- New port: security/openvas

This is the Open Vulnerability Assessment Scanner (OpenVAS) of the Greenbone
Vulnerability Management (GVM) Solution.

It is used for the Greenbone Security Manager appliances and is a full-featured
scan engine that executes a continuously updated and extended feed of Network
Vulnerability Tests (NVTs).

WWW: https://github.com/greenbone/openvas

security/openvas/Makefile

@@ -0,0 +1,38 @@
+# $FreeBSD$
+
+PORTNAME=	openvas
+DISTVERSION=	20.8.0
+DISTVERSIONPREFIX=	v
+CATEGORIES=	security
+
+MAINTAINER=	acm@FreeBSD.org
+COMMENT=	Open vulnerability assessment scanner
+
+LICENSE=	GPLv2+
+
+BUILD_DEPENDS=	flex:textproc/flex
+LIB_DEPENDS=	libgvm_base.so:security/gvm-libs \
+		libgcrypt.so:security/libgcrypt \
+		libpcap.so.1:net/libpcap \
+		libksba.so:security/libksba \
+		libgpgme.so:security/gpgme \
+		libssh.so:security/libssh \
+		libgnutls.so:security/gnutls \
+		libnetsnmp.so:net-mgmt/net-snmp
+RUN_DEPENDS=	redis-server:databases/redis \
+		snmpget:net-mgmt/net-snmp \
+		rsync:net/rsync \
+		${PYTHON_PKGNAMEPREFIX}impacket>=0:net/py-impacket@${PY_FLAVOR}
+USE_GITHUB=	yes
+GH_ACCOUNT=	greenbone
+
+USES=		bison cmake gnome pkgconfig python:3.5+
+USE_GNOME=	glib20
+
+USERS=		gvm
+GROUPS=		${USERS}
+
+post-install:
+	@${MKDIR} ${STAGEDIR}/var/run/ospd
+
+.include <bsd.port.mk>

security/openvas/distinfo

@@ -0,0 +1,3 @@
+TIMESTAMP = 1609452424
+SHA256 (greenbone-openvas-v20.8.0_GH0.tar.gz) = fe0e03d59012bf93614f76afc40d783aa5be4d8879bbe418dddc9745a4d19ccb
+SIZE (greenbone-openvas-v20.8.0_GH0.tar.gz) = 423880

security/openvas/files/patch-CMakeLists.txt

@@ -0,0 +1,38 @@
+--- CMakeLists.txt	2020-08-11 07:00:25.000000000 -0500
++++ CMakeLists.txt	2021-01-04 19:19:49.997745000 -0500
+@@ -148,7 +148,7 @@
+ endif (NOT LIBDIR)
+ 
+ if (NOT LOCALSTATEDIR)
+-  set (LOCALSTATEDIR "${CMAKE_INSTALL_PREFIX}/var")
++  set (LOCALSTATEDIR "/var")
+ endif (NOT LOCALSTATEDIR)
+ 
+ if (NOT DATADIR)
+@@ -156,7 +156,7 @@
+ endif (NOT DATADIR)
+ 
+ if (NOT OPENVAS_RUN_DIR)
+-  set (OPENVAS_RUN_DIR "${LOCALSTATEDIR}/run")
++  set (OPENVAS_RUN_DIR "${LOCALSTATEDIR}/run/gvm")
+ endif (NOT OPENVAS_RUN_DIR)
+ 
+ if (NOT OPENVAS_FEED_LOCK_PATH)
+@@ -204,7 +204,7 @@
+ configure_file (doc/openvas.8.in doc/openvas.8 @ONLY)
+ configure_file (VERSION.in VERSION @ONLY)
+ configure_file (tools/greenbone-nvt-sync.in tools/greenbone-nvt-sync @ONLY)
+-configure_file (src/openvas_log_conf.cmake_in src/openvas_log.conf)
++configure_file (src/openvas_log_conf.cmake_in src/openvas_log.conf.sample)
+ 
+ ## Testing
+ 
+@@ -219,7 +219,7 @@
+   set (COVERAGE_FLAGS "--coverage")
+ endif (ENABLE_COVERAGE)
+ 
+-set (HARDENING_FLAGS            "-Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector")
++set (HARDENING_FLAGS            "-Wformat -Wformat-security")
+ set (LINKER_HARDENING_FLAGS     "-Wl,-z,relro -Wl,-z,now")
+ # The "-D_FILE_OFFSET_BITS=64 -DLARGEFILE_SOURCE=1" is necessary for GPGME!
+ set (GPGME_C_FLAGS              "-D_FILE_OFFSET_BITS=64 -DLARGEFILE_SOURCE=1")

