diff options
author | eik <eik@FreeBSD.org> | 2004-04-01 06:52:01 +0800 |
---|---|---|
committer | eik <eik@FreeBSD.org> | 2004-04-01 06:52:01 +0800 |
commit | 738a30d88b41b61f1a48fb63bcf0f5e06b83d310 (patch) | |
tree | a814e65da88813817666c4a486a8d00ad82f7d45 /security/portaudit | |
parent | 7965fb7b67d0135237d020fe5d52e0cefd99312e (diff) | |
download | freebsd-ports-gnome-738a30d88b41b61f1a48fb63bcf0f5e06b83d310.tar.gz freebsd-ports-gnome-738a30d88b41b61f1a48fb63bcf0f5e06b83d310.tar.zst freebsd-ports-gnome-738a30d88b41b61f1a48fb63bcf0f5e06b83d310.zip |
update to 0.3.1:
- use passive ftp by default, don't retry on failure [1]
- add a -C flag, portlint style
- don't keep databases that are tool old [2]
Requested by: hubs [1]
Noticed by: Nicolas Rachinsky <nicolas@rachinsky.de> [2]
Diffstat (limited to 'security/portaudit')
-rw-r--r-- | security/portaudit/Makefile | 4 | ||||
-rw-r--r-- | security/portaudit/files/portaudit-cmd.sh | 65 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.1 | 9 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.conf | 6 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.functions | 51 |
5 files changed, 117 insertions, 18 deletions
diff --git a/security/portaudit/Makefile b/security/portaudit/Makefile index c574bff71052..6cd41e3658d6 100644 --- a/security/portaudit/Makefile +++ b/security/portaudit/Makefile @@ -6,7 +6,7 @@ # PORTNAME= portaudit -PORTVERSION= 0.3 +PORTVERSION= 0.3.1 CATEGORIES= security DISTFILES= @@ -28,7 +28,7 @@ SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \ -e 's,%%DATABASEDIR%%,${DATABASEDIR},g' PKG_INFO_BASE?= /usr/sbin/pkg_info -BASEPKGVER!= ${PKG_INFO_BASE} -qP 2>/dev/null +BASEPKGVER!= ${PKG_INFO_BASE} -qP 2>/dev/null || ${TRUE} .if ${BASEPKGVER} < 20040125 RUN_DEPENDS= ${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install-devel diff --git a/security/portaudit/files/portaudit-cmd.sh b/security/portaudit/files/portaudit-cmd.sh index 7b48e0be3888..2df9a0fc4533 100644 --- a/security/portaudit/files/portaudit-cmd.sh +++ b/security/portaudit/files/portaudit-cmd.sh @@ -1,4 +1,4 @@ -#!/bin/sh -ef +#!/bin/sh -e # # Copyright (c) 2004 Oliver Eikemeier. All rights reserved. # @@ -35,6 +35,9 @@ portaudit_confs opt_audit=false +opt_auditcwd=false +opt_audittree=false +opt_verbose=false opt_version=false opt_dbversion=false opt_fetch=false @@ -44,25 +47,31 @@ if [ $# -eq 0 ] ; then opt_audit=true fi -while getopts aVdFq opt; do +while getopts aACvVdFq opt; do case "$opt" in a) opt_audit=true;; + A) + opt_audittree=true;; + C) + opt_auditcwd=true;; d) opt_dbversion=true;; F) opt_fetch=true;; q) opt_quiet=true;; + v) + opt_verbose=true;; V) opt_version=true;; ?) - echo "Usage: $0 -adFqV" + echo "Usage: $0 -aACvVdFq" exit 2;; esac done -shift $(($OPTIND - 1)) +shift $((${OPTIND}-1)) if $opt_version; then echo "portaudit version %%PORTVERSION%%" @@ -81,10 +90,56 @@ if $opt_dbversion; then echo "portaudit: database corrupt." exit 2 fi - echo "database created: `getcreated_auditfile`" + created=`getcreated_auditfile` + echo "database created: `/bin/date -j -f '%Y-%m-%d %H:%M:%S %Z' \"${created} GMT\"`" fi if $opt_audit; then portaudit_prerequisites audit_installed || true fi + +if $opt_auditcwd; then + portaudit_prerequisites + audit_cwd +fi + +if $opt_audittree; then + echo "auditing ports tree for known vulnerabilities" + VULCNT=0 + + portaudit_prerequisites + + cd "${PORTSDIR:=/usr/ports}" + CATEGORIES=`echo [a-z]*` + + for category in ${CATEGORIES}; do + if [ ! -d "${PORTSDIR}/${category}" ]; then continue; fi + case "${category}" in + CVS) continue ;; + Mk) continue ;; + Templates) continue ;; + Tools) continue ;; + distfiles) continue ;; + packages) continue ;; + esac + + $opt_quiet || echo "==> ${category}" + + cd "${PORTSDIR}/${category}" + PORTS=`echo *` + + for port in ${PORTS}; do + if [ ! -d "${PORTSDIR}/${category}/${port}" ]; then continue; fi + case "${port}" in + pkg) continue ;; + CVS) continue ;; + esac + + cd "${PORTSDIR}/${category}/${port}" + audit_cwd; + done + done + + echo "${VULCNT} ports with unmarked vulnerabilities." +fi diff --git a/security/portaudit/files/portaudit.1 b/security/portaudit/files/portaudit.1 