Version 3.4.0 (2012-05-22)

 * include setup.py, shuffle files around a bit for this
 * update and add a few make targets
 * provide regularly updated vlists on netmeister.org; use those
 * unroll loops in Makefile so this works with gmake
 * default to rh5 and netbsd vlists
 * use relative path to 'yvc' in yvc.php
 * exit '2' if vulnerabilities were found
1 parent 4349195 commit 75a48301eb6486c62d8dcff00f3463c9d4106202 @jschauma committed May 22, 2012
Showing with 131 additions and 51 deletions.
  1. +9 −0 CHANGES
  2. +2 −0 MANIFEST.in
  3. +41 −34 Makefile
  4. +0 −1 TODO
  5. +8 −6 bin/{fetch-vlist.sh → fetch-vlist}
  6. +18 −0 bin/yvc
  7. +1 −1 conf/yvc.conf
  8. +9 −4 doc/man/fetch-vlist.1
  9. +14 −3 doc/man/yvc.1
  10. +1 −1 misc/yvc.php
  11. +18 −0 setup.py
  12. +1 −1 test/test.py
  13. 0 yahoo/__init__.py
  14. +9 −0 {lib → yahoo}/yvc.py
@@ -1,5 +1,14 @@
Changelog:
+Version 3.4.0 (2012-05-22)
+ * include setup.py, shuffle files around a bit for this
+ * update and add a few make targets
+ * provide regularly updated vlists on netmeister.org; use those
+ * unroll loops in Makefile so this works with gmake
+ * default to rh5 and netbsd vlists
+ * use relative path to 'yvc' in yvc.php
+ * exit '2' if vulnerabilities were found
+
Version 3.3.0 (2011-12-07)
* update redhat-oval->yvc converter to handle input as a stream
* update sample Makefile to include RH6 lists
@@ -0,0 +1,2 @@
+recursive-include doc man/*gz
+recursive-include conf *.conf
@@ -3,8 +3,7 @@
# This example Makefile can be used to maintain vulnerability list.
# See 'make help' for more information.
-# Location to which to upload the vlists.
-LOCATION="<hostname>:~/public_html/yvc/"
+PREFIX=/usr/local
RHEL_URL=http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.bz2
RHEL_XML=com.redhat.rhsa-all.xml.bz2
@@ -13,55 +12,63 @@ FBVLIST=fbvlist
RH4VLIST=rh4vlist
RH5VLIST=rh5vlist
RH6VLIST=rh6vlist
-YVLIST=yvlist
-LISTS= ${YVLIST} ${RH6VLIST} ${RH5VLIST} ${RH4VLIST} ${FBVLIST}
+LISTS= ${RH6VLIST} ${RH5VLIST} ${RH4VLIST} ${FBVLIST}
+MANPAGES=fetch-vlist.1 yvc.1 yvc.conf.5
GONERS= ${RH6VLIST}.in ${RH5VLIST}.in ${RH4VLIST}.in ${FBVLIST}.in \
- ${RHEL_XML}
+ ${RHEL_XML} MANIFEST
date!=date
-all: fetch sign upload
+all: fetch sign
help:
@echo "The following targets are available:"
- @echo "all sign + upload"
- @echo "clean remove any interim files"
- @echo "help print this help"
- @echo "sign sign the vulnerability list"
- @echo "upload upload the vulnerability list"
+ @echo "clean remove any interim files"
+ @echo "fetch retrieve the different vulnerability lists"
+ @echo "help print this help"
+ @echo "install install yvc and fetch-vlist"
+ @echo "rpm build an RPM"
+ @echo "sign sign the vulnerability list"
+ @echo "uninstall uninstall yvc and fetch-vlist"
+
+install: man-compress
+ python setup.py install
+
+uninstall:
+ @echo "Sorry, setup.py apparently can't do that."
+ @echo "Your best bet is to run 'python setup.py install --record /tmp/f'"
+ @echo "followed by 'xargs rm -f </tmp/f'"
+
+rpm: man-compress
+ python setup.py bdist_rpm
+
+man-compress:
+ @for f in ${MANPAGES}; do \
+ gzip -9 doc/man/$${f} -c > doc/man/$${f}.gz; \
+ done;
+
fetch: ${RHEL_XML}
${RHEL_XML}:
wget -q ${RHEL_URL}
-sign: ${LISTS}
+lists: fetch ${LISTS}
-${YVLIST}: ${YVLIST}.in
- gpg -o ${YVLIST} --clearsign ${YVLIST}.in
- chmod a+r ${YVLIST}
+${FBVLIST}:
+ echo "# Generated on ${date}" > ${FBVLIST}
+ perl ./misc/harvest_freebsd_yvc.pl >> ${FBVLIST}
-${FBVLIST}: ${FBVLIST}.in
- gpg -o ${FBVLIST} --clearsign ${FBVLIST}.in
- chmod a+r ${FBVLIST}
+rh4vlist:
+ python ./misc/redhat_oval_to_yvc.py 4 | sort -u > rh4vlist
-${FBVLIST}.in:
- echo "# Generated on ${date}" > ${FBVLIST}.in
- perl ./misc/harvest_freebsd_yvc.pl >> ${FBVLIST}.in
+rh5vlist:
+ python ./misc/redhat_oval_to_yvc.py 5 | sort -u > rh5vlist
-.for n in ${RH_VERSIONS}
-
-rh${n}vlist.in:
- python ./misc/redhat_oval_to_yvc.py ${n} | sort -u > rh${n}vlist.in
-
-rh${n}vlist: rh${n}vlist.in
- gpg -o $@ --clearsign $>
- chmod a+r $>
-.endfor
-
-upload: sign
- scp ${LISTS} ${LOCATION}
+rh6vlist:
+ python ./misc/redhat_oval_to_yvc.py 6 | sort -u > rh6vlist
clean:
- rm -f ${LISTS} ${GONERS}
+ rm -f ${LISTS} ${GONERS} doc/man/*gz
+ rm -fr build dist
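Review bot: `all: fetch sign` and the `help` text still advertise a `sign` target, but the only `sign:` rule visible in this section (`sign: ${LISTS}`) is removed and replaced by `lists:`, so a bare `make` should now fail with a missing rule unless `sign` is defined elsewhere in the file. The more important consequence is what that rule used to do: every `gpg --clearsign` recipe is gone, so the rh4/rh5/rh6/fb lists that fetch-vlist now downloads from netmeister.org are plain, unauthenticated text. If signing is meant to stay, restore something like `sign: ${LISTS}` / `for f in ${LISTS}; do gpg --clearsign -o $${f}.asc $${f} && chmod a+r $${f}.asc; done` and publish the signatures next to the lists; if it is intentionally dropped, take `sign` out of `all` and `help` so the default target works. Since none of these targets name a file, a `.PHONY: all help fetch lists sign clean install uninstall rpm man-compress` line would also stop a stray file called `clean` or `fetch` from silently disabling them.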
@@ -4,6 +4,5 @@ package for public:
- write configure script to handle fetch-vlist:
- determine appropriate vlists to use
- provide option for place to upload/download
- - write python magic to install correctly
review helper scripts to ensure they work (efficiently) on all platforms
@@ -28,15 +28,17 @@ TMPFILES=""
##
## Modify this section to specify where to fetch your vlists from.
##
-NLISTS=4
+NLISTS=5
VLIST1="http://ftp.netbsd.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities"
-VLIST1_LOCATION="/usr/local/var/var/yvc/nbvlist"
-VLIST2="http://<somewhere>/yvc/fbvlist"
+VLIST1_LOCATION="/usr/local/var/yvc/nbvlist"
+VLIST2="http://www.netmeister.org/apps/yvc/fbvlist"
VLIST2_LOCATION="/usr/local/var/yvc/fbvlist"
-VLIST3="http://<somewhere>/yvc/rh4vlist"
+VLIST3="http://www.netmeister.org/apps/yvc/rh4vlist"
VLIST3_LOCATION="/usr/local/var/yvc/rh4vlist"
-VLIST4="http://<somewhere>/yvc/rh5vlist"
+VLIST4="http://www.netmeister.org/apps/yvc/rh5vlist"
VLIST4_LOCATION="/usr/local/var/yvc/rh5vlist"
+VLIST5="http://www.netmeister.org/apps/yvc/rh6vlist"
+VLIST5_LOCATION="/usr/local/var/yvc/rh6vlist"
WGET="wget"
WGET_FLAGS="-t 1 -T 10 -q"
@@ -134,7 +136,7 @@ installFile() {
local final=${2}
${DONT} cmp -s ${tmpfile} ${final} || {
- ${DONT} mv ${tmpfile} ${final} && \
+ ${DONT} mv -f ${tmpfile} ${final} && \
${DONT} chmod 444 ${final}
}
}
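Review bot: The five default lists are now pulled over plain `http://` (VLIST1–VLIST5) and, with the signing step removed from the Makefile in this same commit, `installFile` moves whatever `wget` returned straight into `/usr/local/var/yvc/` with no integrity check; an on-path attacker or a compromised mirror can serve a trimmed list and every later `yvc` run reports the host as clean. At minimum fetch over `https://` where the host supports it, and preferably fetch a detached signature and verify it before the file is installed, e.g. `gpg --verify ${tmpfile}.asc ${tmpfile} || return 1` ahead of the `cmp`. `installFile` itself begins before this hunk; the switch to `mv -f` is fine, since the final file is only replaced when `cmp` reports a difference.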
@@ -0,0 +1,18 @@
+#! /usr/local/bin/python
+#
+# Copyright (c) 2008,2010 Yahoo! Inc.
+#
+# Originally written by Jan Schaumann <jschauma@yahoo-inc.com> in July 2008.
+#
+# The entire functionality of the yvc(1) tool is found in the
+# yahoo.yvc.Checker class. This script just invokes the 'main' function
+# provided by yahoo.yvc.
+
+###
+### Main
+###
+
+if __name__ == "__main__":
+ import sys
+ from yahoo.yvc import main
+ main(sys.argv[1:])
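Review bot: The shebang `#! /usr/local/bin/python` on the first line disagrees with `setup.py`'s `#! /usr/bin/env python`; distutils' build_scripts normally rewrites the interpreter line of installed scripts, so in practice this only bites when `bin/yvc` is run from the source tree, where a host without `/usr/local/bin/python` gets "bad interpreter". Use the same `#! /usr/bin/env python` line here for consistency. The header comment could also state the exit-status contract that shell callers of this wrapper depend on, e.g. `# Exits 0 if no vulnerabilities were found, 2 if some were, 1 on error.`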
@@ -13,7 +13,7 @@
# IGNORE_URLS = http://online.securityfocus.com/archive/1/272180
# The files in which the list of vulnerabilities are found.
-VLISTS = /usr/local/var/yvc/fbvlist
+VLISTS = /usr/local/var/yvc/rh5vlist /usr/local/var/yvc/nbvlist
# Level of verbosity.
#VERBOSITY = 1
@@ -1,6 +1,6 @@
.\" Copyright (c) 2008,2009,2010 Yahoo! Inc.
.\"
-.Dd September 30, 2010
+.Dd May 15, 2012
.Dt FETCH-VLIST 1
.Os
.Sh NAME
@@ -43,7 +43,7 @@ The following lists may be downloaded and installed by
.It fbvlist
A list of vulnerabilities known in the FreeBSD ports collection, derived
from http://www.freebsd.org/ports/portaudit/ and fetched from
-http://<hostname>/yvc/fbvlist.
+http://www.netmeister.org/apps/yvc/fbvlist.
.It nbvlist
A list of vulnerabilities provided by the NetBSD Project.
See http://www.netbsd.org/support/security/#check-pkgsrc for details.
@@ -53,12 +53,17 @@ http://ftp.netbsd.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities.
A list of vulnerabilities known in RHEL4, derived from
http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.bz2 and
fetched from
-http://<hostname>/yvc/rh4vlist.
+http://www.netmeister.org/apps/yvc/rh4vlist.
.It rh5vlist
A list of vulnerabilities known in RHEL5, derived from
http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.bz2 and
fetched from
-http://<hostname>/yvc/rh5vlist.
+http://www.netmeister.org/apps/yvc/rh5vlist.
+.It rh6vlist
+A list of vulnerabilities known in RHEL6, derived from
+http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.bz2 and
+fetched from
+http://www.netmeister.org/apps/yvc/rh6vlist.
.El
.Sh EXIT STATUS
.Ex -std
@@ -1,6 +1,7 @@
.\" Copyright (c) 2008,2009,2010 Yahoo! Inc.
+.\" Copyright (c) 2011, 2012 Jan Schaumann <jschauma@netmeister.org>
.\"
-.Dd April 20, 2011
+.Dd May 22, 2012
.Dt YVC 1
.Os
.Sh NAME
@@ -175,9 +176,16 @@ To check all rpms on the host
ssh hostname.yahoo.com "rpm -qa" | yvc
.Ed
.Sh EXIT STATUS
-.Ex -std
+.Nm
+returns zero if no errors were encountered and no vulnerabilities were
+found.
+If any vulnerabilities were found,
+.Nm
+will return an exit status of '2'.
+.Pp
+An exit status of '1' indicates some sort of unexpected error.
.Sh FILES
-.Bl -tag -width _home_y_var_yvc_nbvlist_
+.Bl -tag -width _home_y_var_yvc_rh6vlist__
.It /usr/local/etc/yvc.conf
The
.Nm
@@ -194,6 +202,9 @@ http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.bz2 .
.It /usr/local/var/yvc/rh5vlist
A list of vulnerabilities known in RHEL5, derived from
http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.bz2 .
+.It /usr/local/var/yvc/rh6vlist
+A list of vulnerabilities known in RHEL6, derived from
+http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.bz2 .
.El
.Sh SEE ALSO
.Xr fetch-vlist 1 ,
@@ -23,7 +23,7 @@
$cwd = '/tmp';
- $process = proc_open('/usr/local/bin/yvc', $dsc, $pipes, NULL, NULL);
+ $process = proc_open('yvc', $dsc, $pipes, NULL, NULL);
if (is_resource($process)) {
fwrite($pipes[0], $pkgs);
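Review bot: `proc_open('yvc', …)` now resolves the binary through the web server's PATH, so which `yvc` runs — or whether one runs at all — depends on the server's environment rather than on the script, whereas the old absolute path at least pinned it. Keep the flexibility but make it an explicit, overridable setting near the top of the script, e.g. `$yvc = getenv('YVC_BIN') ?: 'yvc';` and `$process = proc_open($yvc, $dsc, $pipes, NULL, NULL);`, or pass an explicit `env` array as the fifth argument so PATH is under the script's control. The package list written on the next line still reaches `yvc` only via stdin, so the change adds no shell-argument injection surface.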
@@ -0,0 +1,18 @@
+#! /usr/bin/env python
+
+from distutils.core import setup
+
+setup(name = 'yvc',
+ version = '3.3.1',
+ description = 'a software package vulnerability check',
+ author = 'Jan Schaumann',
+ author_email = 'jschauma@netmeister.org',
+ license = 'BSD',
+ url = 'http://www.netmeister.org/apps/yvc/',
+ long_description = 'yvc compares the given package name against the list of known vulnerabilities and reports any security issues. This output contains the name and version of the package, the type of vulnerability, and a URL for further information for each vulnerable package.',
+ py_modules = [ 'yahoo.yvc' ],
+ scripts = [ 'bin/yvc', 'bin/fetch-vlist' ],
+ data_files = [ ('share/man/man1', [ 'doc/man/fetch-vlist.1.gz', 'doc/man/yvc.1.gz' ]),
+ ('share/man/man5', [ 'doc/man/yvc.conf.5.gz' ]),
+ ('etc', [ 'conf/yvc.conf' ]), ]
+ )
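Review bot: `version = '3.3.1'` does not match the `Version 3.4.0` this commit records in CHANGES and the man pages, so the RPM from `make rpm` and the distutils metadata carry the wrong version; change it to `version = '3.4.0',`. The `('etc', ['conf/yvc.conf'])` entry installs the config relative to the install prefix, while yvc.1 in this commit documents `/usr/local/etc/yvc.conf`; under the `/usr` prefix an RPM build typically uses, that appears to land in `/usr/etc/yvc.conf`, which the tool may never read — worth confirming against where `yahoo/yvc.py` looks for its config.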
@@ -8,7 +8,7 @@
# A unittest for functionality in yvc.py.
import sys
-sys.path.append("../lib/")
+sys.path.append("../yahoo/")
from distutils.version import LooseVersion
import ConfigParser
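Review bot: `sys.path.append("../yahoo/")` lets the test import the module as a top-level `yvc`, but the code now ships as the package `yahoo.yvc` (see `py_modules` in setup.py); loading it under a different module name than `bin/yvc` uses can hide packaging problems, and the relative path only works when the test is run from inside `test/`. Prefer `sys.path.insert(0, os.path.join(os.path.dirname(os.path.abspath(__file__)), '..'))` followed by `from yahoo import yvc`. The line that actually imports the module is outside this hunk, so adjust it to match.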
@@ -40,6 +40,7 @@ class Checker(object):
EXIT_ERROR = 1
EXIT_SUCCESS = 0
+ EXIT_VULNERABLE = 2
def __init__(self):
"""Construct a Checker object with default values."""
@@ -61,6 +62,8 @@ def __init__(self):
self.__vulns = []
+ self.vulnerable = False
+
def _setVerbosity(self, f):
"""set the verbosity based on the given factor"""
@@ -110,6 +113,7 @@ def checkPackage(self, package):
continue
logging.log(15, "Checking package '%s' against %s..." % (package, v.url))
if v.match(pkg):
+ self.vulnerable = True
sev = ""
if v.severity:
sev = " %s" % v.severity
@@ -571,6 +575,11 @@ def main(args):
else:
doStdin(checker)
+ if checker.vulnerable:
+ sys.exit(checker.EXIT_VULNERABLE)
+ else:
+ sys.exit(checker.EXIT_SUCCESS)
+
except KeyboardInterrupt:
# catch ^C, so we don't get a "confusing" python trace
sys.exit(checker.EXIT_ERROR)
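Review bot: The exit status in `main` is derived only from `checker.vulnerable`, so a run that skipped a list (the `continue` at the top of `checkPackage`, whatever triggers it) or hit some other non-fatal problem but matched nothing exits 0, indistinguishable from a verified-clean host — while the man page in this commit promises 1 for "some sort of unexpected error". If the checker already records such problems, fold them into the decision before exiting; otherwise consider an `errors` flag next to `vulnerable` and decide which of the two statuses should win. The two-branch `if`/`else` also collapses to one line: `sys.exit(checker.EXIT_VULNERABLE if checker.vulnerable else checker.EXIT_SUCCESS)`. Both `main` and `checkPackage` begin outside this hunk.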
