mrl5 / vulner

Discover CVEs for packages installed by the portage
Mozilla Public License 2.0

Add support to Funtoo Macaroni OS #64

Open geaaru opened 2 years ago

geaaru commented 2 years ago

When the portage subset is enabled inside a Macaroni installation, it's possible to use vulner with the portage engine; if instead this subset is not enabled, a possibility could be to use the output generated by the luet search --installed . command in JSON format.

Hereinafter, an example of the output:

$ sudo luet s --installed  -o json  lshw | jq
{
  "stones": [
    {
      "name": "lshw",
      "category": "sys-apps",
      "version": "02.18b",
      "license": "GPL-2",
      "repository": "system",
      "annotations": {
        "subsets": {
          "rules": {
            "devel": [
              "^/usr/include/"
            ],
            "portage": [
              "^/var/db/pkg/"
            ]
          }
        }
      },
      "labels": {
        "DEPEND": "gtk? ( x11-libs/gtk+:2 ) sqlite? ( dev-db/sqlite:3 ) gtk? ( virtual/pkgconfig ) sqlite? ( virtual/pkgconfig )",
        "IUSE": "gtk sqlite static",
        "RDEPEND": "gtk? ( x11-libs/gtk+:2 ) sqlite? ( dev-db/sqlite:3 ) sys-apps/hwids",
        "emerge.packages": "sys-apps/lshw",
        "kit": "core-hw-kit",
        "original.package.name": "sys-apps/lshw",
        "original.package.slot": "0",
        "original.package.version": "02.18b-r1"
      }
    }
  ]
}

My suggestion for now is to check whether the labels original.package.name and original.package.version exist, and then exclude packages without these labels. For the other packages we need to study a different solution, but only a minor number of packages are in this condition.

Thanks in advance

geaaru commented 2 years ago

Adding some more information. After the repository has been downloaded, a filesystem tree with the YAML files of all packages that could be installed is available. So for the use case where the vulner tool analyzes all packages available in the repository, you can just iterate over the directories under /var/cache/luet/repos/. So, just run:

$> luet repo update

And then parse every definition.yaml and/or metadata.yaml. Hereinafter, an example:

$ cat /var/cache/luet/repos/macaroni-funtoo-testing/treefs/net-vpn/openvpn/2.5.7/definition.yaml 
annotations:
  subsets:
    rules:
      devel:
      - ^/usr/include/
      portage:
      - ^/var/db/pkg/
category: net-vpn
conflicts: null
description: Robust and highly flexible tunneling application compatible with many
  OSes
id: 0
labels:
  DEPEND: kernel_linux? ( iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( >=sys-apps/net-tools-1.60_p20160215155418
    ) ) pam? ( virtual/pam ) ssl? ( !mbedtls? ( !libressl? ( >=dev-libs/openssl-0.9.8:0=
    ) libressl? ( dev-libs/libressl:0= ) ) mbedtls? ( net-libs/mbedtls ) ) lz4? (
    app-arch/lz4 ) lzo? ( >=dev-libs/lzo-1.07 ) pkcs11? ( >=dev-libs/pkcs11-helper-1.11
    ) systemd? ( sys-apps/systemd ) >=app-portage/elt-patches-20170815 !<sys-devel/gettext-0.18.1.1-r3
    || ( >=sys-devel/automake-1.16.1:1.16 >=sys-devel/automake-1.15.1:1.15 ) >=sys-devel/autoconf-2.69
    >=sys-devel/libtool-2.4 virtual/pkgconfig
  IUSE: down-root examples inotify iproute2 libressl lz4 +lzo mbedtls pam pkcs11 +plugins
    selinux +ssl static systemd test userland_BSD kernel_linux
  RDEPEND: kernel_linux? ( iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? (
    >=sys-apps/net-tools-1.60_p20160215155418 ) ) pam? ( virtual/pam ) ssl? ( !mbedtls?
    ( !libressl? ( >=dev-libs/openssl-0.9.8:0= ) libressl? ( dev-libs/libressl:0=
    ) ) mbedtls? ( net-libs/mbedtls ) ) lz4? ( app-arch/lz4 ) lzo? ( >=dev-libs/lzo-1.07
    ) pkcs11? ( >=dev-libs/pkcs11-helper-1.11 ) systemd? ( sys-apps/systemd ) selinux?
    ( sec-policy/selinux-openvpn )
  emerge.packages: net-vpn/openvpn
  kit: net-kit
  original.package.name: net-vpn/openvpn
  original.package.slot: "0"
  original.package.version: 2.5.7
license: GPL-2
name: openvpn
path: /srv/mottainai/build/348654840/repo/packages/atoms/server/net-vpn/openvpn
requires:
- category: dev-libs-2
  conflicts: null
  id: 0
  name: lzo
  requires: null
  version: '>=0'
- category: dev-libs
  conflicts: null
  id: 0
  name: openssl
  requires: null
  version: '>=0'
- category: virtual
  conflicts: null
  id: 0
  name: pam
  requires: null
  version: '>=0'
- category: macaroni
  conflicts: null
  id: 0
  name: entities-catalog
  requires: null
  version: '>=0'
uri:
- https://openvpn.net/
use_flags:
- -iproute2
- -kernel_linux
- -libressl
- -lz4
- -mbedtls
- -pkcs11
- -selinux
- -systemd
- lzo
- pam
- ssl
version: 2.5.7
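Both comments above describe the same mapping: a luet package record (one "stones" entry from luet search --installed -o json, or one loaded definition.yaml from the repo cache) carries original.package.name and original.package.version labels that identify the portage atom, and records without those labels need separate handling. The following is an added example, not code from vulner, luet or anyone in this thread. It uses only the Python standard library; the sample JSON is constructed from the lshw record shown earlier plus a made-up label-less package, the YAML loader is passed in as a callable (PyYAML's yaml.safe_load is assumed but not imported), and the "-rN" revision split follows the Gentoo version convention, which CVE data does not use. Packages that cannot be mapped are returned rather than dropped, so a scan report can state what was not covered.

```python
"""Derive portage-style atoms from luet package records for CVE lookup.

Added example (not part of vulner or luet). Works on the JSON printed by
`luet search --installed -o json` ("stones") and on definition.yaml
documents loaded from /var/cache/luet/repos/<repo>/treefs, since both
carry the same "labels" mapping.
"""
import json
import os
import re

# Constructed sample: the lshw and openvpn records from the thread, trimmed,
# plus a made-up package that lacks the original.package.* labels.
SAMPLE_LUET_JSON = json.dumps({
    "stones": [
        {"name": "lshw", "category": "sys-apps", "version": "02.18b",
         "labels": {"original.package.name": "sys-apps/lshw",
                    "original.package.version": "02.18b-r1"}},
        {"name": "openvpn", "category": "net-vpn", "version": "2.5.7",
         "labels": {"original.package.name": "net-vpn/openvpn",
                    "original.package.version": "2.5.7"}},
        {"name": "entities-catalog", "category": "macaroni", "version": "0.1",
         "labels": {"kit": "macaroni-kit"}},  # constructed, no portage labels
    ]
})

# Gentoo versions may end in an ebuild revision "-rN"; CVE data keys on the
# upstream version, so the revision is split off rather than sent to lookup.
REVISION_RE = re.compile(r"^(?P<upstream>.+?)(?:-r(?P<rev>\d+))?$")


def split_revision(version):
    """'02.18b-r1' -> ('02.18b', 1); '2.5.7' -> ('2.5.7', 0)."""
    m = REVISION_RE.match(version)
    rev = m.group("rev")
    return m.group("upstream"), (int(rev) if rev is not None else 0)


def atom_from_package(pkg):
    """Return (category, name, upstream_version, revision) for one luet
    package dict, or None when the original.package.* labels are missing."""
    labels = pkg.get("labels") or {}
    name = labels.get("original.package.name")
    version = labels.get("original.package.version")
    if not name or not version or "/" not in name:
        return None
    category, pn = name.split("/", 1)
    upstream, rev = split_revision(str(version))
    return (category, pn, upstream, rev)


def atoms_from_packages(pkgs):
    """Partition luet package dicts into scannable atoms and the luet
    'category/name' identities that could not be mapped to portage."""
    atoms, unmapped = [], []
    for pkg in pkgs:
        atom = atom_from_package(pkg)
        if atom is None:
            unmapped.append(f"{pkg.get('category')}/{pkg.get('name')}")
        else:
            atoms.append(atom)
    return atoms, unmapped


def atoms_from_luet_json(text):
    """Parse `luet search --installed -o json` output (installed-packages case)."""
    return atoms_from_packages(json.loads(text).get("stones", []))


def atoms_from_repo_tree(root, load_yaml):
    """Walk a luet repo cache tree and map every definition.yaml
    (whole-repository case). `load_yaml` is e.g. yaml.safe_load from
    PyYAML, assumed available by the caller and not imported here."""
    docs = []
    for dirpath, _dirs, files in os.walk(root):
        if "definition.yaml" in files:
            with open(os.path.join(dirpath, "definition.yaml"), encoding="utf-8") as fh:
                docs.append(load_yaml(fh))
    return atoms_from_packages(docs)


if __name__ == "__main__":
    atoms, unmapped = atoms_from_luet_json(SAMPLE_LUET_JSON)
    for cat, pn, ver, rev in atoms:
        print(f"{cat}/{pn}-{ver}  (ebuild revision r{rev})")
    print("not mapped to portage atoms:", unmapped)
```

Note that the luet "version" field ("02.18b") and the portage label ("02.18b-r1") differ: the extractor deliberately reads the label, which is the portage identity vulner would match against, and keeps the revision as separate data so a report can still name the exact installed ebuild.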

mrl5 commented 2 years ago

hello, @geaaru thanks for this feature request and the other details that you provided when we chatted on discord a few weeks ago.

I still have this task on my todo list but lack the time to focus more on vulner currently.

let me also make this self-note so that I can jump to this more easily when I find some time:

# cat /etc/os-release 
ID="macaroni"
NAME="MacaroniOS"
PRETTY_NAME="Funtoo Macaroni Linux"
ANSI_COLOR="0;34"
HOME_URL="https://www.macaroni.funtoo.org"
BUG_REPORT_URL="https://bugs.funtoo.org"
VERSION="22.09 (Phoenix)"
VERSION_ID=22.09
VERSION_CODENAME=eagle
minion / # cat /etc/lsb-release 
DISTRIB_ID="macaroni"
DISTRIB_DESCRIPTION="Funtoo Macaroni OS"
DISTRIB_RELEASE=22.09.01
DISTRIB_CODENAME=eagle
LSB_VERSION="funtoo-macaroni-22.09.01-amd64"