Red Hat Bugzilla – Bug 469997
Review Request: ratproxy - A passive web application security assessment tool
Last modified: 2009-01-19 07:50:15 EST
A semi-automated, largely passive web application security audit tool,
optimized for an accurate and sensitive detection, and automatic
annotation, of potential problems and security-relevant design
patterns based on the observation of existing, user-initiated traffic
in complex web 2.0 environments.
Detects and prioritizes broad classes of security
problems, such as dynamic cross-site trust model considerations,
script inclusion issues, content serving problems, insufficient XSRF
and XSS defenses, and much more.
Instead of the sed command, you'd better run
make CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE"
You can add -Wno-pointer-sign like upstream does if you do not want to see tons of pointer signedness warnings, but it would probably be better to fix this in the code. :-)
Something not so nice is that the tarball contains a non-free precompiled binary in flare-dist/flare, i.e. add a rm -rf flare-dist/flare in %prep. In the future there may be checks that prevent the rpm from being built if there are precompiled binaries present.
I have reported all these issues upstream. The number of lines required for fixing the warnings is enormous. The warnings are around 1000+ lines. So, I am using a flag to suppress these warnings. Regarding some fwrite warnings (not handling return values), I have also reported them.
I think these are not blockers.
Thanks - Updated
This is not a blocker but...
as this is a network application (binds specific port, logs data to specific dir) will you consider providing sysvinit script, default logdir, logrotation, etc...?
Would it be okay without them? I wouldn't like to... maybe later on in case administrators bug me. I selected it from the security spin wish list. What do you suggest?
(In reply to comment #4)
> Would it be okay without them? I wouldn't like to... maybe later on in case
> administrators bug me. I selected it from the security spin wish list. What do you
> suggest?
I guess you can add scripts later. Anyway a sysvinit script would be nice.
-This package contains flare binary that is not free and cannot be shipped in Fedora. You need to remove this before packaging, see:
(In reply to comment #5)
> -This package contains flare binary that is not free and cannot be shipped in
> Fedora. You need to remove this before packaging, see:
The URL does not cover binaries:
| Some upstream packages include patents or trademarks that we are not allowed to
| ship even as source code.
I do not think this binary can be shipped with Fedora and it has to be treated as a prohibited source, but we can always ask legal.
No matter whether flare-dist/flare is binary or not, as
flare-dist/LICENSE.TXT says this part is definitely NON-FREE
(Redistribution is solely for non-commercial purposes), this
part cannot be shipped (even if in srpm form) in Fedora.
NON-FREE stuff. Cannot be shipped in.
Ah... is the flare-dist/ part really needed for this package?
I tried to rebuild your latest srpm, however for me this part
does not seem to be used.
If not needed, you can
- remove flare-dist part
- repackage tarball
- and use the repackaged tarball as Fedora source tarball
(as Lucian said in comment 5)
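As an added illustration of the repackaging step described above (and of the "rm -rf ... in %prep" / precompiled-binary check mentioned in comment 2), here is a small POSIX shell script. It is not part of this Bugzilla thread and not ratproxy's or Fedora's own tooling. It assumes the upstream tarball unpacks into a single top-level directory (ratproxy/) and that the non-free part lives under flare-dist/, as the thread states; the sample tarball it builds is constructed here for demonstration and is not the real 1.51 release.

```sh
#!/bin/sh
# Added example (not from the Bugzilla thread or ratproxy upstream):
# strip a non-free subdirectory from an upstream tarball, write a clean
# tarball usable as the Fedora Source0, and verify no precompiled ELF
# binaries remain. Names follow the thread; the sample tarball is constructed.
set -eu

# Print tarball members whose first four bytes are the ELF magic (7f 45 4c 46).
# Uses only tar, dd and od, so it works where the `file` utility is absent.
list_elf_members() {
    tgz=$1
    scratch=$(mktemp -d)
    tar -xzf "$tgz" -C "$scratch"
    find "$scratch" -type f | while read -r f; do
        magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "7f454c46" ]; then
            echo "${f#$scratch/}"
        fi
    done
    rm -rf "$scratch"
}

# repackage_without IN.tar.gz OUT.tar.gz SUBDIR
# Extract the upstream tarball, delete SUBDIR under its single top-level
# directory, and re-create a gzip'd tarball from what is left.
repackage_without() {
    in_tgz=$1; out_tgz=$2; drop=$3
    scratch=$(mktemp -d)
    tar -xzf "$in_tgz" -C "$scratch"
    top=$(ls "$scratch")            # assumption: exactly one top-level dir, e.g. ratproxy/
    rm -rf "$scratch/$top/$drop"
    tar -czf "$out_tgz" -C "$scratch" "$top"
    rm -rf "$scratch"
}

# Constructed stand-in for the upstream tarball: a source file, the
# non-commercial LICENSE.TXT, and a fake precompiled ELF binary under flare-dist/.
make_sample_tarball() {
    out_tgz=$1
    scratch=$(mktemp -d)
    mkdir -p "$scratch/ratproxy/flare-dist"
    printf '/* constructed placeholder for ratproxy.c */\n' > "$scratch/ratproxy/ratproxy.c"
    printf 'Redistribution is solely for non-commercial purposes\n' \
        > "$scratch/ratproxy/flare-dist/LICENSE.TXT"
    printf '\177ELF\002\001\001constructed-fake-binary' > "$scratch/ratproxy/flare-dist/flare"
    tar -czf "$out_tgz" -C "$scratch" ratproxy
    rm -rf "$scratch"
}

# Run the whole procedure in a scratch workspace and show the before/after check.
demo() {
    work=$(mktemp -d)
    make_sample_tarball "$work/ratproxy-1.51.tar.gz"
    echo "ELF members in upstream tarball:"
    list_elf_members "$work/ratproxy-1.51.tar.gz"
    repackage_without "$work/ratproxy-1.51.tar.gz" "$work/ratproxy-1.51-clean.tar.gz" flare-dist
    echo "ELF members after stripping flare-dist/:"
    list_elf_members "$work/ratproxy-1.51-clean.tar.gz"
    rm -rf "$work"
}

demo
```

The ELF-magic check is the kind of test a packaging pipeline can run over the final tarball to catch a prohibited binary before it ever reaches a spec file; the repackaged tarball is then what Source0 points at, and the spec carries no rm -rf of its own.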
I took this package from the security spin wish list and don't have much interest (on a personal note) because I don't use it.
Anyway I will have a re-look. Thanks all for pointing out issues. I will bump with changes soon.
Somebody interested in review?
Well, for 1.51-3:
- I guess Solaris.README is not needed.
Other things are okay.
This package (ratproxy) is APPROVED by mtasaka
Thanks, I will remove that file before importing.
New Package CVS Request
Package Name: ratproxy
Short Description: A passive web application security assessment tool
Branches: F-9 F-10
Cvsextras Commits: yes
ratproxy-1.51-4.fc9 has been submitted as an update for Fedora 9.
ratproxy-1.51-4.fc10 has been submitted as an update for Fedora 10.