Page MenuHomeFreeBSD

New port: security/vuls VULnerability Scanner
ClosedPublic

Authored by ultima on Jul 27 2017, 1:03 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, May 22, 1:58 AM
Unknown Object (File)
Wed, May 22, 12:29 AM
Unknown Object (File)
Mon, May 20, 5:51 PM
Unknown Object (File)
Mon, May 20, 7:28 AM
Unknown Object (File)
Mon, May 20, 7:11 AM
Unknown Object (File)
Mon, May 20, 5:40 AM
Unknown Object (File)
Sun, May 5, 12:47 PM
Unknown Object (File)
Sun, May 5, 12:47 PM

Details

Summary

Vuls is an agentless vulnerability scanner written in golang.
It can scan localhost or remote hosts via SSH. Vuls has a Terminal-Based User
Interface(TUI) to display the scan results.

Vuls' features include:

  • scan for vulnerabilitie in Ubuntu, Debian, CentOS, Amazon Linux, RHEL, Oracle Linux, FreeBSD and Raspbian;
  • scan middleware that are not included in OS package management;
  • nondestructive testing;
  • email and slack notification.

WWW: https://github.com/future-architect/vuls

PR\: 220328
Sumitted by\: Alexandru Ciobanu <iscandr@gmail.com> (maintainer)
Reviewed by\: lifanov (mentor), matthew (mentor)
Approved by\: lifanov (mentor), matthew (mentor)
Differential Revision\: https://reviews.freebsd.org/DXXXXX

Test Plan

portlint:
WARN: Makefile: possible use of absolute pathname "/var/db/vuls".
WARN: Makefile: no port directory /usr/ports/security/go-cve-dictionary found, even though it is listed in RUN_DEPENDS.
0 fatal errors and 2 warnings found.

#2 is due to go-cve-dictionary being a new port and not committed yet. Will wait for this to be committed first.

poudriere:
103i386
103amd64
110i386
110amd64
12i386
12amd64

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

security/vuls/Makefile
19 ↗(On Diff #31238)

This is not the v0.3.0 tag, so this port should not have this version.

$ git describe --tags 7ecd09f
v0.3.0-19-g7ecd09f

You should probably remove the GH_TAGNAME and change the top block to:

DISTVERSIONPREFIX= v
DISTVERSION= 0.3.0-19
DISTVERSIONSUFFIX= -g7ecd09f
118 ↗(On Diff #31238)

Remove quotes.

Also, what does it do exactly ? The port defines a do-build and a do-install target, so the software's makefile is never used.

122 ↗(On Diff #31238)

I do not know how go works, but wouldn't it be easier to put the modules in the directories that are expected instead of putting them in another and patching everything to point at the right place ?

security/vuls/Makefile
122 ↗(On Diff #31238)

Build dependencies don't use the same package name for imports. E.g. gopkg.in/cheggaaa/pb.v2/pb.go uses "gopkg.in/mattn/go-isatty.v0" while github.com/fatih/color/color.go uses "github.com/mattn/go-isatty". The patching is required to ensure uniform package names in imports across all dependencies.

security/vuls/Makefile
122 ↗(On Diff #31238)

Mmmm, I did not know go was such a mess :-)

security/vuls/pkg-plist
1–2 ↗(On Diff #31238)

This could probably be using PLIST_FILES.

security/vuls/pkg-plist
1–2 ↗(On Diff #31238)

Done.

  • Updated with suggestions
security/vuls/Makefile
4–6 ↗(On Diff #31265)

This is wrong, it should be:

DISTVERSIONPREFIX= v
DISTVERSION= 0.3.0-19
DISTVERSIONSUFFIX= -g7ecd09f
119 ↗(On Diff #31265)

You forgot the @sample bit that you had in the plist.

security/vuls/pkg-message
3 ↗(On Diff #31265)

As there is a RUN_DEPENDS, I am not sure this is relevent.

Removed PORTVERSION, added DISTVERSION

I did consider the pkg-message on this port. I think it is best to be insistent on the database provided by go-cve-dictionary as the port is more or less useless if the user doesn't create the database provided by go-cve-dictionary. It should encourage a new user installing the port to check the message provided by the depend.

security/vuls/Makefile
118 ↗(On Diff #31238)

The quotes or escape is needed for the @sample, without them the plist will generate the space between @sample and the file as a new line.

security/vuls/Makefile
118 ↗(On Diff #31238)

This was with an older version of the Makefile where you were defining MAKEFILE, not this one. :-)

This revision is now accepted and ready to land.Jul 28 2017, 4:37 PM
This revision was automatically updated to reflect the committed changes.