Change the code generation README.html to use the new

"pkg_admin audit-history" command to print the full list of
vulnerabilities and use further pkg_admin pmatch logic to mark them as
fixed or still open. For pkg_install versions before 20080415, skip the
vulnerability processing.

Discussed with: dmcmahill

3 files changed, 47 insertions, 103 deletions

diff --git a/mk/bsd.pkg.readme.mk b/mk/bsd.pkg.readme.mk
index 1a56ccfddc1..25b0e038473 100644
--- a/mk/bsd.pkg.readme.mk
+++ b/mk/bsd.pkg.readme.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.pkg.readme.mk,v 1.19 2008/03/15 16:27:42 joerg Exp $
+# $NetBSD: bsd.pkg.readme.mk,v 1.20 2008/04/18 14:26:36 joerg Exp $
 #
 # This Makefile fragment is included by bsd.pkg.mk and encapsulates the
 # code to produce README.html files in each package directory.
@@ -230,21 +230,6 @@ SED_HOMEPAGE_EXPR=	-e 's|%%HOMEPAGE%%|<p>This package has a home page at <a HREF
 SED_HOMEPAGE_EXPR=	-e 's|%%HOMEPAGE%%||'
 .endif
 
-.PHONY: show-vulnerabilities-html
-show-vulnerabilities-html:
-	${RUN}					\
-	_PKGVULNDIR=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`; \
-	if [ -f $$_PKGVULNDIR/pkg-vulnerabilities ]; then	\
-		${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -n ${PKGNAME} 2>&1| ${AWK} \
-			'{ printurl = $$8;			\
-				gsub("\<", "\\&lt;", $$2);		\
-			gsub("\>", "\\&gt;", $$2);		\
-			gsub("\<", "\\&lt;", printurl);		\
-			gsub("\>", "\\&gt;", printurl);		\
-			gsub("\&", "\\&amp;", printurl);	\
-			printf("<LI><STRONG>%s has a %s exploit (see <a href=\"%s\">%s</a> for more details)</STRONG></LI>\n", $$2, $$5, $$8, printurl) }'; \
-	fi
-
 # If PACKAGES is set to the default (../../packages), the current
 # ${MACHINE_ARCH} and "release" (uname -r) will be used. Otherwise a directory
 # structure of ...pkgsrc/packages/`uname -r`/${MACHINE_ARCH} is assumed.
@@ -265,22 +250,31 @@ README.html: .PRECIOUS
 		esac;							\
 		cd ${.CURDIR} ;						\
 	fi;								\
-	_PVDIR=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`; \
+	if [ `${PKG_ADMIN} -V` -lt 20080415 ]; then			\
+		SCAN_VULNERABILITIES=0;					\
+	else								\
+	_PVDIR=`${PKG_ADMIN} config-var PKGVULNDIR`;			\
+	if [ -e "$${_PVDIR}"/pkg-vulnerabilities ]; then		\
+		SCAN_VULNERABILITIES=2;					\
+	else								\
+		SCAN_VULNERABILITIES=1;					\
+	fi;								\
+	fi;								\
 	${AWK} -f ../../mk/scripts/genreadme.awk \
 		builddependsfile=/dev/null \
 		dependsfile=/dev/null \
-		AUDIT_PACKAGES=${AUDIT_PACKAGES:Q} \
 		AWK=${AWK:Q} \
 		CMP=${CMP:Q} \
 		DISTDIR=${DISTDIR:Q} \
 		GREP=${GREP:Q} \
 		PACKAGES=${PACKAGES:Q} \
+		PKG_ADMIN=${PKG_ADMIN:Q} \
 		PKG_INFO=${PKG_INFO:Q} \
 		PKG_SUFX=${PKG_SUFX:Q} \
 		PKG_URL=${PKG_URL:Q} \
 		PKGSRCDIR=${.CURDIR:C|/[^/]*/[^/]*$||:Q} \
-		PVDIR=$$_PVDIR \
 		PKGTOOLS_VERSION=${PKGTOOLS_VERSION} \
+		SCAN_VULNERABILITIES=$${SCAN_VULNERABILITIES} \
 		SED=${SED:Q} \
 		SETENV=${SETENV:Q} \
 		SORT=${SORT:Q} \
diff --git a/mk/scripts/genreadme.awk b/mk/scripts/genreadme.awk
index ce70a884fc7..02c02339c98 100755
--- a/mk/scripts/genreadme.awk
+++ b/mk/scripts/genreadme.awk
@@ -1,5 +1,5 @@
 #!/usr/bin/awk -f
-# $NetBSD: genreadme.awk,v 1.31 2008/03/15 16:27:43 joerg Exp $
+# $NetBSD: genreadme.awk,v 1.32 2008/04/18 14:26:37 joerg Exp $
 #
 # Copyright (c) 2002, 2003, 2005, 2006 The NetBSD Foundation, Inc.
 # All rights reserved.
@@ -255,55 +255,11 @@ END {
 	}
 	close(builddependsfile);
 
