On Tue, 23 Aug 2016, Roger Marquis wrote:
>> There should be a way to state that the sysadmin is aware of the
>> outdated port and prevent pkg audit from reporting it
>
> Agreed though I expect such a report would see little use.
I maintain a local patch to preserve this functionality, which was in
portaudit but not in pkg audit. Perhaps not bulletproof, but simple
enough to be sure it does what I want it to do.
Just drop the attached file into /usr/ports/ports-mgmt/pkg/files/ and put
the VuXML IDs you want ignored into /usr/local/etc/portaudit.conf.
(Easy enough to edit the patch if you prefer pkg.conf or another location.)
This allows the administrator to evaluate each vulnerability entry,
decide if it affects a system or not, and document that decision.
There are issues with this solution when VuXML entries are edited after
the fact to add new packages to the list, but it is better than nothing.
(I'd argue that any such edits should require a new VuXML ID to be used.)
Hope this helps,
- Tim
--- libpkg/pkg_audit.c.orig 2014-10-29 03:48:12.000000000 -0500
+++ libpkg/pkg_audit.c 2014-12-30 15:37:05.000000000 -0600
@@ -140,6 +140,8 @@
bool loaded;
void *map;
size_t len;
+ void *ignore;
+ size_t ignore_len;
};
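Review bot: the two new struct members carry no comment on what they hold or who releases them. `ignore` is only ever used as text (it is passed to strnstr() in the later hunk), so declaring it `char *` and documenting that it is an mmap'd copy of portaudit.conf that must be munmap'd alongside `map` would make the ownership clear to whoever touches the struct next.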
@@ -802,6 +804,10 @@
if (fnmatch(e->pkgname, pkg->name, 0) != 0)
continue;
+ /* ignore by id in /usr/local/etc/portaudit.conf */
+ if (audit->ignore_len &&
strnstr(audit->ignore,e->id,audit->ignore_len))
+ continue;
+
if (pkg->version == NULL) {
/*
* Assume that all versions should be checked
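Review bot: the suppression test `strnstr(audit->ignore, e->id, audit->ignore_len)` is a raw substring search over the whole file, not a match against a list of IDs. Any text in the file that contains the ID suppresses the entry, so a `#` comment such as "not yet reviewed: <id>" would silently hide it, and an empty `e->id` would match every file and suppress everything. Parsing the file line by line (skip blanks and `#` comments, then strcmp() the token against `e->id`) gives an exact match and lets the admin annotate decisions in the same file, which is the documentation use case the mail describes. Also, as pasted the continuation line `strnstr(audit->ignore,e->id,audit->ignore_len))` has no leading `+`, so the hunk must be re-joined before patch(1) will apply it.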
@@ -872,6 +878,21 @@
audit->len = st.st_size;
audit->loaded = true;
+ audit->ignore = 0;
+ audit->ignore_len = 0;
+ if (stat("/usr/local/etc/portaudit.conf", &st) == -1)
+ return (EPKG_OK);
+ if ((fd = open("/usr/local/etc/portaudit.conf", O_RDONLY)) == -1)
+ return (EPKG_OK);
+ if ((mem = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0)) ==
MAP_FAILED) {
+ close(fd);
+ return (EPKG_OK);
+ }
+ close(fd);
+
+ audit->ignore = mem;
+ audit->ignore_len = st.st_size;
+
return (EPKG_OK);
}
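Review bot: nothing in the patch ever unmaps `audit->ignore`; wherever `audit->map` is released, `munmap(audit->ignore, audit->ignore_len)` needs to go with it, otherwise every load leaks the mapping. Two smaller points in the same hunk: `stat()` on the path followed by `open()` is a classic stat/open race, and `fstat(fd, &st)` after the open removes it while guaranteeing the size belongs to the descriptor actually mapped; and every failure (missing file, unreadable file, zero-length file making mmap() fail) returns EPKG_OK silently. Failing towards "report everything" is the right direction, but a warning on a file that exists yet cannot be read would save an admin from wondering why their ignore list stopped working. `audit->ignore = 0;` should be `NULL` for a pointer, and the continuation line `MAP_FAILED) {` lacks its `+` marker as pasted.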
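The mail points out that an ignored VuXML entry can later be edited to cover additional packages, so a decision recorded against the ID alone can go stale. The following is an added example, not part of the original mail or of pkg itself: a small checker that records which package names an ignored entry covered when the admin reviewed it and flags entries that now list more. The VuXML structure used (`vuln/@vid`, `affects/package/name`, the 1.0 namespace) follows the published schema; the ignore file, the vuln.xml excerpt and the recorded snapshot are all constructed sample data, and the ignore-file format (one ID per line, `#` comments) is this example's assumption rather than anything pkg defines.

```python
"""Re-check a portaudit-style ignore list against VuXML (added example)."""
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/2004/vuxml-1.0}"

# Constructed ignore file: one VuXML ID per line, '#' comments allowed.
# Tokens are matched exactly, so a comment that mentions an ID does not
# suppress that entry (unlike a raw substring search over the file).
IGNORE_CONF = """\
# reviewed 2016-08: only the server component is affected, not installed here
11111111-1111-1111-1111-111111111111
22222222-2222-2222-2222-222222222222   # accepted risk on this host
"""

# Constructed vuln.xml excerpt. The second entry has since been edited to
# also cover 'libbar', which was never evaluated by the admin.
VULN_XML = """\
<vuxml xmlns="http://www.vuxml.org/2004/vuxml-1.0">
  <vuln vid="11111111-1111-1111-1111-111111111111">
    <topic>foo -- example issue</topic>
    <affects><package><name>foo</name><range><lt>1.2</lt></range></package></affects>
  </vuln>
  <vuln vid="22222222-2222-2222-2222-222222222222">
    <topic>bar -- example issue</topic>
    <affects>
      <package><name>bar</name><range><lt>2.0</lt></range></package>
      <package><name>libbar</name><range><lt>2.0</lt></range></package>
    </affects>
  </vuln>
</vuxml>
"""

# Constructed record of what each ignored entry covered when it was reviewed
# (in practice this would be a small JSON file kept next to the ignore list).
RECORDED = {
    "11111111-1111-1111-1111-111111111111": {"foo"},
    "22222222-2222-2222-2222-222222222222": {"bar"},
}


def parse_ignore_list(text):
    """Return the set of IDs in an ignore file, skipping comments and blank lines."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line.split()[0])
    return ids


def affected_packages(vuxml_text):
    """Map each vid in a VuXML document to the set of package names it lists."""
    root = ET.fromstring(vuxml_text)
    path = f"{VUXML_NS}affects/{VUXML_NS}package/{VUXML_NS}name"
    result = {}
    for vuln in root.iter(VUXML_NS + "vuln"):
        names = {n.text.strip() for n in vuln.findall(path) if n.text}
        result[vuln.get("vid")] = names
    return result


def stale_ignores(ignored, current, recorded):
    """Return ({vid: packages added since review}, {vids no longer in the DB}).

    An entry whose package list grew must be re-evaluated: the original
    decision only covered the packages recorded at review time.
    """
    grown = {}
    missing = set()
    for vid in sorted(ignored):
        if vid not in current:
            missing.add(vid)
            continue
        added = current[vid] - recorded.get(vid, set())
        if added:
            grown[vid] = added
    return grown, missing


if __name__ == "__main__":
    ignored = parse_ignore_list(IGNORE_CONF)
    grown, missing = stale_ignores(ignored, affected_packages(VULN_XML), RECORDED)
    for vid, pkgs in grown.items():
        print(f"re-evaluate {vid}: now also affects {', '.join(sorted(pkgs))}")
    for vid in sorted(missing):
        print(f"unknown id in ignore list: {vid}")
```

Run against the real files by reading /usr/local/etc/portaudit.conf and the vuln.xml that pkg audit fetched instead of the inline strings; an entry reported by `stale_ignores` is exactly the "edited after the fact" case the mail warns about, and the admin either adds the new package to the recorded snapshot after reviewing it or drops the ID from the ignore list.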