Add files via upload

Author: HubTou

License

@@ -0,0 +1,11 @@
+Copyright 2023+ Hubert Tournier
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Makefile

@@ -0,0 +1,63 @@
+NAME=vuxml
+SOURCES=src/${NAME}/__init__.py src/${NAME}/main.py src/${NAME}/library.py
+
+# Default action is to show this help message:
+.help:
+	@echo "Possible targets:"
+	@echo "  check-code     Verify PEP 8 compliance (lint)"
+	@echo "  check-security Verify security issues (audit)"
+	@echo "  check-unused   Find unused code"
+	@echo "  check-version  Find required Python version"
+	@echo "  check-sloc     Count Single Lines of Code"
+	@echo "  checks         Make all the previous tests"
+	@echo "  format         Format code"
+	@echo "  package        Build package"
+	@echo "  upload-test    Upload the package to TestPyPi"
+	@echo "  upload         Upload the package to PyPi"
+	@echo "  distclean      Remove all generated files"
+
+check-code: /usr/local/bin/pylint
+	-pylint ${SOURCES}
+
+lint: check-code
+
+check-security: /usr/local/bin/bandit
+	-bandit -r ${SOURCES}
+
+audit: check-security
+
+check-unused: /usr/local/bin/vulture
+	-vulture --sort-by-size ${SOURCES}
+
+check-version: /usr/local/bin/vermin
+	-vermin ${SOURCES}
+
+check-sloc: /usr/local/bin/pygount
+	-pygount --format=summary .
+
+checks: check-code check-security check-unused check-version check-sloc
+
+format: /usr/local/bin/black
+	black ${SOURCES}
+
+love:
+	@echo "Not war!"
+
+man/${NAME}.1.gz: man/${NAME}.1
+	@gzip -k9c man/${NAME}.1 > man/${NAME}.1.gz
+
+man/${NAME}.3.gz: man/${NAME}.3
+	@gzip -k9c man/${NAME}.3 > man/${NAME}.3.gz
+
+package: man/${NAME}.1.gz man/${NAME}.3.gz
+	python -m build
+
+upload-test:
+	python -m twine upload --repository testpypi dist/*
+
+upload:
+	python -m twine upload dist/*
+
+distclean:
+	rm -rf build dist src/*.egg-info man/${NAME}.1.gz man/${NAME}.3.gz
+

README.md

@@ -15,3 +15,4 @@ This repository includes a command-line utility:
 
 And a Python library:
 * [vuxml(3)](https://github.com/HubTou/vuxml/blob/main/VUXML.3.md) - FreeBSD VuXML library
+

TODO.md

@@ -10,3 +10,4 @@ into account when checking if a vulnerable Python package is also a vulnerable F
 
 ## Other possible features
 * Disabling color output.
+

VUXML.1.md

@@ -131,3 +131,4 @@ This utility is available under the [3-clause BSD license](https://opensource.or
 [PORTREVISION and PORTEPOCH](https://people.freebsd.org/~olivierd/porters-handbook/makefile-naming.html) (ie. software versions ending with "\_number" or ",number")
 are not taken into account when checking if a vulnerable Python package is also a vulnerable FreeBSD port.
 I would have to develop my own versions comparison library in order to handle that (well, maybe one day :-) ).
+

VUXML.3.md

@@ -109,3 +109,4 @@ This library is available under the [3-clause BSD license](https://opensource.or
 [PORTREVISION and PORTEPOCH](https://people.freebsd.org/~olivierd/porters-handbook/makefile-naming.html) (ie. software versions ending with "\_number" or ",number")
 are not taken into account when checking if a vulnerable Python package is also a vulnerable FreeBSD port.
 I would have to develop my own versions comparison library in order to handle that (well, maybe one day :-) ).
+

