A utility like pkg-audit for Arch Linux. Based on Arch Security Team data.

Overview

arch-audit

pkg-audit-like utility for Arch Linux.

Based on data from security.archlinux.org collected by the awesome Arch Security Team.

Installation

Latest release from official repositories

pacman -S arch-audit

Development version from AUR

The PKGBUILD is available on AUR.

After the installation just execute arch-audit.

Development version from sources

git clone https://github.com/ilpianista/arch-audit
cd arch-audit
cargo build
cargo run

Completion

Completions are generated using the completions subcommand of arch-audit and are available for various shells like zsh, bash, fish and more:

arch-audit completions zsh > /usr/share/zsh/site-functions/_arch-audit
arch-audit completions bash > /usr/share/bash-completion/completions/arch-audit
arch-audit completions fish > /usr/share/fish/vendor_completions.d/arch-audit.fish

Example output

$ arch-audit
bzip2 is affected by CVE-2016-3189. Medium risk!
curl is affected by CVE-2016-9594, CVE-2016-9586. Update to 7.52.1-1!
gst-plugins-bad is affected by CVE-2016-9447, CVE-2016-9446, CVE-2016-9445. High risk!
jasper is affected by CVE-2016-8886. Medium risk!
libimobiledevice is affected by CVE-2016-5104. Low risk!
libtiff is affected by CVE-2015-7554. Critical risk!
libusbmuxd is affected by CVE-2016-5104. Low risk!
openjpeg2 is affected by CVE-2016-9118, CVE-2016-9117, CVE-2016-9116, CVE-2016-9115, CVE-2016-9114, CVE-2016-9113. High risk!
openssl is affected by CVE-2016-7055. Low risk!

$ arch-audit --upgradable --quiet
curl>=7.52.1-1

$ arch-audit -uf "%n|%c"
curl|CVE-2016-9594,CVE-2016-9586
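The lines above follow a fixed shape ("PKG is affected by CVE, CVE. SEVERITY risk!" or "... Update to VERSION!"), which makes the default report easy to post-process without the `-f` placeholders. The following shell script is an added example, not part of arch-audit, that parses that format into `pkg|severity|cves` records and then applies the two filters a monitoring job usually wants: a minimum severity, and "only findings that already have a fixed package" (the subset `--upgradable` prints). The report it works on is constructed to mirror the sample output; on a real host, pipe `arch-audit` into the functions instead.

```shell
#!/bin/sh
# Added example, not part of arch-audit: parse the default report format into
# "pkg|severity|cve1,cve2" records, then filter the way a cron job or a
# monitoring check might (minimum severity, or fix-available only).
# On a real host feed the tool's own output in:  arch-audit | min_severity_findings High

# Constructed sample report (same shape as the README's example output).
SAMPLE_REPORT='bzip2 is affected by CVE-2016-3189. Medium risk!
curl is affected by CVE-2016-9594, CVE-2016-9586. Update to 7.52.1-1!
libtiff is affected by CVE-2015-7554. Critical risk!
openssl is affected by CVE-2016-7055. Low risk!'

# severity_rank WORD: numeric rank so severities can be compared.
# "Update to ..." lines carry no severity word and rank 0.
severity_rank() {
    case "$1" in
        Critical) echo 4 ;;
        High)     echo 3 ;;
        Medium)   echo 2 ;;
        Low)      echo 1 ;;
        *)        echo 0 ;;
    esac
}

# parse_report: stdin (arch-audit lines) -> "pkg|severity|cves" per line.
# A line that offers a fixed version is reported with severity "fixed:VERSION",
# and the CVE list is normalised to comma-separated without spaces.
parse_report() {
    sed -E \
        -e 's/^([^ ]+) is affected by (.*)\. (Critical|High|Medium|Low) risk!$/\1|\3|\2/' \
        -e 's/^([^ ]+) is affected by (.*)\. Update to ([^!]+)!$/\1|fixed:\3|\2/' \
        -e 's/, /,/g'
}

# min_severity_findings MIN: records whose severity is at least MIN
# (Low, Medium, High or Critical). Lines that only advertise a fix are dropped.
min_severity_findings() {
    min=$(severity_rank "$1")
    parse_report | while IFS='|' read -r pkg sev cves; do
        if [ "$(severity_rank "$sev")" -ge "$min" ]; then
            echo "$pkg|$sev|$cves"
        fi
    done
}

# upgradable_findings: records for which a fixed package is already available,
# i.e. the subset `arch-audit --upgradable` would report.
upgradable_findings() {
    parse_report | grep '|fixed:' || true
}

# Stand-alone demonstration on the constructed report.
printf '%s\n' "$SAMPLE_REPORT" | min_severity_findings High
printf '%s\n' "$SAMPLE_REPORT" | upgradable_findings
```

The parser deliberately keeps the severity word and the fixed version in the same field so a single `read` loop can branch on either; anything that does not match the two known line shapes passes through unchanged and ranks 0, so an unexpected format shows up in a low-threshold run rather than being silently dropped.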

Donate

Donations via Liberapay or Bitcoin (1Ph3hFEoQaD4PK6MhL3kBNNh9FZFBfisEH) are always welcomed, thank you!

False Positive

Before reporting a false positive, check https://security.archlinux.org first: arch-audit parses that page, so if that page reports a false positive, arch-audit will too. Get in touch with the Arch Linux Security Team via IRC at freenode#archlinux-security. Thanks!

License

MIT

Comments
  • Added bold text to package and color to CVE only.

    Clean up and reverted to first commit.

    Formatted the output like Package {pkg} is affected by {severity} {issues}. with the pkg in bold and the severity and issue colored.

    opened by joshuachp 4
  • added manpage

    Heyho, I created a manpage for your project. When you edit the PKGBUILD just make sure to gzip the manpage and move it to "${pkgdir}/usr/share/man/man1/"

    Best regards

    Chris

    EDIT: nvm that upgradable is a valid english word. I have reset the other changes and just added the man page.

    opened by shibumi 4
  • Move clap configuration to cli.yaml

    Was reading through the clap documentation and saw this feature to move the clap configuration out into a .yaml file. Cleans up main.rs a little bit, and the yaml file has a nice syntax for adding any new options or subcommands.

    Recompiled arch-audit and tested that usage and behaviour of the binary seems to be unaffected by this change:

    debug $ pwd
    /home/dbishop/projects/arch-audit/target/debug
    debug $ ./arch-audit -h
    arch-audit 0.1.4
    
    USAGE:
        arch-audit [FLAGS] [OPTIONS]
    
    FLAGS:
        -h, --help          Prints help information
        -q, --quiet         Show only vulnerable package names and their versions
        -u, --upgradable    Show only packages that have already been fixed
        -V, --version       Prints version information
    
    OPTIONS:
        -b, --dbpath <dbpath>    Set an alternate database location
        -f, --format <format>    Specify a format to control the output. Placeholders are %n (pkgname) and %c (CVEs)
    debug $ ./arch-audit -q
    libtiff
    bzip2
    jasper
    libwmf
    debug $ ./arch-audit -V
    arch-audit 0.1.4
    

    Hope this is of some help or use. Let me know if there's anything else I should do before this can be merged.

    opened by donniebishop 4
  • Add config file and socks5 support

    Replaces curl with reqwest and introduces config files, the resolution order is argument > ~/.config/arch-audit.conf > /etc/arch-audit.conf > default value.

    Configuring arch-audit to use tor looks like this, all settings are optional in the config file:

    [network]
    #source = "https://security.archlinux.org/all.json"
    proxy = "socks5://127.0.0.1:9050"
    
    opened by kpcyrd 3
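The resolution order described in that PR (argument, then the user file, then the system file, then a built-in default) is worth seeing as concrete logic, in particular because a commented-out key in `~/.config/arch-audit.conf` must fall through to `/etc/arch-audit.conf` rather than mask it. The script below is an added example and not arch-audit's own code: it assumes the `key = "value"` line format shown in the snippet, treats a leading `#` as a comment, takes the two file paths as parameters so it can run against constructed temporary files, and uses a made-up `timeout` key only to show the default path.

```shell
#!/bin/sh
# Added example, not arch-audit's own code: resolve a single setting with the
# precedence argument > ~/.config/arch-audit.conf > /etc/arch-audit.conf > default.
# Assumes the `key = "value"` line format shown above; a line starting with '#'
# is commented out, so a commented key in the user file falls through to the
# system file instead of hiding it.

# read_key FILE KEY: print KEY's unquoted value from FILE, or nothing.
read_key() {
    [ -r "$1" ] || return 0
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"([^\"]*)\".*/\1/p" "$1" | head -n 1
}

# resolve_setting KEY DEFAULT CLI_VALUE USER_CONF SYSTEM_CONF
# The first non-empty source wins. The two conf paths are parameters so the
# lookup can be exercised on temporary files; in practice they would be
# "$HOME/.config/arch-audit.conf" and /etc/arch-audit.conf.
resolve_setting() {
    key=$1; default=$2; cli=$3; user_conf=$4; system_conf=$5
    if [ -n "$cli" ]; then
        echo "$cli"; return 0
    fi
    v=$(read_key "$user_conf" "$key")
    if [ -n "$v" ]; then
        echo "$v"; return 0
    fi
    v=$(read_key "$system_conf" "$key")
    if [ -n "$v" ]; then
        echo "$v"; return 0
    fi
    echo "$default"
}

# Constructed demo files standing in for the real locations (left in place
# under $demo_dir so they can be inspected).
demo_dir=$(mktemp -d)
cat > "$demo_dir/user.conf" <<'EOF'
[network]
#source = "https://security.archlinux.org/all.json"
proxy = "socks5://127.0.0.1:9050"
EOF
cat > "$demo_dir/system.conf" <<'EOF'
[network]
source = "https://mirror.example.invalid/all.json"
proxy = "socks5://10.0.0.1:1080"
EOF

DEFAULT_SOURCE='https://security.archlinux.org/all.json'

# Demonstration: proxy comes from the user file, source skips the commented
# user line and comes from the system file, and the made-up "timeout" key is
# absent everywhere so it resolves to its default.
printf 'proxy   -> %s\n' "$(resolve_setting proxy  '' '' "$demo_dir/user.conf" "$demo_dir/system.conf")"
printf 'source  -> %s\n' "$(resolve_setting source "$DEFAULT_SOURCE" '' "$demo_dir/user.conf" "$demo_dir/system.conf")"
printf 'timeout -> %s\n' "$(resolve_setting timeout 30 '' "$demo_dir/user.conf" "$demo_dir/system.conf")"
```

Passing the command-line value explicitly as the third argument keeps the precedence visible at the call site: whatever the operator typed beats both files, and the system file is only consulted once the user file has nothing to say about that key.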
  • [service]: Activated different security features and disabled logfile

    There is no need for a call like usr/bin/sh -c 'arch-audit -uq > /tmp/arch-audit.log'; journald will log every output from STDOUT, STDERR etc. The logfile for arch-audit will be journalctl -u arch-audit.service.

    I've also activated a few security features that systemd provides:

    • PrivateTmp (arch-audit will have an own /tmp dir)
    • ProtectSystem=full (arch-audit will have no write access to /usr /boot or /etc)
    • ProtectHome (arch-audit will have no access to user /homes/)
    • PrivateDevices (arch-audit will have no access to devices like /dev/sda, only to a few dummy devices like /dev/urandom etc)
    opened by shibumi 3
  • Fix typos in messages when an upgrade is available

    When there is an updated package that fixes a vulnerability, the output currently ends with something like

    High risk!. Update to 244.2-1!
    

    Replace "!." with a single exclamation mark. Also, add a missing "the" to the message that is displayed when the updated package is in the testing repositories.

    opened by lfos 1
  • Add license scan report and status

    Your FOSSA integration was successful! Attached in this PR is a badge and license report to track scan status in your README.

    Below are docs for integrating FOSSA license checks into your CI:

    opened by fossabot 1
  • Do not print packages with state Vulnerable when upgradable_only is set

    In some cases packages on Arch's sec tracker have a fixed version that is not yet released or not yet in Arch's repos. Status remains "Vulnerable" in those cases. arch-audit does not take that into account though and happily prints their security status even if -u is set on the cli, even though there is clearly no update available.

    openssl and lib32-openssl are examples of this behaviour.

    opened by Arvedui 1
  • Code cleanup, restructure output slightly.

    Changes made:

    • Enums implement more traits
    • Severity and CVEs are printed using Display instead of Debug (this removes the brackets and quotes)
    • Messages were restructured so that the risk is at the front
    • Clippy now passes
    opened by clarfonthey 0
  • Move clap configuration to cli.yml

    Was reading through the clap documentation and saw this feature to move the clap configuration out into a .yaml file. Cleans up main.rs a little bit, and the yaml file has a nice syntax for adding any new options or subcommands.

    Recompiled arch-audit and tested that usage and behaviour of the binary seems to be unaffected by this change:

    debug $ pwd
    /home/dbishop/projects/arch-audit/target/debug
    debug $ ./arch-audit -h
    arch-audit 0.1.4
    
    USAGE:
        arch-audit [FLAGS] [OPTIONS]
    
    FLAGS:
        -h, --help          Prints help information
        -q, --quiet         Show only vulnerable package names and their versions
        -u, --upgradable    Show only packages that have already been fixed
        -V, --version       Prints version information
    
    OPTIONS:
        -b, --dbpath <dbpath>    Set an alternate database location
        -f, --format <format>    Specify a format to control the output. Placeholders are %n (pkgname) and %c (CVEs)
    debug $ ./arch-audit -q
    libtiff
    bzip2
    jasper
    libwmf
    debug $ ./arch-audit -V
    arch-audit 0.1.4
    

    Hope this is of some help or use. Let me know if there's anything else I should do before this can be merged.

    Note: Resubmitting due to fudging the first PR up

    opened by donniebishop 0
  • build(deps): bump regex from 1.5.4 to 1.5.6

    Bumps regex from 1.5.4 to 1.5.6.

    Changelog

    Sourced from regex's changelog.

    1.5.6 (2022-05-20)

    This release includes a few bug fixes, including a bug that produced incorrect matches when a non-greedy ? operator was used.

    1.5.5 (2022-03-08)

    This releases fixes a security bug in the regex compiler. This bug permits a vector for a denial-of-service attack in cases where the regex being compiled is untrusted. There are no known problems where the regex is itself trusted, including in cases of untrusted haystacks.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • build(deps): bump tokio from 1.11.0 to 1.13.1

    Bumps tokio from 1.11.0 to 1.13.1.

    Release notes

    Sourced from tokio's releases.

    Tokio v1.13.1

    1.13.1 (November 15, 2021)

    This release fixes a data race when sending and receiving on a closed oneshot channel (RUSTSEC-2021-0124).

    Fixed

    • sync: fix a data race between oneshot::Sender::send and awaiting a oneshot::Receiver when the oneshot has been closed (#4226)

    Tokio v1.13.0

    1.13.0 (October 29, 2021)

    Fixed

    • sync: fix Notify to clone the waker before locking its waiter list (#4129)
    • tokio: add riscv32 to non atomic64 architectures (#4185)

    Added

    • net: add poll_{recv,send}_ready methods to udp and uds_datagram (#4131)
    • net: add try_*, readable, writable, ready, and peer_addr methods to split halves (#4120)
    • sync: add blocking_lock to Mutex (#4130)
    • sync: add watch::Sender::send_replace (#3962, #4195)
    • sync: expand Debug for Mutex<T> impl to unsized T (#4134)
    • tracing: instrument time::Sleep (#4072)
    • tracing: use structured location fields for spawned tasks (#4128)

    Changed

    • io: add assert in copy_bidirectional that poll_write is sensible (#4125)
    • macros: use qualified syntax when polling in select! (#4192)
    • runtime: handle block_on wakeups better (#4157)
    • task: allocate callback on heap immediately in debug mode (#4203)
    • tokio: assert platform-minimum requirements at build time (#3797)

    Documented

    • docs: conversion of doc comments to indicative mood (#4174)
    • docs: add returning on the first error example for try_join! (#4133)
    • docs: fixing broken links in tokio/src/lib.rs (#4132)
    • signal: add example with background listener (#4171)
    • sync: add more oneshot examples (#4153)
    • time: document Interval::tick cancel safety (#4152)

    #3797: tokio-rs/tokio#3797 #3962: tokio-rs/tokio#3962

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
Releases: 0.1.20

Owner: Andrea Scarpino
Site Reliability Engineer (aka DevOps). Privacy and FLOSS evangelist. White hat. @archlinux developer fellow.