-	vfile = PVDIR "/pkg-vulnerabilities";
-
 # extract date for vulnerabilities file
-	cmd = "ls -l " vfile;
-	if ((cmd | getline) > 0) {
-		vuldate = sprintf("at %s %s %s\n",$6,$7,$8);
-# read the vulnerabilities file
-		printf("Reading vulnerability file \"%s\"\n which was updated %s\n",
-		       vfile, vuldate);
-		i = 1;
-		vul_major = 0;
-		vul_minor = 0;
-		vul_teeny = 0;
-		while((getline < vfile) > 0) {
-			if( $0 ~ /#FORMAT/ ) {
-			  split($2, vul_format, ".");
-			  vul_major = vul_format[1];
-			  vul_minor = vul_format[2];
-			  vul_teeny = vul_format[3];
-			}
-			if ( $0 ~ /^-----BEGIN PGP SIGNATURE-----.*/ ) {
-				break;
-			}
-			if ( ( $0 !~ /^\#/ ) &&
-			     ( $0 !~ /^Hash:.*/ ) &&
-			     ( $0 !~ /^-----BEGIN PGP SIGNED.*/ ) &&
-			     ( $0 != "" ) ) {
-				vulpkg[i] = $1;
-				vultype[i] = $2;
-				vulref[i] = $3;
-				i = i + 1;
-			}
-		}
-		if( (vul_major > 1) ||
-		    (vul_minor > 1) ||
-		    (vul_teeny > 0) ) {
-			printf("Version %d.%d.%d of the vulnerability file is out of sync with",
-				vul_major, vul_minor, vul_teeny);
-			printf("the genreadme.awk script\n");
-		}
-		printf("   Loaded %d vulnerabilities\n", i - 1);
-		close(vfile);
-		have_vfile = 1;
-	} else {
+	if (SCAN_VULNERABILITIES == 0)
+		vuldate="<TR><TD><I>(no vulnerabilities list, update pkg_install)</I>";
+	else if (SCAN_VULNERABILITIES == 1)
 		vuldate="<TR><TD><I>(no vulnerabilities list available)</I>";
-		printf("No vulnerability file found (%s).\n", vfile);
-		have_vfile = 0;
-	}
-	close(cmd);
 
 	if (SINGLEPKG != "" ) {
 		printf("Only creating README for %s\n",SINGLEPKG);
@@ -372,28 +328,28 @@ END {
 			if (debug) printf("wrote = %d entries to \"%s\"\n",
 					  i-1, htmldeps_file);
 
-# XXX: Post pkg_install-20070714 only currently known vulnerabilities are
-# XXX: shown in the generated README.html files for packages.
-
 			vul = "";
 
-			if (have_vfile) {
-				pkg = pkgdir2name[toppkg];
-
-				if (debug) {
-				  printf("Checking for %s (%s) vulnerabilities\n",
-					 toppkg, pkg);
-				}
-
-				cmd = sprintf("%s -n %s", AUDIT_PACKAGES, pkg);
+			if (SCAN_VULNERABILITIES == 2) {
+				pkgbase = pkgdir2name[toppkg];
+				sub("-[^-]*$", "", pkgbase);
+				cmd = sprintf("%s audit-history %s", PKG_ADMIN, pkgbase);
 				while (cmd | getline vuln_entry) {
 					split(vuln_entry, entry, " ");
-					vul =  sprintf("%s<LI><STRONG>%s has a <a href=\"%s\">%s</a> vulnerability</STRONG></LI>\n",
-						  vul, pkg, entry[8], entry[5]);
+					status_cmd = sprintf("if %s pmatch '%s' %s; then echo open; else echo fixed; fi",
+					    PKG_ADMIN, entry[1], pkgdir2name[toppkg]);
+					status_cmd | getline status
+					close(status_cmd)
+					if (status == "open")
+						status = "an <STRONG>OPEN</STRONG>";
+					else
+						status = "a " status;
+					vul =  sprintf("%s<LI>%s <a href=\"%s\">%s</a> vulnerability</LI>\n",
+					  vul, status, entry[3], entry[2]);
 				}
 				close(cmd);
 
