Could RATS (Rough Auditing Tool for Security) be added to the Gentoo portage tree? http://www.securesoftware.com/rats/

Reproducible: Always
Is this something you guys are interested in?
Well, Debian has a .deb for it; I would love to see it in Gentoo portage also.
Seems you/we must fill out an online form in order to download the RATS evaluation version. I don't know what legal ramifications it would have if we bypassed this step. Reporter, please research what license RATS is released under and whether file mirroring is allowed.
RATS is distributed under the GNU GENERAL PUBLIC LICENSE version 2. http://www.securesoftware.com/distributing.htm
So here is what I'm thinking about source scanning. We can take RATS, flawfinder, and perhaps splint, and add support to portage for when these are installed and found in FEATURES. For example, if we have FEATURES="rats" set, then we scan the source code in $S right before src_compile is called from ebuild.sh. Example for flawfinder: http://dev.gentoo.org/~solar/portage_misc/feature.flawfinder

I'll add rats and see if I can do the same for it.
Created attachment 22661 [details] rats-2.1.ebuild

Please test the rats ebuild.
Created attachment 22662 [details] rats-2.1.ebuild

This installs cleaner.

    solar@simple rats $ epm -q -l rats
    /usr/bin/rats
    /usr/share/man/man1/rats.1.gz
    /usr/share/doc/rats-2.1/README.gz
    /usr/share/doc/rats-2.1/COPYING.gz
    /usr/share/doc/rats-2.1/README.win32.gz
    /usr/share/rats/rats-c.xml
    /usr/share/rats/rats-openssl.xml
    /usr/share/rats/rats-perl.xml
    /usr/share/rats/rats-php.xml
    /usr/share/rats/rats-python.xml
And matching ebuild.sh to have rats scan source files.

    if [ "$PWD" = "${S}" -a "`has rats ${FEATURES}`" != "" -a -x /usr/bin/rats ]; then
        s_files="`find ${S} -name '*.c' -o -name '*.cpp' -o -name '*.php' -o -name '*.pl'`"
        flaws=""
        if [ -n "$s_files" ]; then
            # count the files collected above (the original read the unset ${files})
            s_count=`echo ${s_files} | tr ' ' '\n' | wc -l | awk '{print $1}'`
            einfo "Running rats on [$s_count] files"
            [ -z "${FEATURE_RATS_WARNLEVEL}" ] && export FEATURE_RATS_WARNLEVEL=3
            flaws=$(/usr/bin/rats --quiet --resultsonly --warning ${FEATURE_RATS_WARNLEVEL} ${s_files})
            if [ -n "$flaws" ]; then
                # four beeps a quarter second apart (sleep wants 0.25, not 0,25)
                echo -ne "\a"; sleep 0.25; echo -ne "\a"; sleep 0.25
                echo -ne "\a"; sleep 0.25; echo -ne "\a"; sleep 0.25
                ewarn "rats report for ${PN}"
                echo "------------------------------------------------------------------------"
                echo -e "${flaws}"
                echo "------------------------------------------------------------------------"
                i=5
                while [ $i != 0 ]; do
                    echo -ne ".\a"
                    sleep 0.25
                    i=$(($i - 1))
                done
                has interactive ${FEATURES} && read -p "- Press Enter To Continue or CTRL+C to abort"
            fi
        fi
    fi
If you want to add this to portage, please test it like this. Edit your ebuild.sh and look for a line like this:

    -------------------------------------------
    #some packages use an alternative to $S to build in, cause
    #our libtool to create problematic .la files
    export PWORKDIR="$WORKDIR"
    src_compile
    -------------------------------------------

Right before the src_compile, add a src_pre_compile; then inside of

    src_pre_compile() {
        # add the above code or the flawfinder code or both
    }

For example, mine looks like:

    src_pre_compile() {
        if [ "$PWD" = "${S}" -a "`has rats ${FEATURES}`" != "" -a -x /usr/bin/rats ]; then
            s_files="`find ${S} -name '*.c' -o -name '*.cpp' -o -name '*.php' -o -name '*.pl'`"
            flaws=""
            if [ -n "$s_files" ]; then
                # count the files collected above (the original read the unset ${files})
                s_count=`echo ${s_files} | tr ' ' '\n' | wc -l | awk '{print $1}'`
                einfo "Running rats on [$s_count] files"
                [ -z "${FEATURE_RATS_WARNLEVEL}" ] && export FEATURE_RATS_WARNLEVEL=3
                flaws=$(/usr/bin/rats --quiet --resultsonly --warning ${FEATURE_RATS_WARNLEVEL} ${s_files})
                if [ -n "$flaws" ]; then
                    # four beeps a quarter second apart (sleep wants 0.25, not 0,25)
                    echo -ne "\a"; sleep 0.25; echo -ne "\a"; sleep 0.25
                    echo -ne "\a"; sleep 0.25; echo -ne "\a"; sleep 0.25
                    ewarn "rats report for ${PN}"
                    echo "------------------------------------------------------------------------"
                    echo -e "${flaws}"
                    echo "------------------------------------------------------------------------"
                    i=5
                    while [ $i != 0 ]; do
                        echo -ne ".\a"
                        sleep 0.25
                        i=$(($i - 1))
                    done
                    has interactive ${FEATURES} && read -p "- Press Enter To Continue or CTRL+C to abort"
                fi
            fi
        fi

        if [ "$PWD" = "${S}" -a "`has flawfinder ${FEATURES}`" != "" -a -x /usr/bin/flawfinder ]; then
            c_files="`find ${S} -name '*.c' -o -name '*.cpp'`"
            flaws=""
            if [ -n "$c_files" ]; then
                c_count=`echo ${c_files} | tr ' ' '\n' | wc -l | awk '{print $1}'`
                einfo "Running flawfinder on [$c_count] files"
                [ -z "${FEATURE_FLAWFINDER_MINLEVEL}" ] && export FEATURE_FLAWFINDER_MINLEVEL=5
                debug-print "flawfinder --quiet --dataonly --minlevel=${FEATURE_FLAWFINDER_MINLEVEL} ${c_files}"
                flaws=$(flawfinder --quiet --dataonly --minlevel=${FEATURE_FLAWFINDER_MINLEVEL} ${c_files})
                if [ -n "$flaws" ]; then
                    # four beeps a quarter second apart (sleep wants 0.25, not 0,25)
                    echo -ne "\a"; sleep 0.25; echo -ne "\a"; sleep 0.25
                    echo -ne "\a"; sleep 0.25; echo -ne "\a"; sleep 0.25
                    ewarn "flawfinder report for ${PN}"
                    echo "------------------------------------------------------------------------"
                    echo -e "${flaws}"
                    echo "------------------------------------------------------------------------"
                    i=5
                    while [ $i != 0 ]; do
                        echo -ne ".\a"
                        sleep 0.25
                        i=$(($i - 1))
                    done
                    has interactive ${FEATURES} && read -p "- Press Enter To Continue or CTRL+C to abort"
                fi
            fi
        fi
    }
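The hook posted above collects file names with a backtick-quoted find and then word-splits them, so a source tree containing a path with a space (or a newline) is passed to rats as several bogus arguments, and the file count is computed from a variable that was never set. The following is an added stand-alone example, not part of the attached ebuild or the ebuild.sh snippet in this bug, showing the same pre-compile scan written NUL-safe and with an exit status a build driver can gate on instead of beeping and prompting. It does not use the portage helpers (has, einfo, ewarn). The scanner flags and the default warn level are copied from the snippet above; the RATS environment variable (path of the scanner binary) and the suffix list are assumptions introduced here so the example can be exercised without RATS installed.

```shell
#!/bin/sh
# Added example (not the ebuild.sh code from this bug): a NUL-safe source
# scan that returns a status instead of prompting. The RATS variable, the
# suffix list and the exit codes are this example's own conventions.

# list_scan_files DIR: NUL-separated paths of the files RATS understands.
# -print0/xargs -0 keep names with spaces or newlines intact; the posted
# hook word-split the find output and would have mangled them.
list_scan_files() {
    find "$1" -type f \( -name '*.c' -o -name '*.cpp' -o -name '*.php' \
        -o -name '*.pl' -o -name '*.py' \) -print0
}

# count_scan_files DIR: number of candidate files (one NUL per path).
count_scan_files() {
    list_scan_files "$1" | tr -cd '\000' | wc -c | tr -d ' '
}

# scan_sources DIR [WARNLEVEL]: run the scanner over DIR.
#   0  scanner ran and reported nothing at the given --warning level
#   1  scanner produced findings (the report is written to stdout)
#   2  nothing to do: no candidate files, or scanner not installed
# WARNLEVEL defaults to FEATURE_RATS_WARNLEVEL, then 3, as in the posted hook.
scan_sources() {
    dir=$1
    level=${2:-${FEATURE_RATS_WARNLEVEL:-3}}
    scanner=${RATS:-rats}          # assumed override for the binary path
    command -v "$scanner" >/dev/null 2>&1 || return 2
    [ "$(count_scan_files "$dir")" -gt 0 ] || return 2
    # Flags mirror the ebuild.sh snippet: rats --quiet --resultsonly --warning N.
    report=$(list_scan_files "$dir" |
        xargs -0 "$scanner" --quiet --resultsonly --warning "$level")
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage from a build step: fail the build only when the scanner actually
# reported something, and skip silently when it is not installed.
#   scan_sources "$S" || [ $? -eq 2 ] || exit 1
```

Dropping the interactive `read -p` matters for the FEATURES use case: a merge run from a non-interactive shell would otherwise hang or read EOF, so the status code is the only reliable way to surface findings to whatever drives the build.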
No feedback, so "rats" must not be all that useful to anybody. Preparing to close bug or bounce to another herd.
changing resolution to LATER