Bug 245992 - security/openvas9-libraries not up to date
Summary: security/openvas9-libraries not up to date
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Jose Alonso Cardenas Marquez
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-28 07:09 UTC by Jørgen Asmussen
Modified: 2021-01-26 01:20 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (acm)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jørgen Asmussen 2020-04-28 07:09:13 UTC
security/openvas9-libraries is 9.0.1, newest release is 9.0.3 according to Greenbone/OpenVAS site and https://github.com/greenbone/gvm-libs/releases/tag/v9.0.3

Since it's not updated, the OpenVAS scanner will report a Severity Level of 10 on every scan with NVT and not do much more.

Regards.
Comment 1 Erik Inge Bolsø 2020-06-10 14:14:11 UTC
Patch to update OpenVAS versions to latest 8.x and 9.x:

https://reviews.freebsd.org/D25209
Comment 2 Jose Alonso Cardenas Marquez freebsd_committer 2020-12-15 07:12:15 UTC
- openvas8 and openvas9 are EoL. I'll try port latest version of openvas to FreeBSD port tree. I leave this PR open until I have news
Comment 3 Erik Inge Bolsø 2020-12-16 13:48:35 UTC
Do you need some manpower to help? We have a support agreement with Klara Systems we can draw on.

For us, the port of the head node / gui is most important, we currently run the scanner nodes on linux. But running the scanners on freebsd also would be Nice(tm).
Comment 4 Jose Alonso Cardenas Marquez freebsd_committer 2021-01-06 09:32:04 UTC
(In reply to Erik Inge Bolsø from comment #3)

Hi, finally I added new version of gvm ports to FreBSD ports tree

security/gvm (metaport)
security/gvm-libs
security/gvmd
security/openvas
security/py-ospd-openvas
security/greenbone-security-assistant
security/py-python-gvm
security/py-gvm-tools

I did some basic tests and it seems is working fine using sockets. Maybe you could do some advanced testing and report if you found problems with these ports or if it works without problems

I didn't add openvas-smb because it needs mingw tools and I decided not lose time in this port. Maybe I could try import this port in another time

Enjoy it

btw openvas ports were marked like DEPRECATED because EoL
Comment 5 Eirik Oeverby 2021-01-06 12:17:06 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #4)

Brilliant, thanks a lot! It's been added to our poudriere builds now, so we'll be testing it shortly.

/Eirik
Comment 6 Eirik Oeverby 2021-01-06 16:15:45 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #4)
===> Fetching all distfiles required by gvmd-20.8.0 for building
===>  Extracting for gvmd-20.8.0
=> SHA256 Checksum OK for greenbone-gvmd-v20.8.0_GH0.tar.gz.
unzip: Unrecognized archive format
===>  Failed to extract "/portdistfiles//greenbone-gvmd-v20.8.0_GH0.tar.gz".
*** Error code 1
Comment 7 Jose Alonso Cardenas Marquez freebsd_committer 2021-01-06 16:18:41 UTC
(In reply to Eirik Oeverby from comment #6)

Try removing zip from USES
Comment 8 Eirik Oeverby 2021-01-06 16:31:07 UTC
(In reply to Eirik Oeverby from comment #6)
Looks like 'zip' needs to be removed from USED in the Makefile.(In reply to Jose 

Alonso Cardenas Marquez from comment #7)
Yeah, I was about to comment that ;)
Comment 9 Eirik Oeverby 2021-01-06 16:32:02 UTC
(In reply to Eirik Oeverby from comment #8)
Okay that was messy.
To confirm - yes, removing zip allows it to build. Now rebuilding my net-snmp with ipv6 support, hoping that fixes security/openvas build too...
Comment 10 Eirik Oeverby 2021-01-06 16:39:46 UTC
New issue:

===>  Staging for py37-ospd-openvas-20.8.0
** Missing /usr/ports/security/py-ospd-openvas/files/pkg-message.in for py37-ospd-openvas-20.8.0.
*** Error code 1

Stop.
make: stopped in /usr/ports/security/py-ospd-openvas


I'll touch that file to continue here...
Comment 11 Jose Alonso Cardenas Marquez freebsd_committer 2021-01-06 16:48:47 UTC
(In reply to Eirik Oeverby from comment #10)
Remove this line from Makefile

SUB_FILES=      pkg-message
Comment 12 commit-hook freebsd_committer 2021-01-06 16:53:22 UTC
A commit references this bug:

