Summary: Review Request: ratproxy - A passive web application security assessment tool
Product: [Fedora] Fedora
Reporter: Rakesh Pandit <rpandit>
Component: Package Review
Assignee: Mamoru TASAKA <mtasaka>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Version: rawhide
CC: fedora-package-review, lucilanga, mtasaka, notting, opensource
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2009-01-19 12:50:15 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Description Rakesh Pandit 2008-11-05 06:36:19 UTC
SPEC: http://rakesh.fedorapeople.org/spec/ratproxy.spec
SRPM: http://rakesh.fedorapeople.org/srpm/ratproxy-1.51-1.fc10.src.rpm

Description:
A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments. Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.
Comment 1 Till Maas 2008-11-07 12:33:05 UTC
Instead of the sed command, you better run
make CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE"
You can add -Wno-pointer-sign like upstream does if you do not want to see tons of pointer signedness warnings, but it would probably be better to fix this in the code. :-)

Something not so nice is that the tarball contains a non-free precompiled binary in flare-dist/flare, i.e. add a
rm -rf flare-dist/ flare
in %prep. In the future there may be checks that prevent the rpm from being built if there are precompiled binaries present.
Comment 2 Rakesh Pandit 2008-11-08 15:51:28 UTC
I have reported all these issues upstream. The number of lines required for fixing the warnings is enormous; the warnings are around 1000+ lines. So I am using a flag to suppress these warnings. Regarding some fwrite warnings (not handling return values), I have also reported them. I think these are not blockers.

Thanks - Updated
http://rakesh.fedorapeople.org/spec/ratproxy.spec
http://rakesh.fedorapeople.org/srpm/ratproxy-1.51-2.fc9.src.rpm
Comment 3 Lucian Langa 2008-11-22 19:27:27 UTC
This is not a blocker but... as this is a network application (binds a specific port, logs data to a specific dir), will you consider providing a sysvinit script, default logdir, log rotation, etc.?
Comment 4 Rakesh Pandit 2008-12-06 13:43:03 UTC
Would it be okay without them? I wouldn't like to .. maybe later on in case administrators bug me. I selected it from the security spin wish list. What do you suggest?
Comment 5 Lucian Langa 2009-01-07 17:54:13 UTC
(In reply to comment #4)
> Would it be okay without them? I wouldn't like to .. may be later on in case
> administrators bug me. I selected it from security spin wish list. What you
> suggest ?

I guess you can add scripts later. Anyway a sysvinit script would be nice.

- This package contains the flare binary that is not free and cannot be shipped in Fedora. You need to remove this before packaging, see:
https://fedoraproject.org/wiki/PackagingDrafts/SourceUrl#When_Upstream_uses_Prohibited_Code
Comment 6 Till Maas 2009-01-07 18:05:02 UTC
(In reply to comment #5)
> -This package contains flare binary that is not free and cannot be shipped in
> Fedora. You need to remove this before packaging, see:
> https://fedoraproject.org/wiki/PackagingDrafts/SourceUrl#When_Upstream_uses_Prohibited_Code

The URL does not cover binaries:
| Some upstream packages include patents or trademarks that we are not allowed to
| ship even as source code.
Comment 7 Lucian Langa 2009-01-07 18:38:33 UTC
I do not think this binary can be shipped with Fedora and it has to be treated as prohibited source, but we can always ask legal.
Comment 8 Mamoru TASAKA 2009-01-07 18:52:14 UTC
No matter whether flare-dist/flare is binary or not, as flare-dist/LICENSE.TXT says this part is definitely NON-FREE (Redistribution is solely for non-commercial purposes), this part cannot be shipped (even if in srpm form) in Fedora.
Comment 9 Rakesh Pandit 2009-01-07 19:00:48 UTC
NON-FREE stuff. Cannot be shipped in.
Comment 10 Mamoru TASAKA 2009-01-07 19:09:29 UTC
Ah.. is the flare-dist/ part really needed for this package? I tried to rebuild your latest srpm, however for me this part does not seem to be used. If not needed, you can
- remove the flare-dist part
- repackage the tarball
- and use the repackaged tarball as the Fedora source tarball (as Lucian said in comment 5)
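The repackaging steps in this comment, together with the "checks for precompiled binaries" Till mentioned in comment 1, as an added shell example that is not part of the review thread or of the ratproxy project: it builds a constructed upstream-style tarball (the directory name ratproxy-x.y, the file contents and the fake ELF file are all made up for the demonstration), strips the flare-dist/ subdirectory the way a packager would before uploading a cleaned source tarball, and counts ELF binaries before and after. All function names are my own.

```shell
#!/bin/sh
# Added example (not from the review thread): repackage an upstream tarball
# without a prohibited subdirectory, then verify that no ELF binaries remain.
# The sample tarball built by make_sample_tarball is entirely constructed.
set -eu

# list_elf_files DIR: print every regular file under DIR whose first four
# bytes are the ELF magic (\177ELF), i.e. a precompiled native binary.
list_elf_files() {
    find "$1" -type f | while IFS= read -r f; do
        if [ "$(head -c 4 "$f" 2>/dev/null)" = "$(printf '\177ELF')" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# strip_tarball IN OUT SUBDIR: unpack IN, delete SUBDIR below the single
# top-level directory (assumed layout), and write the rest to OUT (gzip).
strip_tarball() {
    in_tar=$1; out_tar=$2; subdir=$3
    work=$(mktemp -d)
    tar xzf "$in_tar" -C "$work"
    top=$(ls "$work")
    rm -rf "$work/$top/$subdir"
    tar czf "$out_tar" -C "$work" "$top"
    rm -rf "$work"
}

# tarball_has_path TARBALL PATTERN: exit 0 if any member path matches PATTERN.
tarball_has_path() {
    tar tzf "$1" | grep -q -- "$2"
}

# tarball_elf_count TARBALL: print the number of ELF binaries inside TARBALL.
tarball_elf_count() {
    scan=$(mktemp -d)
    tar xzf "$1" -C "$scan"
    list_elf_files "$scan" | wc -l | tr -d ' '
    rm -rf "$scan"
}

# make_sample_tarball OUT: constructed upstream-style tarball with one source
# file and a non-free subdirectory holding a fake precompiled binary.
make_sample_tarball() {
    build=$(mktemp -d)
    mkdir -p "$build/ratproxy-x.y/flare-dist"
    printf 'int main(void) { return 0; }\n' > "$build/ratproxy-x.y/ratproxy.c"
    printf 'Redistribution is solely for non-commercial purposes\n' \
        > "$build/ratproxy-x.y/flare-dist/LICENSE.TXT"
    printf '\177ELF fake binary\n' > "$build/ratproxy-x.y/flare-dist/flare"
    tar czf "$1" -C "$build" ratproxy-x.y
    rm -rf "$build"
}

# Demonstration on the constructed sample.
demo=$(mktemp -d)
make_sample_tarball "$demo/ratproxy-x.y.tar.gz"
strip_tarball "$demo/ratproxy-x.y.tar.gz" "$demo/ratproxy-x.y-clean.tar.gz" flare-dist
echo "ELF binaries before: $(tarball_elf_count "$demo/ratproxy-x.y.tar.gz")"
echo "ELF binaries after:  $(tarball_elf_count "$demo/ratproxy-x.y-clean.tar.gz")"
rm -rf "$demo"
```

The cleaned tarball is what goes into the srpm as the Source; an rm -rf in %prep (comment 1) only keeps the binary out of the built rpm, whereas the license quoted in comment 8 forbids redistributing it even in srpm form, so the removal has to happen before the tarball is uploaded.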
Comment 11 Rakesh Pandit 2009-01-07 19:17:24 UTC
I took this package from the security spin wish list and don't have much interest (on a personal note) because I don't use it. Anyway I will have a re-look. Thanks all for pointing out issues. I will bump with changes soon.
Comment 12 Rakesh Pandit 2009-01-08 11:55:29 UTC
http://rakesh.fedorapeople.org/spec/ratproxy.spec
http://rakesh.fedorapeople.org/srpm/ratproxy-1.51-3.fc10.src.rpm

Somebody interested in review?
Comment 13 Mamoru TASAKA 2009-01-17 17:38:20 UTC
Well, for 1.51-3:
- I guess Solaris.README is not needed.
Other things are okay.

----------------------------------------------------------
This package (ratproxy) is APPROVED by mtasaka
----------------------------------------------------------
Comment 14 Rakesh Pandit 2009-01-18 12:08:59 UTC
Thanks, I will remove that file before importing.

New Package CVS Request
=======================
Package Name: ratproxy
Short Description: A passive web application security assessment tool
Owners: rakesh
Branches: F-9 F-10
InitialCC:
Cvsextras Commits: yes
Comment 15 Kevin Fenzi 2009-01-18 22:30:23 UTC
Comment 16 Fedora Update System 2009-01-19 12:43:07 UTC
ratproxy-1.51-4.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/ratproxy-1.51-4.fc9
Comment 17 Fedora Update System 2009-01-19 12:43:10 UTC
ratproxy-1.51-4.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/ratproxy-1.51-4.fc10