Adding CVE detection support

INTERNALS.md

@@ -7,7 +7,8 @@
 * [System checks](#mysqltuner-system-checks)
 * [Server version checks](#mysqltuner-server-version-checks)
 * [MySQL Storage engine general information](#mysql-storage-engine-general-information)
-* [Security checks](#mysqltuner-security-checks)
+* [Security checks](#mysqltuner-security-checks)
+* [CVE checks](#mysqltuner-cve-checks)
 * [Database information](#mysqltuner-database-information)
 * [Index information](#mysqltuner-index-information)
 * [Connections information](#mysqltuner-connections-information)
@@ -86,6 +87,11 @@
 * Using basic_passwords.txt as password database
 * Password list checks can be avoid (option: --skippassword) 
 
+## MySQLTuner CVE vulnerabilities checks
+
+* option: --cvefile
+* Check if your MariaDB or MySQL version contains CVE bulletins.
+
 ## MySQLTuner database information
 * Per database information
 	* Rows number

README.md

@@ -17,6 +17,7 @@ Compatibility:
 * Unix/Linux based operating system (tested on Linux, BSD variants, and Solaris variants)
 * Windows is not supported at this time (Help wanted !!!!!)
 * Unrestricted read access to the MySQL server (OS root access recommended for MySQL < 5.1)
+* CVE vulnerabilites detection support from [https://cve.mitre.org](https://cve.mitre.org)
 
 ***WARNING***
 --
@@ -41,6 +42,7 @@ You can download the entire repository by using 'git clone' followed by the clon
 
 	wget http://mysqltuner.pl/ -O mysqltuner.pl
 	wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/basic_passwords.txt -O basic_passwords.txt
+	wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/vulnerabilities.csv -O vulnerabilities.csv
 	perl mysqltuner.pl
 	
 Of course, you can add the execute bit (`chmod +x mysqltuner.pl`) so you can execute it without calling perl directly.
@@ -60,6 +62,10 @@ __Usage:__ Enable maximum output information around MySQL/MariaDb without debugg
 
 	perl mysqltuner.pl --buffers --dbstat --idxstat
 
+__Usage:__ Enable CVE vulnerabilities check for your MariaDB or MySQL version
+
+	perl mysqltuner.pl --cvefile=vulnerabilities.csv
+
 __Usage:__ Write your result in a file with information displayed  
 
 	perl mysqltuner.pl --outputfile /tmp/result_mysqltuner.txt
@@ -126,6 +132,11 @@ These kinds of things are bound to happen.  Here are the details I need from you
 * The full text of the error
 * A copy of SHOW VARIABLES and SHOW GLOBAL STATUS output (if possible)
 
+Question: How to perform a CVE vulneralibity checks ?
+
+* Download vulnerabilities.cvs from this repository.
+* use option --cvefile to perform CVE checks
+
 MySQLTuner and Vagrant
 --
 **MySQLTuner** contains a Vagrant configuration for test purpose and development

mysqltuner.pl

@@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# mysqltuner.pl - Version 1.6.1
+# mysqltuner.pl - Version 1.6.2
 # High Performance MySQL Tuning Script
 # Copyright (C) 2006-2015 Major Hayden - major@mhtx.net
 #
@@ -51,7 +51,7 @@ use Data::Dumper;
 $Data::Dumper::Pair = " : ";
 
 # Set up a few variables for use in the script
-my $tunerversion = "1.6.1";
+my $tunerversion = "1.6.2";
 my ( @adjvars, @generalrec );
 
 # Set defaults
@@ -90,7 +90,7 @@ GetOptions(
     'pass=s',         'skipsize',     'checkversion', 'mysqladmin=s',
     'mysqlcmd=s',     'help',         'buffers',      'skippassword',
     'passwordfile=s', 'outputfile=s', 'silent',       'dbstat',
-    'idxstat', 'noask', 'template=s', 'reportfile=s'
+    'idxstat', 'noask', 'template=s', 'reportfile=s', 'cvefile=s',
 );
 
 if ( defined $opt{'help'} && $opt{'help'} == 1 ) { usage(); }
@@ -133,6 +133,7 @@ sub usage {
       . "      --debug              Print debug information\n"
       . "      --dbstat             Print database information\n"
       . "      --idxstat            Print index information\n"
+      . "      --cvefile            CVE File for vulnerability checks\n"
       . "      --nocolor            Don't print output in color\n"
       . "      --buffers            Print global and per-thread buffer values\n"
       . "      --outputfile <path>  Path to a output txt file\n" . "\n"
@@ -764,6 +765,36 @@ sub get_basic_passwords {
     return @lines;
 }
 