security/openvas/files/patch-misc_ftp_funcs.c

@@ -0,0 +1,11 @@
+--- misc/ftp_funcs.c	2020-12-31 17:13:13.381267000 -0500
++++ misc/ftp_funcs.c	2020-12-31 17:15:17.095282000 -0500
+@@ -20,6 +20,8 @@
+ 
+ #include "network.h"
+ 
++#include <sys/types.h>
++#include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <stdio.h>
+ #include <stdlib.h>

security/openvas/files/patch-misc_network.c

@@ -0,0 +1,10 @@
+--- misc/network.c	2020-12-31 17:15:39.790259000 -0500
++++ misc/network.c	2020-12-31 17:16:09.182113000 -0500
+@@ -44,6 +44,7 @@
+ #include <string.h>
+ #include <sys/time.h> /* for gettimeofday */
+ #include <sys/types.h>
++#include <sys/socket.h>
+ #include <unistd.h>
+ 
+ #ifdef __FreeBSD__

security/openvas/files/patch-nasl_CMakeLists.txt

@@ -0,0 +1,28 @@
+--- nasl/CMakeLists.txt	2020-12-31 21:48:33.070235000 -0500
++++ nasl/CMakeLists.txt	2020-12-31 21:49:07.420166000 -0500
+@@ -86,6 +86,11 @@
+ 
+ message (STATUS "Looking for pcap...")
+ find_library (PCAP pcap)
++if (PCAP)
++  execute_process (COMMAND pkgconf libpcap --libs
++    OUTPUT_VARIABLE PCAP_LDFLAGS
++    OUTPUT_STRIP_TRAILING_WHITESPACE)
++endif (PCAP)
+ 
+ find_library (GPGME gpgme)
+ message (STATUS "Looking for gpgme... ${GPGME}")
+@@ -227,11 +232,11 @@
+ 
+ # Link the openvas-nasl executable
+ add_executable (openvas-nasl nasl.c)
+-target_link_libraries (openvas-nasl openvas_nasl_shared openvas_misc_shared ${GNUTLS_LDFLAGS} ${LIBSSH_LDFLAGS})
++target_link_libraries (openvas-nasl openvas_nasl_shared openvas_misc_shared ${GNUTLS_LDFLAGS} ${LIBSSH_LDFLAGS} ${PCAP_LDFLAGS})
+ 
+ # Link the openvas-nasl-lint executable
+ add_executable (openvas-nasl-lint nasl-lint.c)
+-target_link_libraries (openvas-nasl-lint openvas_nasl_shared openvas_misc_shared ${GLIB_LDFLAGS} ${GIO_LDFLAGS})
++target_link_libraries (openvas-nasl-lint openvas_nasl_shared openvas_misc_shared ${GLIB_LDFLAGS} ${GIO_LDFLAGS} ${PCAP_LDFLAGS})
+ 
+ ## Install
+ 

security/openvas/files/patch-nasl_capture_packet.h

@@ -0,0 +1,10 @@
+--- nasl/capture_packet.h	2020-12-31 17:18:54.965710000 -0500
++++ nasl/capture_packet.h	2020-12-31 17:18:25.229452000 -0500
+@@ -19,6 +19,7 @@
+ #ifndef CAPTURE_PACKET_H
+ #define CAPTURE_PACKET_H
+ 
++#include <sys/types.h>
+ #include <netinet/in.h>
+ #include <netinet/ip6.h>
+ 

