Thursday, October 20, 2016

Fuzzy Assessment: Part 2 - Knowing your way in the SWAMP

The previous post introduced the SWAMP to perform a software assessment on OpenSSH 4.3. The motivation was to see whether modern tools and processes in 2016 could automatically identify the issues that the book called out from manual analysis in 2006. As we saw in the last post, a “next next run” process of adding a package and performing an assessment did not produce helpful results.

Let’s take a deeper look at the process to understand more of what is going on. This post will go over the files needed for the build process, explain why more commands are needed in the build process, and change the build process from the recommendation.


Section 1: Let’s take a look under the hood

  1. As we saw in the previous post, when we built the package, the wizard told us to fly, you fools. No. The wizard told us that there was no “Makefile”, and the failure report we received after the assessment also indicated that there was no “Makefile”.
  2. The installation instructions from OpenSSH said all we needed to do was, “./configure; make; make install”. At a high level, this process gathers up the various source code files and produces a working binary. Let’s do a level set. Let’s find a “configure” and “makefile” in the OpenSSH directory.
  3. Browse in the file system the folder containing the extracted OpenSSH contents. Or, unzip the OpenSSH 4.3 zip file if you haven’t already.
  4. Here we see that there is no regular “configure”


  5. Here we see that there is no regular “makefile”



  6. Those files are like that because... reasons. No. The “configure” script and the “Makefile” are not shipped as-is for portability reasons: they are generated on each platform from the templates in the source tree. The previous post was a run-through of the entire process to get familiar with how things work. We need to understand why the files are like that and how to work with them.
  7. The three articles below really helped me to understand why the commands in the next section need to be run against the files in the OpenSSH directory.

    https://robots.thoughtbot.com/the-magic-behind-configure-make-make-install

    http://www.ifnamemain.com/posts/2014/Mar/13/autoconf_automake/

    http://markuskimius.wikidot.com/programming:tut:autotools:1
  8. From the above links, we need to do the following:

    autoconf

    ./configure

    make

    make install
  9. Let’s add these options in the SWAMP in the next section.
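To make the dependency chain behind those four commands concrete, here is an added example (not from the original post and not part of the SWAMP or OpenSSH projects) that inspects a source tree and prints the command sequence it needs: a tree with only a configure template needs autoconf first, a tree that ships a configure script needs only ./configure, and a tree that already has a Makefile needs only make. The function name build_plan and the directory layout are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the SWAMP/OpenSSH
# projects. It encodes the chain the post describes:
#   configure.ac --(autoconf)--> configure --(./configure)--> Makefile --(make)--> binary
# build_plan DIR prints the command sequence DIR needs, or returns 1 with a
# message on stderr if DIR does not look like an autotools source tree.

build_plan() {
    dir="$1"
    plan=""
    if [ -f "$dir/Makefile" ]; then
        # Already configured: the plain "make" preset from the previous post is enough.
        plan="make; make install"
    elif [ -f "$dir/configure" ] && [ -f "$dir/Makefile.in" ]; then
        # A configure script ships with the tree: SWAMP's "configure+make" default works.
        plan="./configure; make; make install"
    elif [ -f "$dir/configure.ac" ] || [ -f "$dir/configure.in" ]; then
        # Only the autoconf template is present (the OpenSSH 4.3 case):
        # configure must be generated before it can turn Makefile.in into Makefile.
        if [ ! -f "$dir/Makefile.in" ]; then
            echo "build_plan: warning: $dir has no Makefile.in; ./configure will not produce a Makefile" >&2
        fi
        plan="autoconf; ./configure; make; make install"
    else
        echo "build_plan: $dir has no Makefile, configure, or configure.ac" >&2
        return 1
    fi
    printf '%s\n' "$plan"
}

# Demonstration on a constructed tree that mimics what we found in the
# OpenSSH 4.3 directory: a configure template and a Makefile.in, but no
# configure script and no Makefile.
demo_dir=$(mktemp -d)
touch "$demo_dir/configure.ac" "$demo_dir/Makefile.in"
echo "Build plan for a tree shaped like OpenSSH 4.3:"
build_plan "$demo_dir"
rm -rf "$demo_dir"
```

The printed plan for the OpenSSH-shaped tree is exactly the sequence entered into the SWAMP build settings in the next section (autoconf in the configure settings, make install appended to the build options); the other branches show why the “make” preset used in the previous post could not work on this tree.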


Section 2: Let’s change it up in the SWAMP

  1. Log into the SWAMP at https://www.mir-swamp.org
  2. Click on “Packages”
  3. Click on the name of the package. In this instance we’re using “OpenSSH 4.3 blog”.
  4. Scroll to the bottom to see the version 4.3
  5. Click on the number. This is an instance where changing the build process is not very intuitive at first.


  6. Click “Build”


  7. Scroll to the bottom and click “Edit Build Info”

  8. Change the build drop down from “make” to “configure+make”


  9. Now we will get additional fields to play with to change the “configure” process and the “build” process
  10. As a quick peek, scroll to the bottom to see what would run if we stopped here


  11. With the auto-populated things in place now (./configure and make), we just need to add “autoconf” and “make install”
  12. Scroll to the top to the “Configure settings” section


  13. Add in “autoconf; “ before “./configure” as below


  14. At the top, click “Build” to configure this part of the build process
  15. Scroll down to the newly popped out “Build section”


  16. Add in “; make install” in the “Build options” text box


  17. If we scroll to the bottom, we see our new build process

  18. Click “Save Build Info”. Sometimes, I’ve found I need to click this button twice for it to save and progress to the next window.

  19. Running autoconf generates the necessary “configure” script. Running that configure script then processes “Makefile.in” and produces the Makefile that the rest of the build process needs to continue.
  20. Click “Details”


  21. Click “Run New Assessment”


  22. Change the platform to “Red Hat Enterprise Linux 32-bit”, then click “Save and Run”


  23. Check the box if you want to receive email notifications and click “Run Now”


  24. Click “OK” in the notification window
  25. The “Auto refresh” check box may already be checked, but wait for the assessment to pass or fail


  26. Unfortunately, this build will fail as well. But, we are getting closer! :)


  27. Click on the “!” exclamation point on the Clang line
  28. We can see that we get much farther in the process with the automatically generated ./configure script. However, ./configure itself now reports an error.

    <long section of similar output>
  29. The next posts will address this issue and additional errors that we will run into the farther we get into this process. However, once we resolve these issues, OpenSSH will be built correctly and we will see the results of our work!
