Bug 186497 - ports-mgmt/pkg: local overrides for pkg audit
Summary: ports-mgmt/pkg: local overrides for pkg audit
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Baptiste Daroussin
Reported: 2014-02-05 21:10 UTC by Garrett Wollman
Modified: 2018-01-14 20:24 UTC
CC: 3 users

Attachments
Patch to allow sysadmin to list vuxml entries to ignore (1.04 KB, patch)
2016-08-25 15:19 UTC, Tim Zingelman

Description Garrett Wollman freebsd_committer 2014-02-05 21:10:00 UTC
pkg audit reports many vulnerabilities which are
configuration-dependent.  It would be nice to have a local override
file to silence warnings about vulnerabilities that the administrator
has determined to be inapplicable or has applied a workaround for.

Fix:

Probably add a new data file to read with a list of vuln IDs to
acknowledge, and an option flag to pkg audit to show all vulns
including those that were silenced.

How-To-Repeat:

Run pkg audit on a 9.x system with openssh-portable-6.2.p2_5,1
installed.  The vulnerability only applies when AES-GCM is in use,
which the OpenSSL on 9.x does not support.
Comment 1 Ruslan Makhmatkhanov freebsd_committer 2014-02-09 15:49:24 UTC
Responsible Changed
From-To: freebsd-ports-bugs->portmgr

Over to maintainer.
Comment 2 Baptiste Daroussin freebsd_committer 2016-04-20 08:59:52 UTC
Sorry for the delay. I do like this idea, and if someone contributes it I'll be happy; unfortunately for now I have no time to work on it.
Comment 3 Tim Zingelman 2016-08-25 15:19:52 UTC
Created attachment 174064 [details]
Patch to allow sysadmin to list vuxml entries to ignore

Attached is a simple patch to add back this functionality.
Comment 4 Baptiste Daroussin freebsd_committer 2016-08-25 16:04:48 UTC
Thanks I will look into it as soon as I find enough free time.

I would prefer not to use the old portaudit.conf configuration file, but have this within the pkg config file through something like:

audit_ignore: [
    { name: "ruby" }, # ignore all ruby vuln
    { name: "ruby", version: "1.2.4_7" }, # ignore ruby 1.2.4_7
]

That would allow some magical override like:
.include(glob=true) "/usr/local/etc/audit/*.conf"
where each ignore can be a single file (very helpful to populate via automation tools).
Comment 5 Garrett Wollman freebsd_committer 2016-08-26 01:10:41 UTC
(In reply to Baptiste Daroussin from comment #4)
However, it's really necessary to be able to ignore specific vulnids, not just all vulns for a package.  If I've examined a disclosure and determined it doesn't present an issue (e.g., the current set of zone-transfer "vulns" issued against all authoritative nameserver implementations but which only affect the tiny fraction of operators who provide slave service for untrusted zones), I still need to find out about *other* vulns against the same package.
Comment 6 Baptiste Daroussin freebsd_committer 2016-08-26 09:38:10 UTC
yup, I forgot to mention we could
audit_ignore : [
    { uuid: XXXXX }
]

the same way.
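The ignore semantics sketched in comments 4 through 6 (silence every entry for a package, only a given installed version, or one VuXML uuid so that other entries against the same package still surface, plus the "show all" flag from the description), as an added illustration that is not pkg's code or the attached patch; the Finding/rule shapes and the sample data are constructed.

```python
# Added illustration of the proposed audit_ignore semantics; not pkg's code.
# Finding/rule structures and the sample findings below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One pkg-audit hit: installed package, its version, VuXML entry id."""
    name: str
    version: str
    uuid: str


# Rules mirror the proposed pkg.conf entries:
#   { name: "ruby" }                     -> all vulns for ruby
#   { name: "ruby", version: "1.2.4_7" } -> only that installed version
#   { uuid: "..." }                      -> one VuXML entry, any package
def rule_matches(rule: dict, f: Finding) -> bool:
    if "uuid" in rule:
        return rule["uuid"] == f.uuid
    if "name" in rule:
        if rule["name"] != f.name:
            return False
        return rule.get("version", f.version) == f.version
    return False  # malformed rule: never silence anything by accident


def filter_findings(findings, rules, show_all=False):
    """Return (reported, silenced); with show_all nothing is dropped."""
    silenced = [f for f in findings if any(rule_matches(r, f) for r in rules)]
    if show_all:
        return list(findings), silenced
    return [f for f in findings if f not in silenced], silenced


# Constructed sample: two distinct VuXML entries against the same package,
# plus the openssh case from the bug description. UUIDs are placeholders.
SAMPLE = [
    Finding("openssh-portable", "6.2.p2_5,1", "uuid-openssh-aesgcm"),
    Finding("bind99", "9.9.9", "uuid-bind-zone-transfer"),
    Finding("bind99", "9.9.9", "uuid-bind-other"),
]
RULES = [
    {"name": "openssh-portable", "version": "6.2.p2_5,1"},  # workaround applied
    {"uuid": "uuid-bind-zone-transfer"},  # assessed as not applicable here
]

if __name__ == "__main__":
    shown, hidden = filter_findings(SAMPLE, RULES)
    for f in shown:
        print(f"{f.name}-{f.version} is vulnerable: {f.uuid}")
    print(f"({len(hidden)} finding(s) silenced by audit_ignore)")
```

Only the second bind99 entry is reported, which is exactly the behaviour comment 5 asks for: a uuid rule hides one assessed disclosure without hiding later ones against the same package.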
Comment 7 w.schwarzenfeld freebsd_triage 2018-01-13 22:00:31 UTC
Is this still relevant?
Comment 8 Tim Zingelman 2018-01-14 20:24:27 UTC
Yes, it is still relevant.