pkgsrc-Users archive
Re: Checking for vulnerable packages before installing
Hello Iain,
Iain Morgan writes:
> [...]
> What I would like is a way to have pkgsrc check for vulnerabilities for
> all packages (and their dependencies) without building them or halting,
> so that I can evaluate the vulnerabilities in one go and then run the
> build with less of a chance of it being interrupted. I'm not aware of
> any make target that would accomplish this, but is such an approach
> supported?
> [...]
AFAIK there is no target for that, but this can be done via
pkg_admin(1). I wrote a shell script that, given one or more packages
as argument (installed or not), prints the corresponding entries in
pkg-vulnerabilities. I will attach it to this email.
I think it can be adopted and/or should give an idea of how to possibly
handle that if you have a list of packages.
(With sys_info(1) this can also be used to check vulnerabilities in the
base system, e.g. on NetBSD:
% ./vulnpkg.sh `sys_info -P /bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R7/bin`
)
#!/bin/sh
#
# Copyright (c) 2018 Leonardo Taccari
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
#
# Print usage information and exit.
#
usage()
{
	echo "usage: $0 pkgname ..."
	exit 1
}

#
# Given a PKGNAME print all relevant pkg-vulnerabilities entries for it.
#
auditpkg()
{
	pkgname="$1"
	# PKGBASE is PKGNAME without its trailing -VERSION.
	pkgbase="${pkgname%-*}"
	# audit-history lists every entry recorded for PKGBASE; keep only
	# those whose package pattern (first field) matches this PKGNAME.
	pkg_admin audit-history "$pkgbase" | while read -r entry; do
		pkg=${entry%% *}
		pkg_admin pmatch "$pkg" "$pkgname" && echo "$entry"
	done
}

#
# Given a list of PKGNAMEs print for each of them the vulnerabilities entries.
#
main()
{
	if [ $# -eq 0 ]; then
		usage
	fi

	for p in "$@"; do
		auditpkg "$p"
	done

	exit 0
}

main "$@"
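The original question was about auditing every package a build would pull in, dependencies included, without building anything. The following is an added example (not the script from the mail above, and not part of pkgsrc): it walks the DEPENDS closure of a package directory with make show-var and make show-depends, then audits each resulting PKGNAME with the same pkg_admin audit-history / pmatch pairing used in the script above, and exits non-zero if anything in the closure is vulnerable. It assumes a pkgsrc tree under $PKGSRCDIR and that "make show-depends" prints one "pattern:../../category/pkg" line per dependency; both are assumptions, not something the mail states.

```shell
#!/bin/sh
# Added example (not the script from the mail above): audit a pkgsrc
# package and its whole dependency closure before building anything.
# Assumptions not taken from the mail: a pkgsrc tree under $PKGSRCDIR,
# and that "make show-depends" in a package directory prints one
# "pattern:../../category/pkg" line per dependency.
set -u

PKGSRCDIR="${PKGSRCDIR:-/usr/pkgsrc}"
MAKE="${MAKE:-make}"                 # use bmake on non-NetBSD hosts
PKG_ADMIN="${PKG_ADMIN:-pkg_admin}"

# pkgbase_of PKGNAME: strip the trailing -VERSION, e.g.
# "py37-foo-1.2nb3" -> "py37-foo".  A name without a version is left as is.
pkgbase_of() {
	case "$1" in
		*-[0-9]*) printf '%s\n' "${1%-*}" ;;
		*)        printf '%s\n' "$1" ;;
	esac
}

# dep_dir_of DEPENDS-ENTRY: "libX11>=1.6.3:../../x11/libX11" -> "x11/libX11".
# Returns 1 for a line that is not a pattern:dir pair.
dep_dir_of() {
	case "$1" in *:*) ;; *) return 1 ;; esac
	d="${1#*:}"          # drop the dependency pattern
	d="${d#../../}"      # DEPENDS paths are relative to the package directory
	printf '%s\n' "$d"
}

# pkgsrc_closure CATEGORY/PKG: print the PKGNAME of the package and of every
# package it (transitively) depends on, each exactly once, without building.
pkgsrc_closure() {
	seen=" "
	todo="$1"
	while [ -n "$todo" ]; do
		cur="${todo%% *}"                 # pop the head of the work list
		todo="${todo#"$cur"}"; todo="${todo# }"
		case "$seen" in *" $cur "*) continue ;; esac
		seen="$seen$cur "
		( cd "$PKGSRCDIR/$cur" && "$MAKE" show-var VARNAME=PKGNAME ) || return 1
		for dep in $(cd "$PKGSRCDIR/$cur" && "$MAKE" show-depends); do
			dir=$(dep_dir_of "$dep") || continue
			todo="$todo $dir"
		done
	done
}

# audit_pkgname PKGNAME: print the pkg-vulnerabilities entries whose package
# pattern matches PKGNAME (same audit-history / pmatch pairing as auditpkg()
# in the mail).
audit_pkgname() {
	base=$(pkgbase_of "$1")
	"$PKG_ADMIN" audit-history "$base" | while read -r entry; do
		pat="${entry%% *}"
		"$PKG_ADMIN" pmatch "$pat" "$1" 2>/dev/null && printf '%s\n' "$entry"
	done
}

# main CATEGORY/PKG: report every vulnerable package in the closure and exit
# non-zero if there is at least one, so the check can gate a build.
main() {
	[ $# -eq 1 ] || { echo "usage: $0 category/pkg" >&2; exit 2; }
	pkgs=$(pkgsrc_closure "$1") || exit 1
	vulnerable=0
	for p in $pkgs; do
		hits=$(audit_pkgname "$p")
		if [ -n "$hits" ]; then
			vulnerable=$((vulnerable + 1))
			printf '%s:\n%s\n' "$p" "$hits"
		fi
	done
	echo "$vulnerable vulnerable package(s) in the closure of $1" >&2
	[ "$vulnerable" -eq 0 ]
}

# Usage: ./auditdeps.sh www/apache24 && make package
if [ $# -gt 0 ]; then
	main "$@"
fi
```

Because the closure is computed from the package's own DEPENDS and not from what happens to be installed, the audit covers exactly the packages the build would fetch and build, which is what makes it safe to run before starting a long build; the non-zero exit status makes it easy to chain with `&&` in front of `make package`.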