Author: acm
Date: Wed Jan  6 16:52:35 UTC 2021
New revision: 560542
URL: https://svnweb.freebsd.org/changeset/ports/560542

Log:
  - Fix build

  PR:		245992
  Reported by:	ltning-freebsd at anduin.net

Changes:
  head/security/py-ospd-openvas/Makefile
Comment 13 commit-hook freebsd_committer 2021-01-06 16:54:24 UTC
A commit references this bug:

Author: acm
Date: Wed Jan  6 16:54:18 UTC 2021
New revision: 560543
URL: https://svnweb.freebsd.org/changeset/ports/560543

Log:
  - Fix build

  PR:		245992
  Reported by:	ltning-freebsd at anduin.net

Changes:
  head/security/gvmd/Makefile
Comment 14 Eirik Oeverby 2021-01-06 19:26:39 UTC
gvm-related errors during/after install:
- /var/run/gvm has wrong owner (root), causing
md manage:WARNING:2021-01-06 17h37.26 utc :3129: Failed to open lock file '/var/run/gvm/gvm-checking': Permission denied
md   main:CRITICAL:2021-01-06 17h37.26 utc :3129: gvmd: Error trying to get checking lock

- pkg_resources.DistributionNotFound: The 'defusedxml<0.7.0,>=0.6.0' distribution was not found and is required by ospd
Looks like the installed defusedxml is too old.
# pkg search defused
py37-defusedxml-0.5.0          XML bomb protection for Python stdlib modules

Confirmed, as manually updating the defusedxml port to 0.6.0 and upgrading fixes this.

- "Create certificates" step should use -a, not -s, as option to gvm-manage-certs

- gsad returns "URL not found" - have not found a solution to this

- missing semicolon after some postgresql statements in post-installation messages

- suggestion: mention that redis needs unix socket enabled and permissions changed in its config before openvas will start

- suggestion: place 'sysrc' in front of rc.conf changes listed (gvm_enable, redis_enable, etc.)
Comment 15 Eirik Oeverby 2021-01-06 19:35:08 UTC
(In reply to Eirik Oeverby from comment #14)

Is it possible some HTML is not being installed as it should? I see HTML files in the port that don't seem to be installed..
Comment 16 Jose Alonso Cardenas Marquez freebsd_committer 2021-01-06 22:00:14 UTC
(In reply to Eirik Oeverby from comment #14)

1) About permissions problem, /var/run/gvm is created by gvmd (@dir(gvm,gvm,750) /var/run/gvm). Maybe it is being overwritten by gsad. I'll check very well where problem is

2) I forget sent a PR for update py-defusedxml (I updated it in my tree). I seems like a PR was posting here.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251825

I'll try committ it asap because that PR has a maintainer timeout

3) For me own configuration I used -s like I saw into manual page

https://github.com/greenbone/ospd/blob/master/doc/INSTALL-ospd-scanner.md

Creating certificates

4) gsad returns "URL not found" - have not found a solution to this (where? give me more info about this)

5 and 6) I will do
Comment 17 Jose Alonso Cardenas Marquez freebsd_committer 2021-01-06 22:02:43 UTC
(In reply to Eirik Oeverby from comment #15)

 security/gvmd right?
Comment 18 Eirik Oeverby 2021-01-06 22:52:23 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #16)

3 - the -s parameter is from the gvm install message, and I see from the URL you provided that it's wrong even there. By using the -a option instead, it will automatically create all the requried certificates. -s seems to be a no-op, at least it is not documented anywhere. And gsad will not start with default options unless
  su -m gvm -c "gvm-manage-certs -a"
is run.

4 - When accessing http://<ip>:9492/ after starting gsad (the web interface).
Comment 19 Eirik Oeverby 2021-01-06 22:52:54 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #17)
>  security/gvmd right?

Not sure what you are referring to / asking here?
Comment 20 Jose Alonso Cardenas Marquez freebsd_committer 2021-01-06 23:20:58 UTC
(In reply to Eirik Oeverby from comment #19)

> Is it possible some HTML is not being installed as it should? I see HTML files > in the port that don't seem to be installed..

security/gvmd right?
Comment 21 Eirik Oeverby 2021-01-06 23:28:48 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #20)
No - security/greenbone-security-assistant
Comment 22 Jose Alonso Cardenas Marquez freebsd_committer 2021-01-06 23:37:46 UTC
(In reply to Eirik Oeverby from comment #18)

> 4 - When accessing http://<ip>:9492/ after starting gsad (the web interface).

