FreeBSD pkg audit should be optional, or not fail if status code != 0 #639

Closed
Labels
C-bug Something isn't working

Contributor

wolpert commented Jan 7, 2024

Erroneous Behavior

Currently in FreeBSD packages, cmake-core has a vulnerability. When topgrade executes pkg audit -Fr it displays the vulnerability, then errors out because the status return is 1 and not 0. However, topgrade should continue. Right now, audit cannot be disabled for FreeBSD (AFAIK) and topgrade just exits out even though it should not. We need to either make the audit optional or let it not fail if the status code result is not zero.

Expected Behavior

Calling pkg audit -Fr on FreeBSD where a vulnerability is found should display the error but continue going. Note I would not want to make it part of the System step or package upgrade step... as I want those 'as is'. If I had to remove it by disabling System, I'd just manually have to add in the upgrade. But if that was the required technique, it would at least work.

Preferred option to me is to create an audit step (default on) given auditing is part of multiple systems.

Steps to reproduce

  1. Use FreeBSD 14.x
  2. sudo pkg install cmake
  3. run topgrade

Possible Cause (Optional)

The audit command is required and status checked.

Here is where the audit command is required, and the implementation with status checked

Sample fix in this PR: #640

Problem persists without calling from topgrade

  • Yes
  • No

Sorta, you can see this by doing the following:

  1. sudo pkg install cmake
  2. pkg audit -Fr
  3. echo $?

Did you run topgrade through Remote Execution

  • Yes
  • No

If yes, does the issue still occur when you run topgrade directly in your remote host

  • Yes
  • No

Configuration file (Optional)

Used the default configuration file.

Additional Details

  • Operating System/Version

14.0-RELEASE-p3

  • Installation

Cargo

  • Topgrade version (topgrade -V)

Topgrade 13.0.0

Verbose Output (topgrade -v)

DEBUG Configuration at /home/wolpert/.config/topgrade.toml
DEBUG Version: 13.0.0
DEBUG OS: x86_64-unknown-freebsd
DEBUG Args { inner: ["topgrade", "-v"] }
DEBUG Binary path: Ok("/home/wolpert/.cargo/bin/topgrade")
DEBUG self-update Feature Enabled: false
DEBUG Configuration: Config { opt: CommandLineArgs { edit_config: false, show_config_reference: false, run_in_tmux: false, cleanup: false, dry_run: false, no_retry: false, disable: [], only: [], custom_commands: [], env: [], verbose: true, keep_at_end: false, skip_notify: false, yes: None, disable_predefined_git_repos: false, config: None, remote_host_limit: None, show_skipped: false, log_filter: "warn", gen_completion: None, gen_manpage: false, no_self_update: false }, config_file: ConfigFile { include: None, misc: Some(Misc { pre_sudo: None, sudo_command: None, disable: None, ignore_failures: None, remote_topgrades: None, remote_topgrade_path: None, ssh_arguments: None, tmux_arguments: None, set_title: None, display_time: None, assume_yes: None, no_retry: None, run_in_tmux: None, cleanup: None, notify_each_step: None, skip_notify: None, bashit_branch: None, only: None, no_self_update: None, log_filters: None }), pre_commands: Some({}), post_commands: None, commands: Some({}), python: Some(Python { enable_pip_review: None, enable_pip_review_local: None, enable_pipupgrade: None, pipupgrade_arguments: None }), composer: Some(Composer { self_update: None }), brew: Some(Brew { greedy_cask: None, autoremove: None }), linux: Some(Linux { yay_arguments: None, aura_aur_arguments: None, aura_pacman_arguments: None, arch_package_manager: None, show_arch_news: None, garuda_update_arguments: None, trizen_arguments: None, pikaur_arguments: None, pamac_arguments: None, dnf_arguments: None, nix_arguments: None, nix_env_arguments: None, apt_arguments: None, enable_tlmgr: None, redhat_distro_sync: None, suse_dup: None, rpm_ostree: None, emerge_sync_flags: None, emerge_update_flags: None, home_manager_arguments: None }), git: Some(Git { max_concurrency: None, pull_arguments: None, push_arguments: None, repos: None, pull_only_repos: None, push_only_repos: None, pull_predefined: None }), windows: Some(Windows { accept_all_updates: None, self_rename: None, open_remotes_in_new_terminal: None, enable_winget: None, wsl_update_pre_release: None, wsl_update_use_web_download: None }), npm: Some(NPM { use_sudo: None }), yarn: None, vim: None, firmware: Some(Firmware { upgrade: None }), vagrant: None, flatpak: Some(Flatpak { use_sudo: None }), distrobox: Some(Distrobox { use_root: None, containers: None }) }, allowed_steps: [AM, AppMan, Asdf, Atom, Bin, Bob, BrewCask, BrewFormula, Bun, Cargo, Chezmoi, Chocolatey, Choosenim, Composer, Conda, ConfigUpdate, Containers, CustomCommands, DebGet, Deno, Distrobox, DkpPacman, Dotnet, Emacs, Firmware, Flatpak, Flutter, Fossil, Gcloud, Gem, Ghcup, GithubCliExtensions, GitRepos, GnomeShellExtensions, Go, Guix, Haxelib, Helm, HomeManager, Jetpack, Julia, Juliaup, Kakoune, Helix, Krew, Lure, Macports, Mamba, Miktex, Mas, Maza, Micro, Myrepos, Nix, Node, Opam, Pacdef, Pacstall, Pearl, Pip3, PipReview, PipReviewLocal, Pipupgrade, Pipx, Pkg, Pkgin, Pnpm, Powershell, Protonup, Raco, Rcm, Remotes, Restarts, Rtcl, RubyGems, Rustup, Scoop, Sdkman, SelfUpdate, Sheldon, Shell, Snap, Sparkle, Spicetify, Stack, Stew, System, Tldr, Tlmgr, Tmux, Toolbx, Vagrant, Vcpkg, Vim, Vscode, Winget, Wsl, WslUpdate, Yadm, Yarn] }
DEBUG Detected "/usr/local/bin/git" as "git"
DEBUG Cannot find "pwsh"
DEBUG Cannot find "powershell"
DEBUG Path "/home/wolpert/.config/emacs" doesn't exist
DEBUG Path "/home/wolpert/.emacs.d" doesn't exist
DEBUG Cannot find "doas"
DEBUG Detected "/usr/local/bin/sudo" as "sudo"
DEBUG Step "FreeBSD Packages"

── 09:07:22 - FreeBSD Packages ─────────────────────────────────────────────────
DEBUG Executing command /usr/local/bin/sudo /usr/sbin/pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
DEBUG Step "FreeBSD Upgrade"

── 09:07:23 - FreeBSD Update ───────────────────────────────────────────────────
DEBUG Executing command /usr/local/bin/sudo /usr/sbin/freebsd-update fetch install
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 14.0-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 14.0-RELEASE-p4.
No updates are available to install.

DEBUG Executing command /usr/local/bin/sudo /usr/sbin/pkg audit -Fr
vulnxml file up-to-date
cmake-core-3.26.1_3 is vulnerable:
curl -- SOCKS5 heap buffer overflow
CVE: CVE-2023-38545
WWW: https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html

Packages that depend on cmake-core: cmake

1 problem(s) in 1 installed package(s) found.
DEBUG Command failed: Err(
0: Command failed: /usr/local/bin/sudo /usr/sbin/pkg audit -Fr
1: /usr/local/bin/sudo failed: exit status: 1

Location:
/home/wolpert/.cargo/registry/src/index.crates.io-6f17d22bba15001f/topgrade-13.0.0/src/steps/os/freebsd.rs:36)
Error:
0: Command failed: /usr/local/bin/sudo /usr/sbin/pkg audit -Fr
1: /usr/local/bin/sudo failed: exit status: 1

Location:
/home/wolpert/.cargo/registry/src/index.crates.io-6f17d22bba15001f/topgrade-13.0.0/src/steps/os/freebsd.rs:36
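The log above shows the root of the problem: pkg audit -Fr exits with status 1 when it has findings to report, and topgrade treats any non-zero status as a failed command. The following is an added example (my own code, not topgrade's and not the fix in PR #640) of how an audit step can tell "vulnerabilities found" apart from "the audit tool broke". It assumes the convention visible in this log, that exit status 0 means no vulnerable packages and exit status 1 means findings were printed, and treats every other status as a real failure. The sample output is constructed from the issue's verbose log; the function and type names are mine.

```rust
use std::process::Command;

/// Outcome of one `pkg audit` run, separated so that a finding does not
/// look like a tooling failure.
#[derive(Debug, PartialEq, Eq)]
pub enum AuditOutcome {
    /// Exit status 0: no vulnerable packages reported.
    Clean,
    /// Exit status 1: pkg printed findings; counts parsed from its summary line.
    VulnerabilitiesFound { problems: u32, packages: u32 },
    /// Any other status (or death by signal): the audit itself did not work.
    Failed(String),
}

/// Constructed sample input, copied from the verbose log in this issue.
pub const SAMPLE_AUDIT_OUTPUT: &str = "\
vulnxml file up-to-date
cmake-core-3.26.1_3 is vulnerable:
curl -- SOCKS5 heap buffer overflow
CVE: CVE-2023-38545
WWW: https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html

Packages that depend on cmake-core: cmake

1 problem(s) in 1 installed package(s) found.
";

/// Parse pkg's closing summary line, e.g.
/// "1 problem(s) in 1 installed package(s) found." -> Some((1, 1)).
pub fn parse_summary(output: &str) -> Option<(u32, u32)> {
    output.lines().find_map(|line| {
        let rest = line.trim().strip_suffix(" installed package(s) found.")?;
        let mut words = rest.split_whitespace();
        let problems: u32 = words.next()?.parse().ok()?;
        if words.next()? != "problem(s)" || words.next()? != "in" {
            return None;
        }
        let packages: u32 = words.next()?.parse().ok()?;
        Some((problems, packages))
    })
}

/// Map an exit code plus captured output onto an outcome. Assumed convention
/// (taken from the issue's log): 0 = clean, 1 = findings, anything else = error.
pub fn classify_audit(exit_code: Option<i32>, output: &str) -> AuditOutcome {
    match exit_code {
        Some(0) => AuditOutcome::Clean,
        Some(1) => {
            let (problems, packages) = parse_summary(output).unwrap_or((0, 0));
            AuditOutcome::VulnerabilitiesFound { problems, packages }
        }
        Some(n) => AuditOutcome::Failed(format!("pkg audit exited with status {n}")),
        None => AuditOutcome::Failed("pkg audit was terminated by a signal".to_string()),
    }
}

/// Run `sudo pkg audit -Fr`, echo its output so findings stay visible to the
/// user, and classify the result. Only `Failed` should fail the step.
pub fn run_pkg_audit(sudo: &str) -> AuditOutcome {
    match Command::new(sudo).args(["/usr/sbin/pkg", "audit", "-Fr"]).output() {
        Ok(out) => {
            let text = String::from_utf8_lossy(&out.stdout);
            print!("{text}");
            classify_audit(out.status.code(), &text)
        }
        Err(e) => AuditOutcome::Failed(format!("could not spawn {sudo}: {e}")),
    }
}

fn main() {
    // Offline demonstration on the constructed sample; on a FreeBSD host,
    // `run_pkg_audit("/usr/local/bin/sudo")` performs the real audit.
    match classify_audit(Some(1), SAMPLE_AUDIT_OUTPUT) {
        AuditOutcome::VulnerabilitiesFound { problems, packages } => {
            println!("warning: {problems} problem(s) in {packages} package(s); step continues")
        }
        AuditOutcome::Clean => println!("no vulnerable packages"),
        AuditOutcome::Failed(reason) => eprintln!("audit step failed: {reason}"),
    }
}
```

The point of the three-way split is that a vulnerability report is exactly the information a user running an updater wants to see, so it should be surfaced as a warning and the run should continue, while a missing binary, a failed sudo, or an unexpected status still aborts the step as before.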

@wolpert wolpert added the C-bug Something isn't working label Jan 7, 2024
@SteveLauC SteveLauC linked a pull request Jan 8, 2024 that will close this issue