Index: openacs-4/packages/acs-admin/www/posture-overview.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-admin/www/posture-overview.adp,v diff -u -r1.3 -r1.4 --- openacs-4/packages/acs-admin/www/posture-overview.adp 29 Oct 2024 15:14:33 -0000 1.3 +++ openacs-4/packages/acs-admin/www/posture-overview.adp 24 Apr 2025 15:56:16 -0000 1.4 @@ -143,7 +143,59 @@ via the SSL Labs service from Qualys. + +

Database Vulnerability Check

+

Database Client Library

+ + + + + + + + + + + + + + + + + + + + + + +
InstalledVulnerabilityDescriptionFixed in
@database_client.version@@database_client.cve_text@@database_client.cve_desc@@database_client.fixedin@
Installed
@database_client_version@No vulnerability known
+

Database Server

+ + + + + + + + + + + + + + + + + + + + + + +
InstalledVulnerabilityDescriptionFixed in
@database_server.version@@database_server.cve_text@@database_server.cve_desc@@database_server.fixedin@
Installed
@database_server_version@No vulnerability known
+
+

External Library Check

The following summary is based on the recommended setup of external Index: openacs-4/packages/acs-admin/www/posture-overview.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-admin/www/posture-overview.tcl,v diff -u -r1.2 -r1.3 --- openacs-4/packages/acs-admin/www/posture-overview.tcl 3 Sep 2024 15:37:29 -0000 1.2 +++ openacs-4/packages/acs-admin/www/posture-overview.tcl 24 Apr 2025 15:56:16 -0000 1.3 @@ -17,6 +17,7 @@ set packages [apm_enabled_packages] set number_of_packages [llength $packages] set version_numbers_on_result_pages [ns_config ns/server/[ns_info server] noticedetail] +set version_numbers_on_result_pages [expr {$version_numbers_on_result_pages ? "yes" : "no"}] if {$current_location eq ""} { set current_location [ns_conn location] @@ -210,13 +211,13 @@ /robots.txt /security.txt } { + set detailURL "" + set detailLabel "" + try { ns_http run -timeout 300ms $current_location$url } on ok {result} { set status [dict get $result status] - set diagnosis "" - set detailURL "" - set detailLabel "" switch $status { 200 {set diagnosis "publicly accessible"} 404 { @@ -232,10 +233,15 @@ } } } + default { + set diagnosis "unexpected status code: '$status'" + ns_log warning "posture-overview: unexpected status code '$status' for $current_location$url" + } } #append diagnosis " $node_id $package_id ($parties) // [llength $parties] // $direct_permissions" #append report "status $status $diagnose\n
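Review bot: The "No vulnerability known" rows of the new Database Client / Database Server tables are also reached when no check was performed at all, because the Tcl side of this change fills `database_client_version`/`database_server_version` and the two multirows only in the PostgreSQL branch and only when `ns_db info` and the advisory fetch succeed; an Oracle site, a driver that does not expose version info, or an unreachable postgresql.org would be shown as clean instead of unchecked. The tags are stripped in this view so I cannot see the exact branching, but the template should distinguish "not checked" from "no vulnerability known" by testing a flag that the Tcl page sets only after `check_vulnerability` returned. The description column renders text scraped from an external site (`cve_desc` comes from `asText` on the postgresql.org advisory table), so it must keep the default quoting — no `;noquote` on `@database_client.cve_desc@` / `@database_server.cve_desc@`.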
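Review bot: The added `expr {$version_numbers_on_result_pages ? "yes" : "no"}` raises "expected boolean value" when the `noticedetail` parameter is not set in the server config, since `ns_config` without a default then returns the empty string (any non-boolean value in the config fails the same way), and that error takes the whole posture page down. Use the boolean form with an explicit default so the page reports the server's effective setting: `set version_numbers_on_result_pages [expr {[ns_config -bool ns/server/[ns_info server] noticedetail true] ? "yes" : "no"}]` — the default passed here has to match NaviServer's own default for `noticedetail`, which I believe is true; please confirm. If `-bool` with a default is not available on the NaviServer versions you support, `[string is true -strict $version_numbers_on_result_pages]` at least avoids the error, but would then report "no" for an unset parameter.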
" } on error {errorMsg} { + ns_log warning "posture-overview: ns_http to $current_location$url ends with $errorMsg" set diagnosis $errorMsg set status 0 } 
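Review bot: The new `default` branch logs a warning and reports "unexpected status code" for every code other than 200 and 404, which includes exactly the states an admin wants named on this page: 401/403 (the path exists but is protected, arguably the desired state for some of the probed files) and 301/302 (as far as I know `ns_http run` does not follow redirects, so a site that redirects to HTTPS or to a canonical host would flag every probed path and emit a warning on each page view). Add explicit cases before `default`, e.g. `401 - 403 {set diagnosis "access denied"}` and `301 - 302 - 307 - 308 {set diagnosis "redirected"}`, and keep the warning for genuinely unexpected codes only. The `on error` handler puts the raw `ns_http` error text into `diagnosis`, which is then rendered; acceptable on an admin-only page, but worth a comment saying so. The enclosing `foreach` over the probed URLs and the `try` begin before this hunk.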
@@ -265,6 +271,60 @@ } } + + +template::multirow create database_client \ + version versionURL fixedin cve_text cve_link cve_desc +template::multirow create database_server \ + version versionURL fixedin cve_text cve_link cve_desc + +try { + db_with_handle -dbn "" handle { set db_info [ns_db info $handle] } +} on error {errorMsg} { + ns_log notice "cannot obtain version info from database driver" +} on ok {rc} { + #ns_log notice "====== GOT db_info: $db_info" + dict with db_info { + if {$type eq "PostgreSQL"} { + # + # Overload dict values with sample version numbers for + # demo purposes. + # + set clientversion 130004 + set serverversion 140010 + + set database_client_version [expr {$clientversion / 10000}].[expr {$clientversion % 10000}] + set dbclient [::util::resources::check_vulnerability \ + -service postgresql.org \ + -library client \ + -version $clientversion] + dict with dbclient { + foreach c $CVE { + #ns_log notice "CLIENT CVE $c" + dict with c { + template::multirow append database_client $database_client_version $versionURL $fixedin $name $url $description + } + } + } + + set database_server_version [expr {$serverversion / 10000}].[expr {$serverversion % 10000}] + set dbserver [::util::resources::check_vulnerability \ + -service postgresql.org \ + -library server \ + -version $serverversion] + dict with dbserver { + foreach c $CVE { + #ns_log notice "SERVER CVE $c" + dict with c { + template::multirow append database_server $database_server_version $versionURL $fixedin $name $url $description + } + } + } + } + } +} + + template::multirow create library_check \ library swa_link version_color \ configured_version vulnerability vulnerabilityCheckURL \ Index: openacs-4/packages/acs-tcl/tcl/utilities-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/utilities-procs.tcl,v diff -u -r1.203 -r1.204 --- openacs-4/packages/acs-tcl/tcl/utilities-procs.tcl 3 Apr 2025 17:11:20 
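Review bot: The two hard-coded lines `set clientversion 130004` and `set serverversion 140010`, commented as "sample version numbers for demo purposes", overwrite the values just obtained from `ns_db info` and make the posture page report CVEs for PostgreSQL 13.4/14.10 whatever is actually installed; on a security posture overview a fabricated result is worse than no check, so these lines (and the comment) should be removed before this ships — the code then relies on `clientversion`/`serverversion` being keys of the `ns_db info` dict, which the comment in utilities-procs.tcl suggests, please confirm. Independently, `database_client_version` and `database_server_version` are assigned only inside the PostgreSQL branch, while the ADP references `@database_client_version@`/`@database_server_version@` in its "No vulnerability known" rows, so a non-PostgreSQL site or a failed `ns_db info` hits an unset variable; initialise both before the `try`, `set database_client_version ""` and `set database_server_version ""`, or better set a flag the template can use to show "not checked". The `on error` handler also discards the reason; log it: `ns_log notice "cannot obtain version info from database driver: $errorMsg"`.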
-0000 1.203 +++ openacs-4/packages/acs-tcl/tcl/utilities-procs.tcl 24 Apr 2025 15:56:15 -0000 1.204 @@ -3905,14 +3905,14 @@ # Include form data when it is available via [ns_form] # set form [ns_getform] - + foreach {k v} [ns_set array $form] { - # Remove sensible information from logging - if {[regexp {password} $k]} { + # Remove sensible information from form fields for logging + if {[regexp -nocase "password" $k]} { set v XXXXXX } - + if {[string length $v] > 100} { set v "[string range $v 0 100]..." } @@ -4574,15 +4574,16 @@ {-version:required} } { - Return a dict containing vulnerability info with the keys - "hasVulnerability", "libraryURL" and "versionURL" + Returns a dict containing vulnerability info with the keys + "hasVulnerability", "libraryURL", "versionURL" and "cveURLs" @param service name of the vulnerability checking service (currently only synk) @param library name of the library as named by the vulnerability service @param version version of the library to be checked } { set hasVulnerability ? + set CVE {} switch $service { snyk { set vulnerabilityCheckURL https://security.snyk.io/package/npm/$library 
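Review bot: The masking still keys only on the substring "password" in the field name, so other credentials that routinely travel in forms — `passwd`, `pwd`, `secret`, `token`, `api_key`, `authorization`, card numbers — are written to the log in clear, and the 100-character truncation that follows does nothing for short secrets; the `-nocase` is an improvement, but the pattern should be broader, e.g. `if {[regexp -nocase {password|passwd|pwd|secret|token|api[_-]?key|authorization} $k]} {`. "sensible" in the comment means "sensitive": `# Mask sensitive form fields before logging`. The enclosing proc starts before this hunk, so I cannot see whether this is routine logging or error-only; if it is routine, consider logging field names without values.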
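Review bot: The updated docstring says the returned dict has the key "cveURLs", but the value built here is stored under the key `CVE` (the `return` at the end of the proc, in the last hunk of this file) and the caller in posture-overview.tcl reads `$CVE`; align the docstring with the code, e.g. `"hasVulnerability", "libraryURL", "versionURL", "advisorURL" and "CVE" (a list of dicts with the keys url, fixedin, name and description)`. The `@param service` line still reads "currently only synk" — the service is "snyk", and `postgresql.org` is now accepted as well. The proc header is above this hunk.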
@@ -4599,6 +4600,73 @@ #ns_log notice RESULT=$page } } + postgresql.org { + set vulnerabilityCheckURL https://www.postgresql.org/support/security + set hasVulnerability 0 + # clientversion 170004 serverversion 170004 + set major [expr {$version/10000}] + set minor [expr {$version % 10000}] + set versionNr $major.$minor + ns_log notice "PG VERSION $versionNr" + set page [::util::resources::http_get_with_default \ + -url $vulnerabilityCheckURL/$major \ + -key postgresql-$library/$major] + #ns_log notice "PAGE=$page" + dom parse -html -- $page doc + $doc documentElement root + foreach tr [$root selectNodes //tbody/tr] { + #ns_log notice "TR= [$tr asHTML]" + set freshVulnerability 0 + set columns [$tr selectNodes td] + if {[llength $columns] != 5} { + continue + } + lassign $columns reference affected fixed component description + if {![string match *$library* [$component asText]]} { + continue + } + set fixedin . + foreach v [regsub -all , [$fixed asText] ""] { + regexp {^(\d+)[.](\d+)} $v . majorFix minorFix + set numFixed [expr {$majorFix*10000+$minorFix}] + if {$majorFix == $major && $version >= $numFixed} { + set freshVulnerability 0 + #set hasVulnerability 0 + continue + } + if {$version < $numFixed} { + if {$majorFix < $major} { + break + } + set hasVulnerability 1 + set freshVulnerability 1 + set fixedin $v + #break + } + } + if {$freshVulnerability} { + #ns_log notice "CVE [$reference asHTML]" + #ns_log notice "... fixed <[$fixed asText]> -> has vulnerability $hasVulnerability" + #ns_log notice "... component <[$component asText]>" + #ns_log notice "... CHECK [$reference asHTML]" + foreach url [$reference selectNodes .//a/@href] { + #ns_log notice "... check URL $url" + if {[regexp {(CVE[-]\d+[-]\d+)/} $url . cve]} { + ns_log notice "... 
URL $url" + set desc [$description asText] + regsub -all {more details$} $desc "" desc + lappend CVE [list \ + url https://www.postgresql.org/[lindex $url end] \ + fixedin $fixedin \ + name $cve \ + description $desc] + } + } + } + } + set vulnerabilityCheckVersionURL $vulnerabilityCheckURL/$major + set vulnerabilityAdvisorURL "" + } default { error "check_vulnerability: unknown service '$service'" } @@ -4607,7 +4675,8 @@ return [list hasVulnerability $hasVulnerability \ libraryURL $vulnerabilityCheckURL \ versionURL $vulnerabilityCheckVersionURL \ - advisorURL $vulnerabilityAdvisorURL] + advisorURL $vulnerabilityAdvisorURL \ + CVE $CVE] } }
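Review bot: In the new `postgresql.org` branch the result of `regexp {^(\d+)[.](\d+)} $v . majorFix minorFix` is ignored, so a "Fixed" cell that is not a dotted version (empty for an advisory without a fix yet, or text such as "n/a") leaves `majorFix`/`minorFix` either unset — a Tcl error on the next line that takes the whole posture page down — or stale from the previous entry, which silently misclassifies the advisory; guard it with `if {![regexp {^(\d+)[.](\d+)} $v . majorFix minorFix]} { continue }`. Since the whole table comes from a remote page, the parser should degrade to "unknown" rather than error: `string match *$library*` interpolates `$library` into a glob pattern, and `https://www.postgresql.org/[lindex $url end]` is built without checking that the href is site-relative, so require the href to start with `/` before accepting it. The `ns_log notice "PG VERSION ..."` and `ns_log notice "... URL $url"` calls look like leftover debugging and should be removed or demoted to `debug`. The proc `check_vulnerability` starts before this hunk.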