Fanjun Kong
138 lines
3.2 KiB
Bash
Executable File
138 lines
3.2 KiB
Bash
Executable File
#!/bin/bash
|
|
set -euo pipefail
|
|
|
|
source "$(dirname "$0")/config.sh"
|
|
|
|
log() {
|
|
printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" | tee -a "$LOG_FILE"
|
|
}
|
|
|
|
error() {
|
|
printf '[ERROR] %s\n' "$*" | tee -a "$ERROR_LOG" >&2
|
|
}
|
|
|
|
validate_config() {
|
|
local errors=0
|
|
|
|
if [ -z "${WORK_DIR:-}" ]; then
|
|
error "WORK_DIR 未设置"
|
|
errors=$((errors + 1))
|
|
fi
|
|
|
|
if [ -z "${DB_FILE:-}" ]; then
|
|
error "DB_FILE 未设置"
|
|
errors=$((errors + 1))
|
|
fi
|
|
|
|
if [ -z "${REPO_ARCH:-}" ]; then
|
|
error "REPO_ARCH 未设置"
|
|
errors=$((errors + 1))
|
|
fi
|
|
|
|
if [[ ! "${PARALLEL_JOBS:-}" =~ ^[0-9]+$ ]] || [ "${PARALLEL_JOBS:-0}" -le 0 ]; then
|
|
error "PARALLEL_JOBS 必须是大于 0 的数字"
|
|
errors=$((errors + 1))
|
|
fi
|
|
|
|
if [[ ! "${DOWNLOAD_TIMEOUT:-}" =~ ^[0-9]+$ ]] || [ "${DOWNLOAD_TIMEOUT:-0}" -le 0 ]; then
|
|
error "DOWNLOAD_TIMEOUT 必须是大于 0 的数字"
|
|
errors=$((errors + 1))
|
|
fi
|
|
|
|
if [ $errors -gt 0 ]; then
|
|
error "发现 $errors 个配置错误,请检查 config.sh"
|
|
exit 1
|
|
fi
|
|
|
|
log "配置验证通过"
|
|
}
|
|
|
|
init_workspace() {
|
|
log "初始化工作空间: $WORK_DIR"
|
|
mkdir -p "$RPM_CACHE_DIR" "$EXTRACT_DIR" "$RESULTS_DIR"
|
|
}
|
|
|
|
# 初始化数据库
|
|
init_database() {
|
|
log "初始化数据库: $DB_FILE"
|
|
sqlite3 "$DB_FILE" <<'EOF'
|
|
CREATE TABLE IF NOT EXISTS packages (
|
|
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
|
name TEXT NOT NULL,
|
|
version TEXT,
|
|
release TEXT,
|
|
arch TEXT,
|
|
scan_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
|
|
status TEXT,
|
|
UNIQUE(name, version, release, arch)
|
|
);
|
|
|
|
CREATE TABLE IF NOT EXISTS binaries (
|
|
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
|
package_id INTEGER,
|
|
file_path TEXT,
|
|
file_type TEXT,
|
|
inode INTEGER,
|
|
FOREIGN KEY (package_id) REFERENCES packages(id)
|
|
);
|
|
|
|
CREATE TABLE IF NOT EXISTS security_checks (
|
|
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
|
binary_id INTEGER,
|
|
pie TEXT,
|
|
nx TEXT,
|
|
canary TEXT,
|
|
fortify TEXT,
|
|
relro TEXT,
|
|
bind_now TEXT,
|
|
FOREIGN KEY (binary_id) REFERENCES binaries(id)
|
|
);
|
|
|
|
CREATE INDEX IF NOT EXISTS idx_package_name ON packages(name);
|
|
CREATE INDEX IF NOT EXISTS idx_binary_path ON binaries(file_path);
|
|
CREATE INDEX IF NOT EXISTS idx_package_status ON packages(status);
|
|
EOF
|
|
}
|
|
|
|
# 获取包列表(预筛选)
|
|
fetch_package_list() {
|
|
local output_file="${WORK_DIR}/packages.list"
|
|
log "获取 ${REPO_ARCH} 架构的包列表..."
|
|
|
|
dnf repoquery --arch "$REPO_ARCH" --qf '%{name}-%{version}-%{release}.%{arch}\n' \
|
|
> "$output_file"
|
|
|
|
local count=$(wc -l < "$output_file")
|
|
log "找到 $count 个包"
|
|
echo "$output_file"
|
|
}
|
|
|
|
# 检查依赖
|
|
check_dependencies() {
|
|
local deps=(dnf sqlite3 parallel checksec rpm2cpio file stat)
|
|
local missing=()
|
|
|
|
for cmd in "${deps[@]}"; do
|
|
if ! command -v "$cmd" &>/dev/null; then
|
|
missing+=("$cmd")
|
|
fi
|
|
done
|
|
|
|
if [ ${#missing[@]} -gt 0 ]; then
|
|
error "缺少依赖: ${missing[*]}"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
main() {
|
|
log "=== RPM 安全扫描系统初始化 ==="
|
|
validate_config
|
|
check_dependencies
|
|
init_workspace
|
|
init_database
|
|
fetch_package_list
|
|
log "初始化完成"
|
|
}
|
|
|
|
main "$@"
|