-				if ( vul == "" ){
+				if ( vul == "" ) {
 					vul="<I>(no vulnerabilities known)</I>";
 				}
 			}
diff --git a/mk/scripts/mkreadme b/mk/scripts/mkreadme
index 1f40258b56a..1728ee6881f 100755
--- a/mk/scripts/mkreadme
+++ b/mk/scripts/mkreadme
@@ -1,5 +1,5 @@
 #!/bin/sh
-# $NetBSD: mkreadme,v 1.22 2008/03/15 16:27:43 joerg Exp $
+# $NetBSD: mkreadme,v 1.23 2008/04/18 14:26:37 joerg Exp $
 #
 # Script for README.html generation
 #
@@ -63,7 +63,6 @@ usage(){
     echo "                  [-P|--packages directory] [-r|--restart] "
     echo "                  [-s|--summary]"
     echo "                  [-S|--save-database]"
-    echo "                  [-V|--pkg-vuln directory]"
     echo " "
     echo "            $prog -h|--help"
     echo " "
@@ -99,9 +98,6 @@ usage(){
     echo "                      This is useful for debugging or re-running this script"
     echo "                      with the -r option."
     echo " "
-    echo "  -V|--pkg-vuln dir   Specify the pkg-vulnerability directory."
-    echo "                      Defaults to the value of the DISTDIR."
-    echo " "
     echo "  -v|--version        Displays the version of this script and exits."
     echo " "
     echo "Example:    $prog -p /pub/NetBSD/packages/pkgsrc -P /pub/NetBSD/packages -f"
@@ -210,13 +206,6 @@ do
 	exit 0
         ;;
 
-    # Specify pkg-vulnerability directory
-    -V|--pkg-vuln)
-	PVDIR=$2
-	pv=custom
-	shift 2
-	;;
-
     -*) echo "$prog:  ERROR:  $1 is not a valid option"
 	usage
 	clean_and_exit
@@ -303,14 +292,19 @@ else
     exit 1
 fi
 
-# this needs to happen here as the variables referenced have not been
-# populated until this stage (see above)
-#
-if [ "$pv" = "default" ]; then
-    PVDIR=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`
+if [ `${PKG_ADMIN} -V` -lt 20080415 ]; then
+	SCAN_VULNERABILITIES=0
+	echo "---->  NOT checking for vulnerabilities, pkg_install too old"
+else
+	_PVDIR=`${PKG_ADMIN} config-var PKGVULNDIR`;
+	if [ -e "${_PVDIR}"/pkg-vulnerabilities ]; then
+		SCAN_VULNERABILITIES=2
+		echo "---->  Checking for vulnerabilities"
+	else
+		SCAN_VULNERABILITIES=1
+		echo "---->  NOT checking for vulnerabilities"
+	fi
 fi
-echo "---->  PVDIR=\"${PVDIR}\""
-
 
 ######################################################################
 #
@@ -432,7 +426,6 @@ ${AWK} -f ${PKGSRCDIR}/mk/scripts/genreadme.awk  \
     debug=$debug \
     dependsfile=${TMPDIR}/pkgsrc.depends.debug \
     summary=${summary} \
-    AUDIT_PACKAGES=$AUDIT_PACKAGES \
     AWK=$AWK \
     CMP=$CMP \
     DISTDIR=$DISTDIR \
@@ -440,12 +433,13 @@ ${AWK} -f ${PKGSRCDIR}/mk/scripts/genreadme.awk  \
     GREP=$GREP \
     GZIP_CMD="$GZIP_CMD" \
     PACKAGES=$PACKAGES \
+    PKG_ADMIN="$PKG_ADMIN" \
     PKG_INFO="$PKG_INFO" \
     PKG_SUFX=$PKG_SUFX \
     PKG_URL=$PKG_URL \
     PKGSRCDIR=$PKGSRCDIR \
     PKGTOOLS_VERSION=$PKGTOOLS_VERSION \
-    PVDIR=$PVDIR \
+    SCAN_VULNERABILITIES=${SCAN_VULNERABILITIES} \
     SED=$SED \
     SETENV=$SETENV \
     SORT=$SORT \