security/openvas/files/patch-nasl_nasl_builtin_find_service.c

@@ -0,0 +1,10 @@
+--- nasl/nasl_builtin_find_service.c	2020-12-31 21:25:42.383545000 -0500
++++ nasl/nasl_builtin_find_service.c	2020-12-31 21:26:14.781948000 -0500
+@@ -34,6 +34,7 @@
+ #include <string.h>    /* for strstr() */
+ #include <sys/time.h>  /* for gettimeofday() */
+ #include <sys/types.h> /* for waitpid() */
++#include <sys/socket.h>
+ #include <sys/wait.h>  /* for waitpid() */
+ #include <unistd.h>    /* for usleep() */
+ 

security/openvas/files/patch-nasl_nasl_builtin_openvas_tcp_scanner.c

@@ -0,0 +1,11 @@
+--- nasl/nasl_builtin_openvas_tcp_scanner.c	2020-12-31 17:19:06.511436000 -0500
++++ nasl/nasl_builtin_openvas_tcp_scanner.c	2020-12-31 17:20:31.824455000 -0500
+@@ -428,7 +428,7 @@
+               bzero (&sa6, sizeof (sa6));
+               if (IN6_IS_ADDR_V4MAPPED (pia))
+                 {
+-                  sa.sin_addr.s_addr = pia->s6_addr32[3];
++                  sa.sin_addr.s_addr = pia->s6_addr[12];
+                   sa.sin_family = AF_INET;
+                   sa.sin_port = htons (port);
+                   len = sizeof (struct sockaddr_in);

security/openvas/files/patch-nasl_nasl_builtin_synscan.c

@@ -0,0 +1,29 @@
+--- nasl/nasl_builtin_synscan.c	2020-08-11 07:00:25.000000000 -0500
++++ nasl/nasl_builtin_synscan.c	2021-01-04 17:11:12.118080000 -0500
+@@ -36,6 +36,8 @@
+ #include <arpa/inet.h> /* for AF_INET */
+ #include <gvm/base/logging.h>
+ #include <gvm/base/prefs.h> /* for prefs_get */
++#include <sys/types.h>
++#include <sys/socket.h>
+ #include <netinet/ip.h>
+ #include <netinet/tcp.h> /* for TH_SYN */
+ #include <stdlib.h>      /* for rand() */
+@@ -699,7 +701,7 @@
+   if (IN6_IS_ADDR_V4MAPPED (dst6))
+     {
+       family = AF_INET;
+-      dst.s_addr = dst6->s6_addr32[3];
++      dst.s_addr = dst6->s6_addr[12];
+       soc = rawsocket (AF_INET);
+     }
+   else
+@@ -787,7 +789,7 @@
+   struct in_addr *dst;
+   struct in_addr inaddr;
+ 
+-  inaddr.s_addr = dst6->s6_addr32[3];
++  inaddr.s_addr = dst6->s6_addr[12];
+   dst = &inaddr;
+ 
+   if (islocalhost (dst))

security/openvas/files/patch-nasl_nasl_host.c

@@ -0,0 +1,11 @@
+--- nasl/nasl_host.c	2021-01-04 17:21:14.150833000 -0500
++++ nasl/nasl_host.c	2021-01-04 17:21:49.587410000 -0500
+@@ -38,6 +38,8 @@
+ #include "nasl_tree.h"
+ #include "nasl_var.h"
+ 
++#include <sys/types.h>
++#include <sys/socket.h>
+ #include <arpa/inet.h> /* for inet_aton */
+ #include <gvm/base/networking.h>
+ #include <gvm/util/kb.h>

