From nobody Sun Mar 12 18:40:03 2023
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PZT9c0nZ0z3xT5g;
	Sun, 12 Mar 2023 18:40:04 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4PZT9c0HD5z44wD;
	Sun, 12 Mar 2023 18:40:04 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1678646404;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=bdl49yz0s/6KjR6CiT+1KJAfjf8JVOcI3cHzrpWaBpA=;
	b=QlRqEEZeDUagEcWPTCt2R+vqJtBVX7atw0w/8FQNxXkBnanppQWtEn1+qyiqdicqv9fzUb
	Gkh0zsoaxC7mw8nI9KwSpu1ZYfBFy7pP4EaTyu64U9giw8sKxoMazzj05a2gqEmxxkAUnU
	ui03+ImkX83R8MNX+G1Ah/ejrFXYRE9psDZBIpIBkz03rklxEP5yKbafO9mUfwsO0jJb6R
	8SOzh2g/Q/oTAXr+9gz0+M+XBI3a5tWaZLdWQS5q4PUsJLD/1Jyzmg6HGEQdSEbgTnlVEN
	3zXJh8uDD8cezp9QAXQH3/xn08IWuvZHuZhIgXDHIELwErbng9YMdbzrS1RY+w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1678646404;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=bdl49yz0s/6KjR6CiT+1KJAfjf8JVOcI3cHzrpWaBpA=;
	b=EGS+szuFzKDkgBougOkvG8mbny0mSy9qKDK3PReSQNJsQqBBOqpFbAlyl5Jt6F3uW8WcFh
	AUC6EzWMeYDzEUi1J+p3QM0ESOHu4P9MD3qC/GQ2EsDm5Ft2FnpB3wizYUhf7weztcDKjQ
	YEq0g/hO0DY/szoxDkeF+dFQeCRsGqu0uNljhKRUKcFfyUWD90SWzOeSEDqkqay8UUQO3x
	Rqq+vFm0lhHFDUB4SSai/CdJHgdGFXFuNKjHxbrb4m2E6QE/N2Jt6nwVsBu1CeBJRknAWx
	bj7hrtU0k4BESNCBMeIVrfQsmS6vBNWEds/U59SK/exUghHYn7d2FOV7DESi0Q==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1678646404; a=rsa-sha256; cv=none;
	b=oOalrh8jryHOoP0Zc/NXQ/cwUNe4ahQDHNQiI+4xb5ik+EkpQRwADQto2ecUl61C3qatcB
	c/VNVF2gRGeCtJkzcRrDqnHs2v2lOQJ9jLTYn+ayug+j+uvfkZv8CG38QBqD+8xZB+bB2Z
	smajwV2YTEeXWXwWia0U4S0+FVdpdfUzne0pzRi4I8c6MomJFanKUN73WmQd5MJlmPtBY6
	Ac4deNk6m2g0oBGIiqR1Cr9kjzGWT8lPgv3aE9ITQQllzzByhjfCE8mo4+HJs3nwvAjGF4
	nq3GAHYSJC1XzP/mKHzZWZsh8w9xComdan8SlEcAEUl6wOpGKhTKjcw97wtjbA==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PZT9b6SSHzMZs;
	Sun, 12 Mar 2023 18:40:03 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 32CIe3wT039840;
	Sun, 12 Mar 2023 18:40:03 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 32CIe3bE039837;
	Sun, 12 Mar 2023 18:40:03 GMT
	(envelope-from git)
Date: Sun, 12 Mar 2023 18:40:03 GMT
Message-Id: <202303121840.32CIe3bE039837@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: =?utf-8?Q?Fernando=20Apestegu=C3=ADa?= <fernape@FreeBSD.org>
Subject: git: 7744049a400b - main - security/vuxml: Autofill CVE information
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: fernape
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 7744049a400bd21999ae1a7b724d2378fd3e9d6b
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7744049a400bd21999ae1a7b724d2378fd3e9d6b

commit 7744049a400bd21999ae1a7b724d2378fd3e9d6b
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-03-03 22:44:52 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-12 18:31:09 +0000

    security/vuxml: Autofill CVE information
    
    The `newentry` target accepts an optional parameter CVE_ID.
    When provided, the newentry.sh script tries to retrieve information from the
    NVD and MITRE databases and fill the template accordingly.
    
    The script needs `textproc/jq` and warns the user and exists if it is not found.
    
    How to use it:
    
    make newentry CVE_ID=CVE-2022-39282
    
    Note that this is just a helper. *YOU HUMAN* have to check that the information
    is correct.
    
