authorStefan Eßer <se@FreeBSD.org>2017-10-12 11:00:49 +0000
committerStefan Eßer <se@FreeBSD.org>2017-10-12 11:00:49 +0000
commit7bd275a7c67a9c0b199144868cca3d9cd8b6714c (patch)
tree2a18d5f0b1e2453e27c14cce2579135dcf49fc5c /security
parenta0e2d9766140959701f297f0029aea7020af01f4 (diff)
Check installed packages for vulnerabilities recorded in the CVE database.
Approved by: antoine (mentor)
Notes
Notes: svn path=/head/; revision=451847
Diffstat (limited to 'security')
-rw-r--r--security/cvechecker/Makefile47
-rw-r--r--security/cvechecker/distinfo3
-rw-r--r--security/cvechecker/files/patch-scripts_cverules37
-rw-r--r--security/cvechecker/pkg-deinstall13
-rw-r--r--security/cvechecker/pkg-descr11
-rw-r--r--security/cvechecker/pkg-plist21
6 files changed, 132 insertions, 0 deletions
diff --git a/security/cvechecker/Makefile b/security/cvechecker/Makefile
new file mode 100644
index 000000000000..aa6a924d76cf
--- /dev/null
+++ b/security/cvechecker/Makefile
@@ -0,0 +1,47 @@
+# Created by: Stefan Esser <se@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME= cvechecker
+PORTVERSION= 3.8
+CATEGORIES= security
+
+MAINTAINER= se@FreeBSD.org
+COMMENT= Check CVE database for vulnerabilities affecting installed packages
+
+LICENSE= GPLv3
+
+LIB_DEPENDS= libargp.so:devel/argp-standalone \
+ libconfig.so:devel/libconfig
+RUN_DEPENDS= bash:shells/bash
+
+MAKE_ENV+= LDADD=-largp
+
+USES= autoreconf pkgconfig shebangfix
+
+SHEBANG_FILES= scripts/cverules scripts/cvegenversdat
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS= --localstatedir=/var/db
+
+bash_OLD_CMD+= /bin/sh
+
+OPTIONS_MULTI= DB
+OPTIONS_MULTI_DB= MYSQL SQLITE
+OPTIONS_DEFAULT= SQLITE
+DB_DESC= CVE Database
+
+MYSQL_USES= mysql ssl
+MYSQL_CONFIGURE_ENABLE= mysql
+
+SQLITE_USES= sqlite
+SQLITE_CONFIGURE_ENABLE= sqlite3
+
+USE_GITHUB= yes
+GH_ACCOUNT= sjvermeu
+GH_PROJECT= cvechecker
+GH_TAGNAME= v${PORTVERSION}
+
+post-stage:
+ ${MV} ${STAGEDIR}${PREFIX}/etc/cvechecker.conf ${STAGEDIR}${PREFIX}/etc/cvechecker.conf.sample
+
+.include <bsd.port.mk>
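Review bot: The two non-obvious knobs in this Makefile, `MAKE_ENV+= LDADD=-largp` and `bash_OLD_CMD+= /bin/sh`, carry no comment saying why they exist, so a reader has to correlate them with the LIB_DEPENDS and RUN_DEPENDS lines to work it out. I would put `# argp is not in FreeBSD libc; link devel/argp-standalone explicitly` above the MAKE_ENV line and `# the listed scripts declare #!/bin/sh but are run with bash; shebangfix rewrites them` above the bash_OLD_CMD line. The plist also installs bin/pullcves and bin/cvereport; if those are shell scripts with the same reliance on bash, they would need to appear in SHEBANG_FILES as well, which cannot be verified from this diff alone.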
diff --git a/security/cvechecker/distinfo b/security/cvechecker/distinfo
new file mode 100644
index 000000000000..e3e57d1cf02c
--- /dev/null
+++ b/security/cvechecker/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1507628153
+SHA256 (sjvermeu-cvechecker-3.8-v3.8_GH0.tar.gz) = 53a2f0edab34ea75d3d33b8c840f27c60464f0433c2b82bc8b02298306c53268
+SIZE (sjvermeu-cvechecker-3.8-v3.8_GH0.tar.gz) = 3329220
diff --git a/security/cvechecker/files/patch-scripts_cverules b/security/cvechecker/files/patch-scripts_cverules
new file mode 100644
index 000000000000..d5fb28415300
--- /dev/null
+++ b/security/cvechecker/files/patch-scripts_cverules
@@ -0,0 +1,37 @@
+--- scripts/cverules.orig 2017-10-11 10:44:44 UTC
++++ scripts/cverules
+@@ -19,26 +19,11 @@ then
+ fi
+
+
+-if [ -f /etc/gentoo-release ];
+-then
+- cd /var/db/pkg;
+- for CAT in *;
+- do
+- cd ${CAT};
+- for PKG in *;
+- do
+- echo "!!!! Checking ${PKG}";
+- typeset PKGNAME=$(echo ${PKG} | sed -e 's:\(.*\)-[0-9][0-9]*.*:\1:g');
+- typeset PKGVERSION=$(echo ${PKG} | sed -e 's:.*-\([0-9][0-9]*.*\):\1:g' | sed -e 's:-r[0-9]*$::g' | sed -e 's:\.:\\.:g');
+- export IGNORESTRINGS="tmp/portage";
+- qlist ${PKG} | egrep '(bin/|\.so)' | cvegenversdat ${PKGNAME} ${PKGVERSION} ${CONFFILE} breakon;
+- done
+- cd ..
+- done
+-else
+- echo "Could not deduce if this system is a supported distribution or platform.";
+- echo "Currently supported platforms are: Gentoo."
+- echo "If you wish to help expand the supported distributions or platforms, please";
+- echo "do not hesitate to contact the author at sven.vermeulen@siphos.be.";
+- exit 1;
+-fi
++for PKG in $(pkg info -q)
++do
++ echo "!!!! Checking ${PKG}"
++ set -- $(echo ${PKG} | sed -e 's:,[0-9][0-9]*$::; s:_[0-9][0-9]*$::; s:\(.*\)-r\{0,1\}\([0-9][0-9]*.*\):\1 \2:; s:\.:\\.:g')
++ PKGNAME=$1
++ PKGVERSION=$2
++ pkg list ${PKG} | egrep '(/bin/|/sbin/|/libexec/|\.so\.|\.so$)' | cvegenversdat ${PKGNAME} ${PKGVERSION} ${CONFFILE} breakon
++done
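Review bot: The dot-escaping `s:\.:\\.:g` in the new sed expression runs after the name/version split, so it is applied to PKGNAME as well as PKGVERSION, whereas the removed branch escaped dots only in PKGVERSION; a package whose name contains a dot is now handed to cvegenversdat with a backslash in it. If that is unintended, keep the split in the first sed, drop its `s:\.:\\.:g`, and escape only the version afterwards, e.g. `PKGVERSION=$(echo "$2" | sed -e 's:\.:\\.:g')`. The `pkg list ${PKG}` call appears to rely on the default `list` alias from pkg.conf; `pkg info -ql ${PKG}` would not depend on the user's alias configuration. Should a package name ever fail to match the split pattern, `$2` is empty and the unquoted `${PKGVERSION}` silently shifts `${CONFFILE}` into the version argument, so a `[ -n "$2" ] || continue` guard after the `set --` line would make that visible. The enclosing script continues outside the hunk: the `fi` at the top closes a conditional that is not shown.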
diff --git a/security/cvechecker/pkg-deinstall b/security/cvechecker/pkg-deinstall
new file mode 100644
index 000000000000..030fa9b88d3c
--- /dev/null
+++ b/security/cvechecker/pkg-deinstall
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+[ "$2" = DEINSTALL ] && cat <<***EOM
+------------------------------------------------------------------------------
+
+If you are no longer using the $1 port, then manually delete
+the following directory:
+
+ /var/db/cvechecker
+
+------------------------------------------------------------------------------
+***EOM
+exit 0
diff --git a/security/cvechecker/pkg-descr b/security/cvechecker/pkg-descr
new file mode 100644
index 000000000000..1b5d083d87d8
--- /dev/null
+++ b/security/cvechecker/pkg-descr
@@ -0,0 +1,11 @@
+------------------------------------------------------------------------------
+The goal of cvechecker is to report about possible vulnerabilities on your
+system, by scanning a list of installed software and matching results with
+the CVE database.
+
+This is not a bullet-proof method and you may have many false positives (ie:
+vulnerability is fixed with a revision-release, but the tool isn't able to
+detect the revision itself), yet it is still better than nothing, especially
+if you are running a distribution with little security coverage.
+
+WWW: https://github.com/sjvermeu/cvechecker/wiki
diff --git a/security/cvechecker/pkg-plist b/security/cvechecker/pkg-plist
new file mode 100644
index 000000000000..019778f5eb22
--- /dev/null
+++ b/security/cvechecker/pkg-plist
@@ -0,0 +1,21 @@
+bin/cvechecker
+bin/cvegenversdat
+bin/cvereport
+bin/cverules
+bin/pullcves
+@sample %%ETCDIR%%.conf.sample
+man/man1/cvechecker.1.gz
+man/man1/cvegenversdat.1.gz
+man/man1/cvereport.1.gz
+man/man1/cverules.1.gz
+man/man1/pullcves.1.gz
+%%DATADIR%%/csv2xml.awk
+%%DATADIR%%/cvereport.xsl
+%%DATADIR%%/mysql_cvechecker.sql
+%%DATADIR%%/nvdcve2simple.xsl
+%%DATADIR%%/report.css
+%%PORTDOCS%%%%DOCSDIR%%/acknowledgements.xml
+%%PORTDOCS%%%%DOCSDIR%%/userguide.xml
+@dir /var/db/cvechecker/cache
+@dir /var/db/cvechecker/local
+@dir /var/db/cvechecker