git: e90a0b117fdc - main - security/vuxml: Add SA_ID to make newentry
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 25 Sep 2023 11:26:12 UTC
The branch main has been updated by fernape:
URL: https://cgit.FreeBSD.org/ports/commit/?id=e90a0b117fdc61d6d6bc4b02a4b7b5be5a878b2d
commit e90a0b117fdc61d6d6bc4b02a4b7b5be5a878b2d
Author: Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-09-22 18:17:13 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-09-25 11:25:55 +0000
security/vuxml: Add SA_ID to make newentry
Automate registration of FreeBSD Security Advisories.
It adds a new parameter for the newentry subcommand accepting a SA ID as present
in the FreeBSD Security Advisories web page
(https://www.freebsd.org/security/advisories/)
Fills an entry following the common structure for FreeBSD SAs and leaves some
"FIXME" strings in those places that need special care.
Developers should NOT blindly trust the output of the script.
`make newentry SA_ID=FreeBSD-SA-23:11.wifi.asc`
`make newentry SA_ID=FreeBSD-SA-22:01.vt`
Reviewed by: philip@
Differential Revision: https://reviews.freebsd.org/D41966
---
security/vuxml/Makefile | 2 +-
security/vuxml/files/newentry.sh | 91 +++++++++++++++++++++++++++++++++++-----
2 files changed, 81 insertions(+), 12 deletions(-)
diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile
index d8305c85191a..3e5d1d98ab34 100644
--- a/security/vuxml/Makefile
+++ b/security/vuxml/Makefile
@@ -92,7 +92,7 @@ tidy: ${VUXML_FLAT_FILE}
${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy"
newentry:
- @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID}
+ @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}"
.if defined(VID) && !empty(VID)
html: work/${VID}.html
diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh
index 6da86b75a65b..58b2d874ec7e 100644
--- a/security/vuxml/files/newentry.sh
+++ b/security/vuxml/files/newentry.sh
@@ -2,22 +2,47 @@
set -eu
vuxml_file="$1"
-CVE_ID="${2:-}"
+CVE_ID=""
+SA_ID=""
-if [ -z "${vuxml_file}" ]; then
+show_usage() {
exec >&2
- echo "Usage: newentry.sh /path/to/vuxml/document"
+ echo "Usage: newentry.sh /path/to/vuxml/document [CVE_ID|SA_ID]"
exit 1
+}
+
+if [ -z "${vuxml_file}" ]; then
+ show_usage
fi
+shift
+while [ $# -gt 0 ]; do
+case "$1" in
+ CVE_ID=*)
+ CVE_ID="${1#CVE_ID=}"
+ shift
+ ;;
+ SA_ID=*)
+ SA_ID="${1#SA_ID=}"
+ shift
+ ;;
+ *)
+ echo "Invalid argument: $1"
+ show_usage
+ exit 1
+ ;;
+esac
+done
+
tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1
+tmp_fbsd_sa=""
tmp_mitre=""
tmp_nvd=""
doclean="yes"
cleanup() {
if [ "${doclean}" = "yes" ]; then
- rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
+ rm -f "${tmp}" "${tmp_fbsd_sa}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
fi
}
trap cleanup EXIT 1 2 13 15
@@ -34,6 +59,14 @@ references="INSERT URL HERE"
topic=""
source="SO-AND-SO"
upstream_fix=""
+impact=""
+DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\">
+ <p>${source} reports:</p>
+ <blockquote cite=\"${references}\">
+ <p>${details}</p>
+ </blockquote>
+ </body>"
+
# Try to retrieve information if a CVE identifier was provided
if [ -n "${CVE_ID}" ]; then
@@ -49,7 +82,7 @@ if [ -n "${CVE_ID}" ]; then
# Get information from the NVD database JSON format
tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1
fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1
- # Get information from MITRE database (they provide a nice "topic"
+ # Get information from MITRE database (they provide a nice "topic")
tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1
fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}"
@@ -68,6 +101,47 @@ if [ -n "${CVE_ID}" ]; then
topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1
fi
+if [ -n "${SA_ID}" ]; then
+ SA_URL_BASE=https://www.freebsd.org/security/advisories/
+
+ # Get information from the Project's SA site
+ tmp_fbsd_sa="$(mktemp ${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX)" || exit 1
+ fetch -q -o "${tmp_fbsd_sa}" ${SA_URL_BASE}${SA_ID} || exit 1
+
+ # Create variables from SA note
+ if grep -q 'CVE Name' "${tmp_fbsd_sa}"; then
+ cve_tmp=$(grep 'CVE Name' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1
+ cvename="${cve_tmp#"${cve_tmp%%[![:space:]]*}"}"
+
+ # NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT
+ # cve-2022-39282.
+ cvename=$(echo "${cvename}" | tr '[:lower:]' '[:upper:]') || exit 1
+ cveurl="https://nvd.nist.gov/vuln/detail/${cvename}"
+ fi
+
+ details=$(awk '/II. Problem Description/ {f=1;next;next} /III. Impact/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}" ) || exit 1
+ details=$(echo "<p>${details}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')
+ impact=$(awk '/III. Impact/ {f=1;next;next} /IV. Workaround/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}") || exit 1
+ impact=$(echo "<p>${impact}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')
+
+ package_name="FreeBSD"
+ if grep -Eq 'Module:.*kernel' "${tmp_fbsd_sa}"; then
+ package_name="${package_name}-kernel"
+ fi
+
+ upstream_fix="FIXME"
+ references="${SA_URL_BASE}${SA_ID}"
+ source="The FreeBSD Project"
+ topic_tmp=$(grep 'Topic:' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1
+ topic="${topic_tmp#"${topic_tmp%%[![:space:]]*}"}"
+
+DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\">
+ <h1>Problem Description:</h1>
+ ${details}
+ <h1>Impact:</h1>
+ ${impact}
+ </body>"
+fi
awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1
cat << EOF >> "${tmp}" || exit 1
@@ -80,12 +154,7 @@ cat << EOF >> "${tmp}" || exit 1
</package>
</affects>
<description>
- <body xmlns="http://www.w3.org/1999/xhtml">
- <p>${source} reports:</p>
- <blockquote cite="${references}">
- <p>${details}</p>
- </blockquote>
- </body>
+ ${DESC_BODY}
</description>
<references>
<cvename>${cvename}</cvename>