From d0a837056f77c45a7ce7aebbdcbba8d541edbdbd Mon Sep 17 00:00:00 2001 From: Olivier Mehani Date: Thu, 1 Sep 2016 10:49:19 +1000 Subject: [PATCH 1/9] [debsecan] Better label wording Signed-off-by: Olivier Mehani --- plugins/system/debsecan | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/plugins/system/debsecan b/plugins/system/debsecan index 6d1ffb4d..1dba81f7 100755 --- a/plugins/system/debsecan +++ b/plugins/system/debsecan @@ -34,27 +34,27 @@ graph_args -l 0 --base 1000 graph_vlabel number of CVE graph_category system graph_period second -graph_info This graph show the number of known vulnerabilities present on your system. Use debsecan to see detail. +graph_info This graph show the number of known vulnerabilities present on your system. Use debsecan to see details. high.label high high.type GAUGE high.max 50000 high.min 0 -high.info The number CVE marked high high priority +high.info The number of CVEs marked high priority medium.label medium medium.type GAUGE medium.max 50000 medium.min 0 -medium.info The number CVE marked medium high priority +medium.info The number of CVEs marked medium priority low.label low low.type GAUGE low.max 50000 low.min 0 -low.info The number CVE marked low high priority +low.info The number of CVEs marked low priority other.label other other.type GAUGE other.max 50000 other.min 0 -other.info The number CVE with unspecified priority +other.info The number of CVEs with unspecified priority EOF_ exit 0 fi From 87f5a74ec85240107432c189119d3756e21df4e6 Mon Sep 17 00:00:00 2001 From: Olivier Mehani Date: Thu, 1 Sep 2016 10:50:00 +1000 Subject: [PATCH 2/9] [debsecan] Use temp filename rather than PID-derived Signed-off-by: Olivier Mehani --- plugins/system/debsecan | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/plugins/system/debsecan b/plugins/system/debsecan index 1dba81f7..b0b27e9d 100755 --- a/plugins/system/debsecan +++ b/plugins/system/debsecan 
@@ -59,11 +59,12 @@ EOF_ exit 0 fi -debsecan 2> /dev/null > /tmp/debsecan.munin.$$ -high=`grep -c 'high urgency' /tmp/debsecan.munin.$$` -medium=`grep -c 'medium urgency' /tmp/debsecan.munin.$$` -low=`grep -c 'low urgency)' /tmp/debsecan.munin.$$` -other=`grep -c -v -e 'low urgency' -e 'medium urgency' -e 'high urgency' /tmp/debsecan.munin.$$` +OUT=`mktemp -t debescan.XXXXXX` +debsecan 2> /dev/null > ${OUT} +high=`grep -c 'high urgency' ${OUT}` +medium=`grep -c 'medium urgency' ${OUT}` +low=`grep -c 'low urgency)' ${OUT}` +other=`grep -c -v -e 'low urgency' -e 'medium urgency' -e 'high urgency' ${OUT}` cat < Date: Thu, 1 Sep 2016 10:50:19 +1000 Subject: [PATCH 3/9] [debsecan] Use stacked areas, and colour-code urgency Signed-off-by: Olivier Mehani --- plugins/system/debsecan | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/plugins/system/debsecan b/plugins/system/debsecan index b0b27e9d..4cbf40ba 100755 --- a/plugins/system/debsecan +++ b/plugins/system/debsecan @@ -36,23 +36,27 @@ graph_category system graph_period second graph_info This graph show the number of known vulnerabilities present on your system. Use debsecan to see details. high.label high +high.colour FF0000 high.type GAUGE -high.max 50000 +high.draw AREASTACK high.min 0 high.info The number of CVEs marked high priority medium.label medium +medium.colour FFA500 medium.type GAUGE -medium.max 50000 +medium.draw AREASTACK medium.min 0 medium.info The number of CVEs marked medium priority low.label low +low.colour 0000FF low.type GAUGE -low.max 50000 +low.draw AREASTACK low.min 0 low.info The number of CVEs marked low priority other.label other +other.colour 00A5FF other.type GAUGE -other.max 50000 +other.draw AREASTACK other.min 0 other.info The number of CVEs with unspecified priority EOF_ From 4653dcd9a696faa8236fc4b9f61a16885049b12a Mon Sep 17 00:00:00 2001 
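Review bot: The `OUT=` assignment uses whatever `mktemp` returns without checking it, and every later use expands `${OUT}` unquoted, so after a failed `mktemp` the `grep -c` calls have no file argument and read standard input instead. Appending `|| exit 1` to the assignment and writing `"${OUT}"` at each use would make the plugin fail closed. Nothing legible in this hunk removes the file if the plugin is interrupted; `trap 'rm -f "${OUT}"' EXIT` right after the assignment would cover that. The same unchecked pattern recurs for the four extra temp files in PATCH 7/9 and for `FIXED` in PATCH 9/9.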
From: Olivier Mehani Date: Thu, 1 Sep 2016 11:17:47 +1000 Subject: [PATCH 4/9] [debescan] Add links to CVEs in extinfo Signed-off-by: Olivier Mehani --- plugins/system/debsecan | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/plugins/system/debsecan b/plugins/system/debsecan index 4cbf40ba..047615eb 100755 --- a/plugins/system/debsecan +++ b/plugins/system/debsecan @@ -63,17 +63,24 @@ EOF_ exit 0 fi +CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)" +CVEBASEURL="https://security-tracker.debian.org/tracker/" + OUT=`mktemp -t debescan.XXXXXX` debsecan 2> /dev/null > ${OUT} high=`grep -c 'high urgency' ${OUT}` medium=`grep -c 'medium urgency' ${OUT}` low=`grep -c 'low urgency)' ${OUT}` -other=`grep -c -v -e 'low urgency' -e 'medium urgency' -e 'high urgency' ${OUT}` +other=`grep -c -v '\(low\|medium\|high\) urgency' ${OUT}` cat <\1 #p" ${OUT})` medium.value $medium +medium.extinfo `echo $(sed -n "s#^${CVERE}.*medium urgency.*#\1 #p" ${OUT})` low.value $low +low.extinfo `echo $(sed -n "s#^${CVERE}.*low urgency.*#\1 #p" ${OUT})` other.value $other +other.extinfo `echo $(grep -v -e '\(low\|medium\|high\) urgency' ${OUT} | sed -n "s#^${CVERE}.*#\1 #p")` EOF_ rm -f ${OUT} From 719190a5424395fcdfb175b0ec6edf49382ab1e5 Mon Sep 17 00:00:00 2001 From: Olivier Mehani Date: Thu, 1 Sep 2016 11:19:27 +1000 Subject: [PATCH 5/9] [debescan] Can't add HMTL to extinfo ): Signed-off-by: Olivier Mehani --- plugins/system/debsecan | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/plugins/system/debsecan b/plugins/system/debsecan index 047615eb..b8aec1eb 100755 --- a/plugins/system/debsecan +++ b/plugins/system/debsecan @@ -64,7 +64,6 @@ EOF_ fi CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)" -CVEBASEURL="https://security-tracker.debian.org/tracker/" OUT=`mktemp -t debescan.XXXXXX` debsecan 2> /dev/null > ${OUT} 
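Review bot: `CVERE` accepts the prefixes `CVE` and `TMP`, but Debian's security tracker, as far as I know, names its temporary entries `TEMP-…`. Those lines would then never match the `^`-anchored `sed` expressions, so they would be missing from every `extinfo` list while still being counted in the `.value` fields. If that is right, the definition should read `CVERE="\(\(CVE\|TEMP\)[-0-9A-Fa-f]\+\)"`. The same definition is carried unchanged through the later patches in this series. A one-line comment above it, such as `# identifier at line start: CVE id or tracker-assigned temporary id`, would also help the next reader.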
@@ -74,13 +73,13 @@ low=`grep -c 'low urgency)' ${OUT}` other=`grep -c -v '\(low\|medium\|high\) urgency' ${OUT}` cat <\1 #p" ${OUT})` +high.extinfo `echo $(sed -n "s#^${CVERE}.*high urgency.*#\1 #p" ${OUT})` medium.value $medium -medium.extinfo `echo $(sed -n "s#^${CVERE}.*medium urgency.*#\1 #p" ${OUT})` +medium.extinfo `echo $(sed -n "s#^${CVERE}.*medium urgency.*#\1 #p" ${OUT})` low.value $low -low.extinfo `echo $(sed -n "s#^${CVERE}.*low urgency.*#\1 #p" ${OUT})` +low.extinfo `echo $(sed -n "s#^${CVERE}.*low urgency.*#\1 #p" ${OUT})` other.value $other -other.extinfo `echo $(grep -v -e '\(low\|medium\|high\) urgency' ${OUT} | sed -n "s#^${CVERE}.*#\1 #p")` -EOF_ +other.extinfo `echo $(grep -v -e '\(low\|medium\|high\) urgency' ${OUT} | sed -n "s#^${CVERE}.*#\1 #p")` +EOF rm -f ${OUT} From b80913c039ca1c437e45be855c5ea26a6a842258 Mon Sep 17 00:00:00 2001 From: Olivier Mehani Date: Thu, 1 Sep 2016 11:23:47 +1000 Subject: [PATCH 6/9] [debescan] Remove stray whitespaces Signed-off-by: Olivier Mehani --- plugins/system/debsecan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/system/debsecan b/plugins/system/debsecan index b8aec1eb..cf4eb4aa 100755 --- a/plugins/system/debsecan +++ b/plugins/system/debsecan @@ -13,7 +13,7 @@ #%# capabilities=autoconf # Auto enable if we have debsecan only -if [ "$1" = "autoconf" ] ; then +if [ "$1" = "autoconf" ] ; then if [ -x /usr/bin/debsecan ]; then echo yes else @@ -22,7 +22,7 @@ if [ "$1" = "autoconf" ] ; then exit 0 fi -# Fail if we don't have debsecan +# Fail if we don't have debsecan if [ ! -x /usr/bin/debsecan ]; then exit 1 fi From 7487332a751ebe0cba1c24279f97043285a1630a Mon Sep 17 00:00:00 2001 From: Olivier Mehani Date: Thu, 1 Sep 2016 20:33:10 +1000 Subject: [PATCH 7/9] [debsecan] Show package with CVE counts rather than CVEs Signed-off-by: Olivier Mehani --- plugins/system/debsecan | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) 
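Review bot: The here-document terminator changes from `EOF_` to `EOF` at the end of this hunk, but the commit's diffstat (5 insertions, 6 deletions) leaves no room for a matching change to the opening `cat <<` line, whose delimiter is not legible on this page. If the opener still reads `EOF_`, the here-document would run to the end of the file, so `rm -f ${OUT}` would be printed as plugin output instead of being executed and the temp file would be left behind on every run. Keeping the terminator as `EOF_`, or changing both ends in the same commit, avoids that.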
diff --git a/plugins/system/debsecan b/plugins/system/debsecan index cf4eb4aa..c2103f38 100755 --- a/plugins/system/debsecan +++ b/plugins/system/debsecan @@ -64,22 +64,33 @@ EOF_ fi CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)" +CVECOUNTRE="s/^.*\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/" OUT=`mktemp -t debescan.XXXXXX` +HIGH=`mktemp -t debescan.XXXXXX` +MEDIUM=`mktemp -t debescan.XXXXXX` +LOW=`mktemp -t debescan.XXXXXX` +OTHER=`mktemp -t debescan.XXXXXX` debsecan 2> /dev/null > ${OUT} -high=`grep -c 'high urgency' ${OUT}` -medium=`grep -c 'medium urgency' ${OUT}` -low=`grep -c 'low urgency)' ${OUT}` -other=`grep -c -v '\(low\|medium\|high\) urgency' ${OUT}` -cat < ${HIGH} +grep 'medium urgency' ${OUT} > ${MEDIUM} +grep 'low urgency)' ${OUT} > ${LOW} +grep -v '\(low\|medium\|high\) urgency' ${OUT} > ${OTHER} + +high=`cat ${HIGH} | wc -l` +medium=`cat ${MEDIUM} | wc -l` +low=`cat ${LOW} | wc -l` +other=`cat ${OTHER} | wc -l` + +cat < Date: Fri, 2 Sep 2016 10:05:08 +1000 Subject: [PATCH 8/9] [debsecan] Typo in temp filename Signed-off-by: Olivier Mehani --- plugins/system/debsecan | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/plugins/system/debsecan b/plugins/system/debsecan index c2103f38..a4f7940f 100755 --- a/plugins/system/debsecan +++ b/plugins/system/debsecan @@ -66,11 +66,11 @@ fi CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)" CVECOUNTRE="s/^.*\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/" -OUT=`mktemp -t debescan.XXXXXX` -HIGH=`mktemp -t debescan.XXXXXX` -MEDIUM=`mktemp -t debescan.XXXXXX` -LOW=`mktemp -t debescan.XXXXXX` -OTHER=`mktemp -t debescan.XXXXXX` +OUT=`mktemp -t debsecan.XXXXXX` +HIGH=`mktemp -t debsecan.XXXXXX` +MEDIUM=`mktemp -t debsecan.XXXXXX` +LOW=`mktemp -t debsecan.XXXXXX` +OTHER=`mktemp -t debsecan.XXXXXX` debsecan 2> /dev/null > ${OUT} grep 'high urgency' ${OUT} > ${HIGH} grep 'medium urgency' ${OUT} > ${MEDIUM} From a98ece4a974f685d3cff713542057c2e7e98819e Mon Sep 17 00:00:00 2001 
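Review bot: In `CVECOUNTRE` the leading `^.*` is greedy, so `\([0-9]\+\)` is left with only the last digit of a multi-digit count and a package with 12 entries would presumably be shown as `(2)`. Anchoring on the leading blanks instead, `CVECOUNTRE="s/^ *\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/"`, keeps the whole number. The lines that apply the expression are not legible in this hunk, so confirm the input is the usual count-then-name layout. The counts could also be taken without the extra process, e.g. `high=$(wc -l < "${HIGH}")`.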
From: Olivier Mehani Date: Wed, 7 Sep 2016 14:58:52 +1000 Subject: [PATCH 9/9] [debsecan] Report fixed vulnerabilities, add config and doc Signed-off-by: Olivier Mehani --- plugins/system/debsecan | 74 +++++++++++++++++++++++++++++++---------- 1 file changed, 56 insertions(+), 18 deletions(-) diff --git a/plugins/system/debsecan b/plugins/system/debsecan index a4f7940f..5f63e679 100755 --- a/plugins/system/debsecan +++ b/plugins/system/debsecan @@ -1,16 +1,34 @@ #!/bin/sh -# -# Plugin to monitor the number of CVE vulnerabilities present on a Debian -# system (using debsecan). Might work on other distib, who knows... -# -# Inspiration of the moment 10/10/2007 -# -# Nicolas BOUTHORS http://nbi.fr/ -# -# Licence : Public Domain -# -#%# family=auto -#%# capabilities=autoconf + +: << =cut + +=head1 NAME + +debsecan - Plugin to monitor the number of CVE vulnerabilities present on a Debian +system (using debsecan). Might work on other distib, who knows... + +=head1 CONFIGURATION + + [debsecan] + env.suite jessie + env.fixed_warn 1 + env.fixed_critical 1000 + +=head1 AUTHORS + +* Nicolas BOUTHORS http://nbi.fr/, Inspiration of the moment 10/10/2007 +* Olivier Mehani , 2016 + +=head1 LICENSE + +Public Domain + +=head1 MAGIC MARKERS + +%# family=auto +%# capabilities=autoconf + +=cut # Auto enable if we have debsecan only if [ "$1" = "autoconf" ] ; then 
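Review bot: The CONFIGURATION block documents `env.fixed_warn 1`, but the code added later in this patch reads `${fixed_warning:-1}`, so a threshold set as documented would be silently ignored and the default used. The doc line should read `env.fixed_warning 1`. The MAGIC MARKERS section also spells the markers `%# family=auto` and `%# capabilities=autoconf`, where the removed header had `#%#`. If munin-node-configure matches on the `#%#` form, automatic detection of this plugin would stop working, so confirm and restore the leading `#`. The `autoconf` block that follows continues past the end of this hunk.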
@@ -27,9 +45,19 @@ if [ ! -x /usr/bin/debsecan ]; then exit 1 fi +# Determine suite from filename... +SUITE=`echo $0 | sed 's/.*_//'` +if [ ${SUITE} = ${0} ]; then + # ...or fall back onto configuration in environment + SUITE=${suite:-sid} +fi +FIXEDWARN=${fixed_warning:-1} +FIXEDCRIT=${fixed_critical:-1000} + +CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)" if [ "$1" = "config" ] ; then cat < /dev/null > ${OUT} +FIXED=`mktemp -t debsecan.XXXXXX` +debsecan --suite ${SUITE} 2> /dev/null > ${OUT} grep 'high urgency' ${OUT} > ${HIGH} grep 'medium urgency' ${OUT} > ${MEDIUM} grep 'low urgency)' ${OUT} > ${LOW} -grep -v '\(low\|medium\|high\) urgency' ${OUT} > ${OTHER} +grep '(fixed' ${OUT} > ${FIXED} high=`cat ${HIGH} | wc -l` medium=`cat ${MEDIUM} | wc -l` low=`cat ${LOW} | wc -l` other=`cat ${OTHER} | wc -l` +fixed=`cat ${FIXED} | wc -l` cat <
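Review bot: `SUITE` is derived by running `sed 's/.*_//'` over the whole of `$0`, so when the plugin name has no underscore but a directory in its path does, a path fragment becomes the suite; the unquoted `[ ${SUITE} = ${0} ]` also breaks if the path contains whitespace. Taking the base name first, `SUITE=$(basename "$0" | sed 's/.*_//')` with `if [ "${SUITE}" = "$(basename "$0")" ]; then`, limits the match to the plugin's own name. Because the later `debsecan --suite ${SUITE} 2> /dev/null` discards errors and its exit status is not checked, a wrong suite or a failed run would presumably be graphed as zero vulnerabilities. Checking the status and exiting non-zero would make that failure visible in monitoring. Parts of this hunk are not legible on the page.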