| 1 |
I would like to present you an example showing how silly source scanning can |
| 2 |
be if done without thought: |
| 3 |
|
| 4 |
qmail and exim |
| 5 |
|
| 6 |
flawfinder reports more flaws in qmail (10 or so) then in exim (only 1). |
| 7 |
If one would make a decision based on the flawfinder output only, one would |
| 8 |
install exim. |
| 9 |
|
| 10 |
Offcourse if one compares the number of actual security holes found in exim to |
| 11 |
those found in qmail, one would install qmail. |
| 12 |
|
| 13 |
So i understand source code analysis as the first step only to create |
| 14 |
something for developers and admins/users that is able to guide them in |
| 15 |
security questions. |
| 16 |
|
| 17 |
some of the next steps i can imagin are: |
| 18 |
- a ports security policy :) |
| 19 |
|
| 20 |
- suid scans |
| 21 |
|
| 22 |
- scans of binaries |
| 23 |
|
| 24 |
- complexity analysis (we got the code, we got the binaries - if there was |
| 25 |
createt only 1 biiig binary out of al the code we know that the potential |
| 26 |
security impact is higher (exim) then if there would have been created |
| 27 |
several small binaries (assuming modularity, like qmail), etc. |
| 28 |
|
| 29 |
- dynamic meta-information from external sources (CERT, GLSA Database) |
| 30 |
This would result in: |
| 31 |
# emerge -p somemta |
| 32 |
Calculating dependencies ...done! |
| 33 |
ebuild information | version | hardened | CERT | GLSA |
| 34 |
[ebuild N ] net-mail/exim-4.14 - 5 2 |
| 35 |
|
| 36 |
# emerge -p --secinfo somemta |
| 37 |
|
| 38 |
* net-mail/somemta |
| 39 |
Latest version available: 4.14 |
| 40 |
Latest version installed: [ Not Installed ] |
| 41 |
Size of downloaded files: 1,531 kB |
| 42 |
Homepage: http://www.somemta.org/ |
| 43 |
ebuild Maintainer: someone@×××××××××.org |
| 44 |
Description: A highly configurable, drop-in replacement for sendmail |
| 45 |
|
| 46 |
Package is part of gentoo hardened : no |
| 47 |
CERT Security Advisories for somemta found : 5 |
| 48 |
CERT affecting this version of somemta found : 1 |
| 49 |
GLSA for somemta found : 2 |
| 50 |
GLSA affecting this version of somemta found : 1 |
| 51 |
|
| 52 |
Warnig: This version is affected by several security advisories. |
| 53 |
It is recommended to not install this version! |
| 54 |
You may try emerge sync or search at bugs.gentoo.org to get a newer |
| 55 |
version or contact the ebuild maintainer |
| 56 |
|
| 57 |
and while you do |
| 58 |
# emerge somemta |
| 59 |
you get additional information: |
| 60 |
* source code analysis report: |
| 61 |
* 1 potential security flaw found |
| 62 |
.... |
| 63 |
|
| 64 |
* compexity analysis report: |
| 65 |
* package seems to fairly complex, possible security impact: medium |
| 66 |
|
| 67 |
* suid scan report: |
| 68 |
* the software would like to install the following suids |
| 69 |
* 1) /usr/sbin/exim suid root |
| 70 |
* 2) /usr/sbin/blalaber suid mail |
| 71 |
What would like to do? |
| 72 |
-3) install all as shown |
| 73 |
-1) install all without suid |
| 74 |
or choose number of binary: |
| 75 |
|
| 76 |
ofcourse, this all can be enhanced and so on, thats why i put it here :) |
| 77 |
|
| 78 |
Jan |
| 79 |
|
| 80 |
|
| 81 |
-- |
| 82 |
gentoo-hardened@g.o mailing list |
Archives