Commit graph

26 commits

Author SHA1 Message Date
agc
5293710fb4 Add SHA512 digests for distfiles for security category
Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 01:17:40 +00:00
mef
e9b11ec7ca (pkgsrc)
- Add LICENSE= gnu-gpl-v2
(upstream)
 - Update 1.27 to 1.31
----------------------
2014-08-03 David A. Wheeler <dwheeler, at, dwheeler.com>
        * Release version 1.31, a set of small improvements mostly CWE-related.
        * Note that flawfinder is officially CWE-compatible.
        * Support GNU make install conventions (prefix, bindir, DESTDIR, etc.).
          The older program-specific conventions are still supported, but
          the documentation emphasizes using the standard conventions instead.
        * Simplified installation text.
        * Added more wide character function rules.
        * Add reference to info at "http://www.dwheeler.com/secure-programs".
        * Document that hitlists should be trusted to be loaded or diffed.
          These are implented using Python's pickle module, and that module
          presumes the data is from a trustworthy source.  In the expected
          use case this is fine... but it needed to be documented.
        * Tweak/improve mappings to CWE.  E.G., strlen()
          better maps to CWE-126 (buffer over-read).  In a few cases the
          CWE mappings weren't reported as such; that is now fixed.
          CWEs are actually a hierarchy; expose a little of this so
          people can more easily search on them.
        * Improved error detection and reporting.  In particular, error
          messages are sent to standard errors, filenames listed but
          non-existent trigger a separate warning, and there's a warning
          about non-existent filenames listed on the command line that
          begin with the UTF-8 long dash sequence (users might not notice
          the difference between long dash and dash, and this can happen
          in some cases when copying and pasting).
        * Add "-H" option as synonym for "--html".

2014-07-19 David A. Wheeler <dwheeler, at, dwheeler.com>
        * Release 1.29, primarily for CWE improvements.
        * Multi-line formatting is faster and formats better.
        * Documentation about CWEs has been improved.
        * HTML format includes links from CWE identifiers to their definitions.
        * Tweak CWE mappings, e.g., strlen maps to CWE-126 (buffer over-read).
        * Option "--listrules" now gives default warning and is tab-delimited.
        * Regression test suite now also tests the generated HTML.

2014-07-13 David A. Wheeler <dwheeler, at, dwheeler.com>
        * Release 1.28
        * Common Weakness Enumeration (CWE) references are
          now included in most hits
        * Handle files not ending in newline (thanks to Alexis Wilke)
        * Documentation clarifications
        * Added support for "git diff" in patchfile processing
        * Handles unbalanced double-quotes in sprintf
        * Fix incorrect time executed report
        * Fix bug to allow "flawfinder ." (fix bug#3)
        * Fix ignore directive when filenames differ (fix bug#6)
2015-03-11 00:51:06 +00:00
wiz
3faf991a33 Bump applications PKGREVISIONs for python users that might be using
python3, since the default changed from python33 to python34.

I probably bumped too many. I hope I got them all.
2014-05-17 16:10:41 +00:00
wiz
a1f0ff3f67 No need to have two variables for the same logic.
Replace PYTHON_PATCH_SCRIPTS with REPLACE_PYTHON.
2014-01-25 10:45:15 +00:00
asau
1a433eae91 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-23 18:16:19 +00:00
obache
2cd654bab6 Bump PKGREVISION from default python to 2.7. 2012-03-15 11:53:20 +00:00
joerg
3a06eb96bf Bump revision for PYTHON_VERSION_DEFAULT change. 2010-02-10 19:17:31 +00:00
joerg
b7f3604848 DESTDIR support 2010-01-27 16:52:13 +00:00
joerg
3c645bb7fc Switch to Python 2.5 as default. Bump revision of all packages that have
changed runtime dependencies now.
2009-02-09 22:56:21 +00:00
adrianp
71bd3f9136 Update to 1.27
2007-01-16 David A. Wheeler <dwheeler, at, dwheeler.com>
* Release version 1.27

2007-01-16 Sebastien Tandel <sebastien, at, tandel (doht) be)
* Cleaned up code for patch handling, fix bug in subdir handling,
include patch info in help.

