diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile index 1c5016141eb3..d8305c85191a 100644 --- a/security/vuxml/Makefile +++ b/security/vuxml/Makefile @@ -1,107 +1,107 @@ PORTNAME= vuxml PORTVERSION= 1.1 PORTREVISION= 6 CATEGORIES= security textproc MASTER_SITES= http://www.vuