@hawko2600
Created April 9, 2014 12:08
List apps linked against a potentially heartbleed-vulnerable openssl on your Mac
# Print each binary in /usr/local/{bin,sbin} that links an ssl dylib other than the 0.9.8 series.
for i in /usr/local/{bin,sbin}/*; do otool -L "$i"; done | sed -e '/^.*is not an object file.*$/d' -e 's|^\(/.*\):$|@\1|' | awk 'BEGIN { RS="@" } !/ssl/ { next } !/^[[:space:]]*(\/.*ssl\.0\.9\.8.*\.dylib)/ { print $1 }'
@hawko2600
Author

Interesting things I discovered during this exercise:
• common system tools use all the wrong default behaviours for 2014. Who the heck wants BRE? Where's negative lookahead assertion? Why won't awk match form feed? This gist could be a lot shorter / sensible.
• you can force sed to ERE with -E. No such option exists for awk.
• saving two characters in your sed command by using 3 to turn on ERE is not a win, even if the regexp is slightly more readable.
• this gist will give false positives, because otool reports e.g. openssl 1.0.1g as 1.0.0 so it's not possible to just match vulnerable versions, as vulnerable and not vulnerable 1.0's appear the same. Fixing this doubles the command length, more or less.
• github.com renewed their SSL cert quickly. Good Guy Github :)
• option+8 makes dots. ••••••••••••••••••••
• ᗧ • • • ᗣ
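
The false-positive problem noted in the comment above, worked through as an added example (not the gist author's code): instead of trusting the `1.0.0` that otool reports, read the release text embedded in each linked dylib and classify that. The function names and sample data are constructed, and the example assumes the dylib carries an `OpenSSL <release> <date>` string.

```shell
# Added example. Constructed `otool -L` output for three hypothetical files.
sample_otool_output() {
cat <<'EOF'
/usr/local/bin/app_a:
	/usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
/usr/local/bin/app_b:
	/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
/usr/local/bin/notes.txt: is not an object file
EOF
}

# stdin: otool -L output. stdout: "binary<TAB>dylib" per libssl/libcrypto dependency.
linked_ssl_libs() {
    awk '$0 ~ "^/.*:$" { sub(/:$/, ""); bin = $0; next }
         $1 ~ "lib(ssl|crypto)[^/]*[.]dylib$" { print bin "\t" $1 }'
}

# Print the release embedded in a library file, e.g. "1.0.1f".
# Assumption: the file contains text of the form "OpenSSL 1.0.1f 6 Jan 2014".
lib_version() {
    grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*(-beta[0-9]+)?' "$1" |
        head -n 1 | cut -d ' ' -f 2
}

# Heartbleed affects 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is fixed.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo affected ;;
        "") echo unknown ;;
        *) echo not-affected ;;
    esac
}

# stdin: otool -L output. stdout: binary, dylib, embedded release, status.
audit() {
    linked_ssl_libs | while IFS="$(printf '\t')" read -r bin lib; do
        ver=$(lib_version "$lib" 2>/dev/null)
        printf '%s\t%s\t%s\t%s\n' "$bin" "$lib" "${ver:-?}" "$(heartbleed_status "$ver")"
    done
}

# On a Mac: for b in /usr/local/bin/* /usr/local/sbin/*; do otool -L "$b"; done 2>/dev/null | audit
sample_otool_output | audit   # sample dylibs do not exist here, so status is "unknown"
```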
