A utility like pkg-audit for Arch Linux. Based on Arch Security Team data.

Overview

arch-audit

pkg-audit-like utility for Arch Linux.

Based on data from security.archlinux.org collected by the awesome Arch Security Team.

Installation

Latest release from official repositories

pacman -S arch-audit

Development version from AUR

The PKGBUILD is available on AUR.

After installation, just run arch-audit.

Development version from sources

git clone https://github.com/ilpianista/arch-audit
cd arch-audit
cargo build
cargo run

Completion

Completions are generated using the completions subcommand of arch-audit and are available for various shells like zsh, bash, fish and more:

arch-audit completions zsh > /usr/share/zsh/site-functions/_arch-audit
arch-audit completions bash > /usr/share/bash-completion/completions/arch-audit
arch-audit completions fish > /usr/share/fish/vendor_completions.d/arch-audit.fish

Example output

$ arch-audit
bzip2 is affected by CVE-2016-3189. Medium risk!
curl is affected by CVE-2016-9594, CVE-2016-9586. Update to 7.52.1-1!
gst-plugins-bad is affected by CVE-2016-9447, CVE-2016-9446, CVE-2016-9445. High risk!
jasper is affected by CVE-2016-8886. Medium risk!
libimobiledevice is affected by CVE-2016-5104. Low risk!
libtiff is affected by CVE-2015-7554. Critical risk!
libusbmuxd is affected by CVE-2016-5104. Low risk!
openjpeg2 is affected by CVE-2016-9118, CVE-2016-9117, CVE-2016-9116, CVE-2016-9115, CVE-2016-9114, CVE-2016-9113. High risk!
openssl is affected by CVE-2016-7055. Low risk!

$ arch-audit --upgradable --quiet
curl>=7.52.1-1

$ arch-audit -uf "%n|%c"
curl|CVE-2016-9594,CVE-2016-9586

Donate

Donations via Liberapay or Bitcoin (1Ph3hFEoQaD4PK6MhL3kBNNh9FZFBfisEH) are always welcome, thank you!

False Positive

Before reporting a false positive, please check https://security.archlinux.org first: arch-audit parses the data published there, so if that site reports a false positive, arch-audit will too. Get in touch with the Arch Linux Security Team via IRC in #archlinux-security on freenode. Thanks!

License

MIT

Comments
  • Added bold text to package and color to CVE only.

    Clean up and reverted to first commit.

    Formatted the output like Package {pkg} is affected by {severity} {issues}. with the pkg in bold and the severity and issue colored.

    opened by joshuachp 4
  • added manpage

    Heyho, I created a manpage for your project. When you edit the PKGBUILD, just make sure to gzip the manpage and move it to "${pkgdir}/usr/share/man/man1/"

    Best regards

    Chris

    EDIT: nvm, upgradable is a valid English word. I have reset the other changes and just added the man page.

    opened by shibumi 4
  • Move clap configuration to cli.yaml

    Was reading through the clap documentation and saw this feature to move the clap configuration out into a .yaml file. Cleans up main.rs a little bit, and the yaml file has a nice syntax for adding any new options or subcommands.

    Recompiled arch-audit and tested that the usage and behaviour of the binary seem to be unaffected by this change:

    debug $ pwd
    /home/dbishop/projects/arch-audit/target/debug
    debug $ ./arch-audit -h
    arch-audit 0.1.4
    
    USAGE:
        arch-audit [FLAGS] [OPTIONS]
    
    FLAGS:
        -h, --help          Prints help information
        -q, --quiet         Show only vulnerable package names and their versions
        -u, --upgradable    Show only packages that have already been fixed
        -V, --version       Prints version information
    
    OPTIONS:
        -b, --dbpath <dbpath>    Set an alternate database location
        -f, --format <format>    Specify a format to control the output. Placeholders are %n (pkgname) and %c (CVEs)
    debug $ ./arch-audit -q
    libtiff
    bzip2
    jasper
    libwmf
    debug $ ./arch-audit -V
    arch-audit 0.1.4
    

    Hope this is of some help or use. Let me know if there's anything else I should do before this can be merged.

    opened by donniebishop 4
  • Add config file and socks5 support

    Replaces curl with reqwest and introduces config files; the resolution order is argument > ~/.config/arch-audit.conf > /etc/arch-audit.conf > default value.

    Configuring arch-audit to use Tor looks like this; all settings in the config file are optional:

    [network]
    #source = "https://security.archlinux.org/all.json"
    proxy = "socks5://127.0.0.1:9050"
    
    opened by kpcyrd 3
  • [service]: Activated different security features and disabled logfile

    There is no need for a call like usr/bin/sh -c 'arch-audit -uq > /tmp/arch-audit.log'; journald will log all output from STDOUT, STDERR, etc. The log for arch-audit will be available via journalctl -u arch-audit.service.

    I've also activated a few security features that systemd provides:

    • PrivateTmp (arch-audit will have its own /tmp dir)
    • ProtectSystem=full (arch-audit will have no write access to /usr, /boot or /etc)
    • ProtectHome (arch-audit will have no access to user /homes/)
    • PrivateDevices (arch-audit will have no access to devices like /dev/sda, only to a few dummy devices like /dev/urandom etc.)
    opened by shibumi 3
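A unit file that applies the journald logging and the four hardening directives described in the comment above, as an added example and not the unit shipped by the arch-audit project; the binary path /usr/bin/arch-audit and the Wants/After on network-online.target are assumptions (the tool fetches its data from security.archlinux.org).

```ini
# Added example: a hardened arch-audit.service (not the project's own unit).
# Assumption: arch-audit was installed from the repositories, so the binary
# lives at /usr/bin/arch-audit. systemd only allows whole-line comments,
# so every explanation sits on its own line.
[Unit]
Description=Audit installed packages against the Arch Security Tracker
# The tool downloads advisory data, so wait for the network (assumption).
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# No shell wrapper and no redirect to /tmp: journald captures stdout and
# stderr, so the report is read with: journalctl -u arch-audit.service
ExecStart=/usr/bin/arch-audit -uq

# Hardening listed in the comment above.
# Private /tmp and /var/tmp that no other process can see.
PrivateTmp=yes
# /usr, /boot and /etc are mounted read-only for this service.
# The pacman database under /var/lib/pacman stays readable.
ProtectSystem=full
# /home, /root and /run/user are not visible to the service.
ProtectHome=yes
# Private /dev containing only pseudo-devices such as /dev/null and
# /dev/urandom; physical devices like /dev/sda are not reachable.
PrivateDevices=yes

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze security arch-audit.service` shows how these directives change the service's exposure score and which directives are still missing.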
  • Fix typos in messages when an upgrade is available

    When there is an updated package that fixes a vulnerability, the output currently ends with something like

    High risk!. Update to 244.2-1!
    

    Replace "!." with a single exclamation mark. Also, add a missing "the" to the message that is displayed when the updated package is in the testing repositories.

    opened by lfos 1
  • Add license scan report and status

    Your FOSSA integration was successful! Attached in this PR is a badge and license report to track scan status in your README.

    Below are docs for integrating FOSSA license checks into your CI:

    opened by fossabot 1
  • Do not print packages with state Vulnerable when upgradable_only is set

    In some cases packages on Arch's security tracker have a fixed version that is not yet released or not yet in Arch's repos. The status remains "Vulnerable" in those cases. arch-audit does not take that into account, though, and happily prints their security status even if -u is set on the CLI, even though there is clearly no update available.

    openssl and lib32-openssl are examples of this behaviour.

    opened by Arvedui 1
  • Code cleanup, restructure output slightly.

    Changes made:

    • Enums implement more traits
    • Severity and CVEs are printed using Display instead of Debug (this removes the brackets and quotes)
    • Messages were restructured so that the risk is at the front
    • Clippy now passes
    opened by clarfonthey 0
  • Move clap configuration to cli.yml

    Was reading through the clap documentation and saw this feature to move the clap configuration out into a .yaml file. Cleans up main.rs a little bit, and the yaml file has a nice syntax for adding any new options or subcommands.

    Recompiled arch-audit and tested that the usage and behaviour of the binary seem to be unaffected by this change:

    debug $ pwd
    /home/dbishop/projects/arch-audit/target/debug
    debug $ ./arch-audit -h
    arch-audit 0.1.4
    
    USAGE:
        arch-audit [FLAGS] [OPTIONS]
    
    FLAGS:
        -h, --help          Prints help information
        -q, --quiet         Show only vulnerable package names and their versions
        -u, --upgradable    Show only packages that have already been fixed
        -V, --version       Prints version information
    
    OPTIONS:
        -b, --dbpath <dbpath>    Set an alternate database location
        -f, --format <format>    Specify a format to control the output. Placeholders are %n (pkgname) and %c (CVEs)
    debug $ ./arch-audit -q
    libtiff
    bzip2
    jasper
    libwmf
    debug $ ./arch-audit -V
    arch-audit 0.1.4
    

    Hope this is of some help or use. Let me know if there's anything else I should do before this can be merged.

    Note: Resubmitting due to fudging the first PR up

    opened by donniebishop 0
  • build(deps): bump regex from 1.5.4 to 1.5.6

    Bumps regex from 1.5.4 to 1.5.6.

    Changelog

    Sourced from regex's changelog.

    1.5.6 (2022-05-20)

    This release includes a few bug fixes, including a bug that produced incorrect matches when a non-greedy ? operator was used.

    1.5.5 (2022-03-08)

    This releases fixes a security bug in the regex compiler. This bug permits a vector for a denial-of-service attack in cases where the regex being compiled is untrusted. There are no known problems where the regex is itself trusted, including in cases of untrusted haystacks.

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • build(deps): bump tokio from 1.11.0 to 1.13.1

    Bumps tokio from 1.11.0 to 1.13.1.

    Release notes

    Sourced from tokio's releases.

    Tokio v1.13.1

    1.13.1 (November 15, 2021)

    This release fixes a data race when sending and receiving on a closed oneshot channel (RUSTSEC-2021-0124).

    Fixed

    • sync: fix a data race between oneshot::Sender::send and awaiting a oneshot::Receiver when the oneshot has been closed (#4226)

    Tokio v1.13.0

    1.13.0 (October 29, 2021)

    Fixed

    • sync: fix Notify to clone the waker before locking its waiter list (#4129)
    • tokio: add riscv32 to non atomic64 architectures (#4185)

    Added

    • net: add poll_{recv,send}_ready methods to udp and uds_datagram (#4131)
    • net: add try_*, readable, writable, ready, and peer_addr methods to split halves (#4120)
    • sync: add blocking_lock to Mutex (#4130)
    • sync: add watch::Sender::send_replace (#3962, #4195)
    • sync: expand Debug for Mutex<T> impl to unsized T (#4134)
    • tracing: instrument time::Sleep (#4072)
    • tracing: use structured location fields for spawned tasks (#4128)

    Changed

    • io: add assert in copy_bidirectional that poll_write is sensible (#4125)
    • macros: use qualified syntax when polling in select! (#4192)
    • runtime: handle block_on wakeups better (#4157)
    • task: allocate callback on heap immediately in debug mode (#4203)
    • tokio: assert platform-minimum requirements at build time (#3797)

    Documented

    • docs: conversion of doc comments to indicative mood (#4174)
    • docs: add returning on the first error example for try_join! (#4133)
    • docs: fixing broken links in tokio/src/lib.rs (#4132)
    • signal: add example with background listener (#4171)
    • sync: add more oneshot examples (#4153)
    • time: document Interval::tick cancel safety (#4152)

    ... (truncated)

    dependencies 
    opened by dependabot[bot] 0
Releases: 0.1.20

Owner

Andrea Scarpino
Site Reliability Engineer (aka DevOps). Privacy and FLOSS evangelist. White hat. @archlinux developer fellow.