public inbox for gentoo-commits@lists.gentoo.org
From: "Joonas Niilola" <juippis@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/openvas-scanner/, net-analyzer/openvas-scanner/files/
Date: Mon, 28 Oct 2019 04:05:33 +0000 (UTC)
Message-ID: <1572235316.0a333bcfaacbad0dad5757cb0de488b952d694cc.juippis@gentoo>

commit:     0a333bcfaacbad0dad5757cb0de488b952d694cc
Author:     Hasan ÇALIŞIR <hasan.calisir <AT> psauxit <DOT> com>
AuthorDate: Mon Aug 12 15:01:24 2019 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Mon Oct 28 04:01:56 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a333bcf

net-analyzer/openvas-scanner: bump to 6.0.1 & update metadata.

Bump to 6.0.1. Update metadata.
This also fixes bug 684220 and
introduces the new USE flag 'cron'.

Closes: https://bugs.gentoo.org/684220
Reported-by: aleck <rickrick <AT> stachelkaktus.net>
Package-Manager: Portage-2.3.69, Repoman-2.3.16
Signed-off-by: Hasan ÇALIŞIR <hasan.calisir <AT> psauxit.com>
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 net-analyzer/openvas-scanner/Manifest              |   1 +
 .../openvas-scanner/files/gvm-feed-sync.cron       |   1 +
 .../openvas-scanner/files/gvm-feed-sync.sh         |  45 +++++++
 .../files/openvas-scanner-6.0.1-sbin.patch         |  21 ++++
 .../openvas-scanner/files/openvassd-daemon.conf    |  17 +++
 .../openvas-scanner/files/openvassd.gvm.conf       | 124 ++++++++++++++++++
 net-analyzer/openvas-scanner/files/openvassd.init  |  14 +++
 .../openvas-scanner/files/openvassd.logrotate      |  13 ++
 .../openvas-scanner/files/openvassd.service        |  16 +++
 net-analyzer/openvas-scanner/metadata.xml          |   9 ++
 .../openvas-scanner/openvas-scanner-6.0.1.ebuild   | 138 +++++++++++++++++++++
 11 files changed, 399 insertions(+)

diff --git a/net-analyzer/openvas-scanner/Manifest b/net-analyzer/openvas-scanner/Manifest
index 12763409b46..7d55d149a97 100644
--- a/net-analyzer/openvas-scanner/Manifest
+++ b/net-analyzer/openvas-scanner/Manifest
@@ -1 +1,2 @@
 DIST openvas-scanner-5.1.3.tar.gz 254159 BLAKE2B d90fa15e143ead53abce66f933a3a4cac327176cca0f23bd88fe771ed7726b1891784ae980644c8335e560d348753115e43cfae83af9704e2d1d02827163563f SHA512 5712ab275058877cfd656e268ed09c81db6617ae247c17092f1fcd037f692f2018daf21b09b82401f99a7361bb485f0e0f7d63f8ff2387839cfdd5a3aaf8424e
+DIST openvas-scanner-6.0.1.tar.gz 522100 BLAKE2B af82b41736329bd90ba1ea73a0ace36d4115375f81a7aaff5d3bd50f21cfa3195cdf4012aa952da52c4103a31475de5c5790ef3e2e36180aa06737371fa0e5a0 SHA512 db4087fffe1d50e232fa1e51325cf7f142237e2bd3cc5dcaa1e7058a4871300f352f2c0e700eae72ea9412c347b072e9d1f2eca508b27cb30f36c6895ec95147

diff --git a/net-analyzer/openvas-scanner/files/gvm-feed-sync.cron b/net-analyzer/openvas-scanner/files/gvm-feed-sync.cron
new file mode 100644
index 00000000000..5563b92929b
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/gvm-feed-sync.cron
@@ -0,0 +1 @@
+0 2 * * * gvm [ -x /etc/gvm/gvm-feed-sync.sh ] && /bin/bash /etc/gvm/gvm-feed-sync.sh > /dev/null
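Review bot: the cron entry hardcodes `/bin/bash` as the interpreter while the script it calls declares `#!/bin/sh`; the ebuild installs the script with `doexe`, so after the `[ -x ... ]` test it can simply be executed directly and the interpreter declared once, in the shebang. Only stdout is discarded here, so any stderr from the sync tools is mailed to the gvm user by cron, which is reasonable for an unattended feed update.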

diff --git a/net-analyzer/openvas-scanner/files/gvm-feed-sync.sh b/net-analyzer/openvas-scanner/files/gvm-feed-sync.sh
new file mode 100644
index 00000000000..ba21632a4d6
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/gvm-feed-sync.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+# GVM cron script that updates feed.
+
+# Start to update FEED & First NVT.
+try=0
+until [ $try -ge 5 ]; do
+      greenbone-nvt-sync --curl &>/dev/null && break
+      try=$[$try+1]
+      sleep 30
+done
+
+# Check status
+if [ $? -eq 0 ]; then
+   # Avoid your IP temporary banned because of multiple connection
+   sleep 5
+   # Try to update scapdata.
+   try=0
+   until [ $try -ge 5 ]; do
+         greenbone-scapdata-sync &>/dev/null && break
+         try=$[$try+1]
+         sleep 30
+   done
+
+   # Check status
+   if [ $? -eq 0 ]; then
+      # Avoid your IP temporary banned because of multiple connection
+      sleep 5
+      # Try to update certdata
+      try=0
+      until [ $try -ge 5 ]; do
+            greenbone-certdata-sync &>/dev/null && break
+            try=$[$try+1]
+            sleep 30
+      done
+
+       # Check status
+       if [ $? -eq 0 ]; then
+          exit 0
+          else
+             exit 1
+       fi
+   fi
+fi
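Review bot: the `if [ $? -eq 0 ]` checks after each `until` loop never observe a failure: `$?` after a loop is the status of the last command executed inside it, which is `break` (status 0) when a sync succeeded and `sleep 30` (status 0) when all five attempts failed, so the script moves on to the next feed and exits 0 even when nothing was synced. Test the retry counter instead, e.g. `[ $try -lt 5 ] || exit 1` after each loop, or store the sync command's status in a variable. Also `&>/dev/null` and `$[$try+1]` are bash extensions under a `#!/bin/sh` shebang: in dash, `greenbone-nvt-sync --curl &>/dev/null && break` parses as backgrounding the sync followed by an empty redirected command, which succeeds and breaks the loop immediately. Use `>/dev/null 2>&1` and `$((try + 1))`, or change the shebang to `#!/bin/bash` to match the cron entry.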

diff --git a/net-analyzer/openvas-scanner/files/openvas-scanner-6.0.1-sbin.patch b/net-analyzer/openvas-scanner/files/openvas-scanner-6.0.1-sbin.patch
new file mode 100644
index 00000000000..d5b8a2a6b62
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvas-scanner-6.0.1-sbin.patch
@@ -0,0 +1,21 @@
+--- a/src/CMakeLists.txt	2019-07-21 23:16:18.608251465 +0300
++++ b/src/CMakeLists.txt	2019-07-21 23:17:08.434210058 +0300
+@@ -175,7 +175,7 @@
+ ## Install
+ 
+ install (TARGETS openvassd
+-         RUNTIME DESTINATION ${SBINDIR}
++         RUNTIME DESTINATION ${BINDIR}
+          PERMISSIONS OWNER_EXECUTE OWNER_READ OWNER_WRITE
+          GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+ 
+@@ -183,7 +183,7 @@
+          DESTINATION ${OPENVAS_SYSCONF_DIR})
+ 
+ install (FILES ${CMAKE_BINARY_DIR}/tools/greenbone-nvt-sync
+-         DESTINATION ${SBINDIR}
++         DESTINATION ${BINDIR}
+          PERMISSIONS OWNER_EXECUTE OWNER_READ OWNER_WRITE
+                      GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+ 
+
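Review bot: the patch file carries no header describing its purpose (the reason is given only in the ebuild's PATCHES comment); a one-line description at the top, and an upstream reference if this has been reported, makes it easier to decide whether to drop it on the next bump. Note also that the relocation covers only the openvassd binary and greenbone-nvt-sync; the cron script additionally calls greenbone-scapdata-sync and greenbone-certdata-sync, which nothing in this diff installs, so the cron job silently depends on another package providing them on the gvm user's PATH.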

diff --git a/net-analyzer/openvas-scanner/files/openvassd-daemon.conf b/net-analyzer/openvas-scanner/files/openvassd-daemon.conf
new file mode 100644
index 00000000000..6bb70d16535
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvassd-daemon.conf
@@ -0,0 +1,17 @@
+# OpenVAS Scanner command args
+
+# e.g --foreground
+OPENVAS_SCANNER_OPTIONS=""
+
+# Scanner listen socket
+OPENVAS_SCANNER_LISTEN_SOCKET="--unix-socket=/var/run/openvassd.sock" 
+
+# Scanner listen owner
+OPENVAS_SCANNER_LISTEN_OWNER="--listen-owner=gvm"
+
+# Scanner listen group
+OPENVAS_SCANNER_LISTEN_GROUP="--listen-group=gvm"
+
+# Scanner listen mode
+OPENVAS_SCANNER_LISTEN_MODE="--listen-mode=755"
+
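Review bot: with `--listen-mode=755` the socket is writable only by its owner, and connecting to a Unix socket requires write permission on it, so `--listen-group=gvm` grants nothing and any client not running as user gvm is refused. If gvmd runs as gvm this works, but the group setting is then misleading; otherwise 660 or 770 with a dedicated group is the usual choice. The `OPENVAS_SCANNER_LISTEN_SOCKET=` line also has trailing whitespace.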

diff --git a/net-analyzer/openvas-scanner/files/openvassd.gvm.conf b/net-analyzer/openvas-scanner/files/openvassd.gvm.conf
new file mode 100644
index 00000000000..5dfb8b52745
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvassd.gvm.conf
@@ -0,0 +1,124 @@
+# You can get detailed informations from https://linux.die.net/man/8/openvassd
+# Configuration file of the OpenVAS Security Scanner
+# Every line starting with a '#' is a comment
+
+[Misc]
+
+# Path to the security checks folder:
+plugins_folder = /var/lib/openvas/plugins
+
+# Path to OpenVAS caching folder:
+cache_folder = /var/cache/openvas
+
+# Path to OpenVAS include directories:
+# (multiple entries are separated with colon ':')
+include_folders = /var/lib/openvas/plugins
+
+# Config File
+config_file = /etc/openvas/openvassd.conf
+
+# Maximum number of simultaneous hosts tested :
+max_hosts = 30
+
+# Maximum number of simultaneous checks against each host tested :
+max_checks = 10
+
+# Niceness. If set to 'yes', openvassd will renice itself to 10.
+be_nice = no
+
+# Log file (or 'syslog') :
+logfile = /var/log/gvm/openvassd.log
+
+# Shall we log every details of the attack ? (disk intensive)
+log_whole_attack = no
+
+# Log the name of the plugins that are loaded by the server ?
+log_plugins_name_at_load = no
+
+# Dump file for debugging output, use `-' for stdout
+dumpfile = /var/log/gvm/openvassd.dump
+
+# Rules file :
+rules = /etc/openvas/openvassd.rules
+
+# CGI paths to check for (cgi-bin:/cgi-aws:/ can do)
+cgi_path = /cgi-bin:/scripts
+
+# Range of the ports the port scanners will scan :
+# 'default' means that OpenVAS will scan ports found in its
+# services file.
+port_range = default
+
+# Optimize the test (recommended) :
+# Turn off for push hard but increase false positive and slow down scans
+optimize_test = yes
+
+# Optimization :
+# Read timeout for the sockets of the tests :
+checks_read_timeout = 5
+
+# Ports against which two plugins should not be run simultaneously :
+# non_simult_ports = Services/www, 139, Services/finger
+non_simult_ports = 139, 445
+
+# Maximum lifetime of a plugin (in seconds) :
+plugins_timeout = 320
+
+# Safe checks rely on banner grabbing & If enabled push harder to target:
+safe_checks = yes
+
+# Automatically activate the plugins that are depended on
+auto_enable_dependencies = yes
+
+# Do not echo data from plugins which have been automatically enabled
+silent_dependencies = no
+
+# Designate hosts by MAC address, not IP address (useful for DHCP networks)
+use_mac_addr = no
+
+
+#--- Knowledge base saving (can be configured by the client) :
+# Save the knowledge base on disk :
+save_knowledge_base = no
+
+# Restore the KB for each test :
+kb_restore = no
+
+# Only test hosts whose KB we do not have :
+only_test_hosts_whose_kb_we_dont_have = no
+
+# Only test hosts whose KB we already have :
+only_test_hosts_whose_kb_we_have = no
+
+# KB test replay :
+kb_dont_replay_scanners = no
+kb_dont_replay_info_gathering = no
+kb_dont_replay_attacks = no
+kb_dont_replay_denials = no
+kb_max_age = 864000
+#--- end of the KB section
+
+# Redis socket default setting
+db_address = /tmp/redis.sock
+
+# If this option is set, OpenVAS will not scan a network incrementally
+# (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to
+# slice the workload throughout the whole network (ie: it will scan
+# 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on...
+slice_network_addresses = no
+
+# Should consider all the NASL scripts as being signed ? (unsafe if set to 'yes')
+nasl_no_signature_check = yes
+
+#Certificates
+cert_file=/var/lib/gvm/CA/servercert.pem
+key_file=/var/lib/gvm/private/CA/serverkey.pem
+ca_file=/var/lib/gvm/CA/cacert.pem
+
+# If you decide to protect your private key with a password,
+# uncomment and change next line
+# pem_password=password
+# If you want to force the use of a client certificate, uncomment next line
+# force_pubkey_auth = yes
+
+#end.
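Review bot: `nasl_no_signature_check = yes` disables signature verification of NASL scripts, and the comment directly above it says this is unsafe. Because the feed is pulled unattended by the cron job into `/var/lib/openvas/plugins`, which the ebuild chowns to gvm, anything that can write to that directory gets its NASL executed by a daemon that runs as root. If the shipped default has to stay `yes` (for example because the package does not import the feed signing key into `/var/lib/openvas/gnupg`), that reason belongs in the comment and a `pkg_postinst` hint so that users know to import the key and set this to `no`. Minor: `informations` on the first line should be `information`, and `db_address = /tmp/redis.sock` places the Redis socket in a world-writable directory, so the redis.conf.example the ebuild installs should use the same path and restrict the socket's permissions.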

diff --git a/net-analyzer/openvas-scanner/files/openvassd.init b/net-analyzer/openvas-scanner/files/openvassd.init
new file mode 100644
index 00000000000..9bd7332134f
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvassd.init
@@ -0,0 +1,14 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+name="Open Vulnerability Assessment Scanner"
+command="/usr/bin/openvassd"
+command_args="${OPENVAS_SCANNER_OPTIONS} ${OPENVAS_SCANNER_LISTEN_SOCKET} ${OPENVAS_SCANNER_LISTEN_OWNER} ${OPENVAS_SCANNER_LISTEN_GROUP} ${OPENVAS_SCANNER_LISTEN_MODE}"
+pidfile="/run/openvassd.pid"
+command_background="true"
+
+depend() {
+	after bootmisc
+	need localmount net redis
+}
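Review bot: `command_background="true"` together with `pidfile` only works if openvassd stays in the foreground, but the conf file offers `--foreground` merely as an optional argument and the systemd unit uses `Type=forking`, i.e. the daemon forks on its own by default. In that case start-stop-daemon records the pid of the parent that immediately exits and `rc-service openvassd stop` cannot find the daemon. Either add `--foreground` to `command_args` unconditionally, or drop `command_background` and point `pidfile` at the file the daemon writes itself. Also `need net` should be `use net` per Gentoo init script policy, particularly for a service that listens on a Unix socket.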

diff --git a/net-analyzer/openvas-scanner/files/openvassd.logrotate b/net-analyzer/openvas-scanner/files/openvassd.logrotate
new file mode 100644
index 00000000000..9cf47d54763
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvassd.logrotate
@@ -0,0 +1,13 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+# Daemon ignore HUP so we use 'copytruncate' instead of 'create' 
+# with safe file size to prevent losing log entries.
+
+/var/log/gvm/openvassd.log {
+	compress
+	missingok
+	notifempty
+	sharedscripts
+	copytruncate
+	maxsize 10M
+}
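Review bot: without a `rotate` count logrotate defaults to `rotate 0`, which deletes the rotated copy immediately, so combined with `copytruncate` this configuration discards the log instead of keeping it; add e.g. `rotate 4`. `sharedscripts` has no effect without a `prerotate`/`postrotate` block and can be dropped. The `# Daemon ignore HUP ...` comment line has trailing whitespace and should read "The daemon ignores HUP".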

diff --git a/net-analyzer/openvas-scanner/files/openvassd.service b/net-analyzer/openvas-scanner/files/openvassd.service
new file mode 100644
index 00000000000..b7d7df8bbab
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvassd.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Open Vulnerability Assessment Scanner
+After=network.target
+After=redis.service
+Before=gvmd.service
+Requires=redis.service
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/openvas/sysconfig/openvassd-daemon.conf
+ExecStart=/usr/bin/openvassd $OPENVAS_SCANNER_OPTIONS $OPENVAS_SCANNER_LISTEN_SOCKET $OPENVAS_SCANNER_LISTEN_OWNER $OPENVAS_SCANNER_LISTEN_GROUP $OPENVAS_SCANNER_LISTEN_MODE
+Restart=on-failure
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
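Review bot: `Type=forking` without `PIDFile=` leaves systemd guessing the main PID from the cgroup, which makes `Restart=on-failure` unreliable; either add `PIDFile=` pointing at the daemon's pid file or pass `--foreground` and use `Type=simple`. Whichever is chosen should be the same model the OpenRC script uses, since both read the same `OPENVAS_SCANNER_OPTIONS` file.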

diff --git a/net-analyzer/openvas-scanner/metadata.xml b/net-analyzer/openvas-scanner/metadata.xml
index fa26aa942e1..50c99b9436c 100644
--- a/net-analyzer/openvas-scanner/metadata.xml
+++ b/net-analyzer/openvas-scanner/metadata.xml
@@ -10,6 +10,15 @@
 		<name>Proxy Maintainers</name>
 	</maintainer>
 	<use>
+		<flag name="cron">Install a cron job to update GVM's feed daily.</flag>
 		<flag name="extras">Html docs support</flag>
 	</use>
+	<longdescription lang="en">
+	Open Vulnerability Assessment System (OpenVAS) Scanner is the Greenbone Vulnerability Management (GVM) Solution.
+	It is used for the Greenbone Security Manager appliances and is a full-featured scan engine that executes a continuously 
+	updated and extended feed of Network Vulnerability Tests (NVTs).
+	</longdescription>
+	<upstream>
+		<remote-id type="github">greenbone/openvas-scanner</remote-id>
+	</upstream>
 </pkgmetadata>
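Review bot: the `<longdescription>` has trailing whitespace at the end of the `executes a continuously ` line, and "OpenVAS Scanner is the Greenbone Vulnerability Management (GVM) Solution" conflates the scanner with the whole GVM stack; "is the scan engine of the GVM solution" would be accurate. The `cron` flag description could name what it installs (`/etc/cron.d/gvm` and `/etc/gvm/gvm-feed-sync.sh`) so users know which files appear.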

diff --git a/net-analyzer/openvas-scanner/openvas-scanner-6.0.1.ebuild b/net-analyzer/openvas-scanner/openvas-scanner-6.0.1.ebuild
new file mode 100644
index 00000000000..1700d942181
--- /dev/null
+++ b/net-analyzer/openvas-scanner/openvas-scanner-6.0.1.ebuild
@@ -0,0 +1,138 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+CMAKE_MAKEFILE_GENERATOR="emake"
+inherit cmake-utils flag-o-matic systemd toolchain-funcs
+
+MY_PN="openvas"
+MY_DN="openvassd"
+
+DESCRIPTION="Open Vulnerability Assessment Scanner"
+HOMEPAGE="https://www.greenbone.net/en/"
+SRC_URI="https://github.com/greenbone/openvas-scanner/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+SLOT="0"
+LICENSE="GPL-2 GPL-2+"
+KEYWORDS="~amd64 ~x86"
+IUSE="cron extras"
+
+DEPEND="
+	app-crypt/gpgme:=
+	dev-db/redis
+	dev-libs/libgcrypt:=
+	dev-libs/libksba
+	>=net-analyzer/gvm-libs-10.0.1
+	net-analyzer/net-snmp
+	net-libs/gnutls:=
+	net-libs/libpcap
+	net-libs/libssh:=
+"
+
+RDEPEND="
+	${DEPEND}
+	!~net-analyzer/openvas-scanner-5.1.3
+	!net-analyzer/openvas-tools"
+
+BDEPEND="
+	sys-devel/bison
+	sys-devel/flex
+	virtual/pkgconfig
+	extras? ( app-doc/doxygen[dot]
+		  app-doc/xmltoman
+		  app-text/htmldoc
+		  dev-perl/CGI
+		  dev-perl/SQL-Translator
+	)"
+
+BUILD_DIR="${WORKDIR}/${MY_PN}-${PV}_build"
+S="${WORKDIR}/${MY_PN}-${PV}"
+
+PATCHES=(
+	# Install exec. to /usr/bin instead of /usr/sbin
+	"${FILESDIR}/${P}-sbin.patch"
+)
+
+src_prepare() {
+	cmake-utils_src_prepare
+	# QA-Fix | Correct FHS/Gentoo policy paths for 6.0.1
+	sed -i -e "s*/doc/openvas-scanner/*/doc/openvas-scanner-${PV}/*g" "$S"/src/CMakeLists.txt || die
+	# QA-Fix | Remove !CLANG doxygen warnings for 6.0.1
+	if use extras; then
+		if ! tc-is-clang; then
+		   local f
+		   for f in doc/*.in
+		   do
+			sed -i \
+				-e "s*CLANG_ASSISTED_PARSING = NO*#CLANG_ASSISTED_PARSING = NO*g" \
+				-e "s*CLANG_OPTIONS*#CLANG_OPTIONS*g" \
+				"${f}" || die "couldn't disable CLANG parsing"
+		   done
+		fi
+	fi
+}
+
+src_configure() {
+	local mycmakeargs=(
+		"-DCMAKE_INSTALL_PREFIX=${EPREFIX}/usr"
+		"-DLOCALSTATEDIR=${EPREFIX}/var"
+		"-DSYSCONFDIR=${EPREFIX}/etc"
+	)
+	# Add release hardening flags for 6.0.1
+	append-cflags -Wno-format-truncation -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector
+	append-ldflags -Wl,-z,relro -Wl,-z,now
+	cmake-utils_src_configure
+}
+
+src_compile() {
+	cmake-utils_src_compile
+	if use extras; then
+		cmake-utils_src_make -C "${BUILD_DIR}" doc
+		cmake-utils_src_make doc-full -C "${BUILD_DIR}" doc
+		HTML_DOCS=( "${BUILD_DIR}"/doc/generated/html/. )
+	fi
+	cmake-utils_src_make rebuild_cache
+}
+
+src_install() {
+	cmake-utils_src_install
+
+	dodir /etc/openvas
+	insinto /etc/openvas
+	newins "${FILESDIR}/${MY_DN}.gvm.conf" openvassd.conf
+
+	insinto /etc/openvas
+	doins "${FILESDIR}"/redis.conf.example
+
+	dodir /etc/openvas/sysconfig
+	insinto /etc/openvas/sysconfig
+	doins "${FILESDIR}/${MY_DN}-daemon.conf"
+
+	if use cron; then
+		# Install the cron job if they want it.
+		exeinto /etc/gvm
+		doexe "${FILESDIR}/gvm-feed-sync.sh"
+		fowners gvm:gvm /etc/gvm/gvm-feed-sync.sh
+
+		insinto /etc/cron.d
+		newins "${FILESDIR}"/gvm-feed-sync.cron gvm
+	fi
+
+	fowners -R gvm:gvm /etc/openvas
+
+	newinitd "${FILESDIR}/${MY_DN}.init" "${MY_DN}"
+	newconfd "${FILESDIR}/${MY_DN}-daemon.conf" "${MY_DN}"
+
+	dodir /etc/logrotate.d
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}/${MY_DN}.logrotate" "${MY_DN}"
+
+	systemd_dounit "${FILESDIR}/${MY_DN}.service"
+
+	# Set proper permissions on required files/directories
+	keepdir /var/log/gvm
+	fowners gvm:gvm /var/log/gvm
+	keepdir /var/lib/openvas/{gnupg,plugins}
+	fowners -R gvm:gvm /var/lib/openvas
+}
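Review bot: `fowners -R gvm:gvm /etc/openvas` makes the scanner's configuration, including `nasl_no_signature_check` and the plugin paths in openvassd.conf, writable by the same account the feed sync and socket clients run as, so a compromise of the gvm user becomes full configuration control over a daemon that runs as root. Keep the configuration root-owned and, if gvm must read it, use `fowners root:gvm` with `fperms 640`. Two further points: `doins "${FILESDIR}"/redis.conf.example` refers to a file that is not among the files added in this commit, so confirm it already exists in files/ or the install step dies; and the ebuild chowns to `gvm:gvm` without depending on anything that creates that user (no acct-user/gvm dependency, no `enewuser`), so the install fails on a system where gvm-libs or gvmd has not created it yet. Minor: `-D_FORTIFY_SOURCE=2 -fstack-protector` are already defaults of Gentoo's toolchain, and `cmake-utils_src_make doc-full -C "${BUILD_DIR}" doc` builds both the `doc-full` and `doc` targets in one call, which is probably unintended.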

