git: bf79ecf9cf - main - [phb:security] Fix vuln.xml testing procedure

Fernando Apesteguía fernape at FreeBSD.org
Fri Mar 12 12:49:51 UTC 2021


The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/doc/commit/?id=bf79ecf9cf9ebb19587ac2c40f1cb4c9fab77fbe

commit bf79ecf9cf9ebb19587ac2c40f1cb4c9fab77fbe
Author:     Fernando Apesteguía <fernape at FreeBSD.org>
AuthorDate: 2021-03-11 14:47:12 +0000
Commit:     Fernando Apesteguía <fernape at FreeBSD.org>
CommitDate: 2021-03-12 12:45:48 +0000

    [phb:security] Fix vuln.xml testing procedure
    
    Summary:
    In [[https://svnweb.freebsd.org/ports?view=revision&revision=562203|r562203]]
    and [[https://svnweb.freebsd.org/ports?view=revision&revision=562203|r562204]] the vuln.xml file was split by year.
    
    As stated in the commit message, `pkg(8) audit` does not support entities and hence
    we need to use the vuln-flat.xml file to test changes to the port.
    
    Test Plan:
    * Try something like this:
    
    ```
    $ pkg audit -f ./vuln.xml gitea-1.13.4
    pkg: Syntax error while parsing vulnxml
    pkg: cannot process vulnxml
    ```
    
    and then:
    
    ```
    $ pkg audit -f ./vuln-flat.xml gitea-1.13.4
    0 problem(s) in 0 installed package(s) found.
    ```
    
    After the patch:
    
    * `igor` clean
    * The documentation is rendered properly.
    
    Reviewers: 0mp, gbe
    
    Differential Revision: https://reviews.freebsd.org/D29219
---
 .../content/en/books/porters-handbook/security/chapter.adoc  | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/documentation/content/en/books/porters-handbook/security/chapter.adoc b/documentation/content/en/books/porters-handbook/security/chapter.adoc
index bdb03952e3..3a3d5b9b26 100644
--- a/documentation/content/en/books/porters-handbook/security/chapter.adoc
+++ b/documentation/content/en/books/porters-handbook/security/chapter.adoc
@@ -198,6 +198,14 @@ Verify its syntax and formatting:
 % make validate
 ....
 
+The previous command generates the [.filename]#vuln-flat.xml# file. It can also
+be generated with:
+
+[source,bash]
+....
+% make vuln-flat.xml
+....
+
 [NOTE]
 ====
 At least one of these packages needs to be installed: package:textproc/libxml2[], package:textproc/jade[].
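Review bot: The added paragraph tells the reader that vuln-flat.xml exists but not why the later steps switch to it; the commit summary gives the reason (pkg(8) audit does not handle the entities that vuln.xml uses since the split by year). Consider adding that rationale after `The previous command generates the [.filename]#vuln-flat.xml# file.` so the subsequent `pkg audit -f .../vuln-flat.xml` commands do not read as arbitrary, and note that the flat file is derived from vuln.xml and goes stale when vuln.xml is edited.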
@@ -207,7 +215,7 @@ Verify that the `<affected>` section of the entry will match the correct package
 
 [source,bash]
 ....
-% pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58
+% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58
 ....
 
 Make sure that the entry produces no spurious matches in the output.
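Review bot: The path change is right, but because vuln-flat.xml is a generated file the text before this command should say that `make validate` (or `make vuln-flat.xml`) has to be rerun after every edit to the entry; otherwise `% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58` tests a stale copy and the "no spurious matches" check that follows says nothing about the current entry.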
@@ -216,7 +224,7 @@ Now check whether the right package versions are matched by the entry:
 
 [source,bash]
 ....
-% pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58 dropbear-2013.59
+% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58 dropbear-2013.59
 dropbear-2012.58 is vulnerable:
 dropbear -- exposure of sensitive information, DoS
 CVE: CVE-2013-4434
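Review bot: The sample output in this block does not match the command above it: the command queries `dropbear-2013.58 dropbear-2013.59`, yet the output reads `dropbear-2012.58 is vulnerable:`. This is pre-existing, but since the block is being touched anyway the package name in the output (or in the command) should be made consistent so readers can reproduce the check and compare results.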