What did you see into log files? gvmd and ospd-openvas are running without problems?
Comment 23 Jose Alonso Cardenas Marquez freebsd_committer 2021-01-07 00:17:37 UTC
I found the issues. I'll commit changes asap. Thanks!
Comment 24 commit-hook freebsd_committer 2021-01-07 03:29:35 UTC
A commit references this bug:

Author: acm
Date: Thu Jan  7 03:29:21 UTC 2021
New revision: 560676
URL: https://svnweb.freebsd.org/changeset/ports/560676

Log:
  - Fix installation issues. It BROKEN port in runtime
  - Clean up

  PR:		245992
  Reported by:	jorgen  at  larsendata.dk

Changes:
  head/security/greenbone-security-assistant/Makefile
Comment 25 Eirik Oeverby 2021-01-07 12:47:35 UTC
(In reply to commit-hook from comment #24)
Nice. Testing.

While I test, some nitpicking (sorry! :)
- pkg-message.in now says sysrc..., but still says "add to rc.conf". For newcomers this can be confusing.

- stuff gets installed/populated in /var/lib - this is not very FreeBSD-ish

On our standard installations we have very limited space in /var so downloading signatures simply doesn't work. Can this (somewhat easily) be moved to /usr/local somewhere?
Comment 26 Eirik Oeverby 2021-01-07 14:46:01 UTC
(In reply to commit-hook from comment #24)

Also, after the last updates I am unable to create certificates:
[root@freebsd /tmp]# su -m gvm -c "gvm-manage-certs -s"               
Generated private key in /tmp/tmp.WAKGKRbc/key.pem.
Jan  7 15:44:07 freebsd gvm-manage-certs[64611]: ERROR: Failed to create self signed certificate, see /tmp/tmp.WAKGKRbc/gvm-manage-certs.log for details. Aborting.
ERROR: Failed to create self signed certificate, see /tmp/tmp.WAKGKRbc/gvm-manage-certs.log for details. Aborting.

Content of log file below. I have no idea why this is broken now; I'm having trouble making out the differences in the port revisions, so I don't know what might have changed. It DID work on the first install. It does NOT work on a (completely) fresh installation today.

Generating a 3072 bit RSA private key...
Generating a self signed certificate...
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 3e68bdbbb5c49058089abf90ce3b3a34cc84301e
        Validity:
                Not Before: Thu Jan 07 14:44:07 UTC 2021
                Not After: Sat Jan 07 14:44:07 UTC 2023
        Subject: C=DE,L=Osnabrueck,O=GVM Users,CN=localhost
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (3072 bits)
                Modulus (bits 3072):
                        00:db:c3:c7:e5:79:36:83:af:1d:4e:90:57:67:13:23
                        d6:35:25:60:4e:13:52:7e:85:77:fa:b9:45:e0:6d:7e
                        1c:cd:1a:39:71:08:24:03:85:6a:3d:18:fb:8a:bd:fb
                        69:e9:8d:2c:52:1e:7e:9c:e3:55:db:f0:18:53:dd:5e
                        85:5f:e2:e2:20:9a:fb:01:4f:69:48:12:14:26:bf:3c
                        0e:56:ee:31:37:74:fe:93:a7:07:53:d2:15:c5:ac:7f
                        6d:73:d8:d8:be:c7:45:02:56:db:f8:ce:ac:b6:ac:7c
                        29:a3:11:9c:e1:c5:8c:a1:83:8b:50:f5:b4:9d:76:ff
                        68:ad:ca:78:5b:56:61:58:a0:32:47:4e:09:63:61:98
                        e4:4e:d9:7d:e8:44:3f:2c:59:1a:17:ad:1f:79:d8:4f
                        71:6b:45:06:3c:4c:c1:de:c3:6b:3c:32:a3:47:54:fe
                        39:5c:79:e9:1b:df:26:fb:bb:6a:7f:c9:bf:07:60:89
                        26:39:d4:61:d5:5e:2f:b2:2a:03:2c:96:59:3b:e4:e8
                        75:ed:72:80:fb:d2:d3:48:74:e1:32:12:b9:74:33:38
                        fb:ef:0d:11:c3:46:11:a0:40:6d:62:52:48:3e:c1:23
                        0d:2c:4b:27:04:17:f8:47:21:b1:e4:1b:75:c9:f7:9e
                        c6:0c:a2:8c:e6:2d:2e:c6:fb:e2:29:ea:bc:f5:e8:17
                        eb:a0:12:31:26:89:7c:bb:b6:c2:1e:07:38:95:68:d7
                        be:c4:b4:67:e7:1e:aa:bb:fd:68:8c:08:e9:6f:b8:b9
                        75:2b:d6:3e:4e:fe:62:f2:b6:8c:7a:01:89:ab:1d:9e
                        1e:56:ff:20:29:2b:69:49:17:cb:d8:79:66:84:af:04
                        2a:c5:54:bb:6d:91:d4:4a:24:b5:0b:5a:02:ec:53:06
                        2a:35:cd:c3:5e:58:a4:ca:87:09:c4:22:e7:50:f7:4c
                        33:19:a3:b4:a7:08:3c:99:89:60:ae:5f:0e:c7:cb:d1
                        a5
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Subject Key Identifier (not critical):
                        bfd9656138142de52aeb1d1ff47070fe7cf76279
Other Information:
        Public Key ID:
                sha1:bfd9656138142de52aeb1d1ff47070fe7cf76279
                sha256:58fa89e41f6086214f3a1d80774fecfac4c85dafa1079a5c8ab52669ddaac83a
        Public Key PIN:
                pin-sha256:WPqJ5B9ghiFPOh2Ad0/s+sTIXa+hB5pcirUmad2qyDo=



