diff options
author | joerg <joerg> | 2008-04-18 14:26:36 +0000 |
---|---|---|
committer | joerg <joerg> | 2008-04-18 14:26:36 +0000 |
commit | b78fba2fe96f02d1ce49c97de4f390a3c2c77078 (patch) | |
tree | 45173f7247afdbad40928c6389756c3703e7ca05 | |
parent | b239c5bd76affd6fd574c3b123768ffdd980823d (diff) | |
download | pkgsrc-b78fba2fe96f02d1ce49c97de4f390a3c2c77078.tar.gz |
Change the code generation README.html to use the new
"pkg_admin audit-history" command to print the full list of
vulnerabilities and use further pkg_admin pmatch logic to mark them as
fixed or still open. For pkg_install versions before 20080415, skip the
vulnerability processing.
Discussed with: dmcmahill
-rw-r--r-- | mk/bsd.pkg.readme.mk | 32 | ||||
-rwxr-xr-x | mk/scripts/genreadme.awk | 82 | ||||
-rwxr-xr-x | mk/scripts/mkreadme | 36 |
3 files changed, 47 insertions, 103 deletions
diff --git a/mk/bsd.pkg.readme.mk b/mk/bsd.pkg.readme.mk index 1a56ccfddc1..25b0e038473 100644 --- a/mk/bsd.pkg.readme.mk +++ b/mk/bsd.pkg.readme.mk @@ -1,4 +1,4 @@ -# $NetBSD: bsd.pkg.readme.mk,v 1.19 2008/03/15 16:27:42 joerg Exp $ +# $NetBSD: bsd.pkg.readme.mk,v 1.20 2008/04/18 14:26:36 joerg Exp $ # # This Makefile fragment is included by bsd.pkg.mk and encapsulates the # code to produce README.html files in each package directory. @@ -230,21 +230,6 @@ SED_HOMEPAGE_EXPR= -e 's|%%HOMEPAGE%%|<p>This package has a home page at <a HREF SED_HOMEPAGE_EXPR= -e 's|%%HOMEPAGE%%||' .endif -.PHONY: show-vulnerabilities-html -show-vulnerabilities-html: - ${RUN} \ - _PKGVULNDIR=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`; \ - if [ -f $$_PKGVULNDIR/pkg-vulnerabilities ]; then \ - ${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -n ${PKGNAME} 2>&1| ${AWK} \ - '{ printurl = $$8; \ - gsub("\<", "\\<", $$2); \ - gsub("\>", "\\>", $$2); \ - gsub("\<", "\\<", printurl); \ - gsub("\>", "\\>", printurl); \ - gsub("\&", "\\&", printurl); \ - printf("<LI><STRONG>%s has a %s exploit (see <a href=\"%s\">%s</a> for more details)</STRONG></LI>\n", $$2, $$5, $$8, printurl) }'; \ - fi - # If PACKAGES is set to the default (../../packages), the current # ${MACHINE_ARCH} and "release" (uname -r) will be used. Otherwise a directory # structure of ...pkgsrc/packages/`uname -r`/${MACHINE_ARCH} is assumed. @@ -265,22 +250,31 @@ README.html: .PRECIOUS esac; \ cd ${.CURDIR} ; \ fi; \ - _PVDIR=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`; \ + if [ `${PKG_ADMIN} -V` -lt 20080415 ]; then \ + SCAN_VULNERABILITIES=0; \ + else \ + _PVDIR=`${PKG_ADMIN} config-var PKGVULNDIR`; \ + if [ -e "$${_PVDIR}"/pkg-vulnerabilities ]; then \ + SCAN_VULNERABILITIES=2; \ + else \ + SCAN_VULNERABILITIES=1; \ + fi; \ + fi; \ ${AWK} -f ../../mk/scripts/genreadme.awk \ builddependsfile=/dev/null \ dependsfile=/dev/null \ - AUDIT_PACKAGES=${AUDIT_PACKAGES:Q} \ AWK=${AWK:Q} \ CMP=${CMP:Q} \ DISTDIR=${DISTDIR:Q} \ GREP=${GREP:Q} \ PACKAGES=${PACKAGES:Q} \ + PKG_ADMIN=${PKG_ADMIN:Q} \ PKG_INFO=${PKG_INFO:Q} \ PKG_SUFX=${PKG_SUFX:Q} \ PKG_URL=${PKG_URL:Q} \ PKGSRCDIR=${.CURDIR:C|/[^/]*/[^/]*$||:Q} \ - PVDIR=$$_PVDIR \ PKGTOOLS_VERSION=${PKGTOOLS_VERSION} \ + SCAN_VULNERABILITIES=$${SCAN_VULNERABILITIES} \ SED=${SED:Q} \ SETENV=${SETENV:Q} \ SORT=${SORT:Q} \ diff --git a/mk/scripts/genreadme.awk b/mk/scripts/genreadme.awk index ce70a884fc7..02c02339c98 100755 --- a/mk/scripts/genreadme.awk +++ b/mk/scripts/genreadme.awk @@ -1,5 +1,5 @@ #!