Dobby
Static analyzer library for DPKG-versioned packages.
This tool takes a set of versioned packages and compares those versions against a source of version vulnerability information. The tool can implement arbitrary strategies to this end, and at Meraki helps to answer these questions:
On the current system or across all of our servers, which packages on those servers are impacted by published vulnerabilities?
Of the packages with published vulnerabilities, which have fix versions currently available in the repository upstream, and what are those fix versions for each distribution?
If a process is running version 1 of a service, and version 2 is installed on the system, which vulnerabilities (if any) are addressed by a service restart?
For building the package set, included is DpkgStatusFile
, which by default builds
a package set from /var/lib/dpkg/status
, but can read and parase any similarly
formatted file.
For vulnerability information source, two strategies are included:
VulnSource::Debian
: Retrieve CVE/etc information from the Debian Security Tracker.VulnSource::Ubuntu
: Checkout and parse the Ubuntu Security Tracker using bzr.
Initializing the vulnerability database can be expensive in time, bandwidth and space. It is recommended that you initialize only a single vulnerability database for processing multiple package sets.
Usage
As a gem:
require 'dobby'
package_set = []
[file1, file2].each do |f|
package_set << Dobby::PackageSource::DpkgStatusFile.new(file_path: f)
end
strategy = Dobby::VulnSource::Debian.new
database = Dobby::Database.new(strategy)
scanner = Dobby::Scanner.new(nil, database)
package_set.each do |package_source|
packages = package_source.parse
scanner.packages = packages
puts scanner.scan
end
From the command line:
# Output issues for the current system as pretty text to stdout
dobby /var/lib/dpkg/status
# ... and also write issues as JSON to file.json
dobby -f simple -f json -o file.json /var/lib/dpkg/status
# Show issues for multiple files
dobby file1 file2 file3
As a gem with a custom output formatter:
# my_custom_executor.rb
require 'dobby'
require 'my/custom/formatter'
cli = Dobby::CLI.new
cli.run
# CLI:
my_custom_executor.rb -f My::Custom::Formatter /var/lib/dpkg/status
Compatibility
Dobby supports the following Ruby implementations:
- MRI 2.2
- MRI 2.3
- MRI 2.4
- MRI 2.5
- MRI trunk
Building
rake build
Contributing
If you have found a bug or have a feature idea, take a look at the contribution guidelines.
Changelog
The changelog is available here.
License
The gem is available as open source under the terms of the MIT License.