Date: Mon, 25 Sep 2023 11:26:12 GMT
Message-Id: <202309251126.38PBQCrk094159@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Fernando Apesteguía
Subject: git: e90a0b117fdc - main - security/vuxml: Add SA_ID to make newentry
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: fernape
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e90a0b117fdc61d6d6bc4b02a4b7b5be5a878b2d

The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e90a0b117fdc61d6d6bc4b02a4b7b5be5a878b2d

commit e90a0b117fdc61d6d6bc4b02a4b7b5be5a878b2d
Author:     Fernando Apesteguía
AuthorDate: 2023-09-22 18:17:13 +0000
Commit:     Fernando Apesteguía
CommitDate: 2023-09-25 11:25:55 +0000

    security/vuxml: Add SA_ID to make newentry

    Automate registration of FreeBSD Security Advisories. It adds a new parameter for the newentry subcommand accepting an SA ID as present in the FreeBSD Security Advisories web page (https://www.freebsd.org/security/advisories/)

    Fills an entry following the common structure for FreeBSD SAs and leaves some "FIXME" strings in those places that need special care. Developers should NOT blindly trust the output of the script.

    `make newentry SA_ID=FreeBSD-SA-23:11.wifi.asc`
    `make newentry SA_ID=FreeBSD-SA-22:01.vt`

    Reviewed by:    philip@
    Differential Revision:  https://reviews.freebsd.org/D41966

--- security/vuxml/Makefile | 2 +- security/vuxml/files/newentry.sh | 91 +++++++++++++++++++++++++++++++++++----- 2 files changed, 81 insertions(+), 12 deletions(-) diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile index d8305c85191a..3e5d1d98ab34 100644 --- a/security/vuxml/Makefile +++ b/security/vuxml/Makefile
@@ -92,7 +92,7 @@ tidy: ${VUXML_FLAT_FILE} ${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy" newentry: - @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID} + @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}" .if defined(VID) && !empty(VID) html: work/${VID}.html diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh index 6da86b75a65b..58b2d874ec7e 100644 --- a/security/vuxml/files/newentry.sh +++ b/security/vuxml/files/newentry.sh @@ -2,22 +2,47 @@ set -eu vuxml_file="$1" -CVE_ID="${2:-}" +CVE_ID="" +SA_ID="" -if [ -z "${vuxml_file}" ]; then +show_usage() { exec >&2 - echo "Usage: newentry.sh /path/to/vuxml/document" + echo "Usage: newentry.sh /path/to/vuxml/document [CVE_ID|SA_ID]" exit 1 +} + +if [ -z "${vuxml_file}" ]; then + show_usage fi +shift +while [ $# -gt 0 ]; do +case "$1" in + CVE_ID=*) + CVE_ID="${1#CVE_ID=}" + shift + ;; + SA_ID=*) + SA_ID="${1#SA_ID=}" + shift + ;; + *) + echo "Invalid argument: $1" + show_usage + exit 1 + ;; +esac +done + tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1 +tmp_fbsd_sa="" tmp_mitre="" tmp_nvd="" doclean="yes" cleanup() { if [ "${doclean}" = "yes" ]; then - rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null + rm -f "${tmp}" "${tmp_fbsd_sa}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null fi } trap cleanup EXIT 1 2 13 15 @@ -34,6 +59,14 @@ references="INSERT URL HERE" topic="" source="SO-AND-SO" upstream_fix="" +impact="" +DESC_BODY=" +

${source} reports:

+
+

${details}

+
+ " + # Try to retrieve information if a CVE identifier was provided if [ -n "${CVE_ID}" ]; then @@ -49,7 +82,7 @@ if [ -n "${CVE_ID}" ]; then # Get information from the NVD database JSON format tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1 fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1 - # Get information from MITRE database (they provide a nice "topic" + # Get information from MITRE database (they provide a nice "topic") tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1 fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}" @@ -68,6 +101,47 @@ if [ -n "${CVE_ID}" ]; then topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1 fi +if [ -n "${SA_ID}" ]; then + SA_URL_BASE=https://www.freebsd.org/security/advisories/ + + # Get information from the Project's SA site + tmp_fbsd_sa="$(mktemp ${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX)" || exit 1 + fetch -q -o "${tmp_fbsd_sa}" ${SA_URL_BASE}${SA_ID} || exit 1 + + # Create variables from SA note + if grep -q 'CVE Name' "${tmp_fbsd_sa}"; then + cve_tmp=$(grep 'CVE Name' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1 + cvename="${cve_tmp#"${cve_tmp%%[![:space:]]*}"}" + + # NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT + # cve-2022-39282. + cvename=$(echo "${cvename}" | tr '[:lower:]' '[:upper:]') || exit 1 + cveurl="https://nvd.nist.gov/vuln/detail/${cvename}" + fi + + details=$(awk '/II. Problem Description/ {f=1;next;next} /III. Impact/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}" ) || exit 1 + details=$(echo "

${details}

" | fmt -p -s | sed -e 's/

/

/' | sed '1!s/^/\t/') + impact=$(awk '/III. Impact/ {f=1;next;next} /IV. Workaround/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}") || exit 1 + impact=$(echo "

${impact}

" | fmt -p -s | sed -e 's/

/

/' | sed '1!s/^/\t/') + + package_name="FreeBSD" + if grep -Eq 'Module:.*kernel' "${tmp_fbsd_sa}"; then + package_name="${package_name}-kernel" + fi + + upstream_fix="FIXME" + references="${SA_URL_BASE}${SA_ID}" + source="The FreeBSD Project" + topic_tmp=$(grep 'Topic:' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1 + topic="${topic_tmp#"${topic_tmp%%[![:space:]]*}"}" + +DESC_BODY=" +

Problem Description:

+ ${details} +

Impact:

+ ${impact} + " +fi awk '/^<\?/,/^> "${tmp}" || exit 1 cat << EOF >> "${tmp}" || exit 1 @@ -80,12 +154,7 @@ cat << EOF >> "${tmp}" || exit 1 - -

${source} reports:

-
-

${details}

-
- + ${DESC_BODY}
${cvename}
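Review bot: in the Makefile hunk the new `newentry` target passes both `"CVE_ID=${CVE_ID}"` and `"SA_ID=${SA_ID}"` on every invocation, so the script always receives both keys (possibly empty), and although the usage text in newentry.sh reads `[CVE_ID|SA_ID]` as if they were alternatives, nothing rejects `make newentry CVE_ID=... SA_ID=...`. In that case the CVE block runs first and the SA block then silently overwrites `details`, `topic`, `references` and `source`. Either call `show_usage` when both are non-empty, or state the precedence in the usage text and the commit message.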
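Review bot: in the `@@ -2,22 +2,47 @@` hunk the `exit 1` after `show_usage` in the `*)` case is unreachable, because `show_usage` already exits; drop one of them. The usage line `[CVE_ID|SA_ID]` should also show the form the new parser actually accepts (`CVE_ID=CVE-YYYY-NNNN` or `SA_ID=FreeBSD-SA-YY:NN.name`), since a bare `CVE-2022-39282`, which the old positional interface took, now lands in the `Invalid argument` branch. Also, with `set -eu` in effect, running the script with no arguments aborts on `vuxml_file="$1"` before `show_usage` is ever reached; `vuxml_file="${1:-}"` keeps the usage path working.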
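Review bot: in the `@@ -34,6 +59,14 @@` hunk the default `DESC_BODY` is a plain double-quoted assignment, so the `${source}` and `${details}` inside it are expanded at that point, while `source` is still `SO-AND-SO` and before the CVE block has run. The old heredoc interpolated `${details}` at output time; after this change the CVE path emits whatever `details` held when `DESC_BODY` was assigned, and anything the CVE block assigns afterwards never reaches the entry. The SA block sidesteps this by reassigning `DESC_BODY` after filling `details` and `impact`; give the CVE path the same treatment, or build `DESC_BODY` immediately before the `cat << EOF` so it sees the final values.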
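Review bot: in the `@@ -68,6 +101,47 @@` hunk the SA-derived `topic`, `details` and `impact` go into the XML unescaped, whereas the CVE path runs the MITRE title through `jq ... |@html`. An advisory whose text contains `&`, `<` or `>` (shell snippets and version comparisons do) will yield an ill-formed entry that `make validate` rejects; pass each of these through the same escaping, e.g. `sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'`, before building `DESC_BODY`. Smaller points in the same hunk: `cut -f2 -d:` on the `Topic:` and `CVE Name:` lines truncates at the first colon inside the value and keeps only one identifier when an advisory lists several (`cut -f2- -d:` plus either a loop over the names or a `FIXME` when more than one is found would be safer); the second `next` in `{f=1;next;next}` is dead code; `${SA_URL_BASE}${SA_ID}` is handed to `fetch` unquoted and unvalidated, so a shape check such as `FreeBSD-SA-[0-9][0-9]:[0-9][0-9]\.` before the fetch would turn a typo into a clear error rather than a bare fetch failure; and when the `.asc` form of the advisory is used, its signature could be verified with `gpg --verify` before parsing, which is the check the commit message's "do not blindly trust the output" warning points at.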