authorjoerg <joerg>2008-04-18 14:26:36 +0000
committerjoerg <joerg>2008-04-18 14:26:36 +0000
commitb78fba2fe96f02d1ce49c97de4f390a3c2c77078 (patch)
tree45173f7247afdbad40928c6389756c3703e7ca05
parentb239c5bd76affd6fd574c3b123768ffdd980823d (diff)
downloadpkgsrc-b78fba2fe96f02d1ce49c97de4f390a3c2c77078.tar.gz
Change the README.html generation code to use the new
"pkg_admin audit-history" command to print the full list of vulnerabilities and use further pkg_admin pmatch logic to mark them as fixed or still open. For pkg_install versions before 20080415, skip the vulnerability processing. Discussed with: dmcmahill
-rw-r--r--mk/bsd.pkg.readme.mk32
-rwxr-xr-xmk/scripts/genreadme.awk82
-rwxr-xr-xmk/scripts/mkreadme36
3 files changed, 47 insertions, 103 deletions
diff --git a/mk/bsd.pkg.readme.mk b/mk/bsd.pkg.readme.mk
index 1a56ccfddc1..25b0e038473 100644
--- a/mk/bsd.pkg.readme.mk
+++ b/mk/bsd.pkg.readme.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.pkg.readme.mk,v 1.19 2008/03/15 16:27:42 joerg Exp $
+# $NetBSD: bsd.pkg.readme.mk,v 1.20 2008/04/18 14:26:36 joerg Exp $
#
# This Makefile fragment is included by bsd.pkg.mk and encapsulates the
# code to produce README.html files in each package directory.
@@ -230,21 +230,6 @@ SED_HOMEPAGE_EXPR= -e 's|%%HOMEPAGE%%|<p>This package has a home page at <a HREF
SED_HOMEPAGE_EXPR= -e 's|%%HOMEPAGE%%||'
.endif
-.PHONY: show-vulnerabilities-html
-show-vulnerabilities-html:
- ${RUN} \
- _PKGVULNDIR=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`; \
- if [ -f $$_PKGVULNDIR/pkg-vulnerabilities ]; then \
- ${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -n ${PKGNAME} 2>&1| ${AWK} \
- '{ printurl = $$8; \
- gsub("\<", "\\&lt;", $$2); \
- gsub("\>", "\\&gt;", $$2); \
- gsub("\<", "\\&lt;", printurl); \
- gsub("\>", "\\&gt;", printurl); \
- gsub("\&", "\\&amp;", printurl); \
- printf("<LI><STRONG>%s has a %s exploit (see <a href=\"%s\">%s</a> for more details)</STRONG></LI>\n", $$2, $$5, $$8, printurl) }'; \
- fi
-
# If PACKAGES is set to the default (../../packages), the current
# ${MACHINE_ARCH} and "release" (uname -r) will be used. Otherwise a directory
# structure of ...pkgsrc/packages/`uname -r`/${MACHINE_ARCH} is assumed.
@@ -265,22 +250,31 @@ README.html: .PRECIOUS
esac; \
cd ${.CURDIR} ; \
fi; \
- _PVDIR=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`; \
+ if [ `${PKG_ADMIN} -V` -lt 20080415 ]; then \
+ SCAN_VULNERABILITIES=0; \
+ else \
+ _PVDIR=`${PKG_ADMIN} config-var PKGVULNDIR`; \
+ if [ -e "$${_PVDIR}"/pkg-vulnerabilities ]; then \
+ SCAN_VULNERABILITIES=2; \
+ else \
+ SCAN_VULNERABILITIES=1; \
+ fi; \
+ fi; \
${AWK} -f ../../mk/scripts/genreadme.awk \
builddependsfile=/dev/null \
dependsfile=/dev/null \
- AUDIT_PACKAGES=${AUDIT_PACKAGES:Q} \
AWK=${AWK:Q} \
CMP=${CMP:Q} \
DISTDIR=${DISTDIR:Q} \
GREP=${GREP:Q} \
PACKAGES=${PACKAGES:Q} \
+ PKG_ADMIN=${PKG_ADMIN:Q} \
PKG_INFO=${PKG_INFO:Q} \
PKG_SUFX=${PKG_SUFX:Q} \
PKG_URL=${PKG_URL:Q} \
PKGSRCDIR=${.CURDIR:C|/[^/]*/[^/]*$||:Q} \
- PVDIR=$$_PVDIR \
PKGTOOLS_VERSION=${PKGTOOLS_VERSION} \
+ SCAN_VULNERABILITIES=$${SCAN_VULNERABILITIES} \
SED=${SED:Q} \
SETENV=${SETENV:Q} \
SORT=${SORT:Q} \
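Review bot: The version check `if [ `${PKG_ADMIN} -V` -lt 20080415 ]` has no guard on the command substitution: if `${PKG_ADMIN} -V` prints nothing (an older pkg_admin that does not understand the option, or a missing binary) the test becomes `[ -lt 20080415 ]`, which is a malformed expression and fails with a test error rather than taking the "too old" branch, and if this recipe runs with set -e (the recipe prefix is outside the hunk) README generation aborts instead of degrading. Capture and default the value first, e.g. `` _PKG_ADMIN_VERSION=`${PKG_ADMIN} -V 2>/dev/null || echo 0`; \ `` followed by `if [ "$${_PKG_ADMIN_VERSION:-0}" -lt 20080415 ]; then \` (non-numeric output would still need a case check). The same unguarded test appears in the mk/scripts/mkreadme hunk that sets SCAN_VULNERABILITIES and should get the same treatment. The README.html rule this recipe belongs to starts outside the hunk.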
diff --git a/mk/scripts/genreadme.awk b/mk/scripts/genreadme.awk
index ce70a884fc7..02c02339c98 100755
--- a/mk/scripts/genreadme.awk
+++ b/mk/scripts/genreadme.awk
@@ -1,5 +1,5 @@
#!/usr/bin/awk -f
-# $NetBSD: genreadme.awk,v 1.31 2008/03/15 16:27:43 joerg Exp $
+# $NetBSD: genreadme.awk,v 1.32 2008/04/18 14:26:37 joerg Exp $
#
# Copyright (c) 2002, 2003, 2005, 2006 The NetBSD Foundation, Inc.
# All rights reserved.
@@ -255,55 +255,11 @@ END {
}
close(builddependsfile);
- vfile = PVDIR "/pkg-vulnerabilities";
-
# extract date for vulnerabilities file
- cmd = "ls -l " vfile;
- if ((cmd | getline) > 0) {
- vuldate = sprintf("at %s %s %s\n",$6,$7,$8);
-# read the vulnerabilities file
- printf("Reading vulnerability file \"%s\"\n which was updated %s\n",
- vfile, vuldate);
- i = 1;
- vul_major = 0;
- vul_minor = 0;
- vul_teeny = 0;
- while((getline < vfile) > 0) {
- if( $0 ~ /#FORMAT/ ) {
- split($2, vul_format, ".");
- vul_major = vul_format[1];
- vul_minor = vul_format[2];
- vul_teeny = vul_format[3];
- }
- if ( $0 ~ /^-----BEGIN PGP SIGNATURE-----.*/ ) {
- break;
- }
- if ( ( $0 !~ /^\#/ ) &&
- ( $0 !~ /^Hash:.*/ ) &&
- ( $0 !~ /^-----BEGIN PGP SIGNED.*/ ) &&
- ( $0 != "" ) ) {
- vulpkg[i] = $1;
- vultype[i] = $2;
- vulref[i] = $3;
- i = i + 1;
- }
- }
- if( (vul_major > 1) ||
- (vul_minor > 1) ||
- (vul_teeny > 0) ) {
- printf("Version %d.%d.%d of the vulnerability file is out of sync with",
- vul_major, vul_minor, vul_teeny);
- printf("the genreadme.awk script\n");
- }
- printf(" Loaded %d vulnerabilities\n", i - 1);
- close(vfile);
- have_vfile = 1;
- } else {
+ if (SCAN_VULNERABILITIES == 0)
+ vuldate="<TR><TD><I>(no vulnerabilities list, update pkg_install)</I>";
+ else if (SCAN_VULNERABILITIES == 1)
vuldate="<TR><TD><I>(no vulnerabilities list available)</I>";
- printf("No vulnerability file found (%s).\n", vfile);
- have_vfile = 0;
- }
- close(cmd);
if (SINGLEPKG != "" ) {
printf("Only creating README for %s\n",SINGLEPKG);
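Review bot: The surviving comment `# extract date for vulnerabilities file` is now stale: the `ls -l` date extraction that followed it is deleted and the remaining lines only pick a placeholder message, so reword it to `# vulnerability-list status text; vuldate stays empty when the list is scanned`. That wording also records a behaviour change worth confirming: when SCAN_VULNERABILITIES is 2, `vuldate` is never assigned (it previously carried the file's date), so if it is still substituted into the page further down in END it now expands to an empty string. The END block starts and ends outside this hunk.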
@@ -372,28 +328,28 @@ END {
if (debug) printf("wrote = %d entries to \"%s\"\n",
i-1, htmldeps_file);
-# XXX: Post pkg_install-20070714 only currently known vulnerabilities are
-# XXX: shown in the generated README.html files for packages.
-
vul = "";
- if (have_vfile) {
- pkg = pkgdir2name[toppkg];
-
- if (debug) {
- printf("Checking for %s (%s) vulnerabilities\n",
- toppkg, pkg);
- }
-
- cmd = sprintf("%s -n %s", AUDIT_PACKAGES, pkg);
+ if (SCAN_VULNERABILITIES == 2) {
+ pkgbase = pkgdir2name[toppkg];
+ sub("-[^-]*$", "", pkgbase);
+ cmd = sprintf("%s audit-history %s", PKG_ADMIN, pkgbase);
while (cmd | getline vuln_entry) {
split(vuln_entry, entry, " ");
- vul = sprintf("%s<LI><STRONG>%s has a <a href=\"%s\">%s</a> vulnerability</STRONG></LI>\n",
- vul, pkg, entry[8], entry[5]);
+ status_cmd = sprintf("if %s pmatch '%s' %s; then echo open; else echo fixed; fi",
+ PKG_ADMIN, entry[1], pkgdir2name[toppkg]);
+ status_cmd | getline status
+ close(status_cmd)
+ if (status == "open")
+ status = "an <STRONG>OPEN</STRONG>";
+ else
+ status = "a " status;
+ vul = sprintf("%s<LI>%s <a href=\"%s\">%s</a> vulnerability</LI>\n",
+ vul, status, entry[3], entry[2]);
}
close(cmd);
- if ( vul == "" ){
+ if ( vul == "" ) {
vul="<I>(no vulnerabilities known)</I>";
}
}
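Review bot: `status_cmd | getline status` leaves `status` holding the previous iteration's already-rewritten text when the command produces no output, so the next entry would be labelled "a a fixed" (or "a an <STRONG>OPEN</STRONG>"), and because the shell's `else echo fixed` branch also runs when pkg_admin itself fails to execute, a check that could not run is reported as fixed rather than as unverified. Reset `status = "";` before the getline and have the command report pmatch's exit status instead of folding every non-zero result into "fixed", as in the excerpt below (the mapping assumes pmatch exits 1 only for "no match" -- confirm against pkg_admin). Separately, `entry[1]` is spliced into a single-quoted shell word, so a pattern containing `'` would break the command, and `entry[3]`/`entry[2]` reach the HTML unescaped, whereas the show-vulnerabilities-html target this commit deletes did escape `&`, `<` and `>`. The enclosing END block starts and ends outside this hunk.
```awk
			status = "";
			status_cmd = sprintf("%s pmatch '%s' %s; echo $?",
			    PKG_ADMIN, entry[1], pkgdir2name[toppkg]);
			status_cmd | getline status
			close(status_cmd)
			# assumes pmatch exits 0 on match, 1 on no match -- verify
			if (status == "0")
				status = "an <STRONG>OPEN</STRONG>";
			else if (status == "1")
				status = "a fixed";
			else
				status = "an <STRONG>UNVERIFIED</STRONG> (pmatch failed)";
			# … unchanged: vul = sprintf(...) …
```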
diff --git a/mk/scripts/mkreadme b/mk/scripts/mkreadme
index 1f40258b56a..1728ee6881f 100755
--- a/mk/scripts/mkreadme
+++ b/mk/scripts/mkreadme
@@ -1,5 +1,5 @@
#!/bin/sh
-# $NetBSD: mkreadme,v 1.22 2008/03/15 16:27:43 joerg Exp $
+# $NetBSD: mkreadme,v 1.23 2008/04/18 14:26:37 joerg Exp $
#
# Script for README.html generation
#
@@ -63,7 +63,6 @@ usage(){
echo " [-P|--packages directory] [-r|--restart] "
echo " [-s|--summary]"
echo " [-S|--save-database]"
- echo " [-V|--pkg-vuln directory]"
echo " "
echo " $prog -h|--help"
echo " "
@@ -99,9 +98,6 @@ usage(){
echo " This is useful for debugging or re-running this script"
echo " with the -r option."
echo " "
- echo " -V|--pkg-vuln dir Specify the pkg-vulnerability directory."
- echo " Defaults to the value of the DISTDIR."
- echo " "
echo " -v|--version Displays the version of this script and exits."
echo " "
echo "Example: $prog -p /pub/NetBSD/packages/pkgsrc -P /pub/NetBSD/packages -f"
@@ -210,13 +206,6 @@ do
exit 0
;;
- # Specify pkg-vulnerability directory
- -V|--pkg-vuln)
- PVDIR=$2
- pv=custom
- shift 2
- ;;
-
-*) echo "$prog: ERROR: $1 is not a valid option"
usage
clean_and_exit
@@ -303,14 +292,19 @@ else
exit 1
fi
-# this needs to happen here as the variables referenced have not been
-# populated until this stage (see above)
-#
-if [ "$pv" = "default" ]; then
- PVDIR=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`
+if [ `${PKG_ADMIN} -V` -lt 20080415 ]; then
+ SCAN_VULNERABILITIES=0
+ echo "----> NOT checking for vulnerabilities, pkg_install too old"
+else
+ _PVDIR=`${PKG_ADMIN} config-var PKGVULNDIR`;
+ if [ -e "${_PVDIR}"/pkg-vulnerabilities ]; then
+ SCAN_VULNERABILITIES=2
+ echo "----> Checking for vulnerabilities"
+ else
+ SCAN_VULNERABILITIES=1
+ echo "----> NOT checking for vulnerabilities"
+ fi
fi
-echo "----> PVDIR=\"${PVDIR}\""
-
######################################################################
#
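Review bot: `_PVDIR=`${PKG_ADMIN} config-var PKGVULNDIR`;` carries a trailing `;` that the neighbouring `SCAN_VULNERABILITIES=` assignments do not; it is harmless in sh but reads as a leftover from the Makefile version, so drop it. The removed `-V|--pkg-vuln` option was the only place that set `pv=custom`, so if a `pv=default` initialisation still exists earlier in the script (not visible here) it is now dead and should be removed as well.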
@@ -432,7 +426,6 @@ ${AWK} -f ${PKGSRCDIR}/mk/scripts/genreadme.awk \
debug=$debug \
dependsfile=${TMPDIR}/pkgsrc.depends.debug \
summary=${summary} \
- AUDIT_PACKAGES=$AUDIT_PACKAGES \
AWK=$AWK \
CMP=$CMP \
DISTDIR=$DISTDIR \
@@ -440,12 +433,13 @@ ${AWK} -f ${PKGSRCDIR}/mk/scripts/genreadme.awk \
GREP=$GREP \
GZIP_CMD="$GZIP_CMD" \
PACKAGES=$PACKAGES \
+ PKG_ADMIN="$PKG_ADMIN" \
PKG_INFO="$PKG_INFO" \
PKG_SUFX=$PKG_SUFX \
PKG_URL=$PKG_URL \
PKGSRCDIR=$PKGSRCDIR \
PKGTOOLS_VERSION=$PKGTOOLS_VERSION \
- PVDIR=$PVDIR \
+ SCAN_VULNERABILITIES=${SCAN_VULNERABILITIES} \
SED=$SED \
SETENV=$SETENV \
SORT=$SORT \