build/audit: run vulnerability check on ports
This commit is contained in:
parent
0dff1f7f29
commit
fbac38f495
4
Makefile
4
Makefile
|
@ -23,7 +23,7 @@
|
|||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
|
||||
STEPS= arm base boot chroot clean clone compress confirm core \
|
||||
STEPS= audit arm base boot chroot clean clone compress confirm core \
|
||||
distfiles download dvd fingerprint info kernel make.conf nano \
|
||||
packages plugins ports prefetch print rebase release \
|
||||
rename rewind serial sign skim test update upload verify \
|
||||
|
@ -107,7 +107,7 @@ EXTRABRANCH?= #master
|
|||
# A couple of meta-targets for easy use and ordering:
|
||||
|
||||
ports distfiles: base
|
||||
plugins: ports
|
||||
audit plugins: ports
|
||||
core: plugins
|
||||
packages test: core
|
||||
dvd nano serial vga vm: kernel core
|
||||
|
|
|
@ -189,8 +189,8 @@ Updating all or individual repositories can be done as follows:
|
|||
|
||||
Available update options are: core, plugins, ports, portsref, src, tools
|
||||
|
||||
Regression tests
|
||||
----------------
|
||||
Regression tests and ports audit
|
||||
--------------------------------
|
||||
|
||||
Before building images, you can run the regression tests
|
||||
to check the integrity of your core.git modifications plus
|
||||
|
@ -198,6 +198,11 @@ generate output for the style checker:
|
|||
|
||||
# make test
|
||||
|
||||
To check the binary packages from ports against the upstream
|
||||
vulnerability database run the following:
|
||||
|
||||
# make audit
|
||||
|
||||
Advanced package builds
|
||||
-----------------------
|
||||
|
||||
|
|
|
@ -0,0 +1,79 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2021 Franco Fichtner <franco@opnsense.org>
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
#
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
|
||||
set -e
|
||||
|
||||
SELF=audit
|
||||
|
||||
. ./common.sh
|
||||
|
||||
PORTS_LIST=$(
|
||||
cat ${CONFIGDIR}/ports.conf | while read PORT_ORIGIN PORT_IGNORE; do
|
||||
eval PORT_ORIGIN=${PORT_ORIGIN}
|
||||
if [ "$(echo ${PORT_ORIGIN} | colrm 2)" = "#" ]; then
|
||||
continue
|
||||
fi
|
||||
echo ${PORT_ORIGIN}
|
||||
done
|
||||
)
|
||||
|
||||
setup_stage ${STAGEDIR}
|
||||
setup_base ${STAGEDIR}
|
||||
setup_chroot ${STAGEDIR}
|
||||
extract_packages ${STAGEDIR}
|
||||
install_packages ${STAGEDIR} pkg
|
||||
lock_packages ${STAGEDIR}
|
||||
|
||||
echo -n ">>> Running security audit..."
|
||||
|
||||
for PKG in $(cd ${STAGEDIR}; find .${PACKAGESDIR}/All -type f); do
|
||||
PKGORIGIN=$(pkg -c ${STAGEDIR} info -F ${PKG} | \
|
||||
grep ^Origin | awk '{ print $3; }')
|
||||
|
||||
for PORT in ${PORTS_LIST}; do
|
||||
if [ "${PORT}" = "${PKGORIGIN}" ]; then
|
||||
${ENV_FILTER} chroot ${STAGEDIR} /bin/sh -s << EOF
|
||||
pkg add -f ${PKG} > /dev/null
|
||||
AUDIT=\$(pkg audit -F | grep is.vulnerable | tr -d :)
|
||||
if [ -n "\${AUDIT}" ]; then
|
||||
echo ">>> \${AUDIT}" >> /report
|
||||
fi
|
||||
echo -n .
|
||||
pkg remove -qya > /dev/null
|
||||
EOF
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
echo "done"
|
||||
|
||||
if [ -f ${STAGEDIR}/report ]; then
|
||||
echo ">>> The following vulnerable pacckages exist:"
|
||||
sort -u ${STAGEDIR}/report
|
||||
else
|
||||
echo ">>> No vulnerable packages have been found."
|
||||
fi
|
Loading…
Reference in New Issue