audit: Allow to ignore some packages
Baptiste Daroussin committed 5 years ago
commit b5e8079b61f50414050612ff0b9ee45cf6d10a2d
parent 626427a
2 files changed +57 -1
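--- a/libpkg/pkg_audit.c
+++ b/libpkg/pkg_audit.c
@@ -37,6 +37,7 @@
 #include <string.h>
 #include <utlist.h>
 #include <xstring.h>
+#include <regex.h>
 
 #include <yxml.h>
 
@@ -84,6 +85,8 @@ struct pkg_audit {
 	struct pkg_audit_item *items;
 	bool parsed;
 	bool loaded;
+	char **ignore_globs;
+	char **ignore_regexp;
 	void *map;
 	size_t len;
 };
@@ -730,6 +733,43 @@ pkg_audit_add_entry(struct pkg_audit_entry *e, struct pkg_audit_issues **ai)
 }
 
 bool
+ignore_package(const char *name)
+{
+	const ucl_object_t *globs, *regexes, *cur;
+	ucl_object_iter_t it;
+
+	globs = pkg_config_get("AUDIT_IGNORE_GLOB");
+	regexes = pkg_config_get("AUDIT_IGNORE_REGEX");
+
+	if (globs == NULL && regexes == NULL)
+		return (false);
+
+	if (globs != NULL) {
+		it = NULL;
+		while ((cur = ucl_iterate_object(globs, &it, true))) {
+			if (fnmatch(ucl_object_tostring(cur), name, 0) == 0)
+				return (true);
+		}
+	}
+
+	if (regexes != NULL) {
+		it = NULL;
+		while ((cur = ucl_iterate_object(regexes, &it, true))) {
+			regex_t re;
+			regcomp(&re, ucl_object_tostring(cur),
+			   REG_EXTENDED|REG_NOSUB);
+			if (regexec(&re, name, 0, NULL, 0) == 0) {
+				regfree(&re);
+				return (true);
+			}
+			regfree(&re);
+		}
+	}
+
+	return (false);
+}
+
+bool
 pkg_audit_is_vulnerable(struct pkg_audit *audit, struct pkg *pkg,
     struct pkg_audit_issues **ai, bool stop_quick)
 {
@@ -741,6 +781,10 @@ pkg_audit_is_vulnerable(struct pkg_audit *audit, struct pkg *pkg,
 	if (!audit->parsed)
 		return false;
 
+	/* check if we decided to ignore that package or not */
+	if (ignore_package(pkg->name))
+		return (false);
+
 	a = audit->items;
 	a += audit_entry_first_byte_idx[(size_t)pkg->name[0]];
 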
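Review bot: The return value of regcomp() in ignore_package is not checked, so an invalid pattern in AUDIT_IGNORE_REGEX leaves `re` uninitialized and regexec() and regfree() then operate on it; guard it with `if (regcomp(&re, ucl_object_tostring(cur), REG_EXTENDED|REG_NOSUB) != 0) continue;`, ideally emitting a warning so a mistyped pattern does not silently fail to apply. regexec() is also unanchored here, so a pattern such as `ssl` suppresses vulnerability reporting for every package whose name contains it; since this list turns audit findings off, that behaviour deserves a comment above the loop, e.g. `/* patterns are unanchored: match anywhere in the package name */`. The include hunk adds `<regex.h>` but not `<fnmatch.h>`, which fnmatch() needs unless it is already included elsewhere in the file. The new `ignore_globs`/`ignore_regexp` members of struct pkg_audit are not referenced by any code in these hunks and look unused, and `ignore_package` has no prototype in view, so it could probably be `static` unless another translation unit calls it.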
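--- a/libpkg/pkg_config.c
+++ b/libpkg/pkg_config.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2015 Baptiste Daroussin <bapt@FreeBSD.org>
+ * Copyright (c) 2011-2020 Baptiste Daroussin <bapt@FreeBSD.org>
  * Copyright (c) 2011-2012 Julien Laffaye <jlaffaye@FreeBSD.org>
  * Copyright (c) 2014 Matthew Seaman <matthew@FreeBSD.org>
  * Copyright (c) 2016 Vsevolod Stakhov <vsevolod@FreeBSD.org>
@@ -459,6 +459,18 @@ static struct config_entry c[] = {
 		"YES",
 		"Disable triggers",
 	},
+	{
+		PKG_ARRAY,
+		"AUDIT_IGNORE_GLOB",
+		NULL,
+		"List of glob to ignore while autiditing for vulnerabilities",
+	},
+	{
+		PKG_ARRAY,
+		"AUDIT_IGNORE_REGEX",
+		"NULL",
+		"List of regex to ignore while autiditing for vulnerabilities",
+	},
 };
 
 static bool parsed = false;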
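Review bot: The AUDIT_IGNORE_REGEX entry uses the string literal `"NULL"` as its default where AUDIT_IGNORE_GLOB uses `NULL`; if that field is the entry's default value, the regex list would presumably start with a literal pattern `NULL` instead of being empty, so it should read `NULL,` like the glob entry. Both description strings are user-visible and misspell "auditing" as "autiditing". They could also say what the lists act on, e.g. `"List of globs of package names to skip when auditing for vulnerabilities"` and `"List of unanchored regexes of package names to skip when auditing for vulnerabilities"`, since a match removes the package from vulnerability reporting entirely.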