Spec URL: http://repo.lystor.org.ua/fedora/12/SPECS/wapiti.spec
SRPM URL: http://repo.lystor.org.ua/fedora/12/SRPMS/wapiti-2.2.1-1.fc12.src.rpm

Description:
Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

Wapiti can detect the following vulnerabilities:
* File Handling Errors (Local and remote include/require, fopen...)
* Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
* XSS (Cross Site Scripting) Injection
* LDAP Injection
* Command Execution detection (eval(), system(), passthru()...)
* CRLF Injection (HTTP Response Splitting, session fixation...)

Wapiti is able to differentiate punctual and permanent XSS vulnerabilities. Wapiti does not rely on a vulnerability database like Nikto does. Wapiti aims to discover unknown vulnerabilities in web applications.

$ rpmlint {i386,x86_64,SRPMS}/wapiti*
wapiti.noarch: E: explicit-lib-dependency python-httplib2
wapiti.noarch: E: explicit-lib-dependency python-httplib2
3 packages and 0 specfiles checked; 2 errors, 0 warnings.

python-httplib2 is added to Requires manually because the rpm dependency generator does not find it automatically.

This package builds successfully in mock on i686/x86_64 architectures.

This is one of my first packages and I'm looking for a sponsor.
Builds successfully in mock on Fedora 11 with i386/x86_64 architectures.
Builds successfully in mock on Fedora 13 with i386/x86_64 architectures.
Before reviewing this:
* Well, from ./doc/wapiti.1 this software seems to be licensed under GPLv2 (strict). However, ./src/report_template/includes/js/excanvas.js is licensed under ASL 2.0, which is also included in the rebuilt binary rpm, and unfortunately GPLv2 and ASL 2.0 are incompatible: https://fedoraproject.org/wiki/Licensing Would you ask the upstream about this?
* Would you move GNU message catalogs (.mo files) to the normal directory for these files (i.e. /usr/share/locale/<lang>/LC_MESSAGES)? (A patch may be needed; I have not checked this, though.)
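The relocation requested above (catalogs under /usr/share/locale/<lang>/LC_MESSAGES instead of site-packages) is usually done in setup.py by pointing data_files at share/locale; once the .mo files land there, %find_lang can collect them into the %files list. The following helper is an added example, not code from wapiti, its setup.py or the reviewer: it assumes the source layout src/config/language/<lang>/LC_MESSAGES/<domain>.mo and the hypothetical helper name locale_data_files, and it skips anything that is not a catalog for the requested domain in the expected place.

```python
"""Build distutils/setuptools data_files entries for gettext catalogs.

Added example (not part of wapiti or its setup.py).  It assumes catalogs live
at src/config/language/<lang>/LC_MESSAGES/<domain>.mo and installs them to
share/locale/<lang>/LC_MESSAGES, the tree that rpm's %find_lang scans.
"""
import glob
import os
import re

# <lang>/LC_MESSAGES/<domain>.mo, e.g. fr/LC_MESSAGES/wapiti.mo
_MO_RE = re.compile(r"^([A-Za-z_]+)/LC_MESSAGES/([^/]+)\.mo$")


def locale_data_files(mo_paths, src_root="src/config/language", domain="wapiti"):
    """Map *.mo source paths to (install_dir, [files]) tuples for data_files.

    install_dir is relative to the install prefix, so with
    "setup.py install --root %{buildroot}" the catalogs end up in
    %{buildroot}/usr/share/locale/<lang>/LC_MESSAGES/<domain>.mo.
    Files outside src_root, catalogs of another domain (e.g. a third-party
    .mo bundled by accident) and stray .pot/.po files are ignored.
    """
    entries = {}
    for path in mo_paths:
        rel = os.path.relpath(path, src_root).replace(os.sep, "/")
        m = _MO_RE.match(rel)
        if not m or m.group(2) != domain:
            continue
        lang = m.group(1)
        target = "share/locale/%s/LC_MESSAGES" % lang
        entries.setdefault(target, []).append(path)
    # Sorted output keeps the generated file list reproducible between builds.
    return sorted((d, sorted(f)) for d, f in entries.items())


if __name__ == "__main__":
    # Typical use inside setup.py: data_files=locale_data_files(glob.glob(...))
    found = glob.glob("src/config/language/*/LC_MESSAGES/*.mo")
    for install_dir, files in locale_data_files(found):
        print(install_dir, files)
```

With the entries in data_files, the spec's %install section no longer needs per-language %dir and %lang lines: %find_lang wapiti writes wapiti.lang and %files -f wapiti.lang picks the catalogs up with the right %lang tags, and any catalog still left under site-packages shows up as an unpackaged file at build time, which is a cheap check that the relocation actually worked.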
Hi. Thank you for starting the review.

Spec URL: http://repo.lystor.org.ua/fedora/12/SPECS/wapiti.spec
SRPM URL: http://repo.lystor.org.ua/fedora/12/SRPMS/wapiti-2.2.1-2.fc12.src.rpm

================================================================================
> Would you move GNU message catalogs (.mo files) to the normal directory

Yes. wapiti-2.2.1-std_lib_paths.patch and wapiti-setup.py have been changed.

Spec diff:
--- wapiti.spec.orig 2010-02-18 12:58:53.000000000 +0200 +++ wapiti.spec 2010-03-11 11:52:09.231822854 +0200 @@ -1,11 +1,10 @@ %if ! (0%{?fedora} > 12 || 0%{?rhel} > 5) %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} -%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} %endif Name: wapiti Version: 2.2.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A web application vulnerability scanner Group: Applications/Internet @@ -16,7 +15,8 @@ Source1: wapiti-setup.py # Split wapiti sources between site-packages/wapiti/* and /usr/bin/wapiti, # move working dirs (generated_report, scans) from site-packages/wapiti/ to ~/.wapiti/, -# move config dir site-packages/wapiti/config/attacks to /etc/wapiti/attacks +# move config dir site-packages/wapiti/config/attacks to /etc/wapiti/attacks, +# move gettext MO files from site-packages/wapiti/config/language to /usr/share/locale # https://sourceforge.net/tracker/?func=detail&aid=2954112&group_id=168625&atid=847490 Patch0: wapiti-2.2.1-std_lib_paths.patch # Use system libraries BeautifulSoup, httplib2, SocksiPy @@ -63,6 +63,7 @@ # Change files encoding to utf8 for f in ChangeLog_lswww; do iconv -f iso-8859-1 -t utf-8 $f > $f.tmp + touch -r $f $f.tmp %{__mv} $f.tmp $f done 
@@ -82,12 +83,14 @@ find %{buildroot}%{python_sitelib} -type f -iname "*py" -exec \ %{__sed} -i 's/#!\/usr\/bin\/env python//' {} \; +%find_lang %{name} + %clean %{__rm} -rf %{buildroot} -%files +%files -f %{name}.lang %defattr(-,root,root,-) %doc AUTHORS ChangeLog_Wapiti ChangeLog_lswww README TODO example.txt %dir %{_sysconfdir}/%{name} @@ -98,12 +101,6 @@ %dir %{python_sitelib}/%{name}/ %{python_sitelib}/%{name}/attack/ %dir %{python_sitelib}/%{name}/config/ -%dir %{python_sitelib}/%{name}/config/language/ -%dir %{python_sitelib}/%{name}/config/language/* -%dir %{python_sitelib}/%{name}/config/language/*/LC_MESSAGES -%lang(en) %{python_sitelib}/%{name}/config/language/en/LC_MESSAGES/%{name}* -%lang(es) %{python_sitelib}/%{name}/config/language/es/LC_MESSAGES/%{name}* -%lang(fr) %{python_sitelib}/%{name}/config/language/fr/LC_MESSAGES/%{name}* %{python_sitelib}/%{name}/config/vulnerabilities/ %{python_sitelib}/%{name}/file/ %{python_sitelib}/%{name}/language/ 
@@ -115,6 +112,10 @@ %changelog +* Thu Mar 11 2010 Nikolay Ulyanitsky <lystor AT lystor.org.ua> - 2.2.1-2 +- Move gettext MO files to /usr/share/locale +- Preserve timestamps on documentation files
================================================================================

$ rpmlint wapiti-2.2.1-2.fc12.noarch.rpm
wapiti.noarch: E: explicit-lib-dependency python-httplib2
wapiti.noarch: W: spelling-error %description -l en_US webpages -> web pages, web-pages, equipages
wapiti.noarch: W: spelling-error %description -l en_US webapp -> web app, web-app, Webern
wapiti.noarch: W: spelling-error %description -l en_US fuzzer -> fuzzier, fuzzes, fuzzed
wapiti.noarch: W: spelling-error %description -l en_US fopen -> open, f open, fop en
wapiti.noarch: W: spelling-error %description -l en_US XPath -> X Path, Path, Expat
wapiti.noarch: W: spelling-error %description -l en_US eval -> veal, vela, val
wapiti.noarch: W: spelling-error %description -l en_US passtru -> passport, passerby, passer
wapiti.noarch: W: spelling-error %description -l en_US ponctual -> punctual, nonfactual, punctuate
wapiti.noarch: W: spelling-error %description -l en_US Nikto -> Nikon, Nikita, Nikolai
1 packages and 0 specfiles checked; 1 errors, 9 warnings.

python-httplib2 is required but the rpm dependency generator cannot find it.

================================================================================
> * Well, from ./doc/wapiti.1 this software seems to be licensed under
> GPLv2 (strict).
>
> However ./src/report_template/includes/js/excanvas.js is licensed under
> ASL 2.0, which is also included in rebuilt binary rpm and unfortunately
> GPLv2 and ASL 2.0 is incompatible:
> https://fedoraproject.org/wiki/Licensing

Also there are many files with the MIT license in ./src/report_template/includes/js (canvaschartpainter.src.js, chart.src.js, iecanvas.htc, etc).

> Would you ask the upstream about this?

Can you give me the full text of the letter which I should resend to the upstream?
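Review bot: in the hunk that adds `%find_lang %{name}` and switches to `%files -f %{name}.lang`, note that %find_lang only collects catalogs it finds under %{_datadir}/locale in the buildroot, so this hunk is correct only if wapiti-2.2.1-std_lib_paths.patch and wapiti-setup.py really install the .mo files there; the companion hunk that drops the `%dir %{python_sitelib}/%{name}/config/language/` and `%lang(...)` entries is the right way to verify that, since any catalog still installed under site-packages will now fail the build as an unpackaged file. The removal of the unused `python_sitearch` definition in the first hunk is fine for a noarch package, and `touch -r $f $f.tmp` in the %prep hunk correctly keeps the original timestamp of ChangeLog_lswww across the iconv conversion.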
For now, the license issue only: MIT is no problem because MIT is compatible with GPLv2. I rechecked the whole code again and it seems that only ./src/report_template/includes/js/excanvas.js (ASL 2.0) is problematic.
> For now license issue only

We can change the license to GPLv2 and MIT and ASL 2.0. Examples:
* maven-plugin-cobertura: ASL 2.0 and GPLv2 and GPLv2+
* jrefactory: BSD and ASL 1.1 and GPL+
* zikula-module-menutree: GPL+ and ASL 2.0

Spec.diff:
@@ -4,11 +4,11 @@ Name: wapiti Version: 2.2.1 -Release: 2%{?dist} -Summary: A web application vulnerability scanner +Release: 3%{?dist} +Summary: Web application vulnerability scanner Group: Applications/Internet -License: GPLv2 +License: GPLv2 and MIT and ASL 2.0 URL: http://wapiti.sourceforge.net/ Source0: http://downloads.sourceforge.net/project/wapiti/wapiti/wapiti-%{version}/wapiti-%{version}.tar.bz2 # https://sourceforge.net/tracker/?func=detail&aid=2954112&group_id=168625&atid=847490 @@ -58,17 +58,17 @@ %patch1 -p1 # Copy setup.py -%{__cp} %{SOURCE1} setup.py +cp %{SOURCE1} setup.py -# Change files encoding to utf8 +# Change an encoding of files to UTF-8 for f in ChangeLog_lswww; do iconv -f iso-8859-1 -t utf-8 $f > $f.tmp touch -r $f $f.tmp - %{__mv} $f.tmp $f + mv $f.tmp $f done # Use system libraries BeautifulSoup, httplib2, SocksiPy -%{__rm} -rf src/net/BeautifulSoup.py src/net/httplib2/ +rm -rf src/net/BeautifulSoup.py src/net/httplib2/ %build 
@@ -76,42 +76,47 @@ %install -%{__rm} -rf %{buildroot} +rm -rf %{buildroot} %{__python} setup.py install -O1 --skip-build --root %{buildroot} # Remove the interpreter from site-packages find %{buildroot}%{python_sitelib} -type f -iname "*py" -exec \ - %{__sed} -i 's/#!\/usr\/bin\/env python//' {} \; + sed -i 's/#!\/usr\/bin\/env python//' {} \; %find_lang %{name} %clean -%{__rm} -rf %{buildroot} +rm -rf %{buildroot} %files -f %{name}.lang %defattr(-,root,root,-) %doc AUTHORS ChangeLog_Wapiti ChangeLog_lswww README TODO example.txt -%dir %{_sysconfdir}/%{name} -%dir %{_sysconfdir}/%{name}/attacks -%config(noreplace) %{_sysconfdir}/%{name}/attacks/* -%{_bindir}/%{name} -%{_mandir}/man1/%{name}* -%dir %{python_sitelib}/%{name}/ -%{python_sitelib}/%{name}/attack/ -%dir %{python_sitelib}/%{name}/config/ -%{python_sitelib}/%{name}/config/vulnerabilities/ -%{python_sitelib}/%{name}/file/ -%{python_sitelib}/%{name}/language/ -%{python_sitelib}/%{name}/net/ -%{python_sitelib}/%{name}/report/ -%{python_sitelib}/%{name}/report_template/ -%{python_sitelib}/%{name}/vulnerability.py* -%{python_sitelib}/%{name}-*.egg-info +%dir %{_sysconfdir}/wapiti +%dir %{_sysconfdir}/wapiti/attacks +%config(noreplace) %{_sysconfdir}/wapiti/attacks/* +%{_bindir}/wapiti +%{_mandir}/man1/wapiti* +%dir %{python_sitelib}/wapiti/ +%{python_sitelib}/wapiti/attack/ +%dir %{python_sitelib}/wapiti/config/ +%{python_sitelib}/wapiti/config/vulnerabilities/ +%{python_sitelib}/wapiti/file/ +%{python_sitelib}/wapiti/language/ +%{python_sitelib}/wapiti/net/ +%{python_sitelib}/wapiti/report/ +%{python_sitelib}/wapiti/report_template/ +%{python_sitelib}/wapiti/vulnerability.py* +%{python_sitelib}/wapiti-*.egg-info %changelog +* Sat Mar 13 2010 Nikolay Ulyanitsky <lystor AT lystor.org.ua> - 2.2.1-3 +- Fix the license +- Fix the summary +- Replace generally useful macros by regular commands + * Thu Mar 11 2010 Nikolay Ulyanitsky <lystor AT lystor.org.ua> - 2.2.1-2 - Move gettext MO files to /usr/share/locale - 
Preserve timestamps on documentation files

Spec URL: http://repo.lystor.org.ua/fedora/12/SPECS/wapiti.spec
SRPM URL: http://repo.lystor.org.ua/fedora/12/SRPMS/wapiti-2.2.1-3.fc12.src.rpm

The SRPM builds successfully in mock on Fedora 11, 12 and 13 with i386/x86_64 architectures.
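Review bot: in the first hunk, changing the tag to `License: GPLv2 and MIT and ASL 2.0` only records which licenses appear in the tarball; it does not resolve the problem the reviewer raised, because a `GPLv2` (not `GPLv2+`) program that ships the ASL 2.0 excanvas.js is still an incompatible combination, so this line should not be treated as the fix. Either wait for the upstream answer on the linked tracker item or drop/replace excanvas.js in %prep before updating the tag. The `Summary:` change in the same hunk is fine.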
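Review bot: in the %prep hunk, the new comment `+# Change an encoding of files to UTF-8` reads better as `# Change the encoding of files to UTF-8`; the macro-to-command replacements (`cp`, `mv`, `rm -rf`) are consistent with current packaging guidelines and change no behaviour.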
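Review bot: in the %install/%files hunk, the file list now spells out `wapiti` literally (`%{_bindir}/wapiti`, `%{python_sitelib}/wapiti/...`) while `%find_lang %{name}` and `%files -f %{name}.lang` in the same hunk keep the macro; pick one form for the whole spec. Keeping `%config(noreplace)` on `%{_sysconfdir}/wapiti/attacks/*` is the right choice, since a user may have tuned the payload lists and an update should not silently overwrite them.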
Well, while I don't know well about maven-plugin-cobertura, again the problem is that
- the man page claims that wapiti is under GPLv2 (not GPLv2+ or GPL+)
- and wapiti uses some file which is under ASL 2.0
- and GPLv2 and ASL 2.0 are legally incompatible
so we cannot distribute wapiti; it is not an issue of correcting the license tag or so.

Note that GPLv3 and ASL 2.0 are compatible, so GPL+ (i.e. GPL with any version) and ASL 2.0, or GPLv2+ and ASL 2.0, is okay; however GPLv2 and ASL 2.0 are incompatible.
Well, actually maven-plugin-cobertura seems under ASL 2.0 and GPL+ and GPLv2+.
> Well, while I don't know well about maven-plugin-cobertura, again
> the problem is that
> - man page claims that wapiti is under GPLv2 (not GPLv2+ or GPL+)
> - and wapiti uses some file which is under ASL 2.0
> - and GPLv2 and ASL 2.0 is legally incompatible
> so we cannot distribute wapiti, not the issue of correcting license tag or so.

Other examples from F-12 CVS:
* 389-admin: GPLv2 and ASL 2.0
* xsd: GPLv2 with exceptions and ASL 2.0
... note that if you point out some potential legal issue on other packages, it does _NOT_ affect this review.
Note that
- for xsd: this says "GPLv2 with exceptions" and ASL 2.0, and for this package the submitter (also the upstream), I and spot actually had some discussion
- 389-admin: I don't know well.
- It seems that the 389-admin license has some exception declaration which explicitly allows combining the GPL part and the ASL part of this software.
Anyway, the license issue must be fixed.
> Anyway, the license issue must be fixed.

Thank you for reviewing the package. The issue was added to the upstream bugzilla:

Licensing issue: GPLv2 and ASL 2.0 are incompatible - ID: 2971259
https://sourceforge.net/tracker/?func=detail&aid=2971259&group_id=168625&atid=847490
Okay, thank you for the follow-ups.
Was the license issue ever fixed?
*** This bug has been marked as a duplicate of bug 1787225 ***