    Reviewed by: tcberner, jlduran_gmail.com, mat
    Differential Revision: https://reviews.freebsd.org/D38894
---
 security/vuxml/Makefile          |  2 +-
 security/vuxml/files/newentry.sh | 67 ++++++++++++++++++++++++++++++++++------
 2 files changed, 59 insertions(+), 10 deletions(-)

diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile
index 1c5016141eb3..d8305c85191a 100644
--- a/security/vuxml/Makefile
+++ b/security/vuxml/Makefile
@@ -92,7 +92,7 @@ tidy: ${VUXML_FLAT_FILE}
 	${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy"
 
 newentry:
-	@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}"
+	@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID}
 
 .if defined(VID) && !empty(VID)
 html: work/${VID}.html
diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh
index 953d9dcd11e4..6da86b75a65b 100644
--- a/security/vuxml/files/newentry.sh
+++ b/security/vuxml/files/newentry.sh
@@ -1,5 +1,9 @@
 #! /bin/sh
+set -eu
+
 vuxml_file="$1"
+CVE_ID="${2:-}"
+
 if [ -z "${vuxml_file}" ]; then
   exec >&2
   echo "Usage: newentry.sh /path/to/vuxml/document"
@@ -7,40 +11,85 @@ if [ -z "${vuxml_file}" ]; then
 fi
 
 tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1
+tmp_mitre=""
+tmp_nvd=""
+
 doclean="yes"
 cleanup() {
   if [ "${doclean}" = "yes" ]; then
-    rm -f "${tmp}"
+    rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
   fi
 }
 trap cleanup EXIT 1 2 13 15
 
 vid="`uuidgen | tr '[:upper:]' '[:lower:]'`"
 [ -z "$vid" ] && exit 1
+cvename="INSERT CVE RECORD IF AVAILABLE"
+cveurl="INSERT BLOCKQUOTE URL HERE"
+details="."
 discovery="`date -u '+%Y-%m'`-FIXME" || exit 1
 entry="`date -u '+%Y-%m-%d'`" || exit 1
+package_name=""
+references="INSERT URL HERE"
+topic=""
+source="SO-AND-SO"
+upstream_fix=""
+
+# Try to retrieve information if a CVE identifier was provided
+if [ -n "${CVE_ID}" ]; then
+	if ! command -v jq > /dev/null; then
+		echo textproc/jq is needed for CVE automatic entry fill
+		exit 1
+	fi
+
+	# NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT
+	# cve-2022-39282.
+	CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1
+
+	# Get information from the NVD database JSON format
+	tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1
+	fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1
+	# Get information from MITRE database (they provide a nice "topic"
+	tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1
+	fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}"
+
+	# Create variables from input and online sources
+	cvename="${CVE_ID}"
+	cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID}
+	pref=.vulnerabilities[0].cve
+	details=$(jq -r "${pref}.descriptions[0].value|@html" "${tmp_nvd}" | fmt -p -s | sed '1!s/^/\t/') || exit 1
+	discovery=$(jq -r "${pref}.published|@html" "${tmp_nvd}" | cut -f1 -dT) || exit 1
+	pref=.vulnerabilities[0].cve.configurations[0].nodes[0].cpeMatch[0]
+	package_name=$(jq -r "${pref}.criteria|@html" "${tmp_nvd}" | cut -f4 -d:) || exit 1
+	upstream_fix=$(jq -r "${pref}.versionEndExcluding|@html" "${tmp_nvd}") || exit 1
+	pref=.vulnerabilities[0].cve.references[0]
+	references=$(jq -r "${pref}.url|@html" "${tmp_nvd}" | tr " " "\n") || exit 1
+	source=$(jq -r "${pref}.source|@html" "${tmp_nvd}" | tr " " "\n") || exit 1
+	topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1
+fi
+
 
 awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1
 cat << EOF >> "${tmp}" || exit 1
   <vuln vid="${vid}">
-    <topic> -- </topic>
+    <topic>${package_name} -- ${topic}</topic>
     <affects>
       <package>
-	<name></name>
-	<range><lt></lt></range>
+	<name>${package_name}</name>
+	<range><lt>${upstream_fix}</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>SO-AND-SO reports:</p>
-	<blockquote cite="INSERT URL HERE">
-	  <p>.</p>
+	<p>${source} reports:</p>
+	<blockquote cite="${references}">
+	  <p>${details}</p>
 	</blockquote>
       </body>
     </description>
     <references>
-      <cvename>INSERT CVE RECORD IF AVAILABLE</cvename>
-      <url>INSERT BLOCKQUOTE URL HERE</url>
+      <cvename>${cvename}</cvename>
+      <url>${cveurl}</url>
     </references>
     <dates>
       <discovery>${discovery}</discovery>