security/openvas/files/patch-nasl_nasl_init.c

@@ -0,0 +1,11 @@
+--- nasl/nasl_init.c	2020-12-31 17:24:31.913454000 -0500
++++ nasl/nasl_init.c	2020-12-31 17:25:42.418759000 -0500
+@@ -38,6 +38,8 @@
+ 
+ #include <stdlib.h> /* for getenv.  */
+ #include <string.h> /* for memset */
++#include <sys/types.h>
++#include <sys/socket.h>
+ /* to e.g. favour BSD, but also for IPPROTO_TCP and TH_FIN */
+ #include "nasl_raw.h"
+ #include "nasl_scanner_glue.h"

security/openvas/files/patch-nasl_nasl_packet_forgery.c

@@ -0,0 +1,65 @@
+--- nasl/nasl_packet_forgery.c	2020-08-11 07:00:25.000000000 -0500
++++ nasl/nasl_packet_forgery.c	2021-01-04 17:38:44.560650000 -0500
+@@ -33,6 +33,8 @@
+ #include "nasl_tree.h"
+ #include "nasl_var.h"
+ 
++#include <sys/types.h>
++#include <sys/socket.h>
+ #include <arpa/inet.h> /* for inet_aton */
+ #include <ctype.h>     /* for isprint */
+ #include <errno.h>     /* for errno */
+@@ -136,7 +138,7 @@
+   if (s != NULL)
+     inet_aton (s, &pkt->ip_dst);
+   else
+-    pkt->ip_dst.s_addr = dst_addr->s6_addr32[3];
++    memcpy(&pkt->ip_dst.s_addr, &dst_addr->s6_addr[12], 4);
+ 
+   if (data != NULL)
+     {
+@@ -1283,7 +1285,7 @@
+ 
+   if (dst == NULL || (IN6_IS_ADDR_V4MAPPED (dst) != 1))
+     return NULL;
+-  inaddr.s_addr = dst->s6_addr32[3];
++  memcpy(&inaddr.s_addr, &dst->s6_addr[12], 4);
+   for (i = 0; i < sizeof (sports) / sizeof (int); i++)
+     {
+       if (sports[i] == 0)
+@@ -1301,7 +1303,7 @@
+     port = plug_get_host_open_port (script_infos);
+ 
+   if (islocalhost (&inaddr) > 0)
+-    src.s_addr = dst->s6_addr32[3];
++    memcpy(&src.s_addr, &dst->s6_addr[12], 4);
+   else
+     {
+       bzero (&src, sizeof (src));
+@@ -1411,7 +1413,7 @@
+ 
+   if (dstip == NULL || (IN6_IS_ADDR_V4MAPPED (dstip) != 1))
+     return NULL;
+-  inaddr.s_addr = dstip->s6_addr32[3];
++  memcpy(&inaddr.s_addr, &dstip->s6_addr[12], 4);
+   soc = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
+   if (soc < 0)
+     return NULL;
+@@ -1540,7 +1542,7 @@
+         {
+           struct in_addr src;
+           bzero (&src, sizeof (src));
+-          inaddr.s_addr = dst->s6_addr32[3];
++  	  memcpy(&inaddr.s_addr, &dst->s6_addr[12], 4);
+           interface = routethrough (&inaddr, &src);
+         }
+       else
+@@ -1680,7 +1682,7 @@
+         {
+           struct in_addr src;
+           bzero (&src, sizeof (src));
+-          inaddr.s_addr = dst->s6_addr32[3];
++	  memcpy(&inaddr.s_addr, &dst->s6_addr[12], 4);
+           interface = routethrough (&inaddr, &src);
+         }
+       else

