Merge pull request #1217 from Wicloz/patch-1 (improve debian/debsecan_ plugin)

Add suggest capabilities to the debian/debsecan_ plugin.
2025-07-21 18:41:03 +00:00 · 2021-07-15 23:18:43 +02:00 · 2021-07-15 23:18:43 +02:00 · 839a29e942
commit 839a29e942
parent e641c80284 5c048c989f
1 changed files with 112 additions and 101 deletions
--- a/plugins/debian/debsecan_
+++ b/plugins/debian/debsecan_
@ -36,6 +36,7 @@ Shell globbing patterns are allowed.

 * Nicolas BOUTHORS <nbouthors@nbi.fr> http://nbi.fr/, Inspiration of the moment 10/10/2007
 * Olivier Mehani <shtrom+munin@ssji.net>, 2016
+* Wilco de Boer <deboer.wilco@gmail.com>, 2021

 =head1 LICENSE

@ -43,13 +44,13 @@ Public Domain

 =head1 MAGIC MARKERS

-%# family=auto
-%# capabilities=autoconf
+#%# family=auto
+#%# capabilities=autoconf suggest

 =cut

 # Auto enable if we have debsecan only
-if [ "$1" = "autoconf" ] ; then
+if [ "$1" = "autoconf" ]; then
  if [ -x /usr/bin/debsecan ]; then
    echo yes
  else
@ -58,13 +59,25 @@ if [ "$1" = "autoconf" ] ; then
  exit 0
 fi

+# Suggest both modes when asked
+if [ "$1" = "suggest" ]; then
+  echo pkg
+  echo cve
+  exit 0
+fi
+
 # Fail if we don't have debsecan
 if [ ! -x /usr/bin/debsecan ]; then
  echo 'error: /usr/bin/debsecan not found' >&2
  exit 1
 fi

-SUITE=${suite:-sid}
+# Suite is taken from environment but defaults to `os-release` content
+SUITE=$(
+  . /etc/os-release
+  echo "${suite:-$VERSION_CODENAME}"
+)
+
 FIXEDWARN=${fixed_warning:-1}
 FIXEDCRIT=${fixed_critical:-1000}
 REMOTEWARN=${remote_warning:-1}
@ -72,119 +85,117 @@ REMOTECRIT=${remote_critical:-10}

 MODE=$(echo "$0" | sed 's/.*_//')
 case "${MODE}" in
-	'cve')
-		TITLE_ADD="unique "
-		FIELD=1
-		;;
-	'pkg' | *)
-		TITLE_ADD="package "
-		FIELD=2
-		;;
+  'cve')
+    TITLE_ADD="unique "
+    FIELD=1
+    ;;
+  'pkg' | *)
+    TITLE_ADD="package "
+    FIELD=2
+    ;;
 esac

