git: 7744049a400b - main - security/vuxml: Autofill CVE information

From: Fernando Apesteguía <fernape_at_FreeBSD.org>
Date: Sun, 12 Mar 2023 18:40:03 UTC
The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7744049a400bd21999ae1a7b724d2378fd3e9d6b

commit 7744049a400bd21999ae1a7b724d2378fd3e9d6b
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-03-03 22:44:52 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-12 18:31:09 +0000

    security/vuxml: Autofill CVE information
    
    The `newentry` target accepts an optional parameter CVE_ID.
    When provided, the newentry.sh script tries to retrieve information from the
    NVD and MITRE databases and fill the template accordingly.
    
    The script needs `textproc/jq` and warns the user and exists if it is not found.
    
    How to use it:
    
    make newentry CVE_ID=CVE-2022-39282
    
    Note that this is just a helper. *YOU HUMAN* have to check that the information
    is correct.
    
    Reviewed by: tcberner, jlduran_gmail.com, mat
    Differential Revision: https://reviews.freebsd.org/D38894
---
 security/vuxml/Makefile          |  2 +-
 security/vuxml/files/newentry.sh | 67 ++++++++++++++++++++++++++++++++++------
 2 files changed, 59 insertions(+), 10 deletions(-)

diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile
index 1c5016141eb3..d8305c85191a 100644
--- a/security/vuxml/Makefile
+++ b/security/vuxml/Makefile
@@ -92,7 +92,7 @@ tidy: ${VUXML_FLAT_FILE}
 	${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy"
 
 newentry:
-	@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}"
+	@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID}
 
 .if defined(VID) && !empty(VID)
 html: work/${VID}.html
diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh
index 953d9dcd11e4..6da86b75a65b 100644
--- a/security/vuxml/files/newentry.sh
+++ b/security/vuxml/files/newentry.sh
@@ -1,5 +1,9 @@
 #! /bin/sh
+set -eu
+
 vuxml_file="$1"
+CVE_ID="${2:-}"
+
 if [ -z "${vuxml_file}" ]; then
   exec >&2
   echo "Usage: newentry.sh /path/to/vuxml/document"
@@ -7,40 +11,85 @@ if [ -z "${vuxml_file}" ]; then
 fi
 
 tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1
+tmp_mitre=""
+tmp_nvd=""
+
 doclean="yes"
 cleanup() {
   if [ "${doclean}" = "yes" ]; then
-    rm -f "${tmp}"
+    rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
   fi
 }
 trap cleanup EXIT 1 2 13 15
 
 vid="`uuidgen | tr '[:upper:]' '[:lower:]'`"
 [ -z "$vid" ] && exit 1
+cvename="INSERT CVE RECORD IF AVAILABLE"
+cveurl="INSERT BLOCKQUOTE URL HERE"
+details="."
 discovery="`date -u '+%Y-%m'`-FIXME" || exit 1
 entry="`date -u '+%Y-%m-%d'`" || exit 1
+package_name=""
+references="INSERT URL HERE"
+topic=""
+source="SO-AND-SO"
+upstream_fix=""
+
+# Try to retrieve information if a CVE identifier was provided
+if [ -n "${CVE_ID}" ]; then
+	if ! command -v jq > /dev/null; then
+		echo textproc/jq is needed for CVE automatic entry fill
+		exit 1
+	fi
+
+	# NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT
+	# cve-2022-39282.
+	CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1
+
+	# Get information from the NVD database JSON format
+	tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1
+	fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1
+	# Get information from MITRE database (they provide a nice "topic"
+	tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1
+	fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}"
+
+	# Create variables from input and online sources
+	cvename="${CVE_ID}"
+	cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID}
+	pref=.vulnerabilities[0].cve
+	details=$(jq -r "${pref}.descriptions[0].value|@html" "${tmp_nvd}" | fmt -p -s | sed '1!s/^/\t/') || exit 1
+	discovery=$(jq -r "${pref}.published|@html" "${tmp_nvd}" | cut -f1 -dT) || exit 1
+	pref=.vulnerabilities[0].cve.configurations[0].nodes[0].cpeMatch[0]
+	package_name=$(jq -r "${pref}.criteria|@html" "${tmp_nvd}" | cut -f4 -d:) || exit 1
+	upstream_fix=$(jq -r "${pref}.versionEndExcluding|@html" "${tmp_nvd}") || exit 1
+	pref=.vulnerabilities[0].cve.references[0]
+	references=$(jq -r "${pref}.url|@html" "${tmp_nvd}" | tr " " "\n") || exit 1
+	source=$(jq -r "${pref}.source|@html" "${tmp_nvd}" | tr " " "\n") || exit 1
+	topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1
+fi
+
 
 awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1
 cat << EOF >> "${tmp}" || exit 1
   <vuln vid="${vid}">
-    <topic> -- </topic>
+    <topic>${package_name} -- ${topic}</topic>
     <affects>
       <package>
-	<name></name>
-	<range><lt></lt></range>
+	<name>${package_name}</name>
+	<range><lt>${upstream_fix}</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>SO-AND-SO reports:</p>
-	<blockquote cite="INSERT URL HERE">
-	  <p>.</p>
+	<p>${source} reports:</p>
+	<blockquote cite="${references}">
+	  <p>${details}</p>
 	</blockquote>
       </body>
     </description>
     <references>
-      <cvename>INSERT CVE RECORD IF AVAILABLE</cvename>
-      <url>INSERT BLOCKQUOTE URL HERE</url>
+      <cvename>${cvename}</cvename>
+      <url>${cveurl}</url>
     </references>
     <dates>
       <discovery>${discovery}</discovery>