Date: Fri, 12 Mar 2021 12:49:51 GMT
From: Fernando Apesteguía <fernape@FreeBSD.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
Subject: git: bf79ecf9cf - main - [phb:security] Fix vuln.xml testing procedure
Message-ID: <202103121249.12CCnpv1071071@gitrepo.freebsd.org>
The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/doc/commit/?id=bf79ecf9cf9ebb19587ac2c40f1cb4c9fab77fbe

commit bf79ecf9cf9ebb19587ac2c40f1cb4c9fab77fbe
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2021-03-11 14:47:12 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2021-03-12 12:45:48 +0000

    [phb:security] Fix vuln.xml testing procedure

    Summary:
    In [[https://svnweb.freebsd.org/ports?view=revision&revision=562203|r562203]] and
    [[https://svnweb.freebsd.org/ports?view=revision&revision=562203|r562204]] the
    vuln.xml file was split by year. As stated in the commit message, `pkg(8) audit`
    does not support entities and hence we need to use the vuln-flat.xml file to
    test changes to the port.

    Test Plan:
    * Try something like this:

    ```
    $ pkg audit -f ./vuln.xml gitea-1.13.4
    pkg: Syntax error while parsing vulnxml
    pkg: cannot process vulnxml
    ```

    and then:

    ```
    $ pkg audit -f ./vuln-flat.xml gitea-1.13.4
    0 problem(s) in 0 installed package(s) found.
    ```

    After the patch:
    * `igor` clean
    * The documentation is rendered properly.

    Reviewers: 0mp, gbe

    Differential Revision: https://reviews.freebsd.org/D29219
---
 .../content/en/books/porters-handbook/security/chapter.adoc | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/documentation/content/en/books/porters-handbook/security/chapter.adoc b/documentation/content/en/books/porters-handbook/security/chapter.adoc
index bdb03952e3..3a3d5b9b26 100644
--- a/documentation/content/en/books/porters-handbook/security/chapter.adoc
+++ b/documentation/content/en/books/porters-handbook/security/chapter.adoc
@@ -198,6 +198,14 @@ Verify its syntax and formatting:
 % make validate
 ....
 
+The previous command generates the [.filename]#vuln-flat.xml# file. It can also
+be generated with:
+
+[source,bash]
+....
+% make vuln-flat.xml
+....
+
 [NOTE]
 ====
 At least one of these packages needs to be installed: package:textproc/libxml2[], package:textproc/jade[].
@@ -207,7 +215,7 @@ Verify that the `<affected>` section of the entry will match the correct package
 
 [source,bash]
 ....
-% pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58
+% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58
 ....
 
 Make sure that the entry produces no spurious matches in the output.
@@ -216,7 +224,7 @@ Now check whether the right package versions are matched by the entry:
 
 [source,bash]
 ....
-% pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58 dropbear-2013.59
+% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58 dropbear-2013.59
 dropbear-2012.58 is vulnerable:
 dropbear -- exposure of sensitive information, DoS
 CVE: CVE-2013-4434
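Review bot: in the first hunk (`@@ -198,6 +198,14 @@`) the new paragraph starting `+The previous command generates the [.filename]#vuln-flat.xml# file.` is placed between `% make validate` and the `[NOTE]` block that lists the packages `make validate` needs, so the note now reads as if it qualified `make vuln-flat.xml` instead; consider moving the paragraph below the `====` that closes the note, or stating whether `make vuln-flat.xml` has the same package requirement. The rendered text also never says why the flat file is needed; a single sentence along the lines of the commit message (`pkg audit` does not handle the entity references the per-year split of `vuln.xml` introduced, so it must be given `vuln-flat.xml`) would save readers from wondering why `vuln.xml` itself cannot be passed to `pkg audit -f`.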
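Review bot: the second hunk (`@@ -207,7 +215,7 @@`) switches the command to `${PORTSDIR}/security/vuxml/vuln-flat.xml`, but nothing in this step reminds the reader that the flat file is a generated artifact that has to be rebuilt (`make validate` or `make vuln-flat.xml`, as the first hunk documents) after every edit to `vuln.xml`; run against a stale copy, `pkg audit` silently tests the previous version of the entry and a wrong `<affected>` block goes unnoticed. Suggest a short lead-in before the command, e.g. `Regenerate [.filename]#vuln-flat.xml# first if [.filename]#vuln.xml# has been edited since the last run.`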
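Review bot: in the third hunk (`@@ -216,7 +224,7 @@`) the command now checks `dropbear-2013.58 dropbear-2013.59`, yet the sample output that follows still reads `dropbear-2012.58 is vulnerable:`, a version the command was never given; this looks like a pre-existing typo in the example, and since the adjacent line is already being touched it would be worth correcting the output line to match the version actually passed to `pkg audit` in the same change.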