-if [ "$1" = "config" ] ; then
-  cat <<EOF_
-graph_title DebSecan: ${TITLE_ADD}vulnerabilities
-graph_info ${TITLE_ADD}vulnerabilities for ${SUITE}
-graph_args -l 0 --base 1000
-graph_vlabel number of CVE
-graph_category system
-graph_period second
-graph_info This graph show the number of known ${TITLE_ADD}vulnerabilities present on your system. Use debsecan to see details.
-remote.label remote
-remote.colour FF0000
-remote.type GAUGE
-remote.draw AREASTACK
-remote.min 0
-remote.info The number of ${TITLE_ADD}remotely exploitable CVEs with any priority
-remote.warning ${REMOTEWARN}
-remote.critical ${REMOTECRIT}
-high.label high
-high.colour DD2200
-high.type GAUGE
-high.draw AREASTACK
-high.min 0
-high.info The number of ${TITLE_ADD}CVEs marked high priority
-medium.label medium
-medium.colour FFAA00
-medium.type GAUGE
-medium.draw AREASTACK
-medium.min 0
-medium.info The number of ${TITLE_ADD}CVEs marked medium priority
-low.label low
-low.colour 0000FF
-low.type GAUGE
-low.draw AREASTACK
-low.min 0
-low.info The number of ${TITLE_ADD}CVEs marked low priority
-other.label other
-other.colour 00AAFF
-other.type GAUGE
-other.draw AREASTACK
-other.min 0
-other.info The number of ${TITLE_ADD}CVEs with unspecified priority
-fixed.label fixed
-fixed.type GAUGE
-fixed.draw LINE2
-fixed.min 0
-fixed.info The number of ${TITLE_ADD}CVEs fixed by available updates
-fixed.warning ${FIXEDWARN}
-fixed.critical ${FIXEDCRIT}
-EOF_
+if [ "$1" = "config" ]; then
+  cat <<- EOF
+		graph_title DebSecan: ${TITLE_ADD}vulnerabilities
+		graph_info ${TITLE_ADD}vulnerabilities for ${SUITE}
+		graph_args -l 0 --base 1000
+		graph_vlabel number of CVE
+		graph_category system
+		graph_period second
+		graph_info This graph show the number of known ${TITLE_ADD}vulnerabilities present on your system. Use debsecan to see details.
+		remote.label remote
+		remote.colour FF0000
+		remote.type GAUGE
+		remote.draw AREASTACK
+		remote.min 0
+		remote.info The number of ${TITLE_ADD}remotely exploitable CVEs with any priority
+		remote.warning ${REMOTEWARN}
+		remote.critical ${REMOTECRIT}
+		high.label high
+		high.colour DD2200
+		high.type GAUGE
+		high.draw AREASTACK
+		high.min 0
+		high.info The number of ${TITLE_ADD}CVEs marked high priority
+		medium.label medium
+		medium.colour FFAA00
+		medium.type GAUGE
+		medium.draw AREASTACK
+		medium.min 0
+		medium.info The number of ${TITLE_ADD}CVEs marked medium priority
+		low.label low
+		low.colour 0000FF
+		low.type GAUGE
+		low.draw AREASTACK
+		low.min 0
+		low.info The number of ${TITLE_ADD}CVEs marked low priority
+		other.label other
+		other.colour 00AAFF
+		other.type GAUGE
+		other.draw AREASTACK
+		other.min 0
+		other.info The number of ${TITLE_ADD}CVEs with unspecified priority
+		fixed.label fixed
+		fixed.type GAUGE
+		fixed.draw LINE2
+		fixed.min 0
+		fixed.info The number of ${TITLE_ADD}CVEs fixed by available updates
+		fixed.warning ${FIXEDWARN}
+		fixed.critical ${FIXEDCRIT}
+	EOF
  exit 0
 fi

 ALL=$(debsecan --suite "${SUITE}" 2> /dev/null)
-REMOTE=$(echo "$ALL" | grep -w 'remotely')
-NONREMOTE=$(echo "$ALL" | grep -wv 'remotely')
+REMOTE=$(printf '%s' "$ALL" | grep -w 'remotely')
+NONREMOTE=$(printf '%s' "$ALL" | grep -wv 'remotely')

-HIGH=$(echo "${NONREMOTE}" | grep -w 'high urgency')
-MEDIUM=$(echo "${NONREMOTE}" | grep -w 'medium urgency')
-LOW=$(echo "${NONREMOTE}" | grep -w 'low urgency')
-OTHER=$(echo "${NONREMOTE}" | grep -wv 'urgency')
-FIXED=$(echo "${ALL}" | grep -w '(fixed')
+HIGH=$(printf '%s' "${NONREMOTE}" | grep -w 'high urgency')
+MEDIUM=$(printf '%s' "${NONREMOTE}" | grep -w 'medium urgency')
+LOW=$(printf '%s' "${NONREMOTE}" | grep -w 'low urgency')
+OTHER=$(printf '%s' "${NONREMOTE}" | grep -wv 'urgency')
+FIXED=$(printf '%s' "${ALL}" | grep -w '(fixed')

