
Missing package in tutorial. "Make" generates a lot of noise. Drop root user requirement. #55

Open
daniela-waranie opened this issue Apr 23, 2021 · 3 comments

Comments

@daniela-waranie

I followed this tutorial: https://github.com/sjvermeu/cvechecker/wiki/Installation#manual-any-linux-distribution

$ sudo apt-get install -y sqlite3 libconfig-dev libsqlite3-dev autoconf xsltproc
# ...
$ git clone https://github.com/sjvermeu/cvechecker.git
# ...
$ cd cvechecker
$ autoreconf --force --install
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking Determining host operating system... Linux
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for unistd.h... (cached) yes
checking argp.h usability... yes
checking argp.h presence... yes
checking for argp.h... yes
checking for string.h... (cached) yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for gethostname... yes
checking for memset... yes
checking for regcomp... yes
checking for strchr... yes
checking for strrchr... yes
checking for strstr... yes
checking for strlcpy... no
checking for BSD... no
configure: error: Package requirements (libbsd) were not met:

No package 'libbsd' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables BSD_CFLAGS
and BSD_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

Looks like package libbsd-dev is missing in your list:
sudo apt-get install libbsd-dev

BTW: I dropped MySQL support:

$ ./configure --enable-sqlite3 
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking Determining host operating system... Linux
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for unistd.h... (cached) yes
checking argp.h usability... yes
checking argp.h presence... yes
checking for argp.h... yes
checking for string.h... (cached) yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for gethostname... yes
checking for memset... yes
checking for regcomp... yes
checking for strchr... yes
checking for strrchr... yes
checking for strstr... yes
checking for strlcpy... no
checking for BSD... yes
checking for size_t... yes
configure: WARNING: Please make sure pkg-config is installed and autoreconf run
checking for BSD... yes
checking for CONFIG... yes
checking for SQLITE3... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating data/Makefile
config.status: creating conf/Makefile
config.status: creating scripts/Makefile
config.status: creating docs/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands

But make produces a lot of noise:

$ make
make  all-recursive
make[1]: Entering directory '/home/dani/dev/cvechecker'
Making all in src
make[2]: Entering directory '/home/dani/dev/cvechecker/src'
depbase=`echo cvecheck.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
gcc -DHAVE_CONFIG_H -I. -I..  -D_USE_SQLITE3    -g -O2   -MT cvecheck.o -MD -MP -MF $depbase.Tpo -c -o cvecheck.o cvecheck.c &&\
mv -f $depbase.Tpo $depbase.Po
depbase=`echo swstring.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
gcc -DHAVE_CONFIG_H -I. -I..  -D_USE_SQLITE3    -g -O2   -MT swstring.o -MD -MP -MF $depbase.Tpo -c -o swstring.o swstring.c &&\
mv -f $depbase.Tpo $depbase.Po
depbase=`echo output/stringscmd.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
gcc -DHAVE_CONFIG_H -I. -I..  -D_USE_SQLITE3    -g -O2   -MT output/stringscmd.o -MD -MP -MF $depbase.Tpo -c -o output/stringscmd.o output/stringscmd.c &&\
mv -f $depbase.Tpo $depbase.Po
depbase=`echo sqlite3/sqlite3_impl.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
gcc -DHAVE_CONFIG_H -I. -I..  -D_USE_SQLITE3    -g -O2   -MT sqlite3/sqlite3_impl.o -MD -MP -MF $depbase.Tpo -c -o sqlite3/sqlite3_impl.o sqlite3/sqlite3_impl.c &&\
mv -f $depbase.Tpo $depbase.Po
sqlite3/sqlite3_impl.c: In function ‘sqlite_dbimpl_load_databases’:
sqlite3/sqlite3_impl.c:318:23: warning: ‘main.db’ directive writing 7 bytes into a region of size between 1 and 256 [-Wformat-overflow=]
  318 |   sprintf(buffer2, "%smain.db", buffer);
      |                       ^~~~~~~
In file included from /usr/include/stdio.h:867,
                 from sqlite3/../swstring.h:2,
                 from sqlite3/sqlite3_impl.h:6,
                 from sqlite3/sqlite3_impl.c:1:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:36:10: note: ‘__builtin___sprintf_chk’ output between 8 and 263 bytes into a destination of size 256
   36 |   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   37 |       __bos (__s), __fmt, __va_arg_pack ());
      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sqlite3/sqlite3_impl.c:340:29: warning: ‘%d’ directive writing between 1 and 3 bytes into a region of size between 0 and 255 [-Wformat-overflow=]
  340 |       sprintf(buffer2, "%s%c%d.db", buffer, partchar[c], i);
      |                             ^~
sqlite3/sqlite3_impl.c:340:24: note: directive argument in the range [1, 128]
  340 |       sprintf(buffer2, "%s%c%d.db", buffer, partchar[c], i);
      |                        ^~~~~~~~~~~
In file included from /usr/include/stdio.h:867,
                 from sqlite3/../swstring.h:2,
                 from sqlite3/sqlite3_impl.h:6,
                 from sqlite3/sqlite3_impl.c:1:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:36:10: note: ‘__builtin___sprintf_chk’ output between 6 and 263 bytes into a destination of size 256
   36 |   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   37 |       __bos (__s), __fmt, __va_arg_pack ());
      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sqlite3/sqlite3_impl.c: In function ‘find_cpe_for_software’:
sqlite3/sqlite3_impl.c:1034:22: warning: ‘0)’ directive writing 2 bytes into a region of size between 1 and 4096 [-Wformat-overflow=]
 1034 |   sprintf(inset2, "%s0)", inset1);
      |                      ^~
In file included from /usr/include/stdio.h:867,
                 from sqlite3/../swstring.h:2,
                 from sqlite3/sqlite3_impl.h:6,
                 from sqlite3/sqlite3_impl.c:1:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:36:10: note: ‘__builtin___sprintf_chk’ output between 3 and 4098 bytes into a destination of size 4096
   36 |   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   37 |       __bos (__s), __fmt, __va_arg_pack ());
      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sqlite3/sqlite3_impl.c:1031:26: warning: ‘,’ directive writing 1 byte into a region of size between 0 and 4095 [-Wformat-overflow=]
 1031 |     sprintf(inset2, "%s%d,", inset1, cpeid);
      |                          ^
In file included from /usr/include/stdio.h:867,
                 from sqlite3/../swstring.h:2,
                 from sqlite3/sqlite3_impl.h:6,
                 from sqlite3/sqlite3_impl.c:1:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:36:10: note: ‘__builtin___sprintf_chk’ output between 3 and 4108 bytes into a destination of size 4096
   36 |   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   37 |       __bos (__s), __fmt, __va_arg_pack ());
      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
depbase=`echo dummy/dummy_mysql.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
gcc -DHAVE_CONFIG_H -I. -I..  -D_USE_SQLITE3    -g -O2   -MT dummy/dummy_mysql.o -MD -MP -MF $depbase.Tpo -c -o dummy/dummy_mysql.o dummy/dummy_mysql.c &&\
mv -f $depbase.Tpo $depbase.Po
gcc  -g -O2     -o cvechecker cvecheck.o swstring.o output/stringscmd.o sqlite3/sqlite3_impl.o dummy/dummy_mysql.o  -lconfig -lbsd -lsqlite3
make[2]: Leaving directory '/home/dani/dev/cvechecker/src'
Making all in data
make[2]: Entering directory '/home/dani/dev/cvechecker/data'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/dani/dev/cvechecker/data'
Making all in conf
make[2]: Entering directory '/home/dani/dev/cvechecker/conf'
rm -f cvechecker.conf cvechecker.conf.tmp
srcdir=''; \
  test -f ./cvechecker.conf.in || srcdir=./; \
  sed -e 's|@localstatedir[@]|/usr/local/var|g' -e 's|@pkgdatadir[@]|/usr/local/share/cvechecker|g' ${srcdir}cvechecker.conf.in > cvechecker.conf.tmp
chmod a-w cvechecker.conf.tmp
mv cvechecker.conf.tmp cvechecker.conf
make[2]: Leaving directory '/home/dani/dev/cvechecker/conf'
Making all in scripts
make[2]: Entering directory '/home/dani/dev/cvechecker/scripts'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/dani/dev/cvechecker/scripts'
Making all in docs
make[2]: Entering directory '/home/dani/dev/cvechecker/docs'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/dani/dev/cvechecker/docs'
make[2]: Entering directory '/home/dani/dev/cvechecker'
make[2]: Leaving directory '/home/dani/dev/cvechecker'
make[1]: Leaving directory '/home/dani/dev/cvechecker'

Is that ok?

My System:

  • non-root user
  • Ubuntu 20.04

Make

$ make -v
GNU Make 4.2.1
Built for x86_64-pc-linux-gnu
Copyright (C) 1988-2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
@daniela-waranie (Author)

While it is ok to run make install and make postinstall with sudo, I see no reason why cvechecker or pullcves should run as root user.

Please store DB in users home dir instead of: /usr/local/var/cvschecker/local/main.db

daniela-waranie changed the title from "Missing package in tutorial. "Make" generates a lot of noise." to "Missing package in tutorial. "Make" generates a lot of noise. Drop root user requirement." on Apr 23, 2021
@sjvermeu (Owner)

sjvermeu commented May 8, 2021

The root requirement is only for the installation. The installation preferably creates a machine account to run the command with. The command needs read privileges on the system (or at least on the installed software locations) which often doesn't require privileged authorizations, and write privileges towards its on-system database.

While you can also just run cvechecker from an end user perspective, that isn't the main intention. You can integrate cvechecker with your software installation tool (cfr the instructions for Gentoo Linux) where it updates the database after every package installation to always reflect the current state. Another way is to execute the checks through a scheduler of some sort (like cron) from a system perspective. Hence why the tool isn't by default suggested to be an end user tool - but there is nothing prohibiting you from installing it as such.

As for the noise (well, not noise - QA and other quality indicators), I'll have a look at those and fix the code where possible.

@sjvermeu (Owner)

sjvermeu commented May 8, 2021

I've added the libbsd-dev requirement in the installation instructions.

As for the quality warnings from the compiler, the majority of these have been resolved. The ones you refer to do remain for now, so I'm going to leave this issue open while I ponder how to resolve that. I do think that all copy operations take the field sizes into account, and the code will indeed truncate the output if it goes beyond the maximum field size. If it is truncated, the internal SQL command that it invokes towards sqlite will be incorrect and the application will fail.

To fix this properly, I will need to make sure the dynamic SQL statement is length-wise guaranteed to remain within its bounds, which is hard as it is built up based on the user's current database. It isn't impossible to rewrite the code to deal with that, but requires a bit of thought.

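The `-Wformat-overflow` warnings in the build log above and the maintainer's last comment both concern the same pattern: a SQL id list assembled with `sprintf(inset2, "%s%d,", ...)` and closed with `"%s0)"` into a fixed 4096-byte buffer, where silent truncation produces a malformed statement. The following is an added example written for this page, not cvechecker's own code; the function names, the `IN (` prefix and the exact list layout are assumptions used to illustrate two bounded ways of building such a list, one that detects truncation in a fixed buffer and one that sizes the buffer from the data first.

```c
/* Added example (not cvechecker code): bounded construction of a dynamic
 * "IN (id,id,...,0)" list, the shape suggested by the warnings above.
 * Both variants avoid unchecked sprintf() into a fixed-size buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variant 1: fixed buffer, but every write is bounded and its return value
 * checked. Returns 0 on success, -1 if the clause would not fit; on failure
 * the buffer is emptied so a truncated statement can never reach sqlite. */
int build_in_clause_fixed(char *buf, size_t cap, const int *ids, size_t n)
{
    size_t len;
    int w;
    if (cap == 0) return -1;
    buf[0] = '\0';
    w = snprintf(buf, cap, "IN (");
    if (w < 0 || (size_t)w >= cap) goto fail;
    len = (size_t)w;
    for (size_t i = 0; i < n; i++) {
        /* snprintf returns the length it *wanted* to write; >= space left
         * means it was cut off, which plain sprintf() would never report. */
        w = snprintf(buf + len, cap - len, "%d,", ids[i]);
        if (w < 0 || (size_t)w >= cap - len) goto fail;
        len += (size_t)w;
    }
    w = snprintf(buf + len, cap - len, "0)");
    if (w < 0 || (size_t)w >= cap - len) goto fail;
    return 0;
fail:
    buf[0] = '\0';
    return -1;
}

/* Variant 2: measure first, then allocate exactly what is needed, so the
 * result is length-correct no matter how many ids the database holds.
 * Caller frees *out. Returns 0 on success, -1 on allocation failure. */
int build_in_clause_dyn(const int *ids, size_t n, char **out)
{
    size_t need = strlen("IN (") + strlen("0)") + 1;   /* +1 for NUL */
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(NULL, 0, "%d,", ids[i]);      /* dry run: size only */
        if (w < 0) return -1;
        need += (size_t)w;
    }
    char *buf = malloc(need);
    if (!buf) return -1;
    size_t len = (size_t)snprintf(buf, need, "IN (");
    for (size_t i = 0; i < n; i++)
        len += (size_t)snprintf(buf + len, need - len, "%d,", ids[i]);
    snprintf(buf + len, need - len, "0)");
    *out = buf;
    return 0;
}

int main(void)
{
    /* constructed sample ids; a 16-byte buffer is one byte too small */
    int ids[] = {7, 42, 1999};
    char small[16], big[64], *dyn = NULL;
    printf("fixed/16: %d\n", build_in_clause_fixed(small, sizeof small, ids, 3));
    printf("fixed/64: %d -> %s\n", build_in_clause_fixed(big, sizeof big, ids, 3), big);
    if (build_in_clause_dyn(ids, 3, &dyn) == 0) { printf("dyn: %s\n", dyn); free(dyn); }
    return 0;
}
```

The point of variant 1 is that the failure is reported to the caller instead of being discovered later as a broken SQL statement; variant 2 is the approach the maintainer describes, guaranteeing the length from the data rather than hoping a fixed size is enough. Because only integers are formatted with `%d`, this is a bounds question rather than an injection one; anything string-valued would still belong in a bound parameter, not in the statement text.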