ZOSOpenTools / meta

Meta repository to tie together the various underlying z/OS Open Source tools repositories here
https://zosopentools.github.io/meta/
Apache License 2.0

Add zopen audit command to check installed packages for vulnerabilities #770

Closed KeplerBoyce closed 4 weeks ago

KeplerBoyce commented 1 month ago

Adds a zopen audit command that gets the commit hashes of all installed packages and looks in the zopen_vulnerability.json file generated by #765 for vulnerabilities associated with those releases.

Sample of what the command output looks like:

$ zopen audit
MEDIUM severity found for gitdummy:
CVE-2022-33068
An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

HIGH severity found for gitdummy:
CVE-2023-25193
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

CVE Summary:
2 vulnerabilities (0 low, 1 moderate, 1 high, 0 critical)

In the future, this command could also show if newer versions of any packages are available that resolve any vulnerabilities, and another option could be added to upgrade all such packages.
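As an added illustration (not zopen's own code) of the lookup the PR describes, the script below matches installed packages' commit hashes against a vulnerability database and prints a per-severity summary in the same shape as the sample output, adding a non-zero exit code so a CI job can fail on findings. The schema of zopen_vulnerability.json, the package names, commit hashes and the CVE-XXXX placeholder record are all constructed assumptions for this example.

```python
import json
from collections import Counter

# Constructed sample of zopen_vulnerability.json; its real schema is an assumption
# for this example: package -> commit hash -> list of CVE records.
VULN_DB_JSON = """{
  "gitdummy": {"abc123def": [
    {"id": "CVE-2022-33068", "severity": "MEDIUM", "description": "integer overflow in hb-ot-shape-fallback.cc"},
    {"id": "CVE-2023-25193", "severity": "HIGH", "description": "O(n^2) growth in hb-ot-layout-gsubgpos.hh"}]},
  "othertool": {"deadbeef01": [
    {"id": "CVE-XXXX-PLACEHOLDER", "severity": "CRITICAL", "description": "constructed placeholder"}]}
}"""
VULN_DB = json.loads(VULN_DB_JSON)  # parsed once; a real tool would read the file

# Constructed installed-package map: package -> commit hash of the installed release.
# 'othertool' is installed at a different commit, so its record must not match.
INSTALLED = {"gitdummy": "abc123def", "othertool": "ffffffff00"}

SEVERITIES = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

def rank(severity):
    """Sort key; an unknown severity string sorts last instead of raising."""
    s = severity.upper()
    return SEVERITIES.index(s) if s in SEVERITIES else len(SEVERITIES)

def audit(installed, vuln_db):
    """Match each installed commit hash against the database. Returns (findings, counts):
    findings is a list of (package, record); counts maps each known severity to a count."""
    findings = [(pkg, rec) for pkg, commit in installed.items()
                for rec in vuln_db.get(pkg, {}).get(commit, [])]
    counts = Counter(rec["severity"].upper() for _, rec in findings)
    return findings, {s: counts.get(s, 0) for s in SEVERITIES}

def report(installed, vuln_db, fail_at="HIGH"):
    """Render findings in the PR's output format. Returns (text, exit_code); the exit
    code is 1 when any finding is at or above fail_at, so a CI job can fail on it."""
    findings, counts = audit(installed, vuln_db)
    lines = []
    for pkg, rec in sorted(findings, key=lambda f: rank(f[1]["severity"])):
        lines += [f"{rec['severity']} severity found for {pkg}:", rec["id"], rec["description"], ""]
    summary = ", ".join(f"{counts[s]} {s.lower()}" for s in SEVERITIES)
    lines += ["CVE Summary:", f"{len(findings)} vulnerabilities ({summary})"]
    exit_code = 1 if any(rank(r["severity"]) >= rank(fail_at) for _, r in findings) else 0
    return "\n".join(lines), exit_code

if __name__ == "__main__":
    text, code = report(INSTALLED, VULN_DB)
    print(text)
    raise SystemExit(code)
```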

IgorTodorovskiIBM commented 1 month ago

You may want to add a blurb here on how to use it: https://github.com/ZOSOpenTools/meta/blob/main/docs/Guides/ThePackageManager.md