Bug 469997 - Review Request: ratproxy - A passive web application security assessment tool
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Mamoru TASAKA
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-11-05 01:36 EST by Rakesh Pandit
Modified: 2009-01-19 07:50 EST
Doc Type: Bug Fix
Last Closed: 2009-01-19 07:50:15 EST
Flags: mtasaka: fedora-review+, kevin: fedora-cvs+
Attachments: None
Description Rakesh Pandit 2008-11-05 01:36:19 EST
Description:

SPEC: http://rakesh.fedorapeople.org/spec/ratproxy.spec
SRPM: http://rakesh.fedorapeople.org/srpm/ratproxy-1.51-1.fc10.src.rpm

A semi-automated, largely passive web application security audit tool,
optimized for an accurate and sensitive detection, and automatic
annotation, of potential problems and security-relevant design
patterns based on the observation of existing, user-initiated traffic
in complex web 2.0 environments.

Detects and prioritizes broad classes of security problems, such as
dynamic cross-site trust model considerations, script inclusion issues,
content serving problems, insufficient XSRF and XSS defenses, and much
more.
Comment 1 Till Maas 2008-11-07 07:33:05 EST
Instead of the sed command, you had better run

make CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE"

You can add -Wno-pointer-sign like upstream does if you do not want to see tons of pointer signedness warnings, but it would probably be better to fix this in the code. :-)

Something not so nice is that the tarball contains a non-free precompiled binary in flare-dist/flare, i.e. add an rm -rf flare-dist/flare in %prep. In the future there may be checks that prevent the rpm from being built if precompiled binaries are present.
Comment 2 Rakesh Pandit 2008-11-08 10:51:28 EST
I have reported all these issues upstream. The number of lines required for fixing the warnings is enormous; the warnings run to around 1000+ lines. So I am using a flag to suppress these warnings. I have also reported some fwrite warnings (return values not handled).

I think these are not blockers.
Thanks - Updated

http://rakesh.fedorapeople.org/spec/ratproxy.spec
http://rakesh.fedorapeople.org/srpm/ratproxy-1.51-2.fc9.src.rpm
Comment 3 Lucian Langa 2008-11-22 14:27:27 EST
This is not a blocker but...

As this is a network application (it binds a specific port and logs data to a specific dir), will you consider providing a sysvinit script, default logdir, logrotation, etc.?
Comment 4 Rakesh Pandit 2008-12-06 08:43:03 EST
Would it be okay without them? I wouldn't like to .. maybe later on, in case administrators bug me. I selected it from the security spin wish list. What do you suggest?
Comment 5 Lucian Langa 2009-01-07 12:54:13 EST
(In reply to comment #4)
> Would it be okay without them? I wouldn't like to .. maybe later on, in case
> administrators bug me. I selected it from the security spin wish list. What do
> you suggest?
I guess you can add scripts later. Anyway a sysvinit script would be nice.


- This package contains the flare binary, which is not free and cannot be shipped in Fedora. You need to remove this before packaging, see:
https://fedoraproject.org/wiki/PackagingDrafts/SourceUrl#When_Upstream_uses_Prohibited_Code
Comment 6 Till Maas 2009-01-07 13:05:02 EST
(In reply to comment #5)

> - This package contains the flare binary, which is not free and cannot be shipped
> in Fedora. You need to remove this before packaging, see:
> https://fedoraproject.org/wiki/PackagingDrafts/SourceUrl#When_Upstream_uses_Prohibited_Code

The URL does not cover binaries:

| Some upstream packages include patents or trademarks that we are not allowed to 
| ship even as source code.
Comment 7 Lucian Langa 2009-01-07 13:38:33 EST
I do not think this binary can be shipped with Fedora and it has to be treated as prohibited source, but we can always ask legal.
Comment 8 Mamoru TASAKA 2009-01-07 13:52:14 EST
No matter whether flare-dist/flare is binary or not, as
flare-dist/LICENSE.TXT says this part is definitely NON-FREE
(Redistribution is solely for non-commercial purposes), this
part cannot be shipped (even if in srpm form) in Fedora.
Comment 9 Rakesh Pandit 2009-01-07 14:00:48 EST
NON-FREE stuff. Cannot be shipped in.
Comment 10 Mamoru TASAKA 2009-01-07 14:09:29 EST
Ah.. is flare-dist/ part really needed for this package?
I tried to rebuild your latest srpm, however for me this part
does not seem to be used.

If not needed, you can
- remove flare-dist part
- repackage tarball
- and use the repackaged tarball as Fedora source tarball
(as Lucian said in comment 5)
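Comments 1 and 10 describe the same cleanup: drop the non-free flare-dist/ directory and make sure no precompiled binary is left before the repackaged tarball becomes the Fedora source tarball. The script below is an added example, not code from this thread or from ratproxy itself; the function names and the constructed sample tarball are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the review thread or from ratproxy itself.
# Repack an upstream tarball without a non-free directory (flare-dist/ in
# this review) and refuse to emit one that still carries ELF binaries.
# Function names, paths and the sample tarball below are constructed.

# List every ELF file under directory $1 by checking the 4-byte magic,
# the kind of "precompiled binary present" check comment 1 anticipates.
find_elf_files() {
    find "$1" -type f | while IFS= read -r f; do
        if [ "$(head -c 4 "$f" 2>/dev/null)" = "$(printf '\177ELF')" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Extract tarball $1, delete directory $2 (relative to the extraction
# root, e.g. ratproxy/flare-dist), and write the cleaned tarball to $3.
# Returns 2, and writes nothing, if any ELF file survives the removal.
repack_without_dir() {
    src=$1; drop=$2; out=$3
    work=$(mktemp -d) || return 1
    tar -xzf "$src" -C "$work" || { rm -rf "$work"; return 1; }
    rm -rf "$work/$drop"
    left=$(find_elf_files "$work")
    if [ -n "$left" ]; then
        printf 'error: prebuilt binaries remain:\n%s\n' "$left" >&2
        rm -rf "$work"
        return 2
    fi
    (cd "$work" && tar -czf - .) > "$out" || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}

# Build a constructed stand-in for the upstream tarball: sources plus a
# flare-dist/ directory holding a fake ELF header and a non-free LICENSE.
make_sample_tarball() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/ratproxy/flare-dist"
    printf 'all:\n\t$(CC) $(CFLAGS) ratproxy.c -o ratproxy\n' > "$d/ratproxy/Makefile"
    printf 'int main(void) { return 0; }\n' > "$d/ratproxy/ratproxy.c"
    printf '\177ELF\002\001\001' > "$d/ratproxy/flare-dist/flare"
    printf 'Redistribution is solely for non-commercial purposes\n' \
        > "$d/ratproxy/flare-dist/LICENSE.TXT"
    (cd "$d" && tar -czf - ratproxy) > "$1" || { rm -rf "$d"; return 1; }
    rm -rf "$d"
}
```

The cleaned tarball is what would be listed as Source0 in the spec, with a comment recording how it was produced from the upstream release.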
Comment 11 Rakesh Pandit 2009-01-07 14:17:24 EST
I took this package from security spin wish list and don't have much interest (on a personal note) because I don't use it.

Anyway, I will have a re-look. Thanks all for pointing out issues. I will bump with changes soon.
Comment 13 Mamoru TASAKA 2009-01-17 12:38:20 EST
Well, for 1.51-3:

- I guess Solaris.README is not needed.

Other things are okay.
----------------------------------------------------------
   This package (ratproxy) is APPROVED by mtasaka
----------------------------------------------------------
Comment 14 Rakesh Pandit 2009-01-18 07:08:59 EST
Thanks, I will remove that file before importing.

New Package CVS Request
=======================
Package Name: ratproxy
Short Description: A passive web application security assessment tool
Owners: rakesh
Branches: F-9 F-10
InitialCC:
Cvsextras Commits: yes
Comment 15 Kevin Fenzi 2009-01-18 17:30:23 EST
cvs done.
Comment 16 Fedora Update System 2009-01-19 07:43:07 EST
ratproxy-1.51-4.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ratproxy-1.51-4.fc9
Comment 17 Fedora Update System 2009-01-19 07:43:10 EST
ratproxy-1.51-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ratproxy-1.51-4.fc10