+sub cve_recommendations {
+    prettyprint
+"\n-------- CVE Security Recommendations  -------------------------------------------";
+    unless ( defined($opt{cvefile}) && -f "$opt{cvefile}" ) {
+        infoprint "Skipped due to --cvefile option";
+        return;
+    }
+
+    #prettyprint "Look for related CVE for $myvar{'version'} or lower in $opt{cvefile}";
+    my $cvefound=0;
+    open( FH, "<$opt{cvefile}" ) or die "Can't open $opt{cvefile} for read: $!";
+    while (my $cveline = <FH>)
+    {
+      my @cve=split (';', $cveline);
+      if (mysql_micro_version_le ($cve[1], $cve[2], $cve[3])) {
+        badprint "$cve[4] : $cve[5]";
+        $cvefound++;
+      }
+    
+    }
+    close FH or die "Cannot close $opt{cvefile}: $!";
+    if ($cvefound==0) {
+      goodprint "NO SECURITY CVE FOUND FOR YOUR VERSION";
+      return;
+    } 
+    badprint $cvefound . " CVE(s) found for your MySQL release.";
+    push( @generalrec, $cvefound . " CVE(s) found for your MySQL release. Consider upgrading your version !" );
+}
+
+
 sub security_recommendations {
     prettyprint
 "\n-------- Security Recommendations  -------------------------------------------";
@@ -980,6 +1011,14 @@ sub mysql_version_le {
         || $mysqlverminor == $min && $mysqlvermicro <= $mic );
 }
 
+# Checks if MySQL micro version is lower than equal to (major, minor, micro)
+sub mysql_micro_version_le {
+    my ( $maj, $min, $mic ) = @_;
+    return $mysqlvermajor == $maj
+      && ( $mysqlverminor == $min
+      && $mysqlvermicro <= $mic );
+}
+
 # Checks for 32-bit boxes with more than 2GB of RAM
 my ($arch);
 
@@ -2834,6 +2873,7 @@ check_storage_engines;       # Show enabled storage engines
 mysql_databases;             # Show informations about databases
 mysql_indexes;               # Show informations about indexes
 security_recommendations;    # Display some security recommendations
+cve_recommendations;         # Display related CVE
 calculations;                # Calculate everything we need
 mysql_stats;                 # Print the server stats
 mysql_myisam;                # Print MyISAM stats
@@ -2857,7 +2897,7 @@ __END__
 
 =head1 NAME
 
- MySQLTuner 1.6.1 - MySQL High Performance Tuning Script
+ MySQLTuner 1.6.2 - MySQL High Performance Tuning Script
 
 =head1 IMPORTANT USAGE GUIDELINES
 
@@ -2887,6 +2927,7 @@ You must provide the remote server's total memory when connecting to other serve
  --passwordfile <path>Path to a password file list(one password by line)
 
 =head1 OUTPUT OPTIONS
+
  --silent             Don't output anything on screen
  --nogood             Remove OK responses
  --nobad              Remove negative/suggestion responses
@@ -2894,6 +2935,7 @@ You must provide the remote server's total memory when connecting to other serve
  --debug              Print debug information
  --dbstat             Print database information
  --idxstat            Print index information
+ --cvefile            CVE File for vulnerability checks
  --nocolor            Don't print output in color
  --buffers            Print global and per-thread buffer values
  --outputfile <path>  Path to a output txt file
@@ -3050,7 +3092,7 @@ Jean-Marie Renouard
 
 =item *
 
-Stephan Großberndt
+Stephan GroBberndt
 
 =back