authorFernando ApesteguĂ­a <fernape@FreeBSD.org>2023-09-22 18:17:13 +0000
committerFernando ApesteguĂ­a <fernape@FreeBSD.org>2023-09-25 11:25:55 +0000
commite90a0b117fdc61d6d6bc4b02a4b7b5be5a878b2d (patch)
tree198951e3fd5459fefc07a8c4addd4083d4fdddf5
parentc41955fd12d48fa71b1d250d6fe9bd257d295a1f (diff)
security/vuxml: Add SA_ID to make newentry
Automate registration of FreeBSD Security Advisories. It adds a new parameter for the newentry subcommand accepting an SA ID as present in the FreeBSD Security Advisories web page (https://www.freebsd.org/security/advisories/). It fills in an entry following the common structure for FreeBSD SAs and leaves some "FIXME" strings in those places that need special care. Developers should NOT blindly trust the output of the script. `make newentry SA_ID=FreeBSD-SA-23:11.wifi.asc` `make newentry SA_ID=FreeBSD-SA-22:01.vt` Reviewed by: philip@ Differential Revision: https://reviews.freebsd.org/D41966
-rw-r--r--security/vuxml/Makefile2
-rw-r--r--security/vuxml/files/newentry.sh91
2 files changed, 81 insertions, 12 deletions
diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile
index d8305c85191a..3e5d1d98ab34 100644
--- a/security/vuxml/Makefile
+++ b/security/vuxml/Makefile
@@ -92,7 +92,7 @@ tidy: ${VUXML_FLAT_FILE}
${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy"
newentry:
- @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID}
+ @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}"
.if defined(VID) && !empty(VID)
html: work/${VID}.html
diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh
index 6da86b75a65b..58b2d874ec7e 100644
--- a/security/vuxml/files/newentry.sh
+++ b/security/vuxml/files/newentry.sh
@@ -2,22 +2,47 @@
set -eu
vuxml_file="$1"
-CVE_ID="${2:-}"
+CVE_ID=""
+SA_ID=""
-if [ -z "${vuxml_file}" ]; then
+show_usage() {
exec >&2
- echo "Usage: newentry.sh /path/to/vuxml/document"
+ echo "Usage: newentry.sh /path/to/vuxml/document [CVE_ID|SA_ID]"
exit 1
+}
+
+if [ -z "${vuxml_file}" ]; then
+ show_usage
fi
+shift
+while [ $# -gt 0 ]; do
+case "$1" in
+ CVE_ID=*)
+ CVE_ID="${1#CVE_ID=}"
+ shift
+ ;;
+ SA_ID=*)
+ SA_ID="${1#SA_ID=}"
+ shift
+ ;;
+ *)
+ echo "Invalid argument: $1"
+ show_usage
+ exit 1
+ ;;
+esac
+done
+
tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1
+tmp_fbsd_sa=""
tmp_mitre=""
tmp_nvd=""
doclean="yes"
cleanup() {
if [ "${doclean}" = "yes" ]; then
- rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
+ rm -f "${tmp}" "${tmp_fbsd_sa}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
fi
}
trap cleanup EXIT 1 2 13 15
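Review bot: In the `*)` branch of the argument loop the diagnostic `echo "Invalid argument: $1"` goes to stdout, while show_usage redirects to stderr and exits, so the `exit 1` that follows show_usage is never reached; write `echo "Invalid argument: $1" >&2` and drop the redundant `exit 1`. The new usage text also does not match the syntax the loop accepts, since only `CVE_ID=...` and `SA_ID=...` words are recognised: `echo "Usage: newentry.sh /path/to/vuxml/document [CVE_ID=<id>] [SA_ID=<id>]"`.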
@@ -34,6 +59,14 @@ references="INSERT URL HERE"
topic=""
source="SO-AND-SO"
upstream_fix=""
+impact=""
+DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\">
+ <p>${source} reports:</p>
+ <blockquote cite=\"${references}\">
+ <p>${details}</p>
+ </blockquote>
+ </body>"
+
# Try to retrieve information if a CVE identifier was provided
if [ -n "${CVE_ID}" ]; then
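Review bot: DESC_BODY is assigned with double quotes at its definition, so `${source}`, `${references}` and `${details}` are expanded right there with their placeholder values, before the CVE block that starts at the end of this hunk has run; if that block (its body lies between the hunks) updates any of those variables, as the old heredoc would have picked up, the generated description now keeps the placeholders. Build the default body after all fetching is done instead: move this assignment to just before the `awk '/^<\?/,/^<vuxml/ …` line and guard it with `if [ -z "${SA_ID}" ]; then … fi`, so the SA branch's own assignment stays the override. The CVE `if` block continues past the end of this hunk.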
@@ -49,7 +82,7 @@ if [ -n "${CVE_ID}" ]; then
# Get information from the NVD database JSON format
tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1
fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1
- # Get information from MITRE database (they provide a nice "topic"
+ # Get information from MITRE database (they provide a nice "topic")
tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1
fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}"
@@ -68,6 +101,47 @@ if [ -n "${CVE_ID}" ]; then
topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1
fi
+if [ -n "${SA_ID}" ]; then
+ SA_URL_BASE=https://www.freebsd.org/security/advisories/
+
+ # Get information from the Project's SA site
+ tmp_fbsd_sa="$(mktemp ${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX)" || exit 1
+ fetch -q -o "${tmp_fbsd_sa}" ${SA_URL_BASE}${SA_ID} || exit 1
+
+ # Create variables from SA note
+ if grep -q 'CVE Name' "${tmp_fbsd_sa}"; then
+ cve_tmp=$(grep 'CVE Name' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1
+ cvename="${cve_tmp#"${cve_tmp%%[![:space:]]*}"}"
+
+ # NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT
+ # cve-2022-39282.
+ cvename=$(echo "${cvename}" | tr '[:lower:]' '[:upper:]') || exit 1
+ cveurl="https://nvd.nist.gov/vuln/detail/${cvename}"
+ fi
+
+ details=$(awk '/II. Problem Description/ {f=1;next;next} /III. Impact/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}" ) || exit 1
+ details=$(echo "<p>${details}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')
+ impact=$(awk '/III. Impact/ {f=1;next;next} /IV. Workaround/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}") || exit 1
+ impact=$(echo "<p>${impact}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')
+
+ package_name="FreeBSD"
+ if grep -Eq 'Module:.*kernel' "${tmp_fbsd_sa}"; then
+ package_name="${package_name}-kernel"
+ fi
+
+ upstream_fix="FIXME"
+ references="${SA_URL_BASE}${SA_ID}"
+ source="The FreeBSD Project"
+ topic_tmp=$(grep 'Topic:' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1
+ topic="${topic_tmp#"${topic_tmp%%[![:space:]]*}"}"
+
+DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\">
+ <h1>Problem Description:</h1>
+ ${details}
+ <h1>Impact:</h1>
+ ${impact}
+ </body>"
+fi
awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1
cat << EOF >> "${tmp}" || exit 1
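Review bot: The `details` and `impact` text extracted from the advisory is placed verbatim inside `<p>` elements, but unlike the CVE branch, which escapes with `jq … |@html`, nothing escapes `&`, `<` or `>`, so an advisory whose description contains such characters yields an ill-formed entry. Add a helper, `xml_escape() { sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'; }`, and append `| xml_escape` to the two awk pipelines at the `details=` and `impact=` assignments. SA_ID is also interpolated into the fetch command unquoted; write `"${SA_URL_BASE}${SA_ID}"` and reject values that contain `/` or do not look like the `FreeBSD-SA-YY:NN.name` form shown in the commit message before fetching, since the value is trusted for both the URL and the `<references>` element. If `grep 'CVE Name'` matches more than one line, cvename becomes multi-line and the single `<cvename>` element in the template receives all of them, which may need a loop rather than one element.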
@@ -80,12 +154,7 @@ cat << EOF >> "${tmp}" || exit 1
</package>
</affects>
<description>
- <body xmlns="http://www.w3.org/1999/xhtml">
- <p>${source} reports:</p>
- <blockquote cite="${references}">
- <p>${details}</p>
- </blockquote>
- </body>
+ ${DESC_BODY}
</description>
<references>
<cvename>${cvename}</cvename>