security/vuxml: Add SA_ID to make newentry

Automate registration of FreeBSD Security Advisories. It adds a new parameter for the newentry subcommand accepting a SA ID as present in the FreeBSD Security Advisories web page (https://www.freebsd.org/security/advisories/) Fills an entry following the common structure for FreeBSD SAs and leaves some "FIXME" strings in those places that need special care. Developers should NOT blindly trust the output of the script. `make newentry SA_ID=FreeBSD-SA-23:11.wifi.asc` `make newentry SA_ID=FreeBSD-SA-22:01.vt` Reviewed by: philip@ Differential Revision: https://reviews.freebsd.org/D41966
2023-09-22 20:17:13 +02:00 · 2023-09-22 20:17:13 +02:00 · e90a0b117f
commit e90a0b117f
parent c41955fd12
2 changed files with 82 additions and 13 deletions
--- a/security/vuxml/Makefile
+++ b/security/vuxml/Makefile
@ -92,7 +92,7 @@ tidy: ${VUXML_FLAT_FILE}
 	${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy"

 newentry:
-	@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID}
+	@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}"

 .if defined(VID) && !empty(VID)
 html: work/${VID}.html
--- a/security/vuxml/files/newentry.sh
+++ b/security/vuxml/files/newentry.sh
@ -2,22 +2,47 @@
 set -eu

 vuxml_file="$1"
-CVE_ID="${2:-}"
+CVE_ID=""
+SA_ID=""
+
+show_usage() {
+  exec >&2
+  echo "Usage: newentry.sh /path/to/vuxml/document [CVE_ID|SA_ID]"
+  exit 1
+}

 if [ -z "${vuxml_file}" ]; then
-  exec >&2
-  echo "Usage: newentry.sh /path/to/vuxml/document"
-  exit 1
+	show_usage
 fi

+shift
+while [ $# -gt 0 ]; do
+case "$1" in
+  CVE_ID=*)
+    CVE_ID="${1#CVE_ID=}"
+    shift
+    ;;
+  SA_ID=*)
+    SA_ID="${1#SA_ID=}"
+    shift
+    ;;
+  *)
+    echo "Invalid argument: $1"
+    show_usage
+    exit 1
+    ;;
+esac
+done
+
 tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1
+tmp_fbsd_sa=""
 tmp_mitre=""
 tmp_nvd=""

 doclean="yes"
 cleanup() {
  if [ "${doclean}" = "yes" ]; then
-    rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
+	rm -f "${tmp}" "${tmp_fbsd_sa}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
  fi
 }
 trap cleanup EXIT 1 2 13 15
@ -34,6 +59,14 @@ references="INSERT URL HERE"
 topic=""
 source="SO-AND-SO"
 upstream_fix=""
+impact=""
+DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\">
+	<p>${source} reports:</p>
+	<blockquote cite=\"${references}\">
+	  <p>${details}</p>
+	</blockquote>
+	</body>"
+

 # Try to retrieve information if a CVE identifier was provided
 if [ -n "${CVE_ID}" ]; then
@ -49,7 +82,7 @@ if [ -n "${CVE_ID}" ]; then
 	# Get information from the NVD database JSON format
 	tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1
 	fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1
-	# Get information from MITRE database (they provide a nice "topic"
+	# Get information from MITRE database (they provide a nice "topic")
 	tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1
 	fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}"

@ -68,6 +101,47 @@ if [ -n "${CVE_ID}" ]; then
 	topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1
 fi

+if [ -n "${SA_ID}" ]; then
+	SA_URL_BASE=https://www.freebsd.org/security/advisories/
+
+	# Get information from the Project's SA site
+	tmp_fbsd_sa="$(mktemp ${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX)" || exit 1
+	fetch -q -o "${tmp_fbsd_sa}" ${SA_URL_BASE}${SA_ID} || exit 1
+
+	# Create variables from SA note
+	if grep -q 'CVE Name' "${tmp_fbsd_sa}"; then
+		cve_tmp=$(grep 'CVE Name' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1
+		cvename="${cve_tmp#"${cve_tmp%%[![:space:]]*}"}"
+
+		# NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT
+		# cve-2022-39282.
+		cvename=$(echo "${cvename}" | tr '[:lower:]' '[:upper:]') || exit 1
+		cveurl="https://nvd.nist.gov/vuln/detail/${cvename}"
+	fi
+
+	details=$(awk '/II.  Problem Description/ {f=1;next;next} /III. Impact/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}" ) || exit 1
+	details=$(echo "<p>${details}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')
+	impact=$(awk '/III. Impact/ {f=1;next;next} /IV.  Workaround/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}") || exit 1
+	impact=$(echo "<p>${impact}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')
+
+	package_name="FreeBSD"
+	if grep -Eq 'Module:.*kernel' "${tmp_fbsd_sa}"; then
+		package_name="${package_name}-kernel"
+	fi
+
+	upstream_fix="FIXME"
+	references="${SA_URL_BASE}${SA_ID}"
+	source="The FreeBSD Project"
+	topic_tmp=$(grep 'Topic:' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1
+	topic="${topic_tmp#"${topic_tmp%%[![:space:]]*}"}"
+
+DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\">
+	<h1>Problem Description:</h1>
+	  ${details}
+	<h1>Impact:</h1>
+	  ${impact}
+      </body>"
+fi

 awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1
 cat << EOF >> "${tmp}" || exit 1
@ -80,12 +154,7 @@ cat << EOF >> "${tmp}" || exit 1
      </package>
    </affects>
    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>${source} reports:</p>
-	<blockquote cite="${references}">
-	  <p>${details}</p>
-	</blockquote>
-      </body>
+	${DESC_BODY}
    </description>
    <references>
      <cvename>${cvename}</cvename>