
D38894.id118268.diff

Index: security/vuxml/Makefile
===================================================================
--- security/vuxml/Makefile
+++ security/vuxml/Makefile
@@ -92,7 +92,7 @@
${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy"
newentry:
- @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}"
+ @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID}
.if defined(VID) && !empty(VID)
html: work/${VID}.html
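Review bot: `${CVE_ID}` reaches the shell unquoted on the new `newentry` recipe line, unlike the `"${VUXML_CURRENT_FILE}"` argument just before it, so a value containing whitespace or shell metacharacters is split or interpreted by the shell instead of arriving in newentry.sh as a single `$2`. Quoting it the same way keeps the unset case working, because the script then sees an empty second argument: `@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "${CVE_ID}"`. Double quotes do not neutralise every metacharacter once make has expanded the value, so the script should still check the identifier's format itself.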
Index: security/vuxml/files/newentry.sh
===================================================================
--- security/vuxml/files/newentry.sh
+++ security/vuxml/files/newentry.sh
@@ -1,5 +1,7 @@
#! /bin/sh
vuxml_file="$1"
+CVE_ID="$2"
+
if [ -z "${vuxml_file}" ]; then
exec >&2
echo "Usage: newentry.sh /path/to/vuxml/document"
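Review bot: The usage text in the context lines under the new `CVE_ID="$2"` assignment still reads `Usage: newentry.sh /path/to/vuxml/document`, so the optional second argument added here is undocumented. It could become `echo "Usage: newentry.sh /path/to/vuxml/document [CVE-ID]"`. A one-line comment above the assignment, such as `# Optional: CVE identifier used to pre-fill the entry from NVD/MITRE`, would also help. The usage block continues outside this hunk.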
@@ -19,28 +21,62 @@
[ -z "$vid" ] && exit 1
discovery="`date -u '+%Y-%m'`-FIXME" || exit 1
entry="`date -u '+%Y-%m-%d'`" || exit 1
+cvename="INSERT CVE RECORD IF AVAILABLE"
+cveurl="INSERT BLOCKQUOTE URL HERE"
+references="INSERT URL HERE"
+
+# Try to retrieve information if a CVE identifier was provided
+if [ -n "${CVE_ID}" ]; then
+ if ! command -v jq > /dev/null; then
+ echo textproc/jq is needed for CVE automatic entry fill
+ exit 1
+ fi
+
+ # NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT
+ # cve-2022-39282.
+ CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1
+
+ # Get information from the NVD database JSON format
+ nvd_json_data=$(fetch -q -o - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}") || exit 1
+ # Get information from MITRE database (they provide a nice "topic"
+ mitre_json_data=$(fetch -q -o - https://cveawg.mitre.org/api/cve/"${CVE_ID}")
+
+ # How many references we want to retrieve
+ MAX_REFERENCES=1
+
+ # Create variables from input and online sources
+ cvename="${CVE_ID}"
+ cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID}
+ details=$(echo "${nvd_json_data}" | jq -r .vulnerabilities[0].cve.descriptions[0].value | fmt -p -s | sed '1!s/^/\t/') || exit 1
+ discovery=$(echo "${nvd_json_data}" | jq -r .vulnerabilities[0].cve.published | cut -f1 -dT) || exit 1
+ package_name=$(echo "${nvd_json_data}" | jq -r .vulnerabilities[0].cve.configurations[0].nodes[0].cpeMatch[0].criteria | cut -f4 -d:) || exit 1
+ references=$(echo "${nvd_json_data}" | jq -r .vulnerabilities[0].cve.references[].url | tr ' ' '\n' | head -n${MAX_REFERENCES}) || exit 1
+ topic=$(echo "${mitre_json_data}" | jq -r .containers.cna.title) || exit 1
+ upstream_fix=$(echo "${nvd_json_data}" | jq -r .vulnerabilities[0].cve.configurations[0].nodes[0].cpeMatch[0].versionEndExcluding) || exit 1
+fi
+
awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1
cat << EOF >> "${tmp}" || exit 1
<vuln vid="${vid}">
- <topic> -- </topic>
+ <topic>${package_name} -- ${topic}</topic>
<affects>
<package>
- <name></name>
- <range><lt></lt></range>
+ <name>${package_name}</name>
+ <range><lt>${upstream_fix}</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SO-AND-SO reports:</p>
- <blockquote cite="INSERT URL HERE">
- <p>.</p>
+ <blockquote cite="${references}">
+ <p>${details}.</p>
</blockquote>
</body>
</description>
<references>
- <cvename>INSERT CVE RECORD IF AVAILABLE</cvename>
- <url>INSERT BLOCKQUOTE URL HERE</url>
+ <cvename>${cvename}</cvename>
+ <url>${cveurl}</url>
</references>
<dates>
<discovery>${discovery}</discovery>
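Review bot: The values taken from the NVD and MITRE responses (`details`, `topic`, `package_name`, `upstream_fix`, `references`) are expanded into the XML here-document unescaped, so a description containing `&`, `<` or `>` yields a malformed or altered VuXML entry. A field missing from the JSON is written as the literal `null`, because that is what `jq -r` prints. `CVE_ID` also goes into both fetch URLs and the entry without a format check, the NVD URL and the jq filters leave `?` and `[0]` unquoted where the shell may glob them, and the MITRE fetch is the only command in the block without `|| exit 1`. The fence sketches a format check, quoted URLs and filters, and an escaping helper applied to the fetched values; the here-document continues past the end of the hunk.

```shell
# … unchanged: defaults for cvename, cveurl, references …

# Escape text taken from remote JSON before it is written into the XML entry
xml_escape() {
	sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

if [ -n "${CVE_ID}" ]; then
	# … unchanged: jq availability check, uppercase conversion …

	# Only URL- and XML-safe characters, and the CVE-YYYY-N... shape
	case "${CVE_ID}" in
	*[!A-Z0-9-]*)
		echo "Invalid CVE identifier: ${CVE_ID}" >&2; exit 1 ;;
	CVE-[0-9][0-9][0-9][0-9]-[0-9]*)
		;;
	*)
		echo "Invalid CVE identifier: ${CVE_ID}" >&2; exit 1 ;;
	esac

	nvd_json_data=$(fetch -q -o - "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=${CVE_ID}") || exit 1
	mitre_json_data=$(fetch -q -o - "https://cveawg.mitre.org/api/cve/${CVE_ID}") || exit 1

	# … unchanged: MAX_REFERENCES, cvename, cveurl …
	details=$(echo "${nvd_json_data}" | jq -r '.vulnerabilities[0].cve.descriptions[0].value // empty' | xml_escape | fmt -p -s | sed '1!s/^/\t/') || exit 1
	topic=$(echo "${mitre_json_data}" | jq -r '.containers.cna.title // empty' | xml_escape) || exit 1
	# … same quoted "// empty" filter and xml_escape for package_name, references and upstream_fix; discovery unchanged …
```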
