From nobody Sun Mar 12 18:40:03 2023 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PZT9c0nZ0z3xT5g; Sun, 12 Mar 2023 18:40:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PZT9c0HD5z44wD; Sun, 12 Mar 2023 18:40:04 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1678646404; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=bdl49yz0s/6KjR6CiT+1KJAfjf8JVOcI3cHzrpWaBpA=; b=QlRqEEZeDUagEcWPTCt2R+vqJtBVX7atw0w/8FQNxXkBnanppQWtEn1+qyiqdicqv9fzUb Gkh0zsoaxC7mw8nI9KwSpu1ZYfBFy7pP4EaTyu64U9giw8sKxoMazzj05a2gqEmxxkAUnU ui03+ImkX83R8MNX+G1Ah/ejrFXYRE9psDZBIpIBkz03rklxEP5yKbafO9mUfwsO0jJb6R 8SOzh2g/Q/oTAXr+9gz0+M+XBI3a5tWaZLdWQS5q4PUsJLD/1Jyzmg6HGEQdSEbgTnlVEN 3zXJh8uDD8cezp9QAXQH3/xn08IWuvZHuZhIgXDHIELwErbng9YMdbzrS1RY+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1678646404; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=bdl49yz0s/6KjR6CiT+1KJAfjf8JVOcI3cHzrpWaBpA=; b=EGS+szuFzKDkgBougOkvG8mbny0mSy9qKDK3PReSQNJsQqBBOqpFbAlyl5Jt6F3uW8WcFh AUC6EzWMeYDzEUi1J+p3QM0ESOHu4P9MD3qC/GQ2EsDm5Ft2FnpB3wizYUhf7weztcDKjQ YEq0g/hO0DY/szoxDkeF+dFQeCRsGqu0uNljhKRUKcFfyUWD90SWzOeSEDqkqay8UUQO3x Rqq+vFm0lhHFDUB4SSai/CdJHgdGFXFuNKjHxbrb4m2E6QE/N2Jt6nwVsBu1CeBJRknAWx bj7hrtU0k4BESNCBMeIVrfQsmS6vBNWEds/U59SK/exUghHYn7d2FOV7DESi0Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1678646404; a=rsa-sha256; cv=none; b=oOalrh8jryHOoP0Zc/NXQ/cwUNe4ahQDHNQiI+4xb5ik+EkpQRwADQto2ecUl61C3qatcB c/VNVF2gRGeCtJkzcRrDqnHs2v2lOQJ9jLTYn+ayug+j+uvfkZv8CG38QBqD+8xZB+bB2Z smajwV2YTEeXWXwWia0U4S0+FVdpdfUzne0pzRi4I8c6MomJFanKUN73WmQd5MJlmPtBY6 Ac4deNk6m2g0oBGIiqR1Cr9kjzGWT8lPgv3aE9ITQQllzzByhjfCE8mo4+HJs3nwvAjGF4 nq3GAHYSJC1XzP/mKHzZWZsh8w9xComdan8SlEcAEUl6wOpGKhTKjcw97wtjbA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PZT9b6SSHzMZs; Sun, 12 Mar 2023 18:40:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 32CIe3wT039840; Sun, 12 Mar 2023 18:40:03 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 32CIe3bE039837; Sun, 12 Mar 2023 18:40:03 GMT (envelope-from git) Date: Sun, 12 Mar 2023 18:40:03 GMT Message-Id: <202303121840.32CIe3bE039837@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: =?utf-8?Q?Fernando=20Apestegu=C3=ADa?= Subject: git: 7744049a400b - main - security/vuxml: Autofill CVE information List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: fernape X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 7744049a400bd21999ae1a7b724d2378fd3e9d6b Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=7744049a400bd21999ae1a7b724d2378fd3e9d6b commit 7744049a400bd21999ae1a7b724d2378fd3e9d6b Author: Fernando ApesteguĂ­a AuthorDate: 2023-03-03 22:44:52 +0000 Commit: Fernando ApesteguĂ­a CommitDate: 2023-03-12 18:31:09 +0000 security/vuxml: Autofill CVE information The `newentry` target accepts an optional parameter CVE_ID. When provided, the newentry.sh script tries to retrieve information from the NVD and MITRE databases and fill the template accordingly. The script needs `textproc/jq` and warns the user and exists if it is not found. How to use it: make newentry CVE_ID=CVE-2022-39282 Note that this is just a helper. *YOU HUMAN* have to check that the information is correct. Reviewed by: tcberner, jlduran_gmail.com, mat Differential Revision: https://reviews.freebsd.org/D38894 --- security/vuxml/Makefile | 2 +- security/vuxml/files/newentry.sh | 67 ++++++++++++++++++++++++++++++++++------ 2 files changed, 