

[pkgsrc/trunk]: pkgsrc/mk Improve the handling of allowed vulnerabilities. I...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/fe71cc877f9f
branches:  trunk
changeset: 503232:fe71cc877f9f
user:      erh <erh%pkgsrc.org@localhost>
date:      Wed Nov 16 20:59:22 2005 +0000

description:
Improve the handling of allowed vulnerabilities.  Instead of the single
ALLOW_VULNERABLE_PACKAGES setting that applies to all packages, there can
now be per-package lists of allowed vulnerability ids:
        ALLOW_VULNERABILITIES.<pkgname>=<space separated list of vulnids>

To avoid duplication of code, audit-packages is now used to do these checks.
It can be skipped altogether by setting:
        SKIP_AUDIT_PACKAGES=yes

diffstat:

 mk/bsd.pkg.mk       |  48 ++++++++++++++++++++++++++++++------------------
 mk/bsd.prefs.mk     |   4 +++-
 mk/defaults/mk.conf |  18 +++++++++++++-----
 3 files changed, 46 insertions(+), 24 deletions(-)

diffs (140 lines):

diff -r c73410c80aea -r fe71cc877f9f mk/bsd.pkg.mk
--- a/mk/bsd.pkg.mk     Wed Nov 16 20:49:21 2005 +0000
+++ b/mk/bsd.pkg.mk     Wed Nov 16 20:59:22 2005 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: bsd.pkg.mk,v 1.1751 2005/11/15 21:21:01 rillig Exp $
+#      $NetBSD: bsd.pkg.mk,v 1.1752 2005/11/16 20:59:22 erh Exp $
 #
 # This file is in the public domain.
 #
@@ -1363,35 +1363,45 @@
        esac
 
 # check for any vulnerabilities in the package
-# Please do not modify the leading "@" here
+
+_AUDIT_PACKAGES_MIN_VERSION=0.40
+_AUDIT_PACKAGES_OK!=   ${PKG_INFO} -qe 'audit-packages>=${AUDIT_PACKAGES_MIN_VERSION}' ; echo $$?
+
+# Note: _any_ output from check-vulnerable is considered an error by do-fetch.
 .PHONY: check-vulnerable
 check-vulnerable:
-       @if [ ! -z "${PKG_SYSCONFDIR.audit-packages}" -a -f ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf ]; then \
-               . ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf; \
-       elif [ ! -z "${PKG_SYSCONFDIR}" -a -f ${PKG_SYSCONFDIR}/audit-packages.conf ]; then \
-               . ${PKG_SYSCONFDIR}/audit-packages.conf;                \
-       fi;                                                             \
-       if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then               \
-               ${SETENV} PKGNAME=${PKGNAME:Q}                          \
-                         PKGBASE=${PKGBASE:Q}                          \
-                       ${AWK} '/^$$/ { next }                          \
-                               /^#.*/ { next }                         \
-                               $$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
-                               { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, 
ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \
-       fi
+.if empty(AUDIT_PACKAGES_OK:M0)
+       @${ECHO_MSG} "${_PKGSRC_IN}> *** The audit-packages package must be at least version ${AUDIT_PACKAGES_MIN_VERSION}"
+       @${ECHO_MSG} "${_PKGSRC_IN}> *** Please install pkgsrc/security/audit-packages package and run";
+       @${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'.";
+       @false
+.else
+       @${AUDIT_PACKAGES} -i ""${ALLOW_VULNERABILITIES.${PKGBASE}:Q} -p ${PKGNAME:Q}
+.endif
+
+
+.if defined(ALLOW_VULNERABILITIES.${PKGBASE})
+_ALLOW_VULNERABILITIES=${ALLOW_VULNERABILITIES.${PKGBASE}}
+.else
+_ALLOW_VULNERABILITIES=#none
+.endif
 
 .PHONY: do-fetch
 .if !target(do-fetch)
 do-fetch:
-.  if !defined(ALLOW_VULNERABLE_PACKAGES)
+.  if empty(SKIP_AUDIT_PACKAGES:M[Yy][Ee][Ss]) && empty(_ALLOW_VULNERABILITIES:M[Yy][Ee][Ss])
        ${_PKG_SILENT}${_PKG_DEBUG}                                     \
        if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then               \
                ${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}"; \
                vul=`${MAKE} ${MAKEFLAGS} check-vulnerable`;            \
                case "$$vul" in                                         \
                "")     ;;                                              \
-               *)      ${ECHO} "$$vul";                                \
-                       ${ECHO} "or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
+               *)      vulnids=`echo "$$vul" | sed -e's/.*vulnid:\\([[:digit:]]*\\).*/\\1/'`; \
+                       ${ECHO} "$$vul";                                \
+                       ${ECHO} "or if this package is absolutely essential, add this to mk.conf:"; \
+                       for vulnid in $$vulnids ; do \
+                               ${ECHO} " ALLOW_VULNERABILITIES.${PKGBASE}+=$$vulnid"; \
+                       done ; \
                        ${FALSE} ;;                                     \
                esac;                                                   \
        else                                                            \
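Review bot: The version gate cannot work as written because the variable names do not match: `_AUDIT_PACKAGES_MIN_VERSION` is assigned but `${AUDIT_PACKAGES_MIN_VERSION}` is expanded on the `_AUDIT_PACKAGES_OK!=` line and in the first error message, and `_AUDIT_PACKAGES_OK` is assigned but `.if empty(AUDIT_PACKAGES_OK:M0)` tests the un-prefixed name. Unless those names are defined elsewhere, pkg_info is asked for `audit-packages>=` with no version and the `.if` always takes the error branch, so check-vulnerable fails for every package that is not skipped; the fix is to change the three references to `${_AUDIT_PACKAGES_MIN_VERSION}` and `.if empty(_AUDIT_PACKAGES_OK:M0)`. The `-i ""${ALLOW_VULNERABILITIES.${PKGBASE}:Q}` argument bypasses the `_ALLOW_VULNERABILITIES` wrapper defined just below it, which do-fetch does use; `-i ""${_ALLOW_VULNERABILITIES:Q}` keeps one source of truth (the leading `""` must stay so an empty list is still passed as an argument). Note also that the `!=` assignment runs pkg_info at parse time even when SKIP_AUDIT_PACKAGES=yes. The do-fetch recipe continues past the end of this hunk.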
@@ -1400,6 +1410,8 @@
                ${ECHO_MSG} "${_PKGSRC_IN}> *** the pkgsrc/security/audit-packages package and run"; \
                ${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'."; \
        fi
+.  else
+       @${ECHO_MSG} "${_PKGSRC_IN}> *** Skipping vulnerability checks for ${PKGNAME}"
 .  endif
 .  if !empty(_ALLFILES)
        ${_PKG_SILENT}${_PKG_DEBUG}                                     \
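Review bot: The new `Skipping vulnerability checks for ${PKGNAME}` message does not record why the check was skipped, although the condition it belongs to (in the preceding hunk) is true both for SKIP_AUDIT_PACKAGES=yes and for ALLOW_VULNERABILITIES.<pkgbase>=yes; a build log that names the setting that bypassed the audit is what someone reviewing the installation later needs. Printing both knobs is enough: `@${ECHO_MSG} "${_PKGSRC_IN}> *** Skipping vulnerability checks for ${PKGNAME} (SKIP_AUDIT_PACKAGES=${SKIP_AUDIT_PACKAGES}, ALLOW_VULNERABILITIES.${PKGBASE}=${_ALLOW_VULNERABILITIES})"`. The enclosing do-fetch target starts and ends outside this hunk.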
diff -r c73410c80aea -r fe71cc877f9f mk/bsd.prefs.mk
--- a/mk/bsd.prefs.mk   Wed Nov 16 20:49:21 2005 +0000
+++ b/mk/bsd.prefs.mk   Wed Nov 16 20:59:22 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.209 2005/11/14 04:51:47 rillig Exp $
+# $NetBSD: bsd.prefs.mk,v 1.210 2005/11/16 20:59:23 erh Exp $
 #
 # Make file, included to get the site preferences, if any.  Should
 # only be included by package Makefiles before any .if defined()
@@ -497,6 +497,7 @@
 PKG_INFO_CMD?=         ${PKG_TOOLS_BIN}/pkg_info
 PKG_VIEW_CMD?=         ${PKG_TOOLS_BIN}/pkg_view
 LINKFARM_CMD?=         ${PKG_TOOLS_BIN}/linkfarm
+AUDIT_PACKAGES_CMD?=   ${LOCALBASE}/sbin/audit-packages
 
 .if !defined(PKGTOOLS_VERSION)
 PKGTOOLS_VERSION!=     ${PKG_INFO_CMD} -V 2>/dev/null || echo 20010302
@@ -527,6 +528,7 @@
 PKG_INFO?=             ${PKGTOOLS_ENV} ${PKG_INFO_CMD} ${PKGTOOLS_ARGS}
 PKG_VIEW?=             ${PKGTOOLS_ENV} ${PKG_VIEW_CMD} ${PKG_VIEW_ARGS}
 LINKFARM?=             ${LINKFARM_CMD}
+AUDIT_PACKAGES?=       ${PKGTOOLS_ENV} ${AUDIT_PACKAGES_CMD} ${PKGTOOLS_ARGS}
 
 # "${PKG_BEST_EXISTS} pkgpattern" prints out the name of the installed
 # package that best matches pkgpattern.  Use this instead of
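Review bot: `AUDIT_PACKAGES?=` appends `${PKGTOOLS_ARGS}` exactly as the `PKG_INFO?=` and `PKG_VIEW?=` wrappers above it do, but audit-packages is installed from a separate package (security/audit-packages per the description) rather than with the pkg_* tools, and nothing here shows that it accepts those arguments; if it does not, check-vulnerable in bsd.pkg.mk fails whenever PKGTOOLS_ARGS is non-empty. Either confirm the option set or define it as `AUDIT_PACKAGES?= ${PKGTOOLS_ENV} ${AUDIT_PACKAGES_CMD}` and add a comment such as `# audit-packages is not a pkg_* tool; PKGTOOLS_ARGS is deliberately not passed` so the asymmetry with the neighbouring lines is not "fixed" later.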
diff -r c73410c80aea -r fe71cc877f9f mk/defaults/mk.conf
--- a/mk/defaults/mk.conf       Wed Nov 16 20:49:21 2005 +0000
+++ b/mk/defaults/mk.conf       Wed Nov 16 20:59:22 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.91 2005/11/15 12:54:36 tonio Exp $
+# $NetBSD: mk.conf,v 1.92 2005/11/16 20:59:23 erh Exp $
 #
 
 # This file provides default values for variables that may be overridden
@@ -14,12 +14,20 @@
 # NOTE TO PEOPLE EDITING THIS FILE - USE LEADING SPACES, NOT LEADING TABS.
 # ************************************************************************
 
-#ALLOW_VULNERABLE_PACKAGES=
-# allow the user to build packages which are known to be vulnerable to
-# security exploits
-# Possible: defined, not defined
+#ALLOW_VULNERABILITIES.<pkgname>=
+# List of vulnerability ids to ignore when performing audit-packages
+# check when building a package.  
+# Possible: one or more vulnerabilities ids,
+#           or the word "yes" to allow all. (not recommended)
 # Default: not defined
 
+SKIP_AUDIT_PACKAGES=no
+# Completely skip running audit-packages to check for vulnerable packages.
+# Specifying individual vulnerabilities with
+# ALLOW_VULNERABILITIES.<pkgname>=<vulnid> is preferred to using this.
+# Possible: yes, no
+# Default: no
+
 MANINSTALL?= maninstall catinstall
 # Specify manpage installation types.
 # Possible: maninstall, catinstall, both types or empty
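Review bot: `SKIP_AUDIT_PACKAGES=no` uses a plain `=` while the other default in this hunk, `MANINSTALL?= maninstall catinstall`, uses `?=`; if this defaults file is read after the user's own settings, the `=` overwrites a user's `SKIP_AUDIT_PACKAGES=yes` and the skip branch added to bsd.pkg.mk becomes unreachable. The include order is not visible here, so confirm it, but `SKIP_AUDIT_PACKAGES?=no` is correct under either order. In the comment block, `# Possible: one or more vulnerabilities ids,` should read `vulnerability ids`, and `# check when building a package.  ` carries trailing whitespace.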


