diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile --- a/security/vuxml/Makefile +++ b/security/vuxml/Makefile @@ -92,7 +92,7 @@ ${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy" newentry: - @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID} + @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}" .if defined(VID) && !empty(VID) html: work/${VID}.html diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh --- a/security/vuxml/files/newentry.sh +++ b/security/vuxml/files/newentry.sh @@ -2,22 +2,47 @@ set -eu vuxml_file="$1" -CVE_ID="${2:-}" +CVE_ID="" +SA_ID="" -if [ -z "${vuxml_file}" ]; then +show_usage() { exec >&2 - echo "Usage: newentry.sh /path/to/vuxml/document" + echo "Usage: newentry.sh /path/to/vuxml/document [CVE_ID|SA_ID]" exit 1 +} + +if [ -z "${vuxml_file}" ]; then + show_usage fi +shift +while [ $# -gt 0 ]; do +case "$1" in + CVE_ID=*) + CVE_ID="${1#CVE_ID=}" + shift + ;; + SA_ID=*) + SA_ID="${1#SA_ID=}" + shift + ;; + *) + echo "Invalid argument: $1" + show_usage + exit 1 + ;; +esac +done + tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1 +tmp_fbsd_sa="" tmp_mitre="" tmp_nvd="" doclean="yes" cleanup() { if [ "${doclean}" = "yes" ]; then - rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null + rm -f "${tmp}" "${tmp_fbsd_sa}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null fi } trap cleanup EXIT 1 2 13 15 @@ -34,6 +59,14 @@ topic="" source="SO-AND-SO" upstream_fix="" +impact="" +DESC_BODY=" +
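Review bot: In the `*)` branch of the new argument loop, the `Invalid argument` message goes to stdout and the `exit 1` after `show_usage` is unreachable, because show_usage already redirects to stderr and exits; write `echo "Invalid argument: $1" >&2` and drop the dead `exit 1`. The usage text still reads `[CVE_ID|SA_ID]` although the loop only accepts the `CVE_ID=…` and `SA_ID=…` forms the Makefile hunk now passes, so `[CVE_ID=id] [SA_ID=id]` would describe the parser accurately. Neither value is checked for shape before it is later interpolated into a fetch URL (the NVD query is visible further down, the SA one in the `SA_ID` block); a `case` pattern check in these two branches would be the natural place for that validation.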

${source} reports:

+
+

${details}

+
+ " + # Try to retrieve information if a CVE identifier was provided if [ -n "${CVE_ID}" ]; then @@ -49,7 +82,7 @@ # Get information from the NVD database JSON format tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1 fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1 - # Get information from MITRE database (they provide a nice "topic" + # Get information from MITRE database (they provide a nice "topic") tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1 fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}" @@ -68,6 +101,47 @@ topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1 fi +if [ -n "${SA_ID}" ]; then + SA_URL_BASE=https://www.freebsd.org/security/advisories/ + + # Get information from the Project's SA site + tmp_fbsd_sa="$(mktemp ${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX)" || exit 1 + fetch -q -o "${tmp_fbsd_sa}" ${SA_URL_BASE}${SA_ID} || exit 1 + + # Create variables from SA note + if grep -q 'CVE Name' "${tmp_fbsd_sa}"; then + cve_tmp=$(grep 'CVE Name' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1 + cvename="${cve_tmp#"${cve_tmp%%[![:space:]]*}"}" + + # NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT + # cve-2022-39282. + cvename=$(echo "${cvename}" | tr '[:lower:]' '[:upper:]') || exit 1 + cveurl="https://nvd.nist.gov/vuln/detail/${cvename}" + fi + + details=$(awk '/II. Problem Description/ {f=1;next;next} /III. Impact/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}" ) || exit 1 + details=$(echo "

${details}

" | fmt -p -s | sed -e 's/

/

/' | sed '1!s/^/\t/') + impact=$(awk '/III. Impact/ {f=1;next;next} /IV. Workaround/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}") || exit 1 + impact=$(echo "

${impact}

" | fmt -p -s | sed -e 's/

/

/' | sed '1!s/^/\t/') + + package_name="FreeBSD" + if grep -Eq 'Module:.*kernel' "${tmp_fbsd_sa}"; then + package_name="${package_name}-kernel" + fi + + upstream_fix="FIXME" + references="${SA_URL_BASE}${SA_ID}" + source="The FreeBSD Project" + topic_tmp=$(grep 'Topic:' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1 + topic="${topic_tmp#"${topic_tmp%%[![:space:]]*}"}" + +DESC_BODY=" +

Problem Description:

+ ${details} +

Impact:

+ ${impact} + " +fi awk '/^<\?/,/^> "${tmp}" || exit 1 cat << EOF >> "${tmp}" || exit 1 @@ -80,12 +154,7 @@ - -
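Review bot: The SA branch inserts `topic`, `details` and `impact` into the XML heredoc without escaping, whereas the CVE branch passes MITRE's title through jq's `@html`; an `&` or `<` in the advisory text would yield a malformed or mis-structured document. Escape each value before use, e.g. `topic=$(printf '%s\n' "${topic}" | sed -e 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')`, and likewise for `details` and `impact`. The fetch URL `${SA_URL_BASE}${SA_ID}` is unquoted, so an SA_ID containing whitespace or glob characters is word-split before reaching fetch; quote it as `"${SA_URL_BASE}${SA_ID}"`. In both awk programs the second `next` in `{f=1;next;next}` is unreachable and can be dropped. If `cvename` is not initialised earlier in the script (outside this hunk), an advisory without a `CVE Name` line leaves it unset and `set -u` aborts at the `${cvename}` expansion in the heredoc.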

${source} reports:

-
-

${details}

-
- + ${DESC_BODY}
${cvename}