Add new poudriere audit command to check repositories for vulnerable …

…packages

Makefile.am

@@ -62,6 +62,7 @@ dist_hook_DATA=	src/etc/poudriere.d/hooks/bulk.sh.sample \
 
 dist_pkgdata_DATA=	\
 			src/share/poudriere/api.sh \
+			src/share/poudriere/audit.sh \
 			src/share/poudriere/bulk.sh \
 			src/share/poudriere/common.sh \
 			src/share/poudriere/daemon.sh \

Makefile.in

@@ -722,6 +722,7 @@ dist_hook_DATA = src/etc/poudriere.d/hooks/bulk.sh.sample \
 
 dist_pkgdata_DATA = \
 			src/share/poudriere/api.sh \
+			src/share/poudriere/audit.sh \
 			src/share/poudriere/bulk.sh \
 			src/share/poudriere/common.sh \
 			src/share/poudriere/daemon.sh \

src/bin/poudriere.in

@@ -58,6 +58,7 @@ Options:
     -v          -- Be verbose; show more information. Use twice to enable
                    debug output
 Commands:
+    audit       -- Audit the packages in the repository
     bulk        -- Generate packages for given ports
     distclean   -- Remove old distfiles
     daemon      -- Launch the poudriere daemon
@@ -124,7 +125,7 @@ shift
 
 # Valid command list.
 case "${CMD}" in
-api|bulk|distclean|daemon|image|jail|foreachport|logclean|ports|options|pkgclean|queue|status|testport)
+api|audit|bulk|distclean|daemon|image|jail|foreachport|logclean|ports|options|pkgclean|queue|status|testport)
 	;;
 jails)
 	CMD="jail"

src/share/poudriere/audit.sh

@@ -0,0 +1,83 @@
+#!/bin/sh
+#
+# Copyright (c) 2023 Brad Davis <[email protected]>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. ${SCRIPTPREFIX}/common.sh
+
+usage() {
+	cat <<EOF
+poudriere audit [-z <set>] [-p <ports tree>] -j <jail>
+
+Options:
+    -j name     -- Run on the given jail
+    -p tree     -- Specify which ports tree to use for comparing to distfiles.
+                   Can be specified multiple times. (Defaults to the 'default'
+                   tree)
+    -z set      -- Specify which SET to use
+EOF
+	exit ${EX_USAGE}
+}
+
+[ $# -eq 0 ] && usage
+
+: ${PTNAME:=default}
+SETNAME=""
+
+
+while getopts "j:p:z:" FLAG; do
+	case "${FLAG}" in
+		j)
+			jail_exists ${OPTARG} || err 1 "No such jail: ${OPTARG}"
+			JAILNAME=${OPTARG}
+			;;
+		p)
+			porttree_exists ${OPTARG} || \
+				err 1 "No such ports tree: ${OPTARG}"
+			PTNAME="${OPTARG}"
+			;;
+		z)
+			[ -n "${OPTARG}" ] || err 1 "Empty set name"
+			SETNAME="${OPTARG}"
+			;;
+		*)
+			usage
+			;;
+	esac
+done
+
+[ -z "${JAILNAME}" ] && \
+	err 1 "Don't know on which jail to run please specify -j"
+
+MASTERNAME=${JAILNAME}-${PTNAME}${SETNAME:+-${SETNAME}}
+PACKAGES="${POUDRIERE_DATA:?}/packages/${MASTERNAME}"
+_mastermnt MASTERMNT
+
+PKG_EXT='*' package_dir_exists_and_has_packages || \
+	err 0 "No packages exist for ${MASTERNAME}"
+
+msg "Auditing for jail '${JAILNAME}'"
+if ! ${PKG_BIN} audit -d "${PACKAGES}"; then
+	exit 1
+fi