security/openvas/files/patch-nasl_nasl_packet_forgery_v6.c

@@ -0,0 +1,21 @@
+--- nasl/nasl_packet_forgery_v6.c	2020-08-11 07:00:25.000000000 -0500
++++ nasl/nasl_packet_forgery_v6.c	2021-01-04 17:39:47.104902000 -0500
+@@ -36,6 +36,8 @@
+  * 09/02/2010 Preeti Subramanian <spreeti@secpod.com>
+  */
+ 
++#include <sys/types.h>
++#include <sys/socket.h>
+ #include <arpa/inet.h> /* for inet_aton */
+ #include <ctype.h>     /* for isprint */
+ #include <pcap.h>      /* for PCAP_ERRBUF_SIZE */
+@@ -44,9 +46,7 @@
+ #include <sys/param.h>
+ #include <sys/time.h> /* for gettimeofday */
+ #include <unistd.h>   /* for close */
+-#ifdef __FreeBSD__
+ #include <netinet/in.h>
+-#endif
+ 
+ #include "../misc/bpf_share.h"    /* for bpf_open_live */
+ #include "../misc/pcap_openvas.h" /* for routethrough */

security/openvas/files/patch-nasl_nasl_socket.c

@@ -0,0 +1,29 @@
+--- nasl/nasl_socket.c	2020-12-31 17:33:40.663863000 -0500
++++ nasl/nasl_socket.c	2020-12-31 17:36:11.693013000 -0500
+@@ -51,6 +51,8 @@
+ #include <stdlib.h>              /* for atoi() */
+ #include <string.h>              /* for bzero */
+ #include <sys/time.h>
++#include <sys/types.h>
++#include <sys/socket.h>
+ #include <unistd.h> /* for close */
+ 
+ #ifndef EADDRNOTAVAIL
+@@ -311,7 +313,7 @@
+   if (IN6_IS_ADDR_V4MAPPED (p))
+     {
+       bzero (&daddr, sizeof (daddr));
+-      daddr.sin_addr.s_addr = p->s6_addr32[3];
++      daddr.sin_addr.s_addr = p->s6_addr[12];
+       daddr.sin_family = AF_INET;
+       daddr.sin_port = htons (dport);
+       unblock_socket (sock);
+@@ -546,7 +548,7 @@
+   if (IN6_IS_ADDR_V4MAPPED (ia))
+     {
+       bzero (&soca, sizeof (soca));
+-      soca.sin_addr.s_addr = ia->s6_addr32[3];
++      soca.sin_addr.s_addr = ia->s6_addr[12];
+       soca.sin_port = htons (port);
+       soca.sin_family = AF_INET;
+ 

security/openvas/files/patch-src_CMakeLists.txt

@@ -0,0 +1,13 @@
+--- src/CMakeLists.txt	2020-08-11 07:00:25.000000000 -0500
++++ src/CMakeLists.txt	2021-01-04 19:20:27.629700000 -0500
+@@ -228,8 +228,8 @@
+          PERMISSIONS OWNER_EXECUTE OWNER_READ OWNER_WRITE
+          GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+ 
+-install (FILES ${CMAKE_BINARY_DIR}/src/openvas_log.conf
+-         DESTINATION ${OPENVAS_SYSCONF_DIR})
++install (FILES ${CMAKE_BINARY_DIR}/src/openvas_log.conf.sample
++         DESTINATION "${OPENVAS_SYSCONF_DIR}")
+ 
+ install (FILES ${CMAKE_BINARY_DIR}/tools/greenbone-nvt-sync
+          DESTINATION ${BINDIR}

security/openvas/files/patch-src_pluginscheduler.c

@@ -0,0 +1,29 @@
+--- src/pluginscheduler.c	2020-08-11 07:00:25.000000000 -0500
++++ src/pluginscheduler.c	2021-01-04 18:10:12.943469000 -0500
+@@ -33,7 +33,7 @@
+ #include <glib.h>
+ #include <gvm/base/prefs.h>     /* for prefs_get() */
+ #include <gvm/util/nvticache.h> /* for nvticache_t */
+-#include <malloc.h>
++#include <stdlib.h>
+ #include <string.h> /* for strcmp() */
+ 
+ #undef G_LOG_DOMAIN
+@@ -325,7 +325,7 @@
+       plugins_scheduler_free (ret);
+       return NULL;
+     }
+-  malloc_trim (0);
++//  malloc_trim (0);
+   return ret;
+ }
+ 
+@@ -427,7 +427,7 @@
+           element = element->next;
+         }
+     }
+-  malloc_trim (0);
++//  malloc_trim (0);
+ }
+ 
+ struct scheduler_plugin *

