mirror of
https://git.freebsd.org/ports.git
synced 2025-07-17 17:29:23 -04:00
Check installed packages for vulnerabilities recorded in the CVE database.
Approved by: antoine (mentor)
This commit is contained in:
Stefan Eßer
parent
a0e2d97661
commit
7bd275a7c6
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=451847
6 changed files with 132 additions and 0 deletions
47
security/cvechecker/Makefile
Normal file
47
security/cvechecker/Makefile
Normal file
|
|
@ -0,0 +1,47 @@
|
|||
# Created by: Stefan Esser <se@FreeBSD.org>
|
||||
# $FreeBSD$
|
||||
|
||||
PORTNAME= cvechecker
|
||||
PORTVERSION= 3.8
|
||||
CATEGORIES= security
|
||||
|
||||
MAINTAINER= se@FreeBSD.org
|
||||
COMMENT= Check CVE database for vulnerabilities affecting installed packages
|
||||
|
||||
LICENSE= GPLv3
|
||||
|
||||
LIB_DEPENDS= libargp.so:devel/argp-standalone \
|
||||
libconfig.so:devel/libconfig
|
||||
RUN_DEPENDS= bash:shells/bash
|
||||
|
||||
MAKE_ENV+= LDADD=-largp
|
||||
|
||||
USES= autoreconf pkgconfig shebangfix
|
||||
|
||||
SHEBANG_FILES= scripts/cverules scripts/cvegenversdat
|
||||
|
||||
GNU_CONFIGURE= yes
|
||||
CONFIGURE_ARGS= --localstatedir=/var/db
|
||||
|
||||
bash_OLD_CMD+= /bin/sh
|
||||
|
||||
OPTIONS_MULTI= DB
|
||||
OPTIONS_MULTI_DB= MYSQL SQLITE
|
||||
OPTIONS_DEFAULT= SQLITE
|
||||
DB_DESC= CVE Database
|
||||
|
||||
MYSQL_USES= mysql ssl
|
||||
MYSQL_CONFIGURE_ENABLE= mysql
|
||||
|
||||
SQLITE_USES= sqlite
|
||||
SQLITE_CONFIGURE_ENABLE= sqlite3
|
||||
|
||||
USE_GITHUB= yes
|
||||
GH_ACCOUNT= sjvermeu
|
||||
GH_PROJECT= cvechecker
|
||||
GH_TAGNAME= v${PORTVERSION}
|
||||
|
||||
post-stage:
|
||||
${MV} ${STAGEDIR}${PREFIX}/etc/cvechecker.conf ${STAGEDIR}${PREFIX}/etc/cvechecker.conf.sample
|
||||
|
||||
.include <bsd.port.mk>
|
||||
3
security/cvechecker/distinfo
Normal file
3
security/cvechecker/distinfo
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
TIMESTAMP = 1507628153
|
||||
SHA256 (sjvermeu-cvechecker-3.8-v3.8_GH0.tar.gz) = 53a2f0edab34ea75d3d33b8c840f27c60464f0433c2b82bc8b02298306c53268
|
||||
SIZE (sjvermeu-cvechecker-3.8-v3.8_GH0.tar.gz) = 3329220
|
||||
37
security/cvechecker/files/patch-scripts_cverules
Normal file
37
security/cvechecker/files/patch-scripts_cverules
Normal file
|
|
@ -0,0 +1,37 @@
|
|||
--- scripts/cverules.orig 2017-10-11 10:44:44 UTC
|
||||
+++ scripts/cverules
|
||||
@@ -19,26 +19,11 @@ then
|
||||
fi
|
||||
|
||||
|
||||
-if [ -f /etc/gentoo-release ];
|
||||
-then
|
||||
- cd /var/db/pkg;
|
||||
- for CAT in *;
|
||||
- do
|
||||
- cd ${CAT};
|
||||
- for PKG in *;
|
||||
- do
|
||||
- echo "!!!! Checking ${PKG}";
|
||||
- typeset PKGNAME=$(echo ${PKG} | sed -e 's:\(.*\)-[0-9][0-9]*.*:\1:g');
|
||||
- typeset PKGVERSION=$(echo ${PKG} | sed -e 's:.*-\([0-9][0-9]*.*\):\1:g' | sed -e 's:-r[0-9]*$::g' | sed -e 's:\.:\\.:g');
|
||||
- export IGNORESTRINGS="tmp/portage";
|
||||
- qlist ${PKG} | egrep '(bin/|\.so)' | cvegenversdat ${PKGNAME} ${PKGVERSION} ${CONFFILE} breakon;
|
||||
- done
|
||||
- cd ..
|
||||
- done
|
||||
-else
|
||||
- echo "Could not deduce if this system is a supported distribution or platform.";
|
||||
- echo "Currently supported platforms are: Gentoo."
|
||||
- echo "If you wish to help expand the supported distributions or platforms, please";
|
||||
- echo "do not hesitate to contact the author at sven.vermeulen@siphos.be.";
|
||||
- exit 1;
|
||||
-fi
|
||||
+for PKG in $(pkg info -q)
|
||||
+do
|
||||
+ echo "!!!! Checking ${PKG}"
|
||||
+ set -- $(echo ${PKG} | sed -e 's:,[0-9][0-9]*$::; s:_[0-9][0-9]*$::; s:\(.*\)-r\{0,1\}\([0-9][0-9]*.*\):\1 \2:; s:\.:\\.:g')
|
||||
+ PKGNAME=$1
|
||||
+ PKGVERSION=$2
|
||||
+ pkg list ${PKG} | egrep '(/bin/|/sbin/|/libexec/|\.so\.|\.so$)' | cvegenversdat ${PKGNAME} ${PKGVERSION} ${CONFFILE} breakon
|
||||
+done
|
||||
13
security/cvechecker/pkg-deinstall
Normal file
13
security/cvechecker/pkg-deinstall
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
#!/bin/sh
|
||||
|
||||
[ "$2" = DEINSTALL ] && cat <<***EOM
|
||||
------------------------------------------------------------------------------
|
||||
|
||||
If you are no longer using the $1 port, then manually delete
|
||||
the following directory:
|
||||
|
||||
/var/db/cvechecker
|
||||
|
||||
------------------------------------------------------------------------------
|
||||
***EOM
|
||||
exit 0
|
||||
11
security/cvechecker/pkg-descr
Normal file
11
security/cvechecker/pkg-descr
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
------------------------------------------------------------------------------
|
||||
The goal of cvechecker is to report about possible vulnerabilities on your
|
||||
system, by scanning a list of installed software and matching results with
|
||||
the CVE database.
|
||||
|
||||
This is not a bullet-proof method and you may have many false positives (ie:
|
||||
vulnerability is fixed with a revision-release, but the tool isn't able to
|
||||
detect the revision itself), yet it is still better than nothing, especially
|
||||
if you are running a distribution with little security coverage.
|
||||
|
||||
WWW: https://github.com/sjvermeu/cvechecker/wiki
|
||||
21
security/cvechecker/pkg-plist
Normal file
21
security/cvechecker/pkg-plist
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
bin/cvechecker
|
||||
bin/cvegenversdat
|
||||
bin/cvereport
|
||||
bin/cverules
|
||||
bin/pullcves
|
||||
@sample %%ETCDIR%%.conf.sample
|
||||
man/man1/cvechecker.1.gz
|
||||
man/man1/cvegenversdat.1.gz
|
||||
man/man1/cvereport.1.gz
|
||||
man/man1/cverules.1.gz
|
||||
man/man1/pullcves.1.gz
|
||||
%%DATADIR%%/csv2xml.awk
|
||||
%%DATADIR%%/cvereport.xsl
|
||||
%%DATADIR%%/mysql_cvechecker.sql
|
||||
%%DATADIR%%/nvdcve2simple.xsl
|
||||
%%DATADIR%%/report.css
|
||||
%%PORTDOCS%%%%DOCSDIR%%/acknowledgements.xml
|
||||
%%PORTDOCS%%%%DOCSDIR%%/userguide.xml
|
||||
@dir /var/db/cvechecker/cache
|
||||
@dir /var/db/cvechecker/local
|
||||
@dir /var/db/cvechecker
|
||||
Loading…
Add table
Reference in a new issue