 # Arguments: Field offset to aggregate by
 count_entries() {
-	CUT_FIELD="${1}"
-	cut -f "${CUT_FIELD}" -d " "| sort | uniq -c
+  CUT_FIELD="${1}"
+  cut -f "${CUT_FIELD}" -d " " | sort | uniq -c
 }

 case "${MODE}" in
-	'cve')
-		remote_count=$(echo "${REMOTE}" | count_entries "${FIELD}" | wc -l)
-		high_count=$(echo "${HIGH}" | count_entries "${FIELD}" | wc -l)
-		medium_count=$(echo "${MEDIUM}" | count_entries "${FIELD}" | wc -l)
-		low_count=$(echo "${LOW}" | count_entries "${FIELD}" | wc -l)
-		other_count=$(echo "${OTHER}" | count_entries "${FIELD}" | wc -l)
-		fixed_count=$(echo "${FIXED}" | count_entries "${FIELD}" | wc -l)
-		;;
-	'pkg' | *)
-		remote_count=$(echo "${REMOTE}" | wc -l)
-		high_count=$(echo "${HIGH}" | wc -l)
-		medium_count=$(echo "${MEDIUM}" | wc -l)
-		low_count=$(echo "${LOW}" | wc -l)
-		other_count=$(echo "${OTHER}" | wc -l)
-		fixed_count=$(echo "${FIXED}" | wc -l)
-		;;
+  'cve')
+    remote_count=$(printf '%s' "${REMOTE}" | count_entries "${FIELD}" | wc -l)
+    high_count=$(printf '%s' "${HIGH}" | count_entries "${FIELD}" | wc -l)
+    medium_count=$(printf '%s' "${MEDIUM}" | count_entries "${FIELD}" | wc -l)
+    low_count=$(printf '%s' "${LOW}" | count_entries "${FIELD}" | wc -l)
+    other_count=$(printf '%s' "${OTHER}" | count_entries "${FIELD}" | wc -l)
+    fixed_count=$(printf '%s' "${FIXED}" | count_entries "${FIELD}" | wc -l)
+    ;;
+  'pkg' | *)
+    remote_count=$(printf '%s' "${REMOTE}" | wc -l)
+    high_count=$(printf '%s' "${HIGH}" | wc -l)
+    medium_count=$(printf '%s' "${MEDIUM}" | wc -l)
+    low_count=$(printf '%s' "${LOW}" | wc -l)
+    other_count=$(printf '%s' "${OTHER}" | wc -l)
+    fixed_count=$(printf '%s' "${FIXED}" | wc -l)
+    ;;
 esac

 # Reformat the output of the cut|sort|uniq... to a more human-friendly "item (count)" format
 CVECOUNTRE='s/^ *\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/'

-# shellcheck disable=SC2005 disable=SC2046
-# The nested $(echo ...)s are needed to yet the newlines
-cat <<EOF
-remote.value $remote_count
-remote.extinfo $(echo $(echo "${REMOTE}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}"))
-high.value $high_count
-high.extinfo $(echo $(echo "${HIGH}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}"))
-medium.value $medium_count
-medium.extinfo $(echo $(echo "${MEDIUM}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}"))
-low.value $low_count
-low.extinfo $(echo $(echo "${LOW}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}"))
-other.value $other_count
-other.extinfo $(echo $(echo "${OTHER}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}"))
-fixed.value $fixed_count
-fixed.extinfo $(echo $(echo "${FIXED}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}"))
+cat <<- EOF
+	remote.value $remote_count
+	remote.extinfo $(printf '%s' "${REMOTE}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}" | xargs)
+	high.value $high_count
+	high.extinfo $(printf '%s' "${HIGH}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}" | xargs)
+	medium.value $medium_count
+	medium.extinfo $(printf '%s' "${MEDIUM}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}" | xargs)
+	low.value $low_count
+	low.extinfo $(printf '%s' "${LOW}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}" | xargs)
+	other.value $other_count
+	other.extinfo $(printf '%s' "${OTHER}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}" | xargs)
+	fixed.value $fixed_count
+	fixed.extinfo $(printf '%s' "${FIXED}" | count_entries "${FIELD}" | sort -nr | sed "${CVECOUNTRE}" | xargs)
 EOF