59 insertions(+), 10 deletions(-) diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile index 1c5016141eb3..d8305c85191a 100644 --- a/security/vuxml/Makefile +++ b/security/vuxml/Makefile @@ -92,7 +92,7 @@ tidy: ${VUXML_FLAT_FILE} ${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy" newentry: - @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" + @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID} .if defined(VID) && !empty(VID) html: work/${VID}.html diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh index 953d9dcd11e4..6da86b75a65b 100644 --- a/security/vuxml/files/newentry.sh +++ b/security/vuxml/files/newentry.sh @@ -1,5 +1,9 @@ #! /bin/sh +set -eu + vuxml_file="$1" +CVE_ID="${2:-}" + if [ -z "${vuxml_file}" ]; then exec >&2 echo "Usage: newentry.sh /path/to/vuxml/document" @@ -7,40 +11,85 @@ if [ -z "${vuxml_file}" ]; then fi tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1 +tmp_mitre="" +tmp_nvd="" + doclean="yes" cleanup() { if [ "${doclean}" = "yes" ]; then - rm -f "${tmp}" + rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null fi } trap cleanup EXIT 1 2 13 15 vid="`uuidgen | tr '[:upper:]' '[:lower:]'`" [ -z "$vid" ] && exit 1 +cvename="INSERT CVE RECORD IF AVAILABLE" +cveurl="INSERT BLOCKQUOTE URL HERE" +details="." discovery="`date -u '+%Y-%m'`-FIXME" || exit 1 entry="`date -u '+%Y-%m-%d'`" || exit 1 +package_name="" +references="INSERT URL HERE" +topic="" +source="SO-AND-SO" +upstream_fix="" + +# Try to retrieve information if a CVE identifier was provided +if [ -n "${CVE_ID}" ]; then + if ! command -v jq > /dev/null; then + echo textproc/jq is needed for CVE automatic entry fill + exit 1 + fi + + # NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT + # cve-2022-39282. + CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1 + + # Get information from the NVD database JSON format + tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1 + fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1 + # Get information from MITRE database (they provide a nice "topic" + tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1 + fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}" + + # Create variables from input and online sources + cvename="${CVE_ID}" + cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID} + pref=.vulnerabilities[0].cve + details=$(jq -r "${pref}.descriptions[0].value|@html" "${tmp_nvd}" | fmt -p -s | sed '1!s/^/\t/') || exit 1 + discovery=$(jq -r "${pref}.published|@html" "${tmp_nvd}" | cut -f1 -dT) || exit 1 + pref=.vulnerabilities[0].cve.configurations[0].nodes[0].cpeMatch[0] + package_name=$(jq -r "${pref}.criteria|@html" "${tmp_nvd}" | cut -f4 -d:) || exit 1 + upstream_fix=$(jq -r "${pref}.versionEndExcluding|@html" "${tmp_nvd}") || exit 1 + pref=.vulnerabilities[0].cve.references[0] + references=$(jq -r "${pref}.url|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 + source=$(jq -r "${pref}.source|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 + topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1 +fi + awk '/^<\?/,/^> "${tmp}" || exit 1 cat << EOF >> "${tmp}" || exit 1 - -- + ${package_name} -- ${topic} - - + ${package_name} + ${upstream_fix} -

SO-AND-SO reports:

-
-

.

+

${source} reports:

+
+

${details}

- INSERT CVE RECORD IF AVAILABLE - INSERT BLOCKQUOTE URL HERE + ${cvename} + ${cveurl} ${discovery}