The type of exploit can be any text, although
some common types of exploits listed are:
.Bl -bullet -compact -offset indent