Signing certificate...
crt_sign: ASN1 parser: Value is not valid.
Comment 27 Eirik Oeverby 2021-01-08 12:25:36 UTC
(In reply to Eirik Oeverby from comment #26)
To clarify - I don't think your updates are necessarily the reason here. I've reproduced this on several systems, with and without gvm, and it's the same everywhere:

certtool --generate-privkey --outfile key.pem
echo "cn = localhost" > foo
certtool --generate-self-signed --load-privkey key.pem --template foo --outfile cert.pem -d 9999

This worked on Jan 6th. Yesterday it did not. I can't see any relevant changes in the gvm port (/usr/local/bin/gvm-manage-certs is a shell script, and I can't see any changes there). It's a mystery of epic proportions, this. Not that it breaks (it's gnutls after all), but that it has ever worked..

Can you offer any insights?
Comment 28 Jose Alonso Cardenas Marquez freebsd_committer 2021-01-13 04:34:11 UTC
(In reply to Eirik Oeverby from comment #27)
Hi Eirik, sorry for delay. I was trapped with my job. I tested gvm ports again and I didn't see errors when I tried create self signed certificate

[root@colosus]:/home/acm # su -m gvm -c "gvm-manage-certs -a"
Generated private key in /tmp/tmp.nNYndEwX/cakey.pem.
Generated self signed certificate in /tmp/tmp.nNYndEwX/cacert.pem.
Installed private key to /var/lib/gvm/private/CA/cakey.pem.
Installed certificate to /var/lib/gvm/CA/cacert.pem.
Generated private key in /tmp/tmp.nNYndEwX/serverkey.pem.
Generated certificate request in /tmp/tmp.nNYndEwX/serverrequest.pem.
Signed certificate request in /tmp/tmp.nNYndEwX/serverrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.nNYndEwX/servercert.pem
Installed private key to /var/lib/gvm/private/CA/serverkey.pem.
Installed certificate to /var/lib/gvm/CA/servercert.pem.
Generated private key in /tmp/tmp.nNYndEwX/clientkey.pem.
Generated certificate request in /tmp/tmp.nNYndEwX/clientrequest.pem.
Signed certificate request in /tmp/tmp.nNYndEwX/clientrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.nNYndEwX/clientcert.pem
Installed private key to /var/lib/gvm/private/CA/clientkey.pem.
Installed certificate to /var/lib/gvm/CA/clientcert.pem.
Removing temporary directory /tmp/tmp.nNYndEwX.

Maybe it could be a problem with gnutls. I have installed 3.6.15 with default options
Comment 29 Eirik Oeverby 2021-01-23 22:54:25 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #28)
Hi,

no problem at all. Grateful for your hard work.

This was fixed in libtasn1 - there was a bug there causing it to malfunction when built with clang.
My next problem is that even on a clean install it does not seem to be able to load scan definitions after fetching the feed. gvmd logs repeated failures importing the definitions. I will try to locate the logs again.

 Do you have this issue?

/Eirik
Comment 30 Jose Alonso Cardenas Marquez freebsd_committer 2021-01-26 01:20:43 UTC
(In reply to Eirik Oeverby from comment #29)
Hi, I have updated pkg-message file. did you run greenbone-nvt-sync? Also I saw some files are loaded when you log in to gsad and surf into its options (targets, task, etc)