How to maintain and deploy a custom vulnerability database?

Just as a private CA needs to maintain a private CRL, it would seem prudent for a private package repository to publish a corresponding vulnerability database in a manner that is compatible with pkg-audit(8).

However, I don't see any indication in the stock /etc/pkg/FreeBSD.conf that this is a generalized parameter. Nor does modifying my own Repo.conf file have any effect when I:

Code:
# mkdir -p /usr/local/etc/pkg/repos
# echo 'Repo: { VULNXML_SITE = "https://pkg.example.edu/freebsd/vuln.xml.xz"; }' > /usr/local/etc/pkg/repos/Repo.conf

The only thing I have found that works is:

Code:
# pkg audit -Fq   # for standard packages
# VULNXML_SITE="https://pkg.example.edu/freebsd/vuln.xml.xz" pkg audit -Fq      # for Repo.conf packages

Is there a clean way to configure VULNXML_SITE on a per-repository basis directly from the pkg.conf config hierarchy instead of hard-coding the repo names and URLs into a shell script?
 
Hi!
Try this command as an example

pkg -d -o VULNXML_SITE="https://google.com" audit -F


where
-d, --debug
Show debug information.
-o ⟨option=value⟩, --option ⟨option=value⟩
Set configuration option for pkg from the command line. Options
that are set from the environment are redefined. It is permitted
to specify this option multiple times.
 
You can set it in /usr/local/etc/pkg.conf, but it's going to apply to all repositories. Technically it doesn't apply to a specific repository but to your installed packages, regardless of where they come from.
 
It looks like one can specify -o VULNXML_SITE="..." multiple times, but only the last (rightmost) one takes effect.
 
After reading the man page more closely, and finding both the -F and -f flags, this is the most expeditious workaround I've found:

Code:
$ rm /tmp/vuln-?.xml
override r--r--r-- jim/wheel uarch for /tmp/vuln-1.xml? y
override r--r--r-- jim/wheel uarch for /tmp/vuln-2.xml? y
$ VULNXML_SITE=https://pkg.example.edu/vuln-1.xml pkg audit -F -f /tmp/vuln-1.xml
Fetching vuln-1.xml: 100%    4 KiB   4.6kB/s    00:01
foobar-1.0.3 is vulnerable:
  test -- custom repo vulnerability file
  CVE: CVE-3006-29074
  WWW: https://vuxml.FreeBSD.org/freebsd/xxxx.html
 
1 problem(s) in 1 installed package(s) found.
$ VULNXML_SITE=https://pkg.example.edu/vuln-2.xml pkg audit -F -f /tmp/vuln-2.xml
Fetching vuln-2.xml: 100%    4 KiB   4.6kB/s    00:01
farkle-1.2.3 is vulnerable:
  test -- custom repo vulnerability file
  CVE: CVE-3006-29074
  WWW: https://vuxml.FreeBSD.org/freebsd/xxxx.html
 
1 problem(s) in 1 installed package(s) found.
$ VULNXML_SITE=https://pkg.example.edu/vuln-1.xml pkg audit -F -f /tmp/vuln-1.xml
vulnxml file up-to-date
foobar-1.0.3 is vulnerable:
  test -- custom repo vulnerability file
  CVE: CVE-3006-29074
  WWW: https://vuxml.FreeBSD.org/freebsd/xxxx.html
 
1 problem(s) in 1 installed package(s) found.
$ VULNXML_SITE=https://pkg.example.edu/vuln-2.xml pkg audit -F -f /tmp/vuln-2.xml
vulnxml file up-to-date
farkle-1.2.3 is vulnerable:
  test -- custom repo vulnerability file
  CVE: CVE-3006-29074
  WWW: https://vuxml.FreeBSD.org/freebsd/xxxx.html
 
1 problem(s) in 1 installed package(s) found.
$ sudo pkg audit -F
Fetching vuln.xml.xz: 100%    1 MiB   1.1MB/s    00:01
0 problem(s) in 0 installed package(s) found.

Or programmatically:

Code:
#!/usr/bin/env bash

VULN_URLS=(
    https://pkg.example.edu/vuln-1.xml
    https://pkg.example.edu/vuln-2.xml
)

# A private scratch directory instead of a predictable /tmp/pkg-audit-$$.xml
# name that another local user could pre-create. The audit file itself must
# not exist before the fetch, or pkg treats it as a cached copy (the
# "vulnxml file up-to-date" case above) instead of downloading the feed.
workdir=$(mktemp -d) || exit 1
trap 'rm -rf "$workdir"' EXIT

for url in "${VULN_URLS[@]}"
do
    tmpfil="$workdir/vuln.xml"
    VULNXML_SITE="$url" pkg audit -F -f "$tmpfil"
    rm -f "$tmpfil"
done

Granted this still doesn't provide a repo-specific vulnerability list, but it makes it convenient to check the set of all installed packages against multiple known vulnerability files.
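An added example, not code from the thread, that generalizes the loop above into a POSIX sh script: the feed list lives in a sidecar file whose path and "name url" format are assumptions of this example, each feed is fetched into a private mktemp directory, non-https feeds are refused, and the script's exit status tells a cron job whether any feed reported problems.

```shell
#!/bin/sh
# Added example, not code from the thread: audit installed packages against
# every VuXML feed listed in a sidecar file, one "<name> <https-url>" per line.
# The sidecar file and its format are an assumption of this script; pkg itself
# does not read it.
set -euf

# Emit "name url" pairs from a sites file, skipping blank lines and # comments.
# Malformed lines and non-https URLs abort instead of being skipped, so a typo
# cannot silently drop a feed or fetch one over plain HTTP.
parse_sites() {
    sites=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                      # split on whitespace; globbing is off
        case "${1-}" in ''|'#'*) continue ;; esac
        [ $# -eq 2 ] || { echo "malformed line: $line" >&2; return 1; }
        case "$2" in https://*) ;; *) echo "$1: refusing non-https feed $2" >&2; return 1 ;; esac
        printf '%s %s\n' "$1" "$2"
    done < "$sites"
}

# Fetch one feed into a private scratch directory and audit against it.
# The target file must not exist beforehand: pkg treats an existing file as a
# cached copy (the "vulnxml file up-to-date" case) and would audit an empty one.
# Returns the audit's status, treated here as non-zero on a failed fetch or
# when pkg reports vulnerable packages.
audit_site() {
    workdir=$(mktemp -d) || return 1
    rc=0
    VULNXML_SITE="$1" pkg audit -F -f "$workdir/vuln.xml" || rc=$?
    rm -rf "$workdir"
    return $rc
}

# Audit every feed and exit non-zero if any of them reported problems.
audit_all_sites() {
    pairs=$(parse_sites "$1")             # fails early on a bad sites file
    failed=0
    while read -r name url; do
        [ -n "$name" ] || continue
        echo "== $name: $url"
        audit_site "$url" || failed=$((failed + 1))
    done <<EOF
$pairs
EOF
    echo "$failed feed(s) reported problems or could not be fetched"
    [ "$failed" -eq 0 ]
}

# Only audit when given a sites file; sourcing the script just defines functions.
if [ $# -ge 1 ]; then audit_all_sites "$1"; fi
```

Run it as `sh audit-feeds.sh /usr/local/etc/pkg/vulnxml-sites` (file name assumed); like the loop above it audits all installed packages against each feed rather than mapping feeds to repositories.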
 