security/openvas/files/patch-tools_greenbone-nvt-sync.in

@@ -0,0 +1,37 @@
+--- tools/greenbone-nvt-sync.in	2020-08-11 07:00:25.000000000 -0500
++++ tools/greenbone-nvt-sync.in	2021-01-02 02:45:37.863324000 -0500
+@@ -87,10 +87,10 @@
+ LOG_CMD="logger -t $SCRIPT_NAME"
+ 
+ check_logger () {
+-  logger --socket-error=on -p daemon.info -t $SCRIPT_NAME "Checking logger" --no-act 1>/dev/null 2>&1
++  logger -p daemon.info -t $SCRIPT_NAME "Checking logger"  1>/dev/null 2>&1
+   if [ $? -gt 0 ]
+   then
+-    LOG_CMD="logger --socket-error=off -s -t $SCRIPT_NAME"
++    LOG_CMD="logger -s -t $SCRIPT_NAME"
+     $LOG_CMD -p daemon.warning "The log facility is not working as expected. All messages will be written to the standard error stream."
+   fi
+ }
+@@ -428,7 +428,7 @@
+         log_err "rsync failed, aborting synchronization."
+         exit 1
+       fi
+-      eval "cd \"$NVT_DIR\" ; md5sum -c --status \"$NVT_DIR/md5sums\""
++      eval "cd \"$NVT_DIR\" ; xargs -n 2 md5 -c < \"$NVT_DIR/md5sums\" > /dev/null"
+       if [ $? -ne 0 ]  ; then
+         if [ -n "$retried" ]
+         then
+@@ -462,10 +462,10 @@
+ 
+ do_self_test ()
+ {
+-  MD5SUM_AVAIL=`command -v md5sum`
++  MD5SUM_AVAIL=`command -v md5`
+   if [ $? -ne 0 ] ; then
+     SELFTEST_FAIL=1
+-    stderr_write "The md5sum binary could not be found."
++    stderr_write "The md5 binary could not be found."
+   fi
+ 
+   RSYNC_AVAIL=`command -v rsync`

security/openvas/pkg-descr

@@ -0,0 +1,8 @@
+This is the Open Vulnerability Assessment Scanner (OpenVAS) of the Greenbone 
+Vulnerability Management (GVM) Solution.
+
+It is used for the Greenbone Security Manager appliances and is a full-featured
+scan engine that executes a continuously updated and extended feed of Network 
+Vulnerability Tests (NVTs).
+
+WWW: https://github.com/greenbone/openvas

security/openvas/pkg-plist

@@ -0,0 +1,23 @@
+bin/greenbone-nvt-sync
+bin/openvas-nasl
+bin/openvas-nasl-lint
+@sample %%ETCDIR%%/openvas_log.conf.sample
+lib/libopenvas_misc.so
+lib/libopenvas_misc.so.20
+lib/libopenvas_misc.so.20.8.0
+lib/libopenvas_nasl.so
+lib/libopenvas_nasl.so.20
+lib/libopenvas_nasl.so.20.8.0
+sbin/openvas
+share/man/man1/openvas-nasl-lint.1.gz
+share/man/man1/openvas-nasl.1.gz
+share/man/man8/greenbone-nvt-sync.8.gz
+share/man/man8/openvas.8.gz
+@dir %%ETCDIR%%/gnupg
+@dir %%DATADIR%%
+@dir(gvm,gvm,750) /var/lib/openvas/gnupg
+@dir(gvm,gvm,750) /var/lib/openvas/plugins
+@dir(gvm,gvm,750) /var/lib/openvas
+@dir(gvm,gvm,750) /var/log/gvm
+@dir(gvm,gvm,750) /var/run/ospd
+