Bug 562469 - Review Request: openvas-scanner - Open Vulnerability Assessment (OpenVAS) Scanner
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 538297 538298
Depends On: 562467
Blocks: FE-SECLAB
Reported: 2010-02-06 21:07 UTC by Stjepan Gros
Modified: 2019-10-20 17:25 UTC (History)

Fixed In Version: openvas-scanner-3.0.2-4.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-27 05:51:17 UTC
Type: ---
Embargoed:
Flags:
xavier: fedora-review+
gwync: fedora-cvs+


Attachments
patched spec file (5.08 KB, application/octet-stream), 2010-03-25 13:12 UTC, Michal Ambroz
patched openvassd.con file (2.87 KB, application/octet-stream), 2010-03-25 13:17 UTC, Michal Ambroz

Description Stjepan Gros 2010-02-06 21:07:59 UTC
Spec URL: http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner.spec
SRPM URL: http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner-3.0.1-1.fc12.src.rpm
Description:
Scanner module for the Open Vulnerability Assessment System (OpenVAS).

Comment 1 Stjepan Gros 2010-02-06 21:14:45 UTC
*** Bug 538298 has been marked as a duplicate of this bug. ***

Comment 2 Stjepan Gros 2010-02-06 21:15:22 UTC
*** Bug 538297 has been marked as a duplicate of this bug. ***

Comment 3 Xavier Bachelot 2010-02-18 23:59:54 UTC
A few comments:
- -b 0 in %setup is useless
- $RPM_BUILD_ROOT/%{_sysconfdir}/openvas is created twice
- you can save some lines by using "install -Dp ..." rather than "mkdir ...; install -p ..."
- some files are packaged twice due to %{_sysconfdir}/openvas in %files. Should be %dir %{_sysconfdir}/openvas.
- the logrotate file should be marked as %config(noreplace)
- man files should end with .* rather than .gz in case the compression format ever changes.

Adding Huzaifa to the CC list.

Comment 4 Stjepan Gros 2010-02-26 10:30:58 UTC
Updated spec and SRPM files:

Spec URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner.spec
SRPM URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner-3.0.1-2.fc12.src.rpm

BTW, I tried to compile this on CentOS 5.4 but it didn't succeed because of an older cmake version.

Comment 5 Xavier Bachelot 2010-03-02 21:36:35 UTC
* Missing BuildRequires: on glib2-devel, libpcap-devel, gnutls-devel, gpgme-devel.

* After fixing the BRs, rpmlint is not silent:
openvas-scanner.i686: E: non-standard-executable-perm /usr/lib/openvas/plugins/openvas_tcp_scanner.nes 0555
openvas-scanner.i686: E: non-standard-executable-perm /usr/lib/openvas/plugins/find_service.nes 0555
openvas-scanner.i686: E: non-standard-executable-perm /usr/lib/openvas/plugins/synscan.nes 0555
openvas-scanner.i686: E: non-standard-executable-perm /usr/lib/openvas/plugins/ssl_ciphers.nes 0555
--> Fix the perms on the plugins (0644).

openvas-scanner.i686: E: non-readable /etc/openvas/openvassd.conf 0600
--> Why do the perms need to be so tight?

openvas-scanner.i686: W: no-reload-entry /etc/rc.d/init.d/openvassd
--> either add a reload entry or map it to restart if not possible.

openvas-scanner.i686: E: incoherent-logrotate-file /etc/logrotate.d/openvassd
openvas-scanner.i686: W: incoherent-init-script-name openvassd ('openvas-scanner', 'openvas-scannerd')
--> Replace openvassd in the initscript and logrotate filenames with openvas-scanner.

- Maybe replace OpenVAS Server with OpenVAS Scanner in the initscript comments?
- Search for vuurmuur in the initscript and logrotate file. What is this?

Comment 6 Stjepan Gros 2010-03-03 08:45:03 UTC
Ok, I fixed everything, but changing the init.d script name gives an rpmlint error this time:

openvas-scanner.x86_64: E: incoherent-subsys /etc/rc.d/init.d/openvas-scanner openvassd

So, should I ignore the warning you reported?

Comment 7 Xavier Bachelot 2010-03-03 09:16:19 UTC
Or you can also change the lockfile in the initscript to:
lockfile=/var/log/subsys/openvas-scanner

The prog variable could also probably be changed to openvas-scanner for nicer startup messages.

About the reload entry, I would have changed "restart)" to "restart|reload)", rather than duplicating the restart entry. Also, can openvas-scanner reload its conf on SIGHUP? This would be even better.

Btw, is there an upstream source for the Source[123] files, or did you write them yourself?

Comment 8 Stjepan Gros 2010-03-04 09:19:47 UTC
Ok, using your tip I managed to get rid of that warning too. So, here are the new SPEC file and SRPM file:

Spec URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner.spec
SRPM URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner-3.0.1-3.fc12.src.rpm

I also unified reload and restart as you suggested. For the HUP signal I don't know exactly how openvas behaves because nothing is said in the manual about signals.

Source[123] I wrote, so there is no upstream.

Comment 9 Xavier Bachelot 2010-03-04 09:56:00 UTC
It does support SIGHUP: http://openvas.org/nvt-feeds.html
My understanding is it will not reload its conf, but it will reload its plugins.
Also, on the plugins subject, I think it would be handy to provide a cronjob periodically running openvas-nvt-sync, disabled by default, but that can be enabled with a conf in /etc/sysconfig/openvas-scanner or something like that.

Comment 10 Stjepan Gros 2010-03-09 09:27:13 UTC
Ok, I added a sysconfig file and a daily cron script. I also added a new option to the init.d script, reloadplugins, that sends a HUP signal to the openvas scanner if it is running.

Spec URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner.spec
SRPM URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner-3.0.1-4.fc12.src.rpm

Comment 11 Xavier Bachelot 2010-03-11 01:01:40 UTC
The cron should be tagged as %config(noreplace). Also, it would be better to store it in /etc/cron.d/openvas-scanner; it'll then be easier to tweak the execution time.

The reload initscript target should be made a no-op, as per the guidelines. Sorry about my previous misleading comment. See http://fedoraproject.org/wiki/Packaging:SysVInitScript#Required_Actions.
As already written above, the prog variable could probably be changed to openvas-scanner (and then the initscript tweaked accordingly) for nicer startup messages.

I still find having the sysconfdir be owned by openvas-libraries strange. I'd rather have that owned by both -client and -server.

It's not good to strip the plugins manually; it's better to have them stripped during the rpm build in order to have the symbols in the -debuginfo package. As the files need to be installed executable to be stripped, you can remove the exec bit in the %files section rather than in the %install section. It makes the %files section a bit longer, but something like this should do:
%dir %{_libdir}/openvas
%dir %{_libdir}/openvas/plugins
%attr(644,-,-) %{_libdir}/openvas/plugins/*.nes
Then the following lines can be removed from the %install section:
# Fix permissions on included plugins and strip binaries
chmod 644 $RPM_BUILD_ROOT%{_libdir}/openvas/plugins/*
strip $RPM_BUILD_ROOT%{_libdir}/openvas/plugins/*

This package and the client package are getting in a good shape now. A quick comment (or more ;-)) from Huzaifa would be nice. I'll do the formal reviews soon.

Comment 12 Xavier Bachelot 2010-03-11 01:05:41 UTC
(In reply to comment #11)
> the cron should be tagged as %config(noreplace). Also, it would be better to
> store it in /etc/cron.d/openvas-scanner, it'll then be easier to tweak the
> execution time.
> 
oops, typo, I meant /etc/cron.d/openvas-sync-plugins.

Comment 13 Stjepan Gros 2010-03-12 08:25:40 UTC
Ok, the new version is almost ready (I fixed everything, including ownership of /etc/openvas), but the problem is the init.d script.

If I set prog to openvas-scanner, then the function 'status' (and possibly others from /etc/init.d/functions) won't work because it will search for a binary named openvas-scanner while it is called openvassd.

If I try to introduce a new variable just for the purpose of displaying openvas-scanner while manipulating openvassd, it will be even worse. Sometimes it will show openvas-scanner, sometimes openvassd.

Comment 14 Stjepan Gros 2010-03-12 08:27:10 UTC
I typed the whole comment and when I pressed 'Save Changes' the session expired and everything was gone! So this time I'm going to be very short!

Everything's done except for the name in the init.d script. If I change prog into something else then the status function doesn't work any more, i.e. it shows the wrong name. It could be that the other functions from /etc/init.d/functions have the same "problem".

Comment 15 Stjepan Gros 2010-03-13 16:39:49 UTC
Ok, by looking into the source of /etc/init.d/functions and a bit of experimenting I managed to change the name of the init.d script to openvas-scanner. Here are the new source and spec files:

Spec URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner.spec
SRPM URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner-3.0.1-5.fc12.src.rpm

Comment 16 Michal Ambroz 2010-03-25 13:11:07 UTC
Hello Stjepan,
1) I have tried your package and have found that openvassd.conf references the lib64 directory.
In my case all the plugins are in /usr/lib/openvas.
openvassd.conf should be modified during the build accordingly.

2) During the build rpmbuild has a problem stripping the plugins because of the permissions on the files - they are 555 and strip needs them to be 755.

3) In the specfile build scripts, macros like %{var} and shell variables like $RPM_BUILD_ROOT are used on the same line. It would be more consistent to use just one notation.

I will attach proposed changes to SPEC file and the configuration file.
Best regards
Michal Ambroz

Comment 17 Michal Ambroz 2010-03-25 13:12:27 UTC
Created attachment 402537 [details]
patched spec file

- config file
- permissions for plugins
- macros

Comment 18 Michal Ambroz 2010-03-25 13:17:26 UTC
Created attachment 402538 [details]
patched openvassd.con file

- include @@ placeholders for the configuration
- it would probably be better to do a proper patch and submit it upstream so these things would be filled in directly by configure

Comment 19 Michal Ambroz 2010-03-29 13:25:05 UTC
If you prefer, for review, here are the proposed changes to the package:

SPEC URL: http://rebus.webz.cz/d/openvas-scanner.spec
SRPM URL: http://rebus.webz.cz/d/openvas-scanner-3.0.1-6.fc12.src.rpm

Best regards
Michal Ambroz

Comment 20 Stjepan Gros 2010-03-31 09:56:37 UTC
I agree with your additions/changes to the scanner. But for now I'm waiting for a response from the others. It is, IMHO, time to push this package (and the client) to rawhide.

Comment 21 Stjepan Gros 2010-03-31 09:58:17 UTC
I agree with your additions/changes to the scanner. But for now I'm waiting for a response from the others. It is, IMHO, time to push this package (and the client) to rawhide.

BTW, your site is inaccessible at this moment.

Comment 23 Michal Ambroz 2010-04-13 12:40:01 UTC
Hello Stjepan,
Man, you are fast :) - thank you for the update.

I have tried to test it and found these issues:

1) It seems there is a typo in the Source link
Link says:
http://wald.intevation.org/frs/download.php/467/%{name}-%{version}.tar.gz

And it should be:
http://wald.intevation.org/frs/download.php/724/%{name}-%{version}.tar.gz

It seems the number identifies the download on their pages and the name is there just for information (ehh?!).

2) Library paths
Thank you for including the sed in the spec file for configuring the paths.

Please could you include the modified conf file as well?
Otherwise lib64 is not changed to lib on different platforms.

Thank you
Michal Ambroz

Comment 24 Xavier Bachelot 2010-04-13 23:07:37 UTC
+ : OK
- : Not OK
= : non applicable
? : not tested


+    * MUST: rpmlint must be run on every package. The output should be posted in the review.
3 packages and 0 specfiles checked; 0 errors, 0 warnings.
+    * MUST: The package must be named according to the Package Naming Guidelines.
+    * MUST: The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption.
+    * MUST: The package must meet the Packaging Guidelines.
+    * MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines .
-    * MUST: The License field in the package spec file must match the actual license.
License is GPLv2 not GPLv2+
+    * MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.
+    * MUST: The spec file must be written in American English.
+    * MUST: The spec file for the package MUST be legible.
-    * MUST: The sources used to build the package must match the upstream source, as provided in the spec URL.
Source0 URL is wrong, as noted by Michal in comment 23. Tarball matches upstream though : 0fbadc838d4f21c43f1ce6c8180287e6
+    * MUST: The package MUST successfully compile and build into binary rpms on at least one primary architecture.
=    * MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch.
+    * MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines.
=    * MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden.
=    * MUST: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun.
+    * MUST: Packages must NOT bundle copies of system libraries.
=    * MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package.
+    * MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory.
+    * MUST: A Fedora package must not list a file more than once in the spec file's %files listings.
-    * MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line.
Plugins should be 644, not 755.
+    * MUST: Each package must consistently use macros.
+    * MUST: The package must contain code, or permissible content.
=    * MUST: Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity).
+    * MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present.
=    * MUST: Header files must be in a -devel package.
=    * MUST: Static libraries must be in a -static package.
=    * MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1), then library files that end in .so (without suffix) must go in a -devel package.
=    * MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name} = %{version}-%{release}
+    * MUST: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built.
=    * MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section.
+    * MUST: Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon.
+    * MUST: At the beginning of %install, each package MUST run rm -rf %{buildroot} (or $RPM_BUILD_ROOT).
+    * MUST: All filenames in rpm packages must be valid UTF-8.

=    * SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
-    * SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available.
+    * SHOULD: The reviewer should test that the package builds in mock.
?    * SHOULD: The package should compile and build into binary rpms on all supported architectures.
-    * SHOULD: The reviewer should test that the package functions as described. A package should not segfault instead of running, for example.
Config file contains spurious /usr/lib64 on i386, as noted by Michal in comment 23.
+    * SHOULD: If scriptlets are used, those scriptlets must be sane. This is vague, and left up to the reviewer's judgement to determine sanity.
=    * SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency.
=    * SHOULD: The placement of pkgconfig(.pc) files depends on their usecase, and this is usually for development purposes, so should be placed in a -devel pkg. A reasonable exception is that the main pkg itself is a devel tool not installed in a user runtime, e.g. gcc or gdb.
=    * SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself.
+    * SHOULD: your package should contain man pages for binaries/scripts. If it doesn't, work with upstream to add them where they make sense.


Please fix the failed MUST items:
- License
- Source0 URL
- plugins perms

Comment 25 Stjepan Gros 2010-04-14 06:16:26 UTC
Just one quick question before I submit the new version. The plugins are actually shared libraries, even though they have the extension .nes; that's the reason they have the 755 attribute. So, do you still think that the perms have to be 644?

Comment 26 Xavier Bachelot 2010-04-14 06:33:42 UTC
You're right, perms should be 755. Fix the 2 remaining issues before importing and then this package is APPROVED.

Comment 27 Stjepan Gros 2010-04-14 12:11:12 UTC
OK, here are the new package and spec file:

Spec URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner.spec
SRPM URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-scanner-3.0.2-2.fc12.src.rpm

I changed the license and source URL and also included the conf file from Michal that was missing.

Comment 28 Michal Ambroz 2010-04-14 17:11:06 UTC
Hello,
I have tried with (the current) permissions 644 and it works.
I was testing openvas_
Libraries are apparently explicitly loaded and not linked to the executable - so they do not need the executable bit.

In my opinion permissions can stay as they are.

Cosmetics:
What I see as a bit unfortunate is that everything (nasl, nes, inc) is mixed in one directory.

Michal

Comment 29 Michal Ambroz 2010-04-14 17:11:46 UTC
I forgot to say ... thanks ... everything works as expected for me.
Michal

Comment 30 Xavier Bachelot 2010-04-14 18:50:21 UTC
(In reply to comment #28)
> Hello,
> I have tried with (the current) permissions 644 and it works.
> I was testing openvas_
> Libraries are apparently explicitly loaded and not linked to the executable - so
> they do not need the executable bit.
> 
> In my opinion permissions can stay as they are.
> 
The provides should probably be filtered out then:

$ rpm -qp --provides openvas-scanner-3.0.2-1.fc14.i686.rpm
config(openvas-scanner) = 3.0.2-1.fc14
libfind_service.so.0  
libopenvas_tcp_scanner.so.0  
libssl_ciphers.so.0  
libsynscan.so.0  
openvas-scanner = 3.0.2-1.fc14
openvas-scanner(x86-32) = 3.0.2-1.fc14

Comment 31 Stjepan Gros 2010-04-16 06:25:45 UTC
I'll revert the permissions back to 644. And those provides have to be removed because they are not in the package. The question is how to do it. One option is to remove those files after the installation stage, but is there some better method? When I remove those I'll submit a new revision.

Comment 32 Xavier Bachelot 2010-04-16 07:36:02 UTC
Something like the following should do it:
%filter_provides_in %{_libdir}/openvas/plugins
%filter_setup

See https://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering
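
As an added illustration (not taken from any of the spec files linked in this thread), here are the spec fragments that fold together the points agreed in comments 3, 11, 16, 23, 28 and 32: plugins packaged non-executable via %attr in the files section instead of chmod/strip in the install section, their automatic lib*.so provides filtered out, the conf file generated from a placeholder so lib vs lib64 is right on every arch, and config, logrotate and cron files marked %config(noreplace). The Source numbers, the @@LIBDIR@@ placeholder name, the %doc files and the man page name are assumptions, as is placing the filter block right after %description.

```spec
# Fragments only: Name, Version, Source and build sections are left out.
BuildRequires:  cmake glib2-devel libpcap-devel gnutls-devel gpgme-devel openvas-libraries-devel

%description
Scanner module for the Open Vulnerability Assessment System (OpenVAS).

# Comments 30 and 32: the .nes plugins are dlopen()ed, never linked against,
# so rpmbuild must not advertise them as lib*.so.0 provides.
%{?filter_setup:
%filter_provides_in %{_libdir}/openvas/plugins
%filter_setup
}

%prep
# Comment 3: "-b 0" is unnecessary here.
%setup -q

%install
rm -rf %{buildroot}
make install DESTDIR=%{buildroot}
# Comments 16, 18 and 23: ship a conf with an @@LIBDIR@@ placeholder (name assumed)
# and fill it at build time, so the plugin path is right on lib and lib64 hosts.
# Comment 16: the buildroot macro is used throughout instead of RPM_BUILD_ROOT.
sed -e 's|@@LIBDIR@@|%{_libdir}|g' %{SOURCE1} \
    > %{buildroot}%{_sysconfdir}/openvas/openvassd.conf
# Comment 3: install -Dp creates the parent directories itself.
install -Dp -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/logrotate.d/openvas-scanner
install -Dp -m 0755 %{SOURCE3} %{buildroot}%{_initrddir}/openvas-scanner
install -Dp -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/openvas-scanner
install -Dp -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/cron.d/openvas-sync-plugins
# Comment 11: no chmod/strip of the plugins here. rpmbuild strips them itself
# (so -debuginfo keeps the symbols) and the files section drops the exec bit.

%files
%defattr(-,root,root,-)
%doc COPYING README
# Comment 13: this package owns /etc/openvas itself rather than via openvas-libraries.
%dir %{_sysconfdir}/openvas
# Kept at 0600 as packaged; comment 5 asked whether it needs to be that tight.
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/openvas/openvassd.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/openvas-scanner
%config(noreplace) %{_sysconfdir}/sysconfig/openvas-scanner
%config(noreplace) %{_sysconfdir}/cron.d/openvas-sync-plugins
%{_initrddir}/openvas-scanner
%{_sbindir}/openvassd
# Comment 3: ".*" rather than ".gz" in case the man page compression changes.
%{_mandir}/man8/openvassd.8*
%dir %{_libdir}/openvas
%dir %{_libdir}/openvas/plugins
# Comments 11 and 28: installed executable so they get stripped, packaged 644.
%attr(644,-,-) %{_libdir}/openvas/plugins/*.nes
```

After building, `rpm -qp --provides` on the resulting package should no longer list libfind_service.so.0 and friends, and `rpm -qlv` should show the plugins as mode 644.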

Comment 34 Xavier Bachelot 2010-04-16 09:01:12 UTC
You did not update the spec and the srpm link is 404.

Comment 35 Stjepan Gros 2010-04-16 10:01:37 UTC
Oops, sorry. Now they are updated!

Comment 36 Xavier Bachelot 2010-04-16 10:18:26 UTC
Looks good. Please go ahead and request the creation of the cvs module.

Comment 37 Xavier Bachelot 2010-04-16 10:29:07 UTC
btw, I'd like to see this in EPEL too, could you please request an EL-5 branch? Even if the cmake issue can't be fixed in EL-5, EL-6 will soon be branched and I believe if there is an EL-5 branch, the EL-6 one will get automagically created. I can maintain or co-maintain the EL branches if you wish (my username is xavierb).

Comment 38 Stjepan Gros 2010-04-16 14:05:47 UTC
New Package CVS Request
=======================
Package Name: openvas-scanner
Short Description: Scanner module for the Open Vulnerability Assessment System (OpenVAS).
Owners: sgros huzaifa rebus xavierb
Branches: F-12 F-13 EL-5
InitialCC: sgros huzaifa rebus xavierb

Comment 39 Stjepan Gros 2010-04-16 14:07:27 UTC
New Package CVS Request
=======================
Package Name: openvas-scanner
Short Description: Scanner module for the Open Vulnerability Assessment System (OpenVAS).
Owners: sgros huzaifas rebus xavierb
Branches: F-12 F-13 EL-5
InitialCC: sgros huzaifas rebus xavierb

Comment 40 Kevin Fenzi 2010-04-18 01:39:45 UTC
CVS done (by process-cvs-requests.py).

Xavier: Please remember to assign the review to yourself instead of leaving it as nobody. ;)

Comment 41 Fedora Update System 2010-04-25 02:04:36 UTC
openvas-scanner-3.0.2-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openvas-scanner-3.0.2-4.fc12

Comment 42 Michal Ambroz 2010-04-25 11:23:17 UTC
Hello guys,
I have patched the scripts for downloading the NVT feed to use separate nvt and gsf plugin directories, to separate them from the plugins we deliver with the package.

The update is in cvs for all branches now (F-12, F-13, devel, EL-5).

I have rebuilt openvas-scanner for F12 and devel.
Submitted it to F12 updates via bodhi.

Rebuilding for F13 was not possible, because the openvas-libraries package is still in F13 updates-testing and I am not able to find a way to build against it.

Rebuilding for EL-5 was not possible at this point as we do not have a branch for openvas-libraries for EL-5.

Best regards
Michal Ambroz

Comment 43 Fedora Update System 2010-04-26 22:45:26 UTC
openvas-scanner-3.0.2-4.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/openvas-scanner-3.0.2-4.fc13

Comment 44 Fedora Update System 2010-04-27 02:22:01 UTC
openvas-scanner-3.0.2-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 45 Fedora Update System 2010-04-27 05:51:13 UTC
openvas-scanner-3.0.2-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 46 Michal Ambroz 2014-09-23 18:07:37 UTC
Package Change Request
======================
Package Name: openvas-scanner
New Branches: epel7
Owners: huzaifas sgros rebus xavierb fab

Hello SCM team,
please can you add an epel7 branch for the openvas-scanner package?
Thank you
Michal Ambroz

Comment 47 Gwyn Ciesla 2014-09-23 19:16:35 UTC
Git done (by process-git-requests).