

[pkgsrc/trunk]: pkgsrc/security/audit-packages Add several new command line o...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/cb5f8ec3c51f
branches:  trunk
changeset: 503230:cb5f8ec3c51f
user:      erh <erh%pkgsrc.org@localhost>
date:      Wed Nov 16 20:47:55 2005 +0000

description:
Add several new command line options so audit-packages can be used as part of
the improved ALLOW_VULNERABILITIES support.  This now has the ability to:
  -p : Only check a single package
  -i : Provide a list of vulnerabilities to ignore
  -K : Specify an alternate pkg dbdir.
Bump the version to 0.40.

diffstat:

 security/audit-packages/Makefile               |    6 +-
 security/audit-packages/files/audit-packages   |  104 +++++++++++++++++++++++-
 security/audit-packages/files/audit-packages.8 |   46 ++++++++--
 3 files changed, 136 insertions(+), 20 deletions(-)

diffs (253 lines):

diff -r 6bc7aadee8e6 -r cb5f8ec3c51f security/audit-packages/Makefile
--- a/security/audit-packages/Makefile  Wed Nov 16 20:43:03 2005 +0000
+++ b/security/audit-packages/Makefile  Wed Nov 16 20:47:55 2005 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.61 2005/10/31 21:33:19 erh Exp $
+# $NetBSD: Makefile,v 1.62 2005/11/16 20:47:55 erh Exp $
 
-DISTNAME=      audit-packages-1.39
+DISTNAME=      audit-packages-1.40
 CATEGORIES=    security pkgtools
 MASTER_SITES=  # empty
 DISTFILES=     # empty
@@ -20,6 +20,8 @@
 OWN_DIRS=      ${PKGVULNDIR}
 INSTALLATION_DIRS=     man/cat8 man/man8 sbin
 
+SKIP_AUDIT_PACKAGES=   yes
+
 .include "../../mk/bsd.prefs.mk"
 
 do-build:
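Review bot: The new SKIP_AUDIT_PACKAGES=yes assignment carries no comment, and nothing on this page shows which part of the pkgsrc infrastructure reads it or why this package is exempt. A one-line comment above it stating the reason (presumably because this package provides the audit tool itself and should not be checked while it is being installed, to be confirmed) would save the next reader a search through mk/.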
diff -r 6bc7aadee8e6 -r cb5f8ec3c51f security/audit-packages/files/audit-packages
--- a/security/audit-packages/files/audit-packages      Wed Nov 16 20:43:03 2005 +0000
+++ b/security/audit-packages/files/audit-packages      Wed Nov 16 20:47:55 2005 +0000
@@ -1,6 +1,6 @@
 #! @SH@
 #
-# $NetBSD: audit-packages,v 1.23 2005/10/20 10:26:54 agc Exp $
+# $NetBSD: audit-packages,v 1.24 2005/11/16 20:47:56 erh Exp $
 #
 # Copyright (c) 2000-2003 Alistair Crooks.  All rights reserved.
 #
@@ -41,8 +41,25 @@
 
 FORMAT_MAJOR=1
 FORMAT_MINOR=0
+FORMAT_TEENY=1
 PKG_INSTALL_REQUIRED=20050530
 
+usage() {
+       argv0="${1##*/}"
+       cat <<EOF
+$2
+Usage: $argv0 [-vd] [-K <pkg_dbdir>] [-p <package>]
+               [-i [<vulnid>|pkgpat:<pkgpat> [...]]
+    -v : Verbose mode
+    -d : Run download-vulnerability-list before anything else.
+    -i : Ignore packages matching one of the specified vulnerabilities,
+          or matching one of the provided patterns.
+          Repeated -i options add to the ignore list.
+    -p : Check a specific package for vulnerabilities.
+EOF
+       exit 1
+}
+
 if [ -r @PKG_SYSCONFDIR@/audit-packages.conf ]; then
        echo "Reading settings from @PKG_SYSCONFDIR@/audit-packages.conf"
        . @PKG_SYSCONFDIR@/audit-packages.conf
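Review bot: The usage text lists `-K <pkg_dbdir>` on its synopsis line but the option list below has no entry for -K, although the parsing code in this commit exports PKG_DBDIR from its argument; add `    -K : Use <pkg_dbdir> as the package database directory (sets PKG_DBDIR).` after the -d line. The diagnostic passed as $2 and the usage text are written to stdout by `cat <<EOF`; since the function then exits 1, `cat <<EOF >&2` would keep them out of a pipeline consuming the vulnerability report. The assignment to argv0 is global, which a plain @SH@ script cannot avoid, but a short comment saying so would stop a later reader from treating it as an oversight.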
@@ -52,14 +69,44 @@
 
 download=no
 verbose=no
+ignore_list=
+pkg_patterns=
+vulnids=
+one_package=
 while [ $# -gt 0 ]; do
        case "$1" in
        -d)     download=yes ;;
        -v)     verbose=yes ;;
+       -i)
+               ignore_list="$ignore_list $2"
+               shift
+               ;;
+       -p)
+               one_package="$2"
+               shift
+               ;;
+       -K)
+               export PKG_DBDIR="$2"
+               shift
+               ;;
+       *)
+               usage "$0" "Unknown option $1"
        esac
        shift
 done
 
+for ign in $ignore_list ; do
+       case "$ign" in
+       pkgpat:*)
+               ign="${ign#*:}"
+               pkg_patterns="$pkg_patterns $ign"
+               ;;
+       *)
+               vulnids="$vulnids $ign"
+               ;;
+       esac
+done
+
 # try to download vulnerability list, as requested
 # the integrity of the list is checked below
 # so just issue a warning if there was a failure
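Review bot: The -i, -p and -K arms read `$2` without checking that a second argument exists, so a trailing `-p` leaves one_package empty (silently reverting to a check of every installed package) and the following `shift` runs on an exhausted list, which some sh implementations treat as a fatal error; guard each arm with `[ $# -ge 2 ] || usage "$0" "Option $1 requires an argument"`. The ignore-list classification at the bottom of the hunk only recognises a `pkgpat:` prefix, yet the manual page in this same commit tells users to write `vulnid:<vulnid>`; with that prefix the token lands in vulnids verbatim and never equals a bare id from the vulnerabilities file. Adding an arm `vulnid:*) vulnids="$vulnids ${ign#*:}" ;;` before the default arm would make the code match the documentation.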
@@ -96,14 +143,20 @@
 
 case "$errmsg" in
 "")    # check format version of vulnerabilities file
-       file_major=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[1] }' "$vuls"`
-       file_minor=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[2] }' "$vuls"`
+       file_major=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[1]; exit; }' "$vuls"`
+       file_minor=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[2]; exit; }' "$vuls"`
+       file_teeny=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[3]; exit; }' "$vuls"`
+       if [ -z "$file_teeny" ] ; then
+               file_teeny=0
+       fi
        if [ "x$file_major" = "x" -o "x$file_minor" = "x" ]; then
                errmsg="No file format version found in $vuls"
                errsolution="$ERR_DOWNLOAD"
        elif [ "$file_major" -ne "$FORMAT_MAJOR" -o "$file_minor" -gt "$FORMAT_MINOR" ]; then
-               errmsg="Unsupported file format version $file_major.$file_minor in $vuls (supported version: $FORMAT_MAJOR.$FORMAT_MINOR)."
-               if [ "$file_major" -le "$FORMAT_MAJOR" ]; then
+               errmsg="Unsupported file format version $file_major.$file_minor${file_teeny:+.${file_teeny}} in $vuls (supported version: $FORMAT_MAJOR.$FORMAT_MINOR.$FORMAT_TEENY)."
+               if [ "$file_major" -le "$FORMAT_MAJOR" -o
+                    \( "$file_major" -eq "$FORMAT_MAJOR" -a
+                       "$file_minor" -lt "$FORMAT_MINOR" \) ]; then
                        errsolution="$ERR_DOWNLOAD"
                else
                        errsolution="$ERR_UPGRADE"
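Review bot: The parenthesised clause added to the inner test is unreachable: this elif branch is entered only when file_major differs from FORMAT_MAJOR or file_minor exceeds FORMAT_MINOR, so an equal major with a smaller minor never gets here, and the clause is in any case subsumed by the `-le` test before it. The one same-major case that does reach this point, file_minor greater than FORMAT_MINOR, is a file newer than the script supports, yet `-le` still routes it to ERR_DOWNLOAD rather than ERR_UPGRADE; `if [ "$file_major" -lt "$FORMAT_MAJOR" ]; then` expresses the intended split in one line. As rendered here the three-line test has no trailing backslashes, so unless they were lost in transmission the `[` command ends at the first newline and the next two lines execute as separate commands; worth confirming against the committed file. The three awk passes over the file could also be folded into one that prints all three fields, though that is cosmetic.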
@@ -151,10 +204,45 @@
        \#*|'') continue;;
        esac
 
-       if @PKG_TOOLS_BIN@/pkg_info -qe "$pat"; then
-               echo Package `@PKG_TOOLS_BIN@/pkg_info -e "$pat"` has a \
-                       "$type" vulnerability, see "$url"
+       vulnid=unknown
+       if [ $file_teeny -gt 0 ] ; then
+               vulnid=${type%%,*}
+               type=${type#*,}
+
+               skipit=0
+               for ign in $vulnids; do
+                       if [ "$ign" = "$vulnid" ] ; then
+                               skipit=1
+                       fi
+               done
+               if [ $skipit -eq 1 ] ; then
+                       continue;
+               fi
        fi
+
+       if [ -z "$one_package" ] ; then
+               vulnpkgs=`@PKG_TOOLS_BIN@/pkg_info -e "$pat"`
+       else
+               vulnpkgs=
+               if `@PKG_TOOLS_BIN@/pkg_admin pmatch "$pat" "$one_package"` ; then
+                       vulnpkgs=$one_package
+               fi
+       fi
+       for pkg in $vulnpkgs ; do
+               skipit=0
+               for ign in $pkg_patterns; do
+                       ign="${ign#*:}"
+                       if @PKG_TOOLS_BIN@/pkg_admin pmatch "${ign}" "$pkg" ; then
+                               skipit=1
+                               break
+                       fi
+               done
+               if [ $skipit -eq 1 ] ; then
+                       continue
+               fi
+               echo "Package $pkg has a" \
+                       "$type vulnerability (vulnid:$vulnid), see $url"
+       done
 done < "$vuls"
 
 exit 0
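Review bot: The -p branch wraps the pkg_admin pmatch call in backticks inside `if`, which executes whatever pkg_admin prints as a command and only falls back to its exit status when that output is empty; the per-package loop further down already uses the plain form, so this line should read `if @PKG_TOOLS_BIN@/pkg_admin pmatch "$pat" "$one_package"; then`. The `ign="${ign#*:}"` inside the pkg_patterns loop re-strips a prefix that was already removed when pkg_patterns was built and would also truncate any pattern containing a colon; it can be dropped. When file_teeny is greater than 0 but a line carries no comma, `${type%%,*}` and `${type#*,}` both yield the whole field, so vulnid and type become identical instead of vulnid staying `unknown`; guarding the split with `case "$type" in *,*) … esac` keeps the old default for such lines. The enclosing `while … done < "$vuls"` loop begins before this hunk.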
diff -r 6bc7aadee8e6 -r cb5f8ec3c51f security/audit-packages/files/audit-packages.8
--- a/security/audit-packages/files/audit-packages.8    Wed Nov 16 20:43:03 2005 +0000
+++ b/security/audit-packages/files/audit-packages.8    Wed Nov 16 20:47:55 2005 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: audit-packages.8,v 1.15 2005/10/20 10:26:54 agc Exp $
+.\" $NetBSD: audit-packages.8,v 1.16 2005/11/16 20:47:56 erh Exp $
 .\"
 .\" Copyright (c) 2003 Jeremy C. Reed.  All rights reserved.
 .\"
@@ -40,6 +40,8 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl dv
+.Op Fl K Ar pkg_dbdir
+.Op Fl i Ar ignore-list
 .Nm download-vulnerability-list
 .Sh DESCRIPTION
 The
@@ -50,16 +52,30 @@
 This output contains the name and version of the package, the
 type of vulnerability, and an URL for further information for each
 vulnerable package.
-If the
-.Fl v
-option is specified,
+.Pp
+The following flags are supported:
+.Bl -tag -width Ar
+.It Fl d
+.Nm
+will attempt to download the vulnerabilities
+file before scanning
+the installed packages for vulnerabilities.
+.It Fl i
+Specify an list of vulnerabilities or packages to ignore.
+Packages can be specified using package wildcards (see
+.Xr pkg_info 1
+).
+Vulnerabilities can be specified with the form
+.Sm off
+.Cm vulnid:
+.Ar vulnid .
+.Sm on
+Vulnerability ids are only present in file format 1.0.1 or higher.
+.It Fl v
+Set verbose mode.
 .Nm
 will warn when the vulnerabilities file is more than a week old.
-The
-.Fl d
-option will attempt to download this vulnerabilities
-file before scanning
-the installed packages for vulnerabilities.
+.El
 .Pp
 The
 .Nm download-vulnerability-list
@@ -73,7 +89,17 @@
 packages team.
 .Pp
 Each line lists the package and vulnerable versions, the type of exploit,
-and an Internet address for further information.
+and an Internet address for further information:
+.Bl -item
+.It
+.Aq package pattern
+.Sm off
+.Aq vulnid ,
+.Aq type
+.Sm on
+.Aq url
+.El
+.Pp
 The type of exploit can be any text, although
 some common types of exploits listed are:
 .Bl -bullet -compact -offset indent


