update to 0.3.1:
- use passive ftp by default, don't retry on failure [1] - add a -C flag, portlint style - don't keep databases that are too old [2] Requested by: hubs [1] Noticed by: Nicolas Rachinsky <nicolas@rachinsky.de> [2]
This commit is contained in:
parent
2bcf92159e
commit
10813956a8
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=105829
@ -6,7 +6,7 @@
#
PORTNAME= portaudit
PORTVERSION= 0.3
PORTVERSION= 0.3.1
CATEGORIES= security
DISTFILES=
@ -28,7 +28,7 @@ SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \
-e 's,%%DATABASEDIR%%,${DATABASEDIR},g'
PKG_INFO_BASE?= /usr/sbin/pkg_info
BASEPKGVER!= ${PKG_INFO_BASE} -qP 2>/dev/null
BASEPKGVER!= ${PKG_INFO_BASE} -qP 2>/dev/null || ${TRUE}
.if ${BASEPKGVER} < 20040125
RUN_DEPENDS= ${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install-devel
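Review bot: Appending `|| ${TRUE}` keeps the `!=` assignment from failing when pkg_info is absent, but it also leaves BASEPKGVER empty in exactly that case, and `.if ${BASEPKGVER} < 20040125` two lines later then compares nothing against a number, which make is likely to reject as a malformed conditional rather than treat as "old". Since a missing pkg_info is the case that most needs the pkg_install-devel dependency, guard it explicitly: `.if empty(BASEPKGVER) || ${BASEPKGVER} < 20040125`. The `.if` block continues past the end of the hunk.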
@ -1,4 +1,4 @@
#!/bin/sh -ef
#!/bin/sh -e
#
# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
#
@ -35,6 +35,9 @@
portaudit_confs
opt_audit=false
opt_auditcwd=false
opt_audittree=false
opt_verbose=false
opt_version=false
opt_dbversion=false
opt_fetch=false
@ -44,25 +47,31 @@ if [ $# -eq 0 ] ; then
opt_audit=true
fi
while getopts aVdFq opt; do
while getopts aACvVdFq opt; do
case "$opt" in
a)
opt_audit=true;;
A)
opt_audittree=true;;
C)
opt_auditcwd=true;;
d)
opt_dbversion=true;;
F)
opt_fetch=true;;
q)
opt_quiet=true;;
v)
opt_verbose=true;;
V)
opt_version=true;;
?)
echo "Usage: $0 -adFqV"
echo "Usage: $0 -aACvVdFq"
exit 2;;
esac
done
shift $(($OPTIND - 1))
shift $((${OPTIND}-1))
if $opt_version; then
echo "portaudit version %%PORTVERSION%%"
@ -81,10 +90,56 @@ if $opt_dbversion; then
echo "portaudit: database corrupt."
exit 2
fi
echo "database created: `getcreated_auditfile`"
created=`getcreated_auditfile`
echo "database created: `/bin/date -j -f '%Y-%m-%d %H:%M:%S %Z' \"${created} GMT\"`"
fi
if $opt_audit; then
portaudit_prerequisites
audit_installed || true
fi
if $opt_auditcwd; then
portaudit_prerequisites
audit_cwd
fi
if $opt_audittree; then
echo "auditing ports tree for known vulnerabilities"
VULCNT=0
portaudit_prerequisites
cd "${PORTSDIR:=/usr/ports}"
CATEGORIES=`echo [a-z]*`
for category in ${CATEGORIES}; do
if [ ! -d "${PORTSDIR}/${category}" ]; then continue; fi
case "${category}" in
CVS) continue ;;
Mk) continue ;;
Templates) continue ;;
Tools) continue ;;
distfiles) continue ;;
packages) continue ;;
esac
$opt_quiet || echo "==> ${category}"
cd "${PORTSDIR}/${category}"
PORTS=`echo *`
for port in ${PORTS}; do
if [ ! -d "${PORTSDIR}/${category}/${port}" ]; then continue; fi
case "${port}" in
pkg) continue ;;
CVS) continue ;;
esac
cd "${PORTSDIR}/${category}/${port}"
audit_cwd;
done
done
echo "${VULCNT} ports with unmarked vulnerabilities."
fi
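Review bot: `audit_cwd;` inside the port loop runs under the `#!/bin/sh -e` introduced earlier in this commit, and audit_cwd (defined later in the same commit) returns 1 when the directory has no readable Makefile, so a single non-port subdirectory under a category aborts the whole `-A` walk before the `${VULCNT} ports with unmarked vulnerabilities.` summary is printed; the bare `audit_cwd` in the `-C` block likewise makes the script exit silently when run outside a port directory. Call it as `audit_cwd || true`, as the `-a` path already does with `audit_installed || true`, or report the missing Makefile and `continue`. In the `-d` branch, `created` is empty when the database header has no parseable CREATED line, and `/bin/date -j -f ...` is then asked to parse the string ` GMT`; check `[ -n "${created}" ]` before formatting and print the raw value or an error otherwise. The `echo [a-z]*` and `echo *` globs that build CATEGORIES and PORTS only work because `-f` was just dropped from the shebang; a one-line comment saying so would keep a later reader from restoring it.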
@ -43,6 +43,8 @@
.
.Nm
.Op Fl a
.Op Fl A
.Op Fl C
.Op Fl V
.Op Fl d
.Op Fl F
@ -74,6 +76,11 @@ The following options are supported:
.Bl -tag -width ".Fl X"
.It Fl a
Print a vulnerability report for all installed packages
.It Fl A
Print a vulnerability report for all ports in PORTSDIR (slow).
.It Fl C
Print a vulnerability report for the port in the current working directory.
Mostly useful for committers.
.It Fl F
Fetch the current database from the
.Fx servers
@ -118,7 +125,7 @@ Print a vulnerability report for all installed packages:
.Sh CAVEATS
.
The format of
.Pa %%DATABASEDIR%%/auditfile.tbz
.Pa %%PREFIX%%/etc/portaudit.conf
might change.
.
.
@ -10,10 +10,10 @@
#FETCH_ENV="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/"
# default fetch command
#FETCH_CMD="/usr/bin/fetch -1am"
#FETCH_CMD="/usr/bin/fetch -1m"
# uncoment to use passive ftp, see fetch(1)
#FETCH_BEFORE_ARGS="-p"
# use passive ftp transfers with extra verbose mode, see fetch(1)
#FETCH_BEFORE_ARGS="-p -vvv"
#FETCH_AFTER_ARGS=
@ -37,8 +37,8 @@ portaudit_confs()
portaudit_filename=${portaudit_filename:-"auditfile.tbz"}
FETCH_ENV=${FETCH_ENV:-}
FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1am"}
FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-}
FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1m"}
FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-"-p"}
FETCH_AFTER_ARGS=${FETCH_AFTER_ARGS:-}
MASTER_SITES=${MASTER_SITES:-"
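Review bot: `FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-"-p"}` uses `:-`, so a user who puts `FETCH_BEFORE_ARGS=""` in portaudit.conf to turn passive mode back off still gets `-p`; the only way to disable it is to set some other non-empty value. If the intent is a new default rather than a forced flag, `FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS-"-p"}` applies the default only when the variable is unset and lets an explicit empty setting win, and the commented sample line in portaudit.conf should state that `-p` is now the default. The enclosing portaudit_confs function starts before the hunk.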
@ -80,6 +80,12 @@ checksum_auditfile()
}
getcreated_auditfile()
{
extract_auditfile |
/usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p'
}
gettimestamp_auditfile()
{
extract_auditfile |
/usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'
@ -87,7 +93,7 @@ getcreated_auditfile()
checkexpiry_auditfile()
{
created=`getcreated_auditfile`
created=`gettimestamp_auditfile`
expiry=`/bin/date -u -v-$1d '+%Y%m%d'`
[ "${created}" -ge "${expiry}" ];
}
@ -95,13 +101,15 @@ checkexpiry_auditfile()
portaudit_prerequisites()
{
if [ -z "${PKG_INFO}" ]; then
if [ -x %%LOCALBASE%%/sbin/pkg_info ]; then
PKG_INFO=%%LOCALBASE%%/sbin/pkg_info
if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then
PKG_INFO="%%LOCALBASE%%/sbin/pkg_info"
else
PKG_INFO=/usr/sbin/pkg_info
PKG_INFO="/usr/sbin/pkg_info"
fi
fi
PKG_VERSION="${PKG_INFO%/*}/pkg_version"
if [ ! -x "${PKG_INFO}" ]; then
echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel"
return 1
@ -155,6 +163,36 @@ audit_installed()
"
}
audit_cwd()
{
if [ ! -r "Makefile" ]; then
return 1
fi
PKGSTATE=`/usr/bin/make -VPKGNAME -VFORBIDDEN -VPKGORIGIN 2>/dev/null || true"`
PKGNAME=`echo "${PKGSTATE}" | /usr/bin/sed -ne '1p'`
FORBIDDEN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '2p'`
PKGORIGIN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '3p'`
VLIST=`extract_auditfile | /usr/bin/awk -F\| " \
/^[^#]/ { \
if (!system(\"${PKG_VERSION} -T '${PKGNAME}' '\" \\$1 \"'\")) \
print \"- <\" \\$2 \">\" \
} \
"`
if [ -n "${VLIST}" -a -z "${FORBIDDEN}" ]; then
echo
echo "Port ${PKGNAME} (${PKGORIGIN}) should be marked FORBIDDEN:"
echo "${VLIST}"
VULCNT=$((${VULCNT}+1))
elif $opt_verbose && [ -n "${VLIST}" ]; then
echo
echo "Good: port ${PKGNAME} (${PKGORIGIN}) is marked FORBIDDEN: ${FORBIDDEN}"
echo "${VLIST}"
fi
}
fetch_locations()
{
# site sort order is not overly smart
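Review bot: The PKGSTATE assignment ends in `|| true"` followed by the closing backtick; that double quote has no opening partner, so unless it is a rendering artifact the shell reports an unterminated quoted string at that line on every run that gets past the Makefile check, and the line should end `2>/dev/null || true` directly before the backtick. Separately, the awk program shells out with `system("${PKG_VERSION} -T '${PKGNAME}' '" $1 "'")` (as seen by awk after shell expansion), so a single quote in the port's PKGNAME or in the first field of the downloaded database ends the quoted argument early and the remainder of the field is interpreted by the shell; since the database is fetched from remote mirrors, such a record should be rejected rather than trusted, e.g. an awk guard that skips records whose first field contains a single quote (`next`) ahead of the system() call, plus the same check on `${PKGNAME}` before the program is assembled. The `[ -n "${VLIST}" -a -z "${FORBIDDEN}" ]` test reads more clearly as two `[ ]` tests joined with `&&`. audit_installed, which presumably uses the same system() construct, is outside the hunk and should be hardened in step.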
@ -204,7 +242,6 @@ fetch_auditfile()
echo "fetched database corrupt."
elif ! checkexpiry_auditfile 7; then
echo "fetched database too old."
rc=0
else
echo "new database installed."
rc=0
@ -6,7 +6,7 @@
#
PORTNAME= portaudit
PORTVERSION= 0.3
PORTVERSION= 0.3.1
CATEGORIES= security
DISTFILES=
@ -28,7 +28,7 @@ SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \
-e 's,%%DATABASEDIR%%,${DATABASEDIR},g'
PKG_INFO_BASE?= /usr/sbin/pkg_info
BASEPKGVER!= ${PKG_INFO_BASE} -qP 2>/dev/null
BASEPKGVER!= ${PKG_INFO_BASE} -qP 2>/dev/null || ${TRUE}
.if ${BASEPKGVER} < 20040125
RUN_DEPENDS= ${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install-devel
@ -1,4 +1,4 @@
#!/bin/sh -ef
#!/bin/sh -e
#
# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
#
@ -35,6 +35,9 @@
portaudit_confs
opt_audit=false
opt_auditcwd=false
opt_audittree=false
opt_verbose=false
opt_version=false
opt_dbversion=false
opt_fetch=false
@ -44,25 +47,31 @@ if [ $# -eq 0 ] ; then
opt_audit=true
fi
while getopts aVdFq opt; do
while getopts aACvVdFq opt; do
case "$opt" in
a)
opt_audit=true;;
A)
opt_audittree=true;;
C)
opt_auditcwd=true;;
d)
opt_dbversion=true;;
F)
opt_fetch=true;;
q)
opt_quiet=true;;
v)
opt_verbose=true;;
V)
opt_version=true;;
?)
echo "Usage: $0 -adFqV"
echo "Usage: $0 -aACvVdFq"
exit 2;;
esac
done
shift $(($OPTIND - 1))
shift $((${OPTIND}-1))
if $opt_version; then
echo "portaudit version %%PORTVERSION%%"
@ -81,10 +90,56 @@ if $opt_dbversion; then
echo "portaudit: database corrupt."
exit 2
fi
echo "database created: `getcreated_auditfile`"
created=`getcreated_auditfile`
echo "database created: `/bin/date -j -f '%Y-%m-%d %H:%M:%S %Z' \"${created} GMT\"`"
fi
if $opt_audit; then
portaudit_prerequisites
audit_installed || true
fi
if $opt_auditcwd; then
portaudit_prerequisites
audit_cwd
fi
if $opt_audittree; then
echo "auditing ports tree for known vulnerabilities"
VULCNT=0
portaudit_prerequisites
cd "${PORTSDIR:=/usr/ports}"
CATEGORIES=`echo [a-z]*`
for category in ${CATEGORIES}; do
if [ ! -d "${PORTSDIR}/${category}" ]; then continue; fi
case "${category}" in
CVS) continue ;;
Mk) continue ;;
Templates) continue ;;
Tools) continue ;;
distfiles) continue ;;
packages) continue ;;
esac
$opt_quiet || echo "==> ${category}"
cd "${PORTSDIR}/${category}"
PORTS=`echo *`
for port in ${PORTS}; do
if [ ! -d "${PORTSDIR}/${category}/${port}" ]; then continue; fi
case "${port}" in
pkg) continue ;;
CVS) continue ;;
esac
cd "${PORTSDIR}/${category}/${port}"
audit_cwd;
done
done
echo "${VULCNT} ports with unmarked vulnerabilities."
fi
@ -43,6 +43,8 @@
.
.Nm
.Op Fl a
.Op Fl A
.Op Fl C
.Op Fl V
.Op Fl d
.Op Fl F
@ -74,6 +76,11 @@ The following options are supported:
.Bl -tag -width ".Fl X"
.It Fl a
Print a vulnerability report for all installed packages
.It Fl A
Print a vulnerability report for all ports in PORTSDIR (slow).
.It Fl C
Print a vulnerability report for the port in the current working directory.
Mostly useful for committers.
.It Fl F
Fetch the current database from the
.Fx servers
@ -118,7 +125,7 @@ Print a vulnerability report for all installed packages:
.Sh CAVEATS
.
The format of
.Pa %%DATABASEDIR%%/auditfile.tbz
.Pa %%PREFIX%%/etc/portaudit.conf
might change.
.
.
@ -10,10 +10,10 @@
#FETCH_ENV="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/"
# default fetch command
#FETCH_CMD="/usr/bin/fetch -1am"
#FETCH_CMD="/usr/bin/fetch -1m"
# uncoment to use passive ftp, see fetch(1)
#FETCH_BEFORE_ARGS="-p"
# use passive ftp transfers with extra verbose mode, see fetch(1)
#FETCH_BEFORE_ARGS="-p -vvv"
#FETCH_AFTER_ARGS=
@ -37,8 +37,8 @@ portaudit_confs()
portaudit_filename=${portaudit_filename:-"auditfile.tbz"}
FETCH_ENV=${FETCH_ENV:-}
FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1am"}
FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-}
FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1m"}
FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-"-p"}
FETCH_AFTER_ARGS=${FETCH_AFTER_ARGS:-}
MASTER_SITES=${MASTER_SITES:-"
@ -80,6 +80,12 @@ checksum_auditfile()
}
getcreated_auditfile()
{
extract_auditfile |
/usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p'
}
gettimestamp_auditfile()
{
extract_auditfile |
/usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'
@ -87,7 +93,7 @@ getcreated_auditfile()
checkexpiry_auditfile()
{
created=`getcreated_auditfile`
created=`gettimestamp_auditfile`
expiry=`/bin/date -u -v-$1d '+%Y%m%d'`
[ "${created}" -ge "${expiry}" ];
}
@ -95,13 +101,15 @@ checkexpiry_auditfile()
portaudit_prerequisites()
{
if [ -z "${PKG_INFO}" ]; then
if [ -x %%LOCALBASE%%/sbin/pkg_info ]; then
PKG_INFO=%%LOCALBASE%%/sbin/pkg_info
if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then
PKG_INFO="%%LOCALBASE%%/sbin/pkg_info"
else
PKG_INFO=/usr/sbin/pkg_info
PKG_INFO="/usr/sbin/pkg_info"
fi
fi
PKG_VERSION="${PKG_INFO%/*}/pkg_version"
if [ ! -x "${PKG_INFO}" ]; then
echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel"
return 1
@ -155,6 +163,36 @@ audit_installed()
"
}
audit_cwd()
{
if [ ! -r "Makefile" ]; then
return 1
fi
PKGSTATE=`/usr/bin/make -VPKGNAME -VFORBIDDEN -VPKGORIGIN 2>/dev/null || true"`
PKGNAME=`echo "${PKGSTATE}" | /usr/bin/sed -ne '1p'`
FORBIDDEN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '2p'`
PKGORIGIN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '3p'`
VLIST=`extract_auditfile | /usr/bin/awk -F\| " \
/^[^#]/ { \
if (!system(\"${PKG_VERSION} -T '${PKGNAME}' '\" \\$1 \"'\")) \
print \"- <\" \\$2 \">\" \
} \
"`
if [ -n "${VLIST}" -a -z "${FORBIDDEN}" ]; then
echo
echo "Port ${PKGNAME} (${PKGORIGIN}) should be marked FORBIDDEN:"
echo "${VLIST}"
VULCNT=$((${VULCNT}+1))
elif $opt_verbose && [ -n "${VLIST}" ]; then
echo
echo "Good: port ${PKGNAME} (${PKGORIGIN}) is marked FORBIDDEN: ${FORBIDDEN}"
echo "${VLIST}"
fi
}
fetch_locations()
{
# site sort order is not overly smart
@ -204,7 +242,6 @@ fetch_auditfile()
echo "fetched database corrupt."
elif ! checkexpiry_auditfile 7; then
echo "fetched database too old."
rc=0
else
echo "new database installed."
rc=0