Bug 566412 - (wapiti) Review Request: wapiti - A web application vulnerability scanner
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware/OS: All Linux
Priority: low, Severity: medium
Assigned To: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
URL: https://sourceforge.net/tracker/?func...
Depends On: 566409
Blocks: FE-DEADREVIEW
Reported: 2010-02-18 07:28 EST by Mykola Ulianytskyi
Modified: 2010-12-17 12:51 EST
Doc Type: Bug Fix
Last Closed: 2010-12-17 12:51:54 EST
Attachments: None
Description Mykola Ulianytskyi 2010-02-18 07:28:06 EST
Spec URL: http://repo.lystor.org.ua/fedora/12/SPECS/wapiti.spec
SRPM URL: http://repo.lystor.org.ua/fedora/12/SRPMS/wapiti-2.2.1-1.fc12.src.rpm

Description: 
Wapiti allows you to audit the security of your web applications.
It performs "black-box" scans, i.e. it does not study the source code of the
application but will scan the webpages of the deployed webapp, looking for
scripts and forms where it can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see
if a script is vulnerable.

Wapiti can detect the following vulnerabilities:
    * File Handling Errors (Local and remote include/require, fopen...)
    * Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
    * XSS (Cross Site Scripting) Injection
    * LDAP Injection
    * Command Execution detection (eval(), system(), passtru()...)
    * CRLF Injection (HTTP Response Splitting, session fixation...)

Wapiti is able to differentiate ponctual and permanent XSS vulnerabilities.
Wapiti does not rely on a vulnerability database like Nikto does. Wapiti aims
to discover unknown vulnerabilities in web applications.

$ rpmlint {i386,x86_64,SRPMS}/wapiti*
wapiti.noarch: E: explicit-lib-dependency python-httplib2
wapiti.noarch: E: explicit-lib-dependency python-httplib2
3 packages and 0 specfiles checked; 2 errors, 0 warnings.

python-httplib2 is added to Requires manually because the rpm dependency
generator does not find it automatically.

This package builds successfully in mock on the i686/x86_64 architectures.

This is one of my first packages and I'm looking for a sponsor.
Comment 1 Mykola Ulianytskyi 2010-02-19 04:42:05 EST
Builds successfully in mock on Fedora 11 with i386/x86_64 architectures.
Comment 2 Mykola Ulianytskyi 2010-02-19 07:53:14 EST
Builds successfully in mock on Fedora 13 with i386/x86_64 architectures.
Comment 3 Mamoru TASAKA 2010-03-08 14:29:32 EST
Before reviewing this:
* Well, from ./doc/wapiti.1 this software seems to be licensed under
  GPLv2 (strict). 

  However ./src/report_template/includes/js/excanvas.js is licensed under
  ASL 2.0, which is also included in rebuilt binary rpm and unfortunately
  GPLv2 and ASL 2.0 are incompatible:
  https://fedoraproject.org/wiki/Licensing

  Would you ask the upstream about this?

* Would you move GNU message catalogs (.mo files) to the normal directory
  for these files (i.e. /usr/share/locale/<lang>/LC_MESSAGES)? (patch may be
  needed, I have not checked this, though)
Comment 4 Mykola Ulianytskyi 2010-03-11 05:15:30 EST
Hi
Thank you for starting the review.

Spec URL: http://repo.lystor.org.ua/fedora/12/SPECS/wapiti.spec
SRPM URL: http://repo.lystor.org.ua/fedora/12/SRPMS/wapiti-2.2.1-2.fc12.src.rpm

================================================================================
> Would you move GNU message catalogs (.mo files) to the normal directory

Yes.
wapiti-2.2.1-std_lib_paths.patch and wapiti-setup.py have been changed.

Spec diff:
--- wapiti.spec.orig	2010-02-18 12:58:53.000000000 +0200
+++ wapiti.spec	2010-03-11 11:52:09.231822854 +0200
@@ -1,11 +1,10 @@
 %if ! (0%{?fedora} > 12 || 0%{?rhel} > 5)
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
-%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 %endif
 
 Name:           wapiti
 Version:        2.2.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A web application vulnerability scanner
 
 Group:          Applications/Internet
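Review bot: removing the `python_sitearch` fallback is safe here only because the package is noarch (the rpmlint output earlier in this thread reports `wapiti.noarch`); the `%{!?python_sitelib: ...}` fallback that remains is still guarded by the `%if ! (0%{?fedora} > 12 || 0%{?rhel} > 5)` block, which is the expected form for a spec that also targets EPEL.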
@@ -16,7 +15,8 @@
 Source1:        wapiti-setup.py
 # Split wapiti sources between site-packages/wapiti/* and /usr/bin/wapiti,
 # move working dirs (generated_report, scans) from site-packages/wapiti/ to ~/.wapiti/,
-# move config dir site-packages/wapiti/config/attacks to /etc/wapiti/attacks
+# move config dir site-packages/wapiti/config/attacks to /etc/wapiti/attacks,
+# move gettext MO files from site-packages/wapiti/config/language to /usr/share/locale
 # https://sourceforge.net/tracker/?func=detail&aid=2954112&group_id=168625&atid=847490
 Patch0:         wapiti-2.2.1-std_lib_paths.patch
 # Use system libraries BeautifulSoup, httplib2, SocksiPy
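Review bot: the updated Patch0 comment now promises that the gettext MO files move from `site-packages/wapiti/config/language` to `/usr/share/locale`, but the change to Source1 (`wapiti-setup.py`) that has to install them there is not part of this diff; since the `%find_lang` call added later in this spec only looks under the system locale directory, please confirm that the updated `wapiti-setup.py` is in the SRPM.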
@@ -63,6 +63,7 @@
 # Change files encoding to utf8
 for f in ChangeLog_lswww; do
     iconv -f iso-8859-1 -t utf-8 $f > $f.tmp
+    touch -r $f $f.tmp
     %{__mv} $f.tmp $f
 done
 
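Review bot: `touch -r $f $f.tmp` before the `%{__mv}` is the right way to keep the original mtime on the re-encoded `ChangeLog_lswww`, which addresses the usual timestamp complaint for converted %doc files; if more files are ever added to the loop, quoting `"$f"` would keep it safe for names containing spaces.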
@@ -82,12 +83,14 @@
 find %{buildroot}%{python_sitelib} -type f -iname "*py" -exec \
     %{__sed} -i 's/#!\/usr\/bin\/env python//' {} \;
 
+%find_lang %{name}
+
 
 %clean
 %{__rm} -rf %{buildroot}
 
 
-%files
+%files -f %{name}.lang
 %defattr(-,root,root,-)
 %doc AUTHORS ChangeLog_Wapiti ChangeLog_lswww README TODO example.txt
 %dir %{_sysconfdir}/%{name}
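Review bot: `%find_lang %{name}` is placed after `setup.py install --root`, so it sees the installed catalogs, and `%files -f %{name}.lang` consumes the generated list; the extra blank line added after `%find_lang` leaves three empty lines before `%clean`, a minor style nit.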
@@ -98,12 +101,6 @@
 %dir %{python_sitelib}/%{name}/
 %{python_sitelib}/%{name}/attack/
 %dir %{python_sitelib}/%{name}/config/
-%dir %{python_sitelib}/%{name}/config/language/
-%dir %{python_sitelib}/%{name}/config/language/*
-%dir %{python_sitelib}/%{name}/config/language/*/LC_MESSAGES
-%lang(en) %{python_sitelib}/%{name}/config/language/en/LC_MESSAGES/%{name}*
-%lang(es) %{python_sitelib}/%{name}/config/language/es/LC_MESSAGES/%{name}*
-%lang(fr) %{python_sitelib}/%{name}/config/language/fr/LC_MESSAGES/%{name}*
 %{python_sitelib}/%{name}/config/vulnerabilities/
 %{python_sitelib}/%{name}/file/
 %{python_sitelib}/%{name}/language/
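Review bot: dropping the `%dir`/`%lang` entries under `%{python_sitelib}/%{name}/config/language/` is consistent with relocating the catalogs, but `%dir %{python_sitelib}/%{name}/config/` is still owned while nothing in the new list covers `config/language`; if the patched setup.py still installs anything there, rpmbuild will stop with an unpackaged-files error, so please confirm the directory is gone from the buildroot.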
@@ -115,6 +112,10 @@
 
 
 %changelog
+* Thu Mar 11 2010 Nikolay Ulyanitsky <lystor AT lystor.org.ua> - 2.2.1-2
+- Move gettext MO files to /usr/share/locale
+- Preserve timestamps on documentation files
 
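Review bot: the hunk header announces ten lines in the new file (`@@ -115,6 +112,10 @@`) but only seven are pasted here, so the previous 2.2.1-1 changelog entry appears to have been cut from the paste; the new entry itself matches the Release bump to `2%{?dist}` and lists both changes made in this diff.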
================================================================================
$ rpmlint wapiti-2.2.1-2.fc12.noarch.rpm 
wapiti.noarch: E: explicit-lib-dependency python-httplib2
wapiti.noarch: W: spelling-error %description -l en_US webpages -> web pages, web-pages, equipages
wapiti.noarch: W: spelling-error %description -l en_US webapp -> web app, web-app, Webern
wapiti.noarch: W: spelling-error %description -l en_US fuzzer -> fuzzier, fuzzes, fuzzed
wapiti.noarch: W: spelling-error %description -l en_US fopen -> open, f open, fop en
wapiti.noarch: W: spelling-error %description -l en_US XPath -> X Path, Path, Expat
wapiti.noarch: W: spelling-error %description -l en_US eval -> veal, vela, val
wapiti.noarch: W: spelling-error %description -l en_US passtru -> passport, passerby, passer
wapiti.noarch: W: spelling-error %description -l en_US ponctual -> punctual, nonfactual, punctuate
wapiti.noarch: W: spelling-error %description -l en_US Nikto -> Nikon, Nikita, Nikolai
1 packages and 0 specfiles checked; 1 errors, 9 warnings.

python-httplib2 is required, but the rpm dependency generator cannot find it.

================================================================================

> * Well, from ./doc/wapiti.1 this software seems to be licensed under
>  GPLv2 (strict). 
>
>  However ./src/report_template/includes/js/excanvas.js is licensed under
>  ASL 2.0, which is also included in rebuilt binary rpm and unfortunately
>  GPLv2 and ASL 2.0 are incompatible:
>  https://fedoraproject.org/wiki/Licensing

Also there are many files with MIT license in ./src/report_template/includes/js 
(canvaschartpainter.src.js, chart.src.js, iecanvas.htc, etc).

>  Would you ask the upstream about this?
Can you give me the full text of the letter that I should resend to the upstream?
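As an added example (not from this bug or from the wapiti package), the following POSIX shell script emulates what rpm's %find_lang writes into wapiti.lang once the catalogs live under /usr/share/locale, run over a constructed buildroot; the names find_lang, make_buildroot and count_lang_entries are assumed here, and the buildroot contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example: emulate the list rpm's %find_lang macro produces, so the
# effect of "%files -f %{name}.lang" can be inspected without an rpmbuild.
# The buildroot below is constructed, not taken from a real wapiti build.

# find_lang BUILDROOT NAME: print one "%lang(xx) /path" line per gettext
# catalog found at the standard location, in the form %find_lang emits.
find_lang() {
    buildroot="$1"
    name="$2"
    # Only /usr/share/locale/<lang>/LC_MESSAGES is searched; a catalog still
    # sitting under site-packages/wapiti/config/language is silently skipped.
    find "$buildroot/usr/share/locale" -type f -name "$name.mo" 2>/dev/null \
      | sed -e "s|^$buildroot||" \
            -e 's|^\(/usr/share/locale/\([^/]*\)/LC_MESSAGES/.*\)$|%lang(\2) \1|' \
      | sort
}

# make_buildroot DIR: lay out the patched (new) location for en/es/fr plus
# one catalog left in the old site-packages location to show it is ignored.
make_buildroot() {
    root="$1"
    for lang in en es fr; do
        mkdir -p "$root/usr/share/locale/$lang/LC_MESSAGES"
        : > "$root/usr/share/locale/$lang/LC_MESSAGES/wapiti.mo"
    done
    old="$root/usr/lib/python2.6/site-packages/wapiti/config/language"
    mkdir -p "$old/de/LC_MESSAGES"
    : > "$old/de/LC_MESSAGES/wapiti.mo"
}

# count_lang_entries BUILDROOT NAME: number of %lang lines %find_lang would list.
count_lang_entries() {
    find_lang "$1" "$2" | grep -c '^%lang('
}

# Stand-alone run: build the throwaway tree, show the list, clean up.
BUILDROOT="$(mktemp -d)"
make_buildroot "$BUILDROOT"
find_lang "$BUILDROOT" wapiti
rm -rf "$BUILDROOT"
```

The three en/es/fr lines are exactly what `%files -f wapiti.lang` would pull in; the catalog left under site-packages produces no entry, which is why that directory must not remain in the buildroot.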
Comment 5 Mamoru TASAKA 2010-03-11 06:05:20 EST
For now, the license issue only:

- MIT is no problem because MIT is compatible with GPLv2.
  I rechecked the whole code again and it seems that
  only ./src/report_template/includes/js/excanvas.js (ASL 2.0) is
  problematic.
Comment 6 Mykola Ulianytskyi 2010-03-13 16:02:26 EST
> For now license issue only

We can change the license to GPLv2 and MIT and ASL 2.0.

Examples:
* maven-plugin-cobertura: ASL 2.0 and GPLv2 and GPLv2+
* jrefactory: BSD and ASL 1.1 and GPL+
* zikula-module-menutree: GPL+ and ASL 2.0


Spec.diff:
@@ -4,11 +4,11 @@

 Name:           wapiti
 Version:        2.2.1
-Release:        2%{?dist}
-Summary:        A web application vulnerability scanner
+Release:        3%{?dist}
+Summary:        Web application vulnerability scanner

 Group:          Applications/Internet
-License:        GPLv2
+License:        GPLv2 and MIT and ASL 2.0
 URL:            http://wapiti.sourceforge.net/
 Source0:        http://downloads.sourceforge.net/project/wapiti/wapiti/wapiti-%{version}/wapiti-%{version}.tar.bz2
 # https://sourceforge.net/tracker/?func=detail&aid=2954112&group_id=168625&atid=847490
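Review bot: changing the License tag to `GPLv2 and MIT and ASL 2.0` only records what the tarball contains; as comment 3 explained, GPLv2 and ASL 2.0 are incompatible, and a tag cannot make distribution of the combined work permissible, so this hunk does not resolve the blocker. The Summary change that drops the leading article is fine.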
@@ -58,17 +58,17 @@
 %patch1 -p1

 # Copy setup.py
-%{__cp} %{SOURCE1} setup.py
+cp %{SOURCE1} setup.py

-# Change files encoding to utf8
+# Change an encoding of files to UTF-8
 for f in ChangeLog_lswww; do
     iconv -f iso-8859-1 -t utf-8 $f > $f.tmp
     touch -r $f $f.tmp
-    %{__mv} $f.tmp $f
+    mv $f.tmp $f
 done

 # Use system libraries BeautifulSoup, httplib2, SocksiPy
-%{__rm} -rf src/net/BeautifulSoup.py src/net/httplib2/
+rm -rf src/net/BeautifulSoup.py src/net/httplib2/


 %build
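Review bot: replacing `%{__cp}`, `%{__mv}` and `%{__rm}` with the plain commands is fine and is the preferred style; the rewritten comment `# Change an encoding of files to UTF-8` reads awkwardly, and `# Convert files to UTF-8` says the same thing more clearly.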
@@ -76,42 +76,47 @@


 %install
-%{__rm} -rf %{buildroot}
+rm -rf %{buildroot}
 %{__python} setup.py install -O1 --skip-build --root %{buildroot}

 # Remove the interpreter from site-packages
 find %{buildroot}%{python_sitelib} -type f -iname "*py" -exec \
-    %{__sed} -i 's/#!\/usr\/bin\/env python//' {} \;
+    sed -i 's/#!\/usr\/bin\/env python//' {} \;

 %find_lang %{name}


 %clean
-%{__rm} -rf %{buildroot}
+rm -rf %{buildroot}


 %files -f %{name}.lang
 %defattr(-,root,root,-)
 %doc AUTHORS ChangeLog_Wapiti ChangeLog_lswww README TODO example.txt
-%dir %{_sysconfdir}/%{name}
-%dir %{_sysconfdir}/%{name}/attacks
-%config(noreplace) %{_sysconfdir}/%{name}/attacks/*
-%{_bindir}/%{name}
-%{_mandir}/man1/%{name}*
-%dir %{python_sitelib}/%{name}/
-%{python_sitelib}/%{name}/attack/
-%dir %{python_sitelib}/%{name}/config/
-%{python_sitelib}/%{name}/config/vulnerabilities/
-%{python_sitelib}/%{name}/file/
-%{python_sitelib}/%{name}/language/
-%{python_sitelib}/%{name}/net/
-%{python_sitelib}/%{name}/report/
-%{python_sitelib}/%{name}/report_template/
-%{python_sitelib}/%{name}/vulnerability.py*
-%{python_sitelib}/%{name}-*.egg-info
+%dir %{_sysconfdir}/wapiti
+%dir %{_sysconfdir}/wapiti/attacks
+%config(noreplace) %{_sysconfdir}/wapiti/attacks/*
+%{_bindir}/wapiti
+%{_mandir}/man1/wapiti*
+%dir %{python_sitelib}/wapiti/
+%{python_sitelib}/wapiti/attack/
+%dir %{python_sitelib}/wapiti/config/
+%{python_sitelib}/wapiti/config/vulnerabilities/
+%{python_sitelib}/wapiti/file/
+%{python_sitelib}/wapiti/language/
+%{python_sitelib}/wapiti/net/
+%{python_sitelib}/wapiti/report/
+%{python_sitelib}/wapiti/report_template/
+%{python_sitelib}/wapiti/vulnerability.py*
+%{python_sitelib}/wapiti-*.egg-info


 %changelog
+* Sat Mar 13 2010 Nikolay Ulyanitsky <lystor AT lystor.org.ua> - 2.2.1-3
+- Fix the license
+- Fix the summary
+- Replace generally useful macros by regular commands
+
 * Thu Mar 11 2010 Nikolay Ulyanitsky <lystor AT lystor.org.ua> - 2.2.1-2
 - Move gettext MO files to /usr/share/locale
 - Preserve timestamps on documentation files
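Review bot: the %files list now spells out `wapiti` where it previously used `%{name}`, while `%files -f %{name}.lang`, `%find_lang %{name}` and `%{__python}` in the same hunk keep their macros; either form is acceptable, but mixing them in one section is inconsistent, and the changelog line `Replace generally useful macros by regular commands` does not describe this rename, so either revert it or mention it explicitly in the changelog.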


Spec URL: http://repo.lystor.org.ua/fedora/12/SPECS/wapiti.spec
SRPM URL: http://repo.lystor.org.ua/fedora/12/SRPMS/wapiti-2.2.1-3.fc12.src.rpm

The SRPM builds successfully in mock on Fedora 11, 12 and 13 for the i386/x86_64
architectures.
Comment 7 Mamoru TASAKA 2010-03-14 11:47:17 EDT
Well, while I don't know much about maven-plugin-cobertura, again
the problem is that
- the man page claims that wapiti is under GPLv2 (not GPLv2+ or GPL+),
- wapiti uses a file which is under ASL 2.0,
- and GPLv2 and ASL 2.0 are legally incompatible,
so we cannot distribute wapiti; this is not a matter of correcting the license tag.

Note that GPLv3 and ASL 2.0 are compatible, so GPL+ (i.e. GPL with any version)
and ASL 2.0, or GPLv2+ and ASL 2.0, is okay; however, GPLv2 and ASL 2.0 are
incompatible.
Comment 8 Mamoru TASAKA 2010-03-14 11:53:20 EDT
Well, actually maven-plugin-cobertura seems under ASL 2.0 and GPL+ 
and GPLv2+.
Comment 9 Mykola Ulianytskyi 2010-03-14 12:07:01 EDT
> Well, while I don't know well about maven-plugin-cobertura, again
> the problem is that 
> - man page claims that wapiti is under GPLv2 (not GPLv2+ or GPL+)
> - and wapiti uses some file which is under ASL 2.0
> - and GPLv2 and ASL 2.0 is legally incompatible
> so we cannot distribute wapiti, not the issue of correcting license tag or so.

Other examples from F-12 CVS:
* 389-admin: GPLv2 and ASL 2.0
* xsd: GPLv2 with exceptions and ASL 2.0
Comment 10 Mamoru TASAKA 2010-03-14 12:14:39 EDT
... note that if you point out some potential legal issue on
    other packages, it does _NOT_ affect this review.
Comment 11 Mamoru TASAKA 2010-03-14 12:17:44 EDT
Note that
- for xsd: this says "GPLv2 with exceptions" and ASL 2.0, and
  for that package the submitter (who is also the upstream),
  spot and I had some discussion
- 389-admin: I don't know it well.
Comment 12 Mamoru TASAKA 2010-03-14 12:22:20 EDT
- It seems that the 389-admin license has an exception declaration
  which explicitly allows combining the GPL part and the ASL part of
  this software.
Comment 13 Mamoru TASAKA 2010-03-14 12:31:56 EDT
Anyway, the license issue must be fixed.
Comment 14 Mykola Ulianytskyi 2010-03-16 09:11:38 EDT
> Anyway, the license issue must be fixed.

Thank you for reviewing the package.
The issue has been filed in the upstream bugzilla.

Licensing issue: GPLv2 and ASL 2.0 are incompatible - ID: 2971259
https://sourceforge.net/tracker/?func=detail&aid=2971259&group_id=168625&atid=847490
Comment 15 Mamoru TASAKA 2010-03-17 02:43:34 EDT
Okay, thank you for the follow-ups.
Comment 16 Jason Tibbitts 2010-11-17 18:13:31 EST
Was the license issue ever fixed?
