git: e90a0b117fdc - main - security/vuxml: Add SA_ID to make newentry

From: Fernando Apesteguía <fernape_at_FreeBSD.org>
Date: Mon, 25 Sep 2023 11:26:12 UTC
The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e90a0b117fdc61d6d6bc4b02a4b7b5be5a878b2d

commit e90a0b117fdc61d6d6bc4b02a4b7b5be5a878b2d
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-09-22 18:17:13 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-09-25 11:25:55 +0000

    security/vuxml: Add SA_ID to make newentry
    
    Automate registration of FreeBSD Security Advisories.
    
    It adds a new parameter for the newentry subcommand accepting an SA ID as present
    in the FreeBSD Security Advisories web page
    (https://www.freebsd.org/security/advisories/)
    
    Fills an entry following the common structure for FreeBSD SAs and leaves some
    "FIXME" strings in those places that need special care.
    Developers should NOT blindly trust the output of the script.
    
    `make newentry SA_ID=FreeBSD-SA-23:11.wifi.asc`
    `make newentry SA_ID=FreeBSD-SA-22:01.vt`
    
    Reviewed by:            philip@
    Differential Revision: https://reviews.freebsd.org/D41966
---
 security/vuxml/Makefile          |  2 +-
 security/vuxml/files/newentry.sh | 91 +++++++++++++++++++++++++++++++++++-----
 2 files changed, 81 insertions(+), 12 deletions(-)

diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile
index d8305c85191a..3e5d1d98ab34 100644
--- a/security/vuxml/Makefile
+++ b/security/vuxml/Makefile
@@ -92,7 +92,7 @@ tidy: ${VUXML_FLAT_FILE}
 	${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy"
 
 newentry:
-	@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID}
+	@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}"
 
 .if defined(VID) && !empty(VID)
 html: work/${VID}.html
diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh
index 6da86b75a65b..58b2d874ec7e 100644
--- a/security/vuxml/files/newentry.sh
+++ b/security/vuxml/files/newentry.sh
@@ -2,22 +2,47 @@
 set -eu
 
 vuxml_file="$1"
-CVE_ID="${2:-}"
+CVE_ID=""
+SA_ID=""
 
-if [ -z "${vuxml_file}" ]; then
+show_usage() {
   exec >&2
-  echo "Usage: newentry.sh /path/to/vuxml/document"
+  echo "Usage: newentry.sh /path/to/vuxml/document [CVE_ID|SA_ID]"
   exit 1
+}
+
+if [ -z "${vuxml_file}" ]; then
+	show_usage
 fi
 
+shift
+while [ $# -gt 0 ]; do
+case "$1" in
+  CVE_ID=*)
+    CVE_ID="${1#CVE_ID=}"
+    shift
+    ;;
+  SA_ID=*)
+    SA_ID="${1#SA_ID=}"
+    shift
+    ;;
+  *)
+    echo "Invalid argument: $1"
+    show_usage
+    exit 1
+    ;;
+esac
+done
+
 tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1
+tmp_fbsd_sa=""
 tmp_mitre=""
 tmp_nvd=""
 
 doclean="yes"
 cleanup() {
   if [ "${doclean}" = "yes" ]; then
-    rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
+	rm -f "${tmp}" "${tmp_fbsd_sa}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
   fi
 }
 trap cleanup EXIT 1 2 13 15
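Review bot: The error branch of the argument loop at lines 85–89 prints `Invalid argument` to stdout and then calls show_usage, which already redirects to stderr and exits, so the `exit 1` on line 88 is unreachable; `echo "Invalid argument: $1" >&2` with the trailing `exit 1` dropped keeps the diagnostic next to the usage text on stderr. The added lines also mix a leading tab (lines 71 and 102) with the two-space indent of the surrounding code (lines 64–67 and 100–103), and the `case` at lines 76–90 sits at the same column as its enclosing `while`, which makes the loop body hard to scan. Indenting the `case` one level and using spaces on lines 71 and 102 would match the rest of the file.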
@@ -34,6 +59,14 @@ references="INSERT URL HERE"
 topic=""
 source="SO-AND-SO"
 upstream_fix=""
+impact=""
+DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\">
+	<p>${source} reports:</p>
+	<blockquote cite=\"${references}\">
+	  <p>${details}</p>
+	</blockquote>
+	</body>"
+
 
 # Try to retrieve information if a CVE identifier was provided
 if [ -n "${CVE_ID}" ]; then
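Review bot: DESC_BODY on lines 111–116 is a double-quoted assignment, so `${source}`, `${references}` and `${details}` are expanded right there, while the placeholders `SO-AND-SO` and `INSERT URL HERE` are still in effect; the old heredoc (lines 182–187) expanded them only after the CVE_ID block had run. If that block assigns details, references or source from the NVD/MITRE data (its middle, new lines 89–100, is outside the diff), the CVE_ID path now emits the placeholders instead of the fetched values. Moving this default assignment to just after the CVE block's closing `fi` (line 132), or into an `else` branch of the SA_ID block, restores the previous behaviour without changing the template. The stray double blank line at lines 117–118 can go at the same time.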
@@ -49,7 +82,7 @@ if [ -n "${CVE_ID}" ]; then
 	# Get information from the NVD database JSON format
 	tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1
 	fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1
-	# Get information from MITRE database (they provide a nice "topic"
+	# Get information from MITRE database (they provide a nice "topic")
 	tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1
 	fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}"
 
@@ -68,6 +101,47 @@ if [ -n "${CVE_ID}" ]; then
 	topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1
 fi
 
+if [ -n "${SA_ID}" ]; then
+	SA_URL_BASE=https://www.freebsd.org/security/advisories/
+
+	# Get information from the Project's SA site
+	tmp_fbsd_sa="$(mktemp ${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX)" || exit 1
+	fetch -q -o "${tmp_fbsd_sa}" ${SA_URL_BASE}${SA_ID} || exit 1
+
+	# Create variables from SA note
+	if grep -q 'CVE Name' "${tmp_fbsd_sa}"; then
+		cve_tmp=$(grep 'CVE Name' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1
+		cvename="${cve_tmp#"${cve_tmp%%[![:space:]]*}"}"
+
+		# NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT
+		# cve-2022-39282.
+		cvename=$(echo "${cvename}" | tr '[:lower:]' '[:upper:]') || exit 1
+		cveurl="https://nvd.nist.gov/vuln/detail/${cvename}"
+	fi
+
+	details=$(awk '/II.  Problem Description/ {f=1;next;next} /III. Impact/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}" ) || exit 1
+	details=$(echo "<p>${details}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')
+	impact=$(awk '/III. Impact/ {f=1;next;next} /IV.  Workaround/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}") || exit 1
+	impact=$(echo "<p>${impact}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')
+
+	package_name="FreeBSD"
+	if grep -Eq 'Module:.*kernel' "${tmp_fbsd_sa}"; then
+		package_name="${package_name}-kernel"
+	fi
+
+	upstream_fix="FIXME"
+	references="${SA_URL_BASE}${SA_ID}"
+	source="The FreeBSD Project"
+	topic_tmp=$(grep 'Topic:' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1
+	topic="${topic_tmp#"${topic_tmp%%[![:space:]]*}"}"
+
+DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\">
+	<h1>Problem Description:</h1>
+	  ${details}
+	<h1>Impact:</h1>
+	  ${impact}
+      </body>"
+fi
 
 awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1
 cat << EOF >> "${tmp}" || exit 1
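Review bot: SA_ID reaches the fetch on line 139 unquoted and unvalidated, and the advisory text extracted on lines 152–166 (details, impact, topic) is spliced into the XML body without escaping, whereas the CVE path escapes its topic with jq's `@html` on line 131. A value with whitespace or glob characters is word-split before fetch sees it, and an advisory paragraph containing `&` or `<` produces a malformed vuxml entry that only a later validation step would catch. A shape check on SA_ID before it is used to build a URL, quoting the URL argument, and a small sed-based XML escape on the awk output close both gaps; the rewritten lines are below. The awk actions on lines 152 and 154 also carry a dead second `next`, which the fence drops.

```shell
if [ -n "${SA_ID}" ]; then
	# Accept only identifiers shaped like the advisory file names
	# (FreeBSD-SA-YY:NN.name, optionally with a suffix) before building a URL.
	case "${SA_ID}" in
	  FreeBSD-SA-[0-9][0-9]:[0-9][0-9].*) ;;
	  *)
	    echo "Invalid SA_ID: ${SA_ID}" >&2
	    show_usage
	    ;;
	esac
	SA_URL_BASE=https://www.freebsd.org/security/advisories/

	# … unchanged: mktemp for tmp_fbsd_sa …
	fetch -q -o "${tmp_fbsd_sa}" "${SA_URL_BASE}${SA_ID}" || exit 1

	# … unchanged: CVE Name extraction …

	# The advisory is plain text; escape XML metacharacters before the
	# paragraphs are embedded in the <body> markup.
	xml_escape() { sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'; }
	details=$(awk '/II.  Problem Description/ {f=1;next} /III. Impact/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}" | xml_escape) || exit 1
	details=$(echo "<p>${details}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')
	impact=$(awk '/III. Impact/ {f=1;next} /IV.  Workaround/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}" | xml_escape) || exit 1
	impact=$(echo "<p>${impact}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')

	# … unchanged: package_name, upstream_fix, references, source …
	topic_tmp=$(grep 'Topic:' "${tmp_fbsd_sa}" | cut -f2 -d: | xml_escape) || exit 1
	# … unchanged: topic trim and DESC_BODY …
```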
@@ -80,12 +154,7 @@ cat << EOF >> "${tmp}" || exit 1
       </package>
     </affects>
     <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>${source} reports:</p>
-	<blockquote cite="${references}">
-	  <p>${details}</p>
-	</blockquote>
-      </body>
+	${DESC_BODY}
     </description>
     <references>
       <cvename>${cvename}</cvename>
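Review bot: The single `${DESC_BODY}` line added at line 188 is tab-indented, but the template's continuation lines carry whatever indent they were given at definition time, and the two templates disagree: the default closes with a tab before `</body>` (line 116) while the SA_ID one closes with six spaces (line 173), so the generated entry's indentation depends on which path ran. Aligning both templates on the tab style of the surrounding heredoc (or running the result through the existing tidy target) would keep the output uniform. This is a style point only; the heredoc itself is unchanged apart from this line.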