index 4950ff868b2f..4e6dfde7d673 100644 --- a/security/portaudit/files/portaudit.1 +++ b/security/portaudit/files/portaudit.1 @@ -43,6 +43,8 @@ . .Nm .Op Fl a +.Op Fl A +.Op Fl C .Op Fl V .Op Fl d .Op Fl F @@ -74,6 +76,11 @@ The following options are supported: .Bl -tag -width ".Fl X" .It Fl a Print a vulnerability report for all installed packages +.It Fl A +Print a vulnerability report for all ports in PORTSDIR (slow). +.It Fl C +Print a vulnerability report for the port in the current working directory. +Mostly useful for committers. .It Fl F Fetch the current database from the .Fx servers @@ -118,7 +125,7 @@ Print a vulnerability report for all installed packages: .Sh CAVEATS . The format of -.Pa %%DATABASEDIR%%/auditfile.tbz +.Pa %%PREFIX%%/etc/portaudit.conf might change. . . diff --git a/security/portaudit/files/portaudit.conf b/security/portaudit/files/portaudit.conf index 612d86357bd7..5b2f5363cbcf 100644 --- a/security/portaudit/files/portaudit.conf +++ b/security/portaudit/files/portaudit.conf @@ -10,10 +10,10 @@ #FETCH_ENV="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/" # default fetch command -#FETCH_CMD="/usr/bin/fetch -1am" +#FETCH_CMD="/usr/bin/fetch -1m" -# uncoment to use passive ftp, see fetch(1) -#FETCH_BEFORE_ARGS="-p" +# use passive ftp transfers with extra verbose mode, see fetch(1) +#FETCH_BEFORE_ARGS="-p -vvv" #FETCH_AFTER_ARGS= diff --git a/security/portaudit/files/portaudit.functions b/security/portaudit/files/portaudit.functions index 93437a259130..9475bfeaf805 100644 --- a/security/portaudit/files/portaudit.functions +++ b/security/portaudit/files/portaudit.functions @@ -37,8 +37,8 @@ portaudit_confs() portaudit_filename=${portaudit_filename:-"auditfile.tbz"} FETCH_ENV=${FETCH_ENV:-} - FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1am"} - FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-} + FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1m"} + FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-"-p"} FETCH_AFTER_ARGS=${FETCH_AFTER_ARGS:-} MASTER_SITES=${MASTER_SITES:-" @@ -82,12 +82,18 @@ checksum_auditfile() getcreated_auditfile() { extract_auditfile | + /usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p' +} + +gettimestamp_auditfile() +{ + extract_auditfile | /usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p' } checkexpiry_auditfile() { - created=`getcreated_auditfile` + created=`gettimestamp_auditfile` expiry=`/bin/date -u -v-$1d '+%Y%m%d'` [ "${created}" -ge "${expiry}" ]; } @@ -95,13 +101,15 @@ checkexpiry_auditfile() portaudit_prerequisites() { if [ -z "${PKG_INFO}" ]; then - if [ -x %%LOCALBASE%%/sbin/pkg_info ]; then - PKG_INFO=%%LOCALBASE%%/sbin/pkg_info + if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then + PKG_INFO="%%LOCALBASE%%/sbin/pkg_info" else - PKG_INFO=/usr/sbin/pkg_info + PKG_INFO="/usr/sbin/pkg_info" fi fi + PKG_VERSION="${PKG_INFO%/*}/pkg_version" + if [ ! -x "${PKG_INFO}" ]; then echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel" return 1 @@ -155,6 +163,36 @@ audit_installed() " } +audit_cwd() +{ + if [ ! -r "Makefile" ]; then + return 1 + fi + + PKGSTATE=`/usr/bin/make -VPKGNAME -VFORBIDDEN -VPKGORIGIN 2>/dev/null || true"` + PKGNAME=`echo "${PKGSTATE}" | /usr/bin/sed -ne '1p'` + FORBIDDEN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '2p'` + PKGORIGIN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '3p'` + + VLIST=`extract_auditfile | /usr/bin/awk -F\| " \ + /^[^#]/ { \ + if (!system(\"${PKG_VERSION} -T '${PKGNAME}' '\" \\$1 \"'\")) \ + print \"- <\" \\$2 \">\" \ + } \ + "` + + if [ -n "${VLIST}" -a -z "${FORBIDDEN}" ]; then + echo + echo "Port ${PKGNAME} (${PKGORIGIN}) should be marked FORBIDDEN:" + echo "${VLIST}" + VULCNT=$((${VULCNT}+1)) + elif $opt_verbose && [ -n "${VLIST}" ]; then + echo + echo "Good: port ${PKGNAME} (${PKGORIGIN}) is marked FORBIDDEN: ${FORBIDDEN}" + echo "${VLIST}" + fi +} + fetch_locations() { # site sort order is not overly smart @@ -204,7 +242,6 @@ fetch_auditfile() echo "fetched database corrupt." elif ! checkexpiry_auditfile 7; then echo "fetched database too old." - rc=0 else echo "new database installed." rc=0 |