2007-01-15 Steve Kemp <steve at shellcode dot org>
* Fix Debian bug 268236.
This complains that flawfinder crashes when presented with a
file it cannot read.  The patch obviously can't prevent
the problem, since the tool can't review what it can't read,
but at least it halts with a cleaner error message.

2007-01-15 cmorgan <cmorgan47, at earthlink dooot net>
* Fixed Debian bug 271287 (flawfinder).
Fixed skipping newlines when line ended with \,
which caused incorrect line number reporting.
Skip multiple whitespace at one time.

2007-01-15 David A. Wheeler <dwheeler, at, dwheeler.com>
* Modified Sebastien Tandel's code so that it also supports GNU diff
(his code worked only for svn diff)
* When using a patchfile, skip analysis of any file not
listed in the patchfile.

2007-01-15 Sebastien Tandel <sebastien, at, tandel (doht) be)
* Add support for using "svn diff" created patch files, based
on the approach described by David A. Wheeler on how it
could be done.

2007-01-15 David A. Wheeler <dwheeler, at, dwheeler.com>
* By default, now skips directories beginning with "."
(this makes it work nicely with many SCM systems).
Added "--followdotdir" option if you WANT it to enter
such directories.
* Fixed divide-by-zero when no code found (not exactly common
in normal use, but anyway!)
2007-01-17 21:48:25 +00:00
rillig
34a9ff2e26 Fixed PKGMANDIR. 2006-12-02 16:01:45 +00:00
jlam
9c8b5ede43 Point MAINTAINER to pkgsrc-users@NetBSD.org in the case where no
developer is officially maintaining the package.

The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list).  Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
2006-03-04 21:28:51 +00:00
rillig
5740707b65 Fixed all pkglint warnings. 2006-02-15 13:43:35 +00:00
joerg
5911def816 Recursive revision bump / recommended bump for gettext ABI change. 2006-02-05 23:08:03 +00:00
rillig
5946936ffc Replaced "# defined" with "yes" in Makefile variables like GNU_CONFIGURE,
NO_BUILD, USE_LIBTOOL.
2005-09-28 20:52:18 +00:00
jlam
e46a9dd380 Create directories before installing files into them. 2005-06-17 03:50:19 +00:00
agc
d81d19f8e0 Add RMD160 digests. 2005-02-24 12:51:41 +00:00
snj
24d928e694 Update flawfinder to 1.26. Don't set PY_PATCHPLIST, as it is useless.
Don't include python/extension.mk, as it is also useless.  Don't set
NO_CONFIGURE, because it makes PYTHON_PATCH_SCRIPTS useless.  Don't set
MAKEFILE, as we don't actually use the included makefile for anything.

