git: bf79ecf9cf - main - [phb:security] Fix vuln.xml testing procedure
Fernando Apesteguía
fernape at FreeBSD.org
Fri Mar 12 12:49:51 UTC 2021
The branch main has been updated by fernape:
URL: https://cgit.FreeBSD.org/doc/commit/?id=bf79ecf9cf9ebb19587ac2c40f1cb4c9fab77fbe
commit bf79ecf9cf9ebb19587ac2c40f1cb4c9fab77fbe
Author: Fernando Apesteguía <fernape at FreeBSD.org>
AuthorDate: 2021-03-11 14:47:12 +0000
Commit: Fernando Apesteguía <fernape at FreeBSD.org>
CommitDate: 2021-03-12 12:45:48 +0000
[phb:security] Fix vuln.xml testing procedure
Summary:
In [[https://svnweb.freebsd.org/ports?view=revision&revision=562203|r562203]]
and [[https://svnweb.freebsd.org/ports?view=revision&revision=562203|r562204]] the vuln.xml file was split by year.
As stated in the commit message, `pkg(8) audit` does not support entities and hence,
we need to use the vuln-flat.xml file to test changes to the port.
Test Plan:
* Try something like this:
```
$ pkg audit -f ./vuln.xml gitea-1.13.4
pkg: Syntax error while parsing vulnxml
pkg: cannot process vulnxml
```
and then:
```
$ pkg audit -f ./vuln-flat.xml gitea-1.13.4
0 problem(s) in 0 installed package(s) found.
```
After the patch:
* `igor` clean
* The documentation is rendered properly.
Reviewers: 0mp, gbe
Differential Revision: https://reviews.freebsd.org/D29219
---
.../content/en/books/porters-handbook/security/chapter.adoc | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/documentation/content/en/books/porters-handbook/security/chapter.adoc b/documentation/content/en/books/porters-handbook/security/chapter.adoc
index bdb03952e3..3a3d5b9b26 100644
--- a/documentation/content/en/books/porters-handbook/security/chapter.adoc
+++ b/documentation/content/en/books/porters-handbook/security/chapter.adoc
@@ -198,6 +198,14 @@ Verify its syntax and formatting:
% make validate
....
+The previous command generates the [.filename]#vuln-flat.xml# file. It can also
+be generated with:
+
+[source,bash]
+....
+% make vuln-flat.xml
+....
+
[NOTE]
====
At least one of these packages needs to be installed: package:textproc/libxml2[], package:textproc/jade[].
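Review bot: the new paragraph lands between `make validate` and the NOTE about textproc/libxml2 and textproc/jade, so it is no longer clear whether that package requirement applies to `make validate`, to `make vuln-flat.xml`, or to both; either move the inserted paragraph after the NOTE block or say explicitly which target needs them. It would also help to state that [.filename]#vuln-flat.xml# is a generated file that has to be regenerated after every edit to the per-year entries, because the `pkg audit` steps that follow read only the flat file and would otherwise test a stale copy of the entry.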
@@ -207,7 +215,7 @@ Verify that the `<affected>` section of the entry will match the correct package
[source,bash]
....
-% pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58
+% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58
....
Make sure that the entry produces no spurious matches in the output.
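Review bot: this command only works once `make validate` (or `make vuln-flat.xml`) has produced the flat file, but nothing in this step says so; a reader who jumps straight here will get an error from `pkg audit` about the missing file rather than a result. A short lead-in along the lines of "using the [.filename]#vuln-flat.xml# generated in the previous step" would tie the two steps together. Since the commit message shows that pointing `pkg audit` at the entity-based `vuln.xml` now fails with "Syntax error while parsing vulnxml", a one-line note explaining why the flat file is used would also save readers with old habits some confusion.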
@@ -216,7 +224,7 @@ Now check whether the right package versions are matched by the entry:
[source,bash]
....
-% pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58 dropbear-2013.59
+% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58 dropbear-2013.59
dropbear-2012.58 is vulnerable:
dropbear -- exposure of sensitive information, DoS
CVE: CVE-2013-4434
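Review bot: the sample output still reads `dropbear-2012.58 is vulnerable:` while the command now checks `dropbear-2013.58 dropbear-2013.59`, so the example contradicts itself; since this line is being touched anyway, the output should read `dropbear-2013.58 is vulnerable:` (or the command should include `dropbear-2012.58`) so that the shown result actually follows from the shown command.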
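The commit's test plan checks an entry by running `pkg audit -f vuln-flat.xml` against candidate package names. The script below is an added illustration of what that check does, not code from the FreeBSD ports tree or from pkg(8): it parses a constructed VuXML fragment (inline `<affected>` blocks, no entities, standing in for `vuln-flat.xml`; the `vid` values and the gitea entry are made up) and reports which packages each entry would match. The version ordering is a deliberately simplified approximation of pkg's rules (epoch after `,`, PORTREVISION after `_`, dotted components compared numerically where possible); pkg itself has further rules, so use it to reason about an entry, not as a replacement for the real `pkg audit` run.

```python
"""Which packages would a VuXML <affected> block match?

Added example, not FreeBSD's or pkg(8)'s code.  The version comparison is an
approximation of pkg's ordering; the VuXML text below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed VuXML fragment.  The dropbear range mirrors the handbook example;
# the gitea entry and both vid values are invented for this illustration.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>dropbear -- exposure of sensitive information, DoS</topic>
    <affected>
      <package>
        <name>dropbear</name>
        <range><lt>2013.59</lt></range>
      </package>
    </affected>
  </vuln>
  <vuln vid="11111111-1111-1111-1111-111111111111">
    <topic>gitea -- example entry</topic>
    <affected>
      <package>
        <name>gitea</name>
        <range><ge>1.12.0</ge><lt>1.13.4</lt></range>
      </package>
    </affected>
  </vuln>
</vuxml>"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def _split_version(version):
    """Return (epoch, [components], revision) for a pkg-style version string."""
    epoch = 0
    if "," in version:                      # PORTEPOCH: "1.2,1"
        version, epoch_str = version.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:                      # PORTREVISION: "1.2_3"
        version, rev_str = version.rsplit("_", 1)
        revision = int(rev_str)
    # Numeric runs compare as integers, alphabetic runs as strings; the kind
    # tag keeps int/str comparisons apart.  (Simplification of pkg's rules.)
    parts = [(0, int(tok)) if tok.isdigit() else (1, tok)
             for tok in re.findall(r"\d+|[A-Za-z]+", version)]
    return epoch, parts, revision


def compare_versions(a, b):
    """-1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, pa, ra = _split_version(a)
    eb, pb, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    n = max(len(pa), len(pb))               # "1.0" == "1.0.0"
    pa = pa + [(0, 0)] * (n - len(pa))
    pb = pb + [(0, 0)] * (n - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


_OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0,
    "gt": lambda c: c > 0, "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def _in_range(version, range_el):
    """True when version satisfies every bound inside one <range>."""
    for bound in range_el:
        tag = bound.tag.split("}", 1)[-1]   # strip the namespace
        if tag not in _OPS:
            raise ValueError(f"unknown range bound <{tag}>")
        if not _OPS[tag](compare_versions(version, bound.text.strip())):
            return False
    return True


def affected_topics(vuxml_text, pkgspec):
    """Topics of every <vuln> whose <affected> matches 'name-version'."""
    name, version = pkgspec.rsplit("-", 1)
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        for package in vuln.findall("v:affected/v:package", NS):
            if package.findtext("v:name", namespaces=NS) != name:
                continue
            if any(_in_range(version, r) for r in package.findall("v:range", NS)):
                hits.append(vuln.findtext("v:topic", namespaces=NS))
                break
    return hits


def audit(vuxml_text, *pkgspecs):
    """Rough equivalent of `pkg audit -f vuln-flat.xml pkg...`."""
    return {spec: affected_topics(vuxml_text, spec) for spec in pkgspecs}


if __name__ == "__main__":
    result = audit(SAMPLE_VUXML, "dropbear-2013.58", "dropbear-2013.59",
                   "gitea-1.13.4", "gitea-1.12.5")
    for spec, topics in result.items():
        print(spec, "->", topics or "no match")
```

Running it reproduces the handbook's intent: dropbear-2013.58 is matched by the `<lt>2013.59</lt>` range and dropbear-2013.59 is not, and gitea-1.13.4 (the version from the commit message) falls outside the constructed gitea range. The same two checks are what the `pkg audit` steps in the patch perform: the first command must produce no spurious matches, the second must flag exactly the vulnerable versions.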