author | erh <erh> | 2005-11-16 20:47:55 +0000 |
---|---|---|
committer | erh <erh> | 2005-11-16 20:47:55 +0000 |
commit | addcfc86f367d689ab95706137ea31ea7ef49402 (patch) | |
tree | bf3ae331091721448c50ca8b47c1ed448f0d1d7f | |
parent | 44f6ca2e8c4c6443e241217f80b3391394caaccd (diff) | |
download | pkgsrc-addcfc86f367d689ab95706137ea31ea7ef49402.tar.gz |
Add several new command line options so audit-packages can be used as part of
the improved ALLOW_VULNERABILITIES support. This now has the ability to:
-p : Only check a single package
-i : Provide a list of vulnerabilities to ignore
-K : Specify an alternate pkg dbdir.
Bump the version to 0.40.
-rw-r--r-- | security/audit-packages/Makefile | 6 | ||||
-rwxr-xr-x | security/audit-packages/files/audit-packages | 104 | ||||
-rw-r--r-- | security/audit-packages/files/audit-packages.8 | 44 |
3 files changed, 135 insertions, 19 deletions
diff --git a/security/audit-packages/Makefile b/security/audit-packages/Makefile index 01195d5b7e3..1ddae3f1f3c 100644 --- a/security/audit-packages/Makefile +++ b/security/audit-packages/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.61 2005/10/31 21:33:19 erh Exp $ +# $NetBSD: Makefile,v 1.62 2005/11/16 20:47:55 erh Exp $ -DISTNAME= audit-packages-1.39 +DISTNAME= audit-packages-1.40 CATEGORIES= security pkgtools MASTER_SITES= # empty DISTFILES= # empty @@ -20,6 +20,8 @@ NO_CHECKSUM= yes OWN_DIRS= ${PKGVULNDIR} INSTALLATION_DIRS= man/cat8 man/man8 sbin +SKIP_AUDIT_PACKAGES= yes + .include "../../mk/bsd.prefs.mk" do-build: diff --git a/security/audit-packages/files/audit-packages b/security/audit-packages/files/audit-packages index d13c97f7766..c92fb98b4af 100755 --- a/security/audit-packages/files/audit-packages +++ b/security/audit-packages/files/audit-packages @@ -1,6 +1,6 @@ #! @SH@ # -# $NetBSD: audit-packages,v 1.23 2005/10/20 10:26:54 agc Exp $ +# $NetBSD: audit-packages,v 1.24 2005/11/16 20:47:56 erh Exp $ # # Copyright (c) 2000-2003 Alistair Crooks. All rights reserved. # @@ -41,8 +41,25 @@ ERR_PKGINSTALL="Please upgrade pkgtools/pkg_install to the newest version." FORMAT_MAJOR=1 FORMAT_MINOR=0 +FORMAT_TEENY=1 PKG_INSTALL_REQUIRED=20050530 +usage() { + argv0="${1##*/}" + cat <<EOF +$2 +Usage: $argv0 [-vd] [-K <pkg_dbdir>] [-p <package>] + [-i [<vulnid>|pkgpat:<pkgpat> [...]] + -v : Verbose mode + -d : Run download-vulnerability-list before anything else. + -i : Ignore packages matching one of the specified vulnerabilities, + or matching one of the provided patterns. + Repeated -i options add to the ignore list. + -p : Check a specific package for vulnerabilities. +EOF + exit 1 +} + if [ -r @PKG_SYSCONFDIR@/audit-packages.conf ]; then echo "Reading settings from @PKG_SYSCONFDIR@/audit-packages.conf" . @PKG_SYSCONFDIR@/audit-packages.conf 
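Review bot: The new usage() lists `[-K <pkg_dbdir>]` in its synopsis but the option descriptions that follow never explain -K, and the whole text is written to stdout before `exit 1`, so a caller that captures stdout (the ALLOW_VULNERABILITIES glue this commit is meant to support) receives the usage text as if it were audit output. I would add `  -K : Use <pkg_dbdir> instead of the default package database.` to the list and send the heredoc to stderr with `cat <<EOF >&2`. The -i line here describes a `pkgpat:<pkgpat>` prefix while the manpage hunk in this same commit documents `vulnid:`; only `pkgpat:` is recognized by the parsing loop, so the two texts should be reconciled with what the code accepts.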
@@ -52,14 +69,44 @@ vuls="${PKGVULNDIR}/pkg-vulnerabilities" download=no verbose=no +ignore_list= +pkg_patterns= +vulnids= +one_package= while [ $# -gt 0 ]; do case "$1" in -d) download=yes ;; -v) verbose=yes ;; + -i) + ignore_list="$ignore_list $2" + shift + ;; + -p) + one_package="$2" + shift + ;; + -K) + export PKG_DBDIR="$2" + shift + ;; + *) + usage "$0" "Unknown option $1" esac shift done +for ign in $ignore_list ; do + case "$ign" in + pkgpat:*) + ign="${ign#*:}" + pkg_patterns="$pkg_patterns $ign" + ;; + *) + vulnids="$vulnids $ign" + ;; + esac +done + # try to download vulnerability list, as requested # the integrity of the list is checked below # so just issue a warning if there was a failure 
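Review bot: The ignore list is expanded unquoted in `for ign in $ignore_list` (and `$pkg_patterns` is iterated the same way later), so a pattern such as `pkgpat:openssl-0.9.[78]*` goes through pathname expansion and is silently replaced by any matching file names in the current directory, dropping the intended suppression or adding spurious ones; wrap the loop in `set -f` / `set +f`, or run the script under `set -f` since nothing visible here relies on globbing. The -i, -p and -K arms also read `$2` without checking it exists, so a trailing `-K` with no argument exports an empty PKG_DBDIR and the inner `shift` fails with the shell's own error instead of the usage text; a guard like `[ $# -ge 2 ] || usage "$0" "Option $1 requires an argument"` at the top of each arm fixes that. Because -K changes which package database the audit trusts, it is worth rejecting a `$2` that is not an existing directory before exporting it.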
@@ -96,14 +143,20 @@ esac case "$errmsg" in "") # check format version of vulnerabilities file - file_major=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[1] }' "$vuls"` - file_minor=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[2] }' "$vuls"` + file_major=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[1]; exit; }' "$vuls"` + file_minor=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[2]; exit; }' "$vuls"` + file_teeny=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[3]; exit; }' "$vuls"` + if [ -z "$file_teeny" ] ; then + file_teeny=0 + fi if [ "x$file_major" = "x" -o "x$file_minor" = "x" ]; then errmsg="No file format version found in $vuls" errsolution="$ERR_DOWNLOAD" elif [ "$file_major" -ne "$FORMAT_MAJOR" -o "$file_minor" -gt "$FORMAT_MINOR" ]; then - errmsg="Unsupported file format version $file_major.$file_minor in $vuls (supported version: $FORMAT_MAJOR.$FORMAT_MINOR)." - if [ "$file_major" -le "$FORMAT_MAJOR" ]; then + errmsg="Unsupported file format version $file_major.$file_minor${file_teeny:+.${file_teeny}} in $vuls (supported version: $FORMAT_MAJOR.$FORMAT_MINOR.$FORMAT_TEENY)." + if [ "$file_major" -le "$FORMAT_MAJOR" -o + \( "$file_major" -eq "$FORMAT_MAJOR" -a + "$file_minor" -lt "$FORMAT_MINOR" \) ]; then errsolution="$ERR_DOWNLOAD" else errsolution="$ERR_UPGRADE" 
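Review bot: The parenthesized clause added to the inner test is redundant as written, because `"$file_major" -eq "$FORMAT_MAJOR"` already implies `"$file_major" -le "$FORMAT_MAJOR"`; the `-o \( ... \)` part never changes the result, so a list with the same major and a higher minor still gets ERR_DOWNLOAD rather than ERR_UPGRADE even though re-downloading cannot make a newer format readable. The first operand should be `-lt`: `if [ "$file_major" -lt "$FORMAT_MAJOR" -o \( "$file_major" -eq "$FORMAT_MAJOR" -a "$file_minor" -lt "$FORMAT_MINOR" \) ]; then`. As rendered here the test spans three lines with no trailing backslashes; if that is not a rendering artifact, the `[` command ends at the first newline and the script errors out at this point, so the committed file should be checked. `$file_teeny` is also never checked to be numeric, so a malformed `#FORMAT` line reaches the later `[ $file_teeny -gt 0 ]` as a shell error rather than as a "bad vulnerability list" diagnosis.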
@@ -151,10 +204,45 @@ while read pat type url; do \#*|'') continue;; esac - if @PKG_TOOLS_BIN@/pkg_info -qe "$pat"; then - echo Package `@PKG_TOOLS_BIN@/pkg_info -e "$pat"` has a \ - "$type" vulnerability, see "$url" + vulnid=unknown + if [ $file_teeny -gt 0 ] ; then + vulnid=${type%%,*} + type=${type#*,} + + skipit=0 + for ign in $vulnids; do + if [ "$ign" = "$vulnid" ] ; then + skipit=1 + fi + done + if [ $skipit -eq 1 ] ; then + continue; + fi fi + + if [ -z "$one_package" ] ; then + vulnpkgs=`@PKG_TOOLS_BIN@/pkg_info -e "$pat"` + else + vulnpkgs= + if `@PKG_TOOLS_BIN@/pkg_admin pmatch "$pat" "$one_package"` ; then + vulnpkgs=$one_package + fi + fi + for pkg in $vulnpkgs ; do + skipit=0 + for ign in $pkg_patterns; do + ign="${ign#*:}" + if @PKG_TOOLS_BIN@/pkg_admin pmatch "${ign}" "$pkg" ; then + skipit=1 + break + fi + done + if [ $skipit -eq 1 ] ; then + continue + fi + echo "Package $pkg has a" \ + "$type vulnerability (vulnid:$vulnid), see $url" + done done < "$vuls" exit 0 diff --git a/security/audit-packages/files/audit-packages.8 b/security/audit-packages/files/audit-packages.8 index 027ddbf4134..fbc31be588f 100644 --- a/security/audit-packages/files/audit-packages.8 +++ b/security/audit-packages/files/audit-packages.8 @@ -1,4 +1,4 @@ -.\" $NetBSD: audit-packages.8,v 1.15 2005/10/20 10:26:54 agc Exp $ +.\" $NetBSD: audit-packages.8,v 1.16 2005/11/16 20:47:56 erh Exp $ .\" .\" Copyright (c) 2003 Jeremy C. Reed. All rights reserved. .\" @@ -40,6 +40,8 @@ .Sh SYNOPSIS .Nm .Op Fl dv +.Op Fl K Ar pkg_dbdir +.Op Fl i Ar ignore-list .Nm download-vulnerability-list .Sh DESCRIPTION The 
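Review bot: The -p branch wraps the match command in backticks (command substitution) inside the `if`, which runs pkg_admin and then has the shell execute whatever it printed to stdout as a command; it only works because pmatch is normally silent, and any diagnostic or unexpected output would be executed. Drop the substitution: `if @PKG_TOOLS_BIN@/pkg_admin pmatch "$pat" "$one_package"; then`. The unquoted-glob hazard applies to `for ign in $pkg_patterns` as well, and the `ign="${ign#*:}"` inside that loop re-strips up to the first colon even though the `pkgpat:` prefix was already removed in the option loop, so a pattern containing a colon is mangled. Since -i now suppresses findings silently, printing the skipped vulnid and package under `verbose=yes` would leave an audit trail for each ALLOW_VULNERABILITIES entry.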
@@ -50,16 +52,30 @@ file and reports any known security issues to standard output. This output contains the name and version of the package, the type of vulnerability, and an URL for further information for each vulnerable package. -If the -.Fl v -option is specified, +.Pp +The following flags are supported: +.Bl -tag -width Ar +.It Fl d .Nm -will warn when the vulnerabilities file is more than a week old. -The -.Fl d -option will attempt to download this vulnerabilities +will attempt to download the vulnerabilities file before scanning the installed packages for vulnerabilities. +.It Fl i +Specify an list of vulnerabilities or packages to ignore. +Packages can be specified using package wildcards (see +.Xr pkg_info 1 +). +Vulnerabilities can be specified with the form +.Sm off +.Cm vulnid: +.Ar vulnid . +.Sm on +Vulnerability ids are only present in file format 1.0.1 or higher. +.It Fl v +Set verbose mode. +.Nm +will warn when the vulnerabilities file is more than a week old. +.El .Pp The .Nm download-vulnerability-list @@ -73,7 +89,17 @@ pkgsrc packages and is kept up-to-date by the packages team. .Pp Each line lists the package and vulnerable versions, the type of exploit, -and an Internet address for further information. +and an Internet address for further information: +.Bl -item +.It +.Aq package pattern +.Sm off +.Aq vulnid , +.Aq type +.Sm on +.Aq url +.El +.Pp The type of exploit can be any text, although some common types of exploits listed are: .Bl -bullet -compact -offset indent |