aur-scanner 2.0.0

@HxHippy HxHippy released this 18 Jun 00:36
v2.0.0
07893f5

Major release: optional, opt-in threat-intelligence lookups (VirusTotal +
URLhaus), an active verdict cache, broader AUR-helper coverage (cache discovery,
shell wrappers, and a Nushell integration), and a global --no-color flag. The
default scan is unchanged — fully offline and static; threat intelligence stays
off until you enable it and supply your own keys.

Added — opt-in threat intelligence

  • VirusTotal & URLhaus lookups, wired in for real. The previously inert
    provider stubs are now working: with enable_threat_intel set and a key
    supplied (config or VT_API_KEY/VIRUSTOTAL_API_KEY/URLHAUS_AUTH_KEY), a new
    networked analyzer checks each declared sha256sums against VirusTotal and each
    source= URL against abuse.ch/URLhaus, emitting TI-VT-001 / TI-URLHAUS-001
    on a malicious verdict. Off by default — a default scan stays fully
    offline/static. Only data already public in the PKGBUILD (hashes, source URLs)
    is ever transmitted; every lookup fails open so a provider outage never blocks a
    scan. All third-party network code is isolated in a single auditable file
    (threat_intel/remote.rs). URLhaus requires the now-mandatory abuse.ch
    Auth-Key.

    The VirusTotal-by-hash approach is credited to @SuitablyMysterious, whose
    vt_lookup in PR #9 was the reference implementation.

  • Verdict caching is now active. The hardened, MAC-authenticated DiskCache
    (owner-only dir, per-user keyed integrity) — previously built but unwired — now
    caches threat-intel verdicts, so repeat lookups respect VirusTotal's 4-req/min
    public quota. Gated by CacheConfig; lookups are also capped per scan.
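The two items above describe one control-flow shape: lookups only happen when the feature is enabled, a cached verdict is reused before any network call, each scan gets a bounded number of lookups, and a provider error never fails the scan. The following Rust program is an added example written for this page, not aur-scanner's own code: the `Provider` trait, `Verdict` enum, offline `TableProvider`, `TiConfig` field `max_lookups_per_scan` and the in-memory cache are all assumptions standing in for the project's `threat_intel/remote.rs` and its MAC-authenticated DiskCache, which are not reproduced.

```rust
// Added example (not aur-scanner's own code): the opt-in, cached, per-scan-capped,
// fail-open lookup pattern described in the release notes. Provider trait, verdict
// enum, the offline TableProvider and the in-memory cache are assumptions standing
// in for the project's threat_intel/remote.rs and its MAC-authenticated DiskCache.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Verdict {
    Malicious,
    Clean,
    Unknown, // also the result when a provider is down or the per-scan cap is hit
}

/// A threat-intel backend. The real one speaks to VirusTotal / URLhaus over the
/// network; this example only ever uses the offline TableProvider below.
pub trait Provider {
    fn name(&self) -> &str;
    fn lookup(&self, key: &str) -> Result<Verdict, String>;
}

/// Constructed offline provider: canned answers plus a simulated outage switch.
pub struct TableProvider {
    pub name: String,
    pub answers: HashMap<String, Verdict>,
    pub outage: bool,
}

impl Provider for TableProvider {
    fn name(&self) -> &str {
        &self.name
    }
    fn lookup(&self, key: &str) -> Result<Verdict, String> {
        if self.outage {
            return Err(format!("{}: connection refused (simulated)", self.name));
        }
        Ok(*self.answers.get(key).unwrap_or(&Verdict::Unknown))
    }
}

pub struct TiConfig {
    pub enable_threat_intel: bool,  // mirrors the config key named in the notes
    pub max_lookups_per_scan: usize, // assumed cap; the real value is the project's
}

pub struct TiAnalyzer<'a> {
    cfg: TiConfig,
    provider: &'a dyn Provider,
    cache: HashMap<String, Verdict>, // stand-in for the on-disk verdict cache
    lookups_this_scan: usize,
}

impl<'a> TiAnalyzer<'a> {
    pub fn new(cfg: TiConfig, provider: &'a dyn Provider) -> Self {
        TiAnalyzer { cfg, provider, cache: HashMap::new(), lookups_this_scan: 0 }
    }

    /// Verdict for one hash or URL: cache first, then the provider, and never an
    /// error. An outage or an exhausted cap yields Unknown so the scan continues.
    pub fn verdict(&mut self, key: &str) -> Verdict {
        if !self.cfg.enable_threat_intel {
            return Verdict::Unknown; // off by default: no network at all
        }
        if let Some(v) = self.cache.get(key) {
            return *v; // repeat lookups do not spend quota
        }
        if self.lookups_this_scan >= self.cfg.max_lookups_per_scan {
            return Verdict::Unknown; // per-scan cap reached
        }
        self.lookups_this_scan += 1;
        match self.provider.lookup(key) {
            Ok(v) => {
                self.cache.insert(key.to_string(), v); // only real answers are cached
                v
            }
            Err(e) => {
                eprintln!("threat-intel: {e}; continuing without a verdict");
                Verdict::Unknown // fail open
            }
        }
    }

    pub fn lookups_made(&self) -> usize {
        self.lookups_this_scan
    }
}

/// Finding id for a malicious verdict, in the TI-<PROVIDER>-001 shape of
/// TI-VT-001 / TI-URLHAUS-001; any other verdict produces no finding.
pub fn finding_for(provider: &dyn Provider, v: Verdict) -> Option<String> {
    match v {
        Verdict::Malicious => Some(format!("TI-{}-001", provider.name().to_uppercase())),
        _ => None,
    }
}

fn main() {
    // Constructed sample: one known-bad hash, everything else unknown.
    let mut answers = HashMap::new();
    answers.insert("00".repeat(32), Verdict::Malicious);
    let vt = TableProvider { name: "vt".into(), answers, outage: false };
    let mut ti = TiAnalyzer::new(TiConfig { enable_threat_intel: true, max_lookups_per_scan: 4 }, &vt);
    for h in ["00".repeat(32), "11".repeat(32)] {
        let v = ti.verdict(&h);
        println!("{h}: {v:?} finding={:?}", finding_for(&vt, v));
    }
}
```

The design point worth noticing is that only successful provider answers are cached: a failed lookup returns Unknown for this scan but is retried next time, so a transient outage does not poison the cache, while a real "not found" is cached and stops spending the public-API quota.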

Added — broader AUR helper coverage

  • System audit and the pacman hook now cover every maintained AUR helper.
    Cache discovery spans yay, paru, pikaur, aura, pakku, trizen, aurutils, rua, and
    pat-aur — at each helper's real PKGBUILD location (e.g. pikaur's
    ~/.local/share/pikaur/aur_repos, rua's ~/.config/rua/pkg, trizen's
    ~/.cache/trizen/sources), with XDG *_HOME overrides honored.
  • Shell integration wraps more helpers (#6; diagnosis from @nikoraasu in #12).
    pikaur, trizen, and pakku join paru/yay as pre-build gates (they share
    pacman's -S/-Syu grammar); helpers with a different model (aura -A, and the
    subcommand tools aurutils/rua/pat-aur) are covered by the pacman hook instead.
  • Nushell integration (install/integration.nu, #5) — routes
    helper installs through the aur-scan-wrap gate; honors AUR_SCAN_ENABLED=0 and
    provides <helper>-unsafe bypasses. Verified on nushell 0.113.
  • pacman hook now sets NeedsTargets, so the transaction's package names reach
    the hook (it reads targets from stdin to locate each PKGBUILD).
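The cache-discovery and NeedsTargets items above fit together: the hook receives package names on stdin and has to map each one to a `<target>/PKGBUILD` under whichever helper cache holds it, with the XDG `*_HOME` variables overriding the defaults. The program below is an added example for this page, not aur-scanner's own code. It covers only the three helper locations the notes state (pikaur, rua, trizen); the `HELPER_CACHES` table, function names and the environment map passed in instead of reading the process environment are assumptions.

```rust
// Added example (not aur-scanner's own code): resolving the helper PKGBUILD cache
// directories the notes name for pikaur, rua and trizen under the XDG *_HOME
// overrides, then locating a transaction target's PKGBUILD the way a NeedsTargets
// pacman hook does (pacman hands it package names, one per line, on stdin).
// Function names, the HELPER_CACHES table and the env map are assumptions;
// helpers the notes give no path for are left out.
use std::collections::HashMap;
use std::io::Read;
use std::path::{Path, PathBuf};

/// Which XDG base directory a helper keeps its clones under.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum XdgBase {
    Data,
    Config,
    Cache,
}

impl XdgBase {
    fn env_var(self) -> &'static str {
        match self {
            XdgBase::Data => "XDG_DATA_HOME",
            XdgBase::Config => "XDG_CONFIG_HOME",
            XdgBase::Cache => "XDG_CACHE_HOME",
        }
    }
    fn default_subdir(self) -> &'static str {
        match self {
            XdgBase::Data => ".local/share",
            XdgBase::Config => ".config",
            XdgBase::Cache => ".cache",
        }
    }
}

/// (helper, XDG base, path below that base) for the locations stated in the notes.
pub const HELPER_CACHES: &[(&str, XdgBase, &str)] = &[
    ("pikaur", XdgBase::Data, "pikaur/aur_repos"),
    ("rua", XdgBase::Config, "rua/pkg"),
    ("trizen", XdgBase::Cache, "trizen/sources"),
];

/// XDG rule: an override counts only when it is an absolute path; otherwise
/// fall back to the spec default under $HOME.
pub fn xdg_base(base: XdgBase, home: &Path, env: &HashMap<String, String>) -> PathBuf {
    match env.get(base.env_var()) {
        Some(v) if Path::new(v).is_absolute() => PathBuf::from(v),
        _ => home.join(base.default_subdir()),
    }
}

/// Every helper cache root for this user, in HELPER_CACHES order.
pub fn helper_cache_dirs(home: &Path, env: &HashMap<String, String>) -> Vec<(String, PathBuf)> {
    HELPER_CACHES
        .iter()
        .map(|(helper, base, sub)| (helper.to_string(), xdg_base(*base, home, env).join(*sub)))
        .collect()
}

/// Parse the NeedsTargets payload. A target becomes a path component below,
/// so anything containing a separator or starting with '.' is dropped.
pub fn parse_targets(stdin: &str) -> Vec<String> {
    stdin
        .lines()
        .map(str::trim)
        .filter(|t| !t.is_empty() && !t.contains('/') && !t.starts_with('.'))
        .map(String::from)
        .collect()
}

/// Where each helper would keep <target>/PKGBUILD; existence is not checked here.
pub fn pkgbuild_candidates(target: &str, dirs: &[(String, PathBuf)]) -> Vec<PathBuf> {
    dirs.iter().map(|(_, d)| d.join(target).join("PKGBUILD")).collect()
}

/// The first candidate that exists on disk, if any.
pub fn locate_pkgbuild(target: &str, dirs: &[(String, PathBuf)]) -> Option<PathBuf> {
    pkgbuild_candidates(target, dirs).into_iter().find(|p| p.is_file())
}

fn main() {
    // Hook-style driver: real environment, targets from stdin (try: echo foo | ./this).
    let env: HashMap<String, String> = std::env::vars().collect();
    let home = PathBuf::from(env.get("HOME").cloned().unwrap_or_else(|| "/".into()));
    let dirs = helper_cache_dirs(&home, &env);
    let mut input = String::new();
    std::io::stdin().read_to_string(&mut input).expect("read targets from stdin");
    for target in parse_targets(&input) {
        match locate_pkgbuild(&target, &dirs) {
            Some(p) => println!("{target}: {}", p.display()),
            None => println!("{target}: no cached PKGBUILD found"),
        }
    }
}
```

Two details matter for a hook that runs with the transaction: a relative `XDG_*_HOME` value is ignored rather than joined onto the current directory, and a target name is only ever used as a single path component, so an odd line on stdin cannot steer the lookup outside the helper caches.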

Changed

  • Added a global --no-color flag; colored output also honors the NO_COLOR
    environment variable and auto-disables when not writing to a terminal.

Install

# stable
git clone https://aur.archlinux.org/aur-scanner.git && cd aur-scanner && makepkg -si

Docs: https://aur-scanner.kief.studio · the source tag is GPG-signed (key 25631EAE3F43999050B7D7021132BF893C33FB51).