Changes since 1.24:
* Added more support for Microsoft's approach to internationalization.
* Added two new rules for GLib functions, "g_get_home_dir" and
  g_get_tmp_dir".
* Added curl_getenv().
* Added several rules for input functions (for -I) -
  recv, recvfrom, recvmsg, fread, and readv.
* Tightened the false positive test slightly; if a name is
  followed by = or - or + it's unlikely to be a function call,
  so it'll be quietly discarded.
* Modified the summary report format slightly.
* Modified the getpass text to remove an extraneous character.
* Added rules for cuserid, getlogin, getpass, mkstemp, getpw, memalign,
  as well as the obsolete functions gsignal, ssignal, ulimit, usleep.
* Modified text for strncat to clarify it.
* Fixed error in --columns format, so that the output is simply
  "filename:linenumber:columnnumber" when --columns (-C) is used.
* Eliminated "Number of" phrase in the footer report
* Added more statistical information to the footer report.
* Added shortcut single-letter commands (-D for --dataonly,
  -Q for --quiet, -C for --columns), so that invoking from
  editors is easier.
* Tries to autoremove some false positives.  In particular, a function
  name followed immediately by "=" (ignoring whitespace)
  is automatically considered to be a variable and NOT a function,
  and thus doesn't register as a hit.  There are exotic cases
  where this won't be correct, but they're pretty unlikely in
  real code.
* Added a "--falsepositive" (-F) option, which tries to remove
  many more likely false positives.
2004-06-23 16:19:41 +00:00
wiz
eeb4a8a94f Update to 1.24:
2003-10-29 David A. Wheeler
        * Fixed an incredibly obscure parsing error that caused some
          false positives.  If a constant C string, after the closing
          double-quote, is followed by a \ and newline (instead of a comma),
          the string might not be recognized as a constant string
          (thus triggering warnings about non-constant values in some cases).
          This kind of formatting is quite ugly and rare.
          My thanks to Sascha Nitsch (sascha, at spsn.ath.cx) for pointing
          this bug out and giving me a test case to work with.
        * Added a warning for readlink.  The implementation and warning
          are mine, but the idea of warning about readlink came from
           Stefan Kost (kost, at imn.htwk-leipzig.de).  Thanks!!

2003-09-27 David A. Wheeler
        * Released version 1.23.  Minor bugfixes.

2003-09-27 David A. Wheeler
        * Fixed subtle bug - in some circumstances single character constants
          wouldn't be parsed correctly.  My thanks to Scott Renfro
          <scottdonotspam, at renfro.org> for notifying me about this bug.
          Scott Renfro also sent me a patch; I didn't use it
          (the patch didn't handle other cases), but I'm grateful since it
          illustrated the problem.
        * Fixed documentation bug in man page.
          The option "--minlevel=X" must be preceded by two dashes,
          as are all GNU-style long options. The man page accidentally only
          had one dash in the summary (it was correct elsewhere); it now
          correctly shows both dashes.
        * Modified man page to list filename extensions that are
          interpreted as C/C++.
        * Removed index.html from distribution - it's really only for the
          website.
2004-02-14 14:21:17 +00:00
martti
8cee801716 COMMENT should start with a capital letter. 2003-07-21 17:10:16 +00:00
grant
ca3be631f2 s/netbsd.org/NetBSD.org/ 2003-07-17 22:50:55 +00:00
jschauma
e366d0c694 Use tech-pkg@ in favor of packages@ as MAINTAINER for orphaned packages.
Should anybody feel like they could be the maintainer for any of thewe packages,
please adjust.
2003-06-02 01:15:31 +00:00
wiz
bcfe715990 Update to 1.22.
This release changes the output format slightly to improve integration with
other tools, and improves the RPM packaging.
2003-03-09 18:11:05 +00:00
wiz
cc40e08ca9 Update to 1.21:
* Improved the default output so it creates multiple formatted lines
          instead of single very long lines for each hit.
          Use the new "--singleline" (-S) option to get the original
          "long line" format.
        * Removed duplicate "getpass" entry in the ruleset;
          this didn't hurt anything, but was unnecessary.
          Thanks to the user who gave me that feedback, wish I'd kept your
          email address so I could credit you properly :-).
        * Added a short tutorial to man page.
        * Fixed initial upper/lower case on many entries in the ruleset.
        * Allow "--input" as a synonym for "--inputs".
2002-09-23 15:19:37 +00:00
jlam
e44bf515dc Strip the ".buildlink" from the names of the python application and
extension Makefile fragments, because they really don't have anything to
do with the buildlink[12] frameworks.  Change all the Makefiles that use
application.buildlink.mk and extension.buildlink.mk to use application.mk
and extension.mk instead.
2002-09-21 23:46:45 +00:00
wiz
635997e19e Initial import of flawfinder-1.20.
flawfinder is a program that examines source code and reports
possible security weaknesses (``flaws'') sorted by risk level. It's
very useful for quickly finding and removing at least some potential
security problems before a program is widely released to the public.
2002-07-14 13:02:23 +00:00