security/vuxml: Add SA_ID to make newentry

Automate registration of FreeBSD Security Advisories. It adds a new parameter for the newentry subcommand accepting a SA ID as present in the FreeBSD Security Advisories web page (https://www.freebsd.org/security/advisories/) Fills an entry following the common structure for FreeBSD SAs and leaves some "FIXME" strings in those places that need special care. Developers should NOT blindly trust the output of the script. `make newentry SA_ID=FreeBSD-SA-23:11.wifi.asc` `make newentry SA_ID=FreeBSD-SA-22:01.vt` Reviewed by: philip@ Differential Revision: https://reviews.freebsd.org/D41966
freebsd · Sep 25, 2023 · e90a0b1 · e90a0b1
1 parent c41955f
commit e90a0b1
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 12 deletions.
diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile
@@ -92,7 +92,7 @@ tidy: ${VUXML_FLAT_FILE}
 	${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy"
 
 newentry:
-	@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID}
+	@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}"
 
 .if defined(VID) && !empty(VID)
 html: work/${VID}.html

diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh
@@ -2,22 +2,47 @@
 set -eu
 
 vuxml_file="$1"
-CVE_ID="${2:-}"
+CVE_ID=""
+SA_ID=""
 
-if [ -z "${vuxml_file}" ]; then
+show_usage() {
   exec >&2
-  echo "Usage: newentry.sh /path/to/vuxml/document"
+  echo "Usage: newentry.sh /path/to/vuxml/document [CVE_ID|SA_ID]"
   exit 1
+}
+
+if [ -z "${vuxml_file}" ]; then
+	show_usage
 fi
 
+shift
+while [ $# -gt 0 ]; do
+case "$1" in
+  CVE_ID=*)
+    CVE_ID="${1#CVE_ID=}"
+    shift
+    ;;
+  SA_ID=*)
+    SA_ID="${1#SA_ID=}"
+    shift
+    ;;
+  *)
+    echo "Invalid argument: $1"
+    show_usage
+    exit 1
+    ;;
+esac
+done
+
 tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1
+tmp_fbsd_sa=""
 tmp_mitre=""
 tmp_nvd=""
 
 doclean="yes"
 cleanup() {
   if [ "${doclean}" = "yes" ]; then
-    rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
+	rm -f "${tmp}" "${tmp_fbsd_sa}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null
   fi
 }
 trap cleanup EXIT 1 2 13 15
@@ -34,6 +59,14 @@ references="INSERT URL HERE"
 topic=""
 source="SO-AND-SO"
 upstream_fix=""
+impact=""
+DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\">
+	<p>${source} reports:</p>
+	<blockquote cite=\"${references}\">
+	  <p>${details}</p>
+	</blockquote>
+	</body>"
+
 
 # Try to retrieve information if a CVE identifier was provided
 if [ -n "${CVE_ID}" ]; then
@@ -49,7 +82,7 @@ if [ -n "${CVE_ID}" ]; then
 	# Get information from the NVD database JSON format
 	tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1
 	fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1
-	# Get information from MITRE database (they provide a nice "topic"
+	# Get information from MITRE database (they provide a nice "topic")
 	tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1
 	fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}"
 
@@ -68,6 +101,47 @@ if [ -n "${CVE_ID}" ]; then
 	topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1
 fi
 
+if [ -n "${SA_ID}" ]; then
+	SA_URL_BASE=https://www.freebsd.org/security/advisories/
+
+	# Get information from the Project's SA site
+	tmp_fbsd_sa="$(mktemp ${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX)" || exit 1
+	fetch -q -o "${tmp_fbsd_sa}" ${SA_URL_BASE}${SA_ID} || exit 1
+
+	# Create variables from SA note
+	if grep -q 'CVE Name' "${tmp_fbsd_sa}"; then
+		cve_tmp=$(grep 'CVE Name' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1
+		cvename="${cve_tmp#"${cve_tmp%%[![:space:]]*}"}"
+
+		# NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT
+		# cve-2022-39282.
+		cvename=$(echo "${cvename}" | tr '[:lower:]' '[:upper:]') || exit 1
+		cveurl="https://nvd.nist.gov/vuln/detail/${cvename}"
+	fi
+
+	details=$(awk '/II.  Problem Description/ {f=1;next;next} /III. Impact/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}" ) || exit 1
+	details=$(echo "<p>${details}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')
+	impact=$(awk '/III. Impact/ {f=1;next;next} /IV.  Workaround/ {f=0} (f==1) {print}' "${tmp_fbsd_sa}") || exit 1
+	impact=$(echo "<p>${impact}</p>" | fmt -p -s | sed -e 's/<p> /<p>/' | sed '1!s/^/\t/')
+
+	package_name="FreeBSD"
+	if grep -Eq 'Module:.*kernel' "${tmp_fbsd_sa}"; then
+		package_name="${package_name}-kernel"
+	fi
+
+	upstream_fix="FIXME"
+	references="${SA_URL_BASE}${SA_ID}"
+	source="The FreeBSD Project"
+	topic_tmp=$(grep 'Topic:' "${tmp_fbsd_sa}" | cut -f2 -d:) || exit 1
+	topic="${topic_tmp#"${topic_tmp%%[![:space:]]*}"}"
+
+DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\">
+	<h1>Problem Description:</h1>
+	  ${details}
+	<h1>Impact:</h1>
+	  ${impact}
+      </body>"
+fi
 
 awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1
 cat << EOF >> "${tmp}" || exit 1
@@ -80,12 +154,7 @@ cat << EOF >> "${tmp}" || exit 1
       </package>
     </affects>
     <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>${source} reports:</p>
-	<blockquote cite="${references}">
-	  <p>${details}</p>
-	</blockquote>
-      </body>
+	${DESC_BODY}
     </description>
     <references>
       <cvename>${cvename}</cvename>