Date:      Thu, 12 Oct 2017 11:00:50 +0000 (UTC)
From:      Stefan Esser <se@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r451847 - in head/security/cvechecker: . files
Message-ID:  <201710121100.v9CB0oUj032087@repo.freebsd.org>

Author: se
Date: Thu Oct 12 11:00:49 2017
New Revision: 451847
URL: https://svnweb.freebsd.org/changeset/ports/451847

Log:
  Check installed packages for vulnerabilities recorded in the CVE database.
  
  Approved by:	antoine (mentor)

Added:
  head/security/cvechecker/
  head/security/cvechecker/Makefile   (contents, props changed)
  head/security/cvechecker/distinfo   (contents, props changed)
  head/security/cvechecker/files/
  head/security/cvechecker/files/patch-scripts_cverules   (contents, props changed)
  head/security/cvechecker/pkg-deinstall   (contents, props changed)
  head/security/cvechecker/pkg-descr   (contents, props changed)
  head/security/cvechecker/pkg-plist   (contents, props changed)

Added: head/security/cvechecker/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cvechecker/Makefile	Thu Oct 12 11:00:49 2017	(r451847)
@@ -0,0 +1,47 @@
+# Created by: Stefan Esser <se@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME=	cvechecker
+PORTVERSION=	3.8
+CATEGORIES=	security
+
+MAINTAINER=	se@FreeBSD.org
+COMMENT=	Check CVE database for vulnerabilities affecting installed packages
+
+LICENSE=	GPLv3
+
+LIB_DEPENDS=	libargp.so:devel/argp-standalone \
+		libconfig.so:devel/libconfig
+RUN_DEPENDS=	bash:shells/bash
+
+MAKE_ENV+=	LDADD=-largp
+
+USES=		autoreconf pkgconfig shebangfix
+
+SHEBANG_FILES=	scripts/cverules scripts/cvegenversdat
+
+GNU_CONFIGURE=	yes
+CONFIGURE_ARGS=	--localstatedir=/var/db
+
+bash_OLD_CMD+=	/bin/sh
+
+OPTIONS_MULTI=			DB
+OPTIONS_MULTI_DB=		MYSQL SQLITE
+OPTIONS_DEFAULT=		SQLITE
+DB_DESC=			CVE Database
+
+MYSQL_USES=			mysql ssl
+MYSQL_CONFIGURE_ENABLE=		mysql
+
+SQLITE_USES=			sqlite
+SQLITE_CONFIGURE_ENABLE=	sqlite3
+
+USE_GITHUB=	yes
+GH_ACCOUNT=	sjvermeu
+GH_PROJECT=	cvechecker
+GH_TAGNAME=	v${PORTVERSION}
+
+post-stage:
+		${MV} ${STAGEDIR}${PREFIX}/etc/cvechecker.conf ${STAGEDIR}${PREFIX}/etc/cvechecker.conf.sample
+
+.include <bsd.port.mk>
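Review bot: The two non-obvious knobs in this file carry no why-comment, so the next maintainer has to rediscover the reason for `bash_OLD_CMD+= /bin/sh` and `MAKE_ENV+= LDADD=-largp`. For the shebang line I would add `# scripts carry a /bin/sh shebang but need bash (hence RUN_DEPENDS); rewrite it` — the bash requirement is presumably why `RUN_DEPENDS` pulls in shells/bash, worth confirming against the upstream scripts. For the linker line, `# argp is not in FreeBSD libc; link the argp-standalone library from LIB_DEPENDS` ties it to the dependency declared above. The `post-stage` recipe is indented with two tabs where one is the convention in the tree; harmless to bsd.port.mk, but a single tab would match the other ports.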

Added: head/security/cvechecker/distinfo
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cvechecker/distinfo	Thu Oct 12 11:00:49 2017	(r451847)
@@ -0,0 +1,3 @@
+TIMESTAMP = 1507628153
+SHA256 (sjvermeu-cvechecker-3.8-v3.8_GH0.tar.gz) = 53a2f0edab34ea75d3d33b8c840f27c60464f0433c2b82bc8b02298306c53268
+SIZE (sjvermeu-cvechecker-3.8-v3.8_GH0.tar.gz) = 3329220

Added: head/security/cvechecker/files/patch-scripts_cverules
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cvechecker/files/patch-scripts_cverules	Thu Oct 12 11:00:49 2017	(r451847)
@@ -0,0 +1,37 @@
+--- scripts/cverules.orig	2017-10-11 10:44:44 UTC
++++ scripts/cverules
+@@ -19,26 +19,11 @@ then
+ fi
+ 
+ 
+-if [ -f /etc/gentoo-release ];
+-then
+-	cd /var/db/pkg;
+-	for CAT in *;
+-	do
+-		cd ${CAT};
+-		for PKG in *;
+-		do
+-			echo "!!!! Checking ${PKG}";
+-			typeset PKGNAME=$(echo ${PKG} | sed -e 's:\(.*\)-[0-9][0-9]*.*:\1:g');
+-			typeset PKGVERSION=$(echo ${PKG} | sed -e 's:.*-\([0-9][0-9]*.*\):\1:g' | sed -e 's:-r[0-9]*$::g' | sed -e 's:\.:\\.:g');
+-			export IGNORESTRINGS="tmp/portage";
+-			qlist ${PKG} | egrep '(bin/|\.so)' | cvegenversdat ${PKGNAME} ${PKGVERSION} ${CONFFILE} breakon;
+-		done
+-		cd ..
+-	done
+-else
+-	echo "Could not deduce if this system is a supported distribution or platform.";
+-	echo "Currently supported platforms are: Gentoo."
+-	echo "If you wish to help expand the supported distributions or platforms, please";
+-	echo "do not hesitate to contact the author at sven.vermeulen@siphos.be.";
+-	exit 1;
+-fi
++for PKG in $(pkg info -q)
++do
++	echo "!!!! Checking ${PKG}"
++	set -- $(echo ${PKG} | sed -e 's:,[0-9][0-9]*$::; s:_[0-9][0-9]*$::; s:\(.*\)-r\{0,1\}\([0-9][0-9]*.*\):\1 \2:; s:\.:\\.:g')
++	PKGNAME=$1
++	PKGVERSION=$2
++	pkg list ${PKG} | egrep '(/bin/|/sbin/|/libexec/|\.so\.|\.so$)' | cvegenversdat ${PKGNAME} ${PKGVERSION} ${CONFFILE} breakon
++done
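Review bot: The final `s:\.:\\.:g` in the replacement `sed` pipeline runs on the whole name/version line, so an installed package whose name contains a dot gets its name regex-escaped as well; the removed Gentoo code escaped only PKGVERSION, and if cvegenversdat treats the name literally this changes what it is given. Escaping the version alone keeps the original contract: `set -- $(echo ${PKG} | sed -e 's:,[0-9][0-9]*$::; s:_[0-9][0-9]*$::; s:\(.*\)-r\{0,1\}\([0-9][0-9]*.*\):\1 \2:')`, `PKGNAME=$1`, `PKGVERSION=$(echo "$2" | sed -e 's:\.:\\.:g')`. A short comment above the `set --` line spelling out the three steps (strip epoch, strip portrevision, split name from version at the last `-digit`) would also save the next reader from decoding the expression. The script continues outside the hunk in both directions: the `fi` at the top closes an earlier conditional, and `${CONFFILE}` is presumably set there, so I could not check that it is always non-empty when the loop runs.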

Added: head/security/cvechecker/pkg-deinstall
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cvechecker/pkg-deinstall	Thu Oct 12 11:00:49 2017	(r451847)
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+[ "$2" = DEINSTALL ] && cat <<***EOM
+------------------------------------------------------------------------------
+
+If you are no longer using the $1 port, then manually delete
+the following directory:
+
+	/var/db/cvechecker
+
+------------------------------------------------------------------------------
+***EOM
+exit 0
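Review bot: The deinstall message tells the user to delete `/var/db/cvechecker` by hand, but the pkg-plist in this same commit declares `@dir /var/db/cvechecker` and its `cache` and `local` subdirectories, so pkg should already remove them when they are empty and only leave them behind when they still hold data. The message would be accurate if it said so, e.g. `If /var/db/cvechecker still holds cached CVE data after deinstallation, delete it manually.`. The path is also duplicated here and in the Makefile's `--localstatedir=/var/db`; if either ever changes, the message silently goes stale, which a one-line comment next to the `cat` (`# keep in sync with --localstatedir in the Makefile`) would at least flag.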

Added: head/security/cvechecker/pkg-descr
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cvechecker/pkg-descr	Thu Oct 12 11:00:49 2017	(r451847)
@@ -0,0 +1,11 @@
+------------------------------------------------------------------------------
+The goal of cvechecker is to report about possible vulnerabilities on your
+system, by scanning a list of installed software and matching results with
+the CVE database.
+
+This is not a bullet-proof method and you may have many false positives (ie:
+vulnerability is fixed with a revision-release, but the tool isn't able to
+detect the revision itself), yet it is still better than nothing, especially
+if you are running a distribution with little security coverage.
+
+WWW: https://github.com/sjvermeu/cvechecker/wiki

Added: head/security/cvechecker/pkg-plist
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cvechecker/pkg-plist	Thu Oct 12 11:00:49 2017	(r451847)
@@ -0,0 +1,21 @@
+bin/cvechecker
+bin/cvegenversdat
+bin/cvereport
+bin/cverules
+bin/pullcves
+@sample %%ETCDIR%%.conf.sample
+man/man1/cvechecker.1.gz
+man/man1/cvegenversdat.1.gz
+man/man1/cvereport.1.gz
+man/man1/cverules.1.gz
+man/man1/pullcves.1.gz
+%%DATADIR%%/csv2xml.awk
+%%DATADIR%%/cvereport.xsl
+%%DATADIR%%/mysql_cvechecker.sql
+%%DATADIR%%/nvdcve2simple.xsl
+%%DATADIR%%/report.css
+%%PORTDOCS%%%%DOCSDIR%%/acknowledgements.xml
+%%PORTDOCS%%%%DOCSDIR%%/userguide.xml
+@dir /var/db/cvechecker/cache
+@dir /var/db/cvechecker/local
+@dir /var/db/cvechecker


