Date: Sun, 12 Mar 2023 18:40:03 GMT From: =?utf-8?Q?Fernando=20Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 7744049a400b - main - security/vuxml: Autofill CVE information Message-ID: <202303121840.32CIe3bE039837@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=7744049a400bd21999ae1a7b724d2378fd3e9d6b commit 7744049a400bd21999ae1a7b724d2378fd3e9d6b Author: Fernando ApesteguĂa <fernape@FreeBSD.org> AuthorDate: 2023-03-03 22:44:52 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2023-03-12 18:31:09 +0000 security/vuxml: Autofill CVE information The `newentry` target accepts an optional parameter CVE_ID. When provided, the newentry.sh script tries to retrieve information from the NVD and MITRE databases and fill the template accordingly. The script needs `textproc/jq` and warns the user and exists if it is not found. How to use it: make newentry CVE_ID=CVE-2022-39282 Note that this is just a helper. *YOU HUMAN* have to check that the information is correct. Reviewed by: tcberner, jlduran_gmail.com, mat Differential Revision: https://reviews.freebsd.org/D38894 --- security/vuxml/Makefile | 2 +- security/vuxml/files/newentry.sh | 67 ++++++++++++++++++++++++++++++++++------ 2 files changed, 59 insertions(+), 10 deletions(-) diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile index 1c5016141eb3..d8305c85191a 100644 --- a/security/vuxml/Makefile +++ b/security/vuxml/Makefile @@ -92,7 +92,7 @@ tidy: ${VUXML_FLAT_FILE} ${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy" newentry: - @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" + @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID} .if defined(VID) && !empty(VID) html: work/${VID}.html diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh index 953d9dcd11e4..6da86b75a65b 100644 --- a/security/vuxml/files/newentry.sh +++ b/security/vuxml/files/newentry.sh @@ -1,5 +1,9 @@ #! /bin/sh +set -eu + vuxml_file="$1" +CVE_ID="${2:-}" + if [ -z "${vuxml_file}" ]; then exec >&2 echo "Usage: newentry.sh /path/to/vuxml/document" @@ -7,40 +11,85 @@ if [ -z "${vuxml_file}" ]; then fi tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1 +tmp_mitre="" +tmp_nvd="" + doclean="yes" cleanup() { if [ "${doclean}" = "yes" ]; then - rm -f "${tmp}" + rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null fi } trap cleanup EXIT 1 2 13 15 vid="`uuidgen | tr '[:upper:]' '[:lower:]'`" [ -z "$vid" ] && exit 1 +cvename="INSERT CVE RECORD IF AVAILABLE" +cveurl="INSERT BLOCKQUOTE URL HERE" +details="." discovery="`date -u '+%Y-%m'`-FIXME" || exit 1 entry="`date -u '+%Y-%m-%d'`" || exit 1 +package_name="" +references="INSERT URL HERE" +topic="" +source="SO-AND-SO" +upstream_fix="" + +# Try to retrieve information if a CVE identifier was provided +if [ -n "${CVE_ID}" ]; then + if ! command -v jq > /dev/null; then + echo textproc/jq is needed for CVE automatic entry fill + exit 1 + fi + + # NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT + # cve-2022-39282. + CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1 + + # Get information from the NVD database JSON format + tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1 + fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1 + # Get information from MITRE database (they provide a nice "topic" + tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1 + fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}" + + # Create variables from input and online sources + cvename="${CVE_ID}" + cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID} + pref=.vulnerabilities[0].cve + details=$(jq -r "${pref}.descriptions[0].value|@html" "${tmp_nvd}" | fmt -p -s | sed '1!s/^/\t/') || exit 1 + discovery=$(jq -r "${pref}.published|@html" "${tmp_nvd}" | cut -f1 -dT) || exit 1 + pref=.vulnerabilities[0].cve.configurations[0].nodes[0].cpeMatch[0] + package_name=$(jq -r "${pref}.criteria|@html" "${tmp_nvd}" | cut -f4 -d:) || exit 1 + upstream_fix=$(jq -r "${pref}.versionEndExcluding|@html" "${tmp_nvd}") || exit 1 + pref=.vulnerabilities[0].cve.references[0] + references=$(jq -r "${pref}.url|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 + source=$(jq -r "${pref}.source|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 + topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1 +fi + awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1 cat << EOF >> "${tmp}" || exit 1 <vuln vid="${vid}"> - <topic> -- </topic> + <topic>${package_name} -- ${topic}</topic> <affects> <package> - <name></name> - <range><lt></lt></range> + <name>${package_name}</name> + <range><lt>${upstream_fix}</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> - <blockquote cite="INSERT URL HERE"> - <p>.</p> + <p>${source} reports:</p> + <blockquote cite="${references}"> + <p>${details}</p> </blockquote> </body> </description> <references> - <cvename>INSERT CVE RECORD IF AVAILABLE</cvename> - <url>INSERT BLOCKQUOTE URL HERE</url> + <cvename>${cvename}</cvename> + <url>${cveurl}</url> </references> <dates> <discovery>${discovery}</discovery>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202303121840.32CIe3bE039837>