man/vuxml.1

@@ -0,0 +1,217 @@
+.Dd March 19, 2023
+.Dt VUXML 1
+.Os
+.Sh NAME
+.Nm vuxml
+.Nd FreeBSD VuXML query tool
+.Sh SYNOPSIS
+.Nm
+.Op Fl -desc|-D
+.Op Fl -id|-i Ar VID
+.Op Fl -topic|-t Ar RE
+.Op Fl -keyword|-k Ar RE
+.Op Fl -package|-p Ar PID
+.Op Fl -re-names|-R
+.Op Fl -sources|-s
+.Op Fl -ref|-r Ar RID
+.Op Fl -discovery|-d Ar DATE
+.Op Fl -entry|-e Ar DATE
+.Op Fl -modified|-m Ar DATE
+.Op Fl -debug
+.Op Fl -help|-?
+.Op Fl -version
+.Op Fl -
+.Sh DESCRIPTION
+The
+.Nm
+utility provides easy and flexible ways to query the FreeBSD VuXML database of security issues in FreeBSD and its ports collection.
+.Pp
+You can search or explore the database:
+.Bl -bullet
+.It
+by vulnerability ID (with the
+.Op Fl -id|-i
+option),
+.It
+by regular expression in topics (with the
+.Op Fl -topic|-t
+option),
+.It
+by regular expression in topics and descriptions (with the
+.Op Fl -keyword|-k
+option),
+.It
+by package name or package name and version (with the
+.Op Fl -package|-p
+option),
+.Bl -bullet
+.It
+the package name can be treated as a regular expression (with the
+.Op Fl -re-names|-R
+option),
+.El
+.It
+by reference source, reference source and ID, or ID (with the
+.Op Fl -ref|-r
+option),
+.Bl -bullet
+.It
+existing sources can be listed (with the
+.Op Fl -sources|-s
+option),
+.El
+.It
+by discovery, entry or modification dates (with the
+.Op Fl -discovery|-d ,
+.Op Fl -entry|-e
+or
+.Op Fl -modified|-m
+options),
+.Bl -bullet
+.It
+these dates can be a specific day, month or year.
+.El
+.El
+.Pp
+For all these queries the detailed description is not printed, unless you use the
+.Op Fl -desc|-d
+option to render the HTML description as text.
+.Pp
+For the package and reference queries, the package and version, or reference source and ID, are separated using the '~' character.
+.Pp
+All the options can be used several times and their results are cumulative (ie. treated as logical OR).
+.Ss OPTIONS
+.Op Fl -desc|-D
+Print description
+.Pp
+.Op Fl -id|-i Ar VID
+Search for the specified Vulnerability ID
+.Pp
+.Op Fl -topic|-t Ar RE
+Search for the specified regex in topics
+.Pp
+.Op Fl -keyword|-k Ar RE
+Search for the specified regex in topics and desc.
+.Pp
+.Op Fl -package|-p Ar PID
+Search for the specified name in affected packages. PID can also be name~version
+.Pp
+.Op Fl -re-names|-R
+The name part of a PID is a regex
+.Pp
+.Op Fl -sources|-s
+List references sources
+.Pp
+.Op Fl -ref|-r Ar RID
+Search for the specified ID in references. RID can also be source~, source~ID
+.Pp
+.Op Fl -discovery|-d Ar DATE
+Search for the specified date in discovery dates
+.Pp
+.Op Fl -entry|-e Ar DATE
+Search for the specified date in entry dates
+.Pp
+.Op Fl -modified|-m Ar DATE
+Search for the specified date in modified dates. DATE can be YYYY-MM-DD, YYYY-MM or YYYY
+.Pp
+.Op Fl -debug
+Enable debug mode
+.Pp
+.Op Fl -help|-?
+Print usage and this help message and exit
+.Pp
+.Op Fl -version
+Print version and exit
+.Pp
+.Op Fl -
+Options processing terminator
+.Sh ENVIRONMENT
+The
+.Ev VUXML_DEBUG
+environment variable can be set to any value to enable debug mode.
+.Pp
+The
+.Ev LOCALAPPDATA
+and
+.Ev TMP
+environment variables under Windows, and
+.Ev HOME ,
+.Ev TMPDIR
+and
+.Ev TMP
+environment variables under other operating systems can influence of the caching directory used.
+.Sh FILES
+The
+.Nm
+utility will attempt to maintain a caching directory for the web service it uses, where the downloaded database will be re-used within the next 24 hours.
+.Pp
+This directory will be located in one of the following places:
+.Bl -bullet
+.It
+Windows:
+.Bl -bullet
+.It
+.Pa %LOCALAPPDATA%/cache/vuxml
+.It
+.Pa %TMP%/cache/vuxml
+.El
+.It
+Unix:
+.Bl -bullet
+.It
+.Pa ${HOME}/.cache/vuxml
+.It
+.Pa ${TMPDIR}/.cache/vuxml
+.It
+.Pa ${TMP}/.cache/vuxml
+.El
+.El
+.Sh EXIT STATUS
+.Ex -std vuxml
+.Sh EXAMPLES
+Use the following command to search for vulnerabilities affecting the "gnutls" package:
+.Bd -literal
+vuxml -p gnutls
+.Ed
+.Pp
+And the following one to search for vulnerabilities affecting packages whose name starts with "gnutls" ("gnutls", "gnutls-devel", "gnutls3" will match, while "linux-f10-gnutls" won't):
+.Bd -literal
+vuxml -Rp "^gnutls"
+.Ed
+.Sh SEE ALSO
+.Xr vuxml 3 ,
+.Lk https://www.vuxml.org/ VuXML website
+.Lk https://www.vuxml.org/freebsd/ FreeBSD VuXML website
+.Lk https://docs.freebsd.org/en/books/porters-handbook/security/ VuXML database explanation in the Porter's handbook
+.Lk https://www.freshports.org/security/vuxml/ VuXML database as a FreeBSD port
+.Xr pkg-audit 8 ,
+.Xr vxquery
+.Sh STANDARDS
+The
+.Nm
+utility is not a standard UNIX command.
+.Pp
+It tries to follow the PEP 8 style guide for Python code.
+.Sh PORTABILITY
+Tested OK under Windows.
+.Sh HISTORY
+This implementation was made for the
+.Lk https://github.com/HubTou/PNU PNU project
+.Pp
+While working on the
+.Xr pipinfo 1
+tool, I noticed that some Python packages installed as FreeBSD ports
+where marked as vulnerable in Python advisories but not in FreeBSD ports advisories.
+.Pp
+I made a tool to check the 4000+ FreeBSD ports of Python packages, and found around 1% of them vulnerable.
+.Pp
+So I made a library in order to verify if these vulnerable ports where also marked as vulnerable in FreeBSD VuXML,
+and got carried away writing this utility to demonstrate the use of the library!
+.Sh LICENSE
+This utility is available under the 3-clause BSD license.
+.Sh AUTHORS
+.An Hubert Tournier
+.Sh CAVEATS
+PORTREVISION and PORTEPOCH (ie. software versions ending with "_number" or ",number")
+are not taken into account when checking if a vulnerable Python package is also a vulnerable FreeBSD port.
+I would have to develop my own versions comparison library in order to handle that (well, maybe one day :-) ).