/usr/bin/awk -f -# $NetBSD: genreadme.awk,v 1.31 2008/03/15 16:27:43 joerg Exp $ +# $NetBSD: genreadme.awk,v 1.32 2008/04/18 14:26:37 joerg Exp $ # # Copyright (c) 2002, 2003, 2005, 2006 The NetBSD Foundation, Inc. # All rights reserved. @@ -255,55 +255,11 @@ END { } close(builddependsfile); - vfile = PVDIR "/pkg-vulnerabilities"; - # extract date for vulnerabilities file - cmd = "ls -l " vfile; - if ((cmd | getline) > 0) { - vuldate = sprintf("at %s %s %s\n",$6,$7,$8); -# read the vulnerabilities file - printf("Reading vulnerability file \"%s\"\n which was updated %s\n", - vfile, vuldate); - i = 1; - vul_major = 0; - vul_minor = 0; - vul_teeny = 0; - while((getline < vfile) > 0) { - if( $0 ~ /#FORMAT/ ) { - split($2, vul_format, "."); - vul_major = vul_format[1]; - vul_minor = vul_format[2]; - vul_teeny = vul_format[3]; - } - if ( $0 ~ /^-----BEGIN PGP SIGNATURE-----.*/ ) { - break; - } - if ( ( $0 !~ /^\#/ ) && - ( $0 !~ /^Hash:.*/ ) && - ( $0 !~ /^-----BEGIN PGP SIGNED.*/ ) && - ( $0 != "" ) ) { - vulpkg[i] = $1; - vultype[i] = $2; - vulref[i] = $3; - i = i + 1; - } - } - if( (vul_major > 1) || - (vul_minor > 1) || - (vul_teeny > 0) ) { - printf("Version %d.%d.%d of the vulnerability file is out of sync with", - vul_major, vul_minor, vul_teeny); - printf("the genreadme.awk script\n"); - } - printf(" Loaded %d vulnerabilities\n", i - 1); - close(vfile); - have_vfile = 1; - } else { + if (SCAN_VULNERABILITIES == 0) + vuldate="<TR><TD><I>(no vulnerabilities list, update pkg_install)</I>"; + else if (SCAN_VULNERABILITIES == 1) vuldate="<TR><TD><I>(no vulnerabilities list available)</I>"; - printf("No vulnerability file found (%s).\n", vfile); - have_vfile = 0; - } - close(cmd); if (SINGLEPKG != "" ) { printf("Only creating README for %s\n",SINGLEPKG); @@ -372,28 +328,28 @@ END { if (debug) printf("wrote = %d entries to \"%s\"\n", i-1, htmldeps_file); -# XXX: Post pkg_install-20070714 only currently known vulnerabilities are -# XXX: shown in the generated README.html files for packages. - vul = ""; - if (have_vfile) { - pkg = pkgdir2name[toppkg]; - - if (debug) { - printf("Checking for %s (%s) vulnerabilities\n", - toppkg, pkg); - } - - cmd = sprintf("%s -n %s", AUDIT_PACKAGES, pkg); + if (SCAN_VULNERABILITIES == 2) { + pkgbase = pkgdir2name[toppkg]; + sub("-[^-]*$", "", pkgbase); + cmd = sprintf("%s audit-history %s", PKG_ADMIN, pkgbase); while (cmd | getline vuln_entry) { split(vuln_entry, entry, " "); - vul = sprintf("%s<LI><STRONG>%s has a <a href=\"%s\">%s</a> vulnerability</STRONG></LI>\n", - vul, pkg, entry[8], entry[5]); + status_cmd = sprintf("if %s pmatch '%s' %s; then echo open; else echo fixed; fi", + PKG_ADMIN, entry[1], pkgdir2name[toppkg]); + status_cmd | getline status + close(status_cmd) + if (status == "open") + status = "an <STRONG>OPEN</STRONG>"; + else + status = "a " status; + vul = sprintf("%s<LI>%s <a href=\"%s\">%s</a> vulnerability</LI>\n", + vul, status, entry[3], entry[2]); } close(cmd); - if ( vul == "" ){ + if ( vul == "" ) { vul="<I>(no vulnerabilities known)</I>"; } } diff --git a/mk/scripts/mkreadme b/mk/scripts/mkreadme index 1f40258b56a..1728ee6881f 100755 --- a/mk/scripts/mkreadme +++ b/mk/scripts/mkreadme @@ -1,5 +1,5 @@ #!/bin/sh -# $NetBSD: mkreadme,v 1.22 2008/03/15 16:27:43 joerg Exp $ +# $NetBSD: mkreadme,v 1.23 2008/04/18 14:26:37 joerg Exp $ # # Script for README.html generation # @@ -63,7 +63,6 @@ usage(){ echo " [-P|--packages directory] [-r|--restart] " echo " [-s|--summary]" echo " [-S|--save-database]" - echo " [-V|--pkg-vuln directory]" echo " " echo " $prog -h|--help" echo " " @@ -99,9 +98,6 @@ usage(){ echo " This is useful for debugging or re-running this script" echo " with the -r option." echo " " - echo " -V|--pkg-vuln dir Specify the pkg-vulnerability directory." - echo " Defaults to the value of the DISTDIR." - echo " " echo " -v|--version Displays the version of this script and exits." echo " " echo "Example: $prog -p /pub/NetBSD/packages/pkgsrc -P /pub/NetBSD/packages -f" @@ -210,13 +206,6 @@ do exit 0 ;; - # Specify pkg-vulnerability directory - -V|--pkg-vuln) - PVDIR=$2 - pv=custom - shift 2 - ;; - -*) echo "$prog: ERROR: $1 is not a valid option" usage clean_and_exit @@ -303,14 +292,19 @@ else exit 1 fi -# this needs to happen here as the variables referenced have not been -# populated until this stage (see above) -# -if [ "$pv" = "default" ]; then - PVDIR=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR` +if [ `${PKG_ADMIN} -V` -lt 20080415 ]; then + SCAN_VULNERABILITIES=0 + echo "----> NOT checking for vulnerabilities, pkg_install too old" +else + _PVDIR=`${PKG_ADMIN} config-var PKGVULNDIR`; + if [ -e "${_PVDIR}"/pkg-vulnerabilities ]; then + SCAN_VULNERABILITIES=2 + echo "----> Checking for vulnerabilities" + else + SCAN_VULNERABILITIES=1 + echo "----> NOT checking for vulnerabilities" + fi fi -echo "----> PVDIR=\"${PVDIR}\"" - ###################################################################### # @@ -432,7 +426,6 @@ ${AWK} -f ${PKGSRCDIR}/mk/scripts/genreadme.awk \ debug=$debug \ dependsfile=${TMPDIR}/pkgsrc.depends.debug \ summary=${summary} \ - AUDIT_PACKAGES=$AUDIT_PACKAGES \ AWK=$AWK \ CMP=$CMP \ DISTDIR=$DISTDIR \ @@ -440,12 +433,13 @@ ${AWK} -f ${PKGSRCDIR}/mk/scripts/genreadme.awk \ GREP=$GREP \ GZIP_CMD="$GZIP_CMD" \ PACKAGES=$PACKAGES \ + PKG_ADMIN="$PKG_ADMIN" \ PKG_INFO="$PKG_INFO" \ PKG_SUFX=$PKG_SUFX \ PKG_URL=$PKG_URL \ PKGSRCDIR=$PKGSRCDIR \ PKGTOOLS_VERSION=$PKGTOOLS_VERSION \ - PVDIR=$PVDIR \ + SCAN_VULNERABILITIES=${SCAN_VULNERABILITIES} \ SED=$SED \ SETENV=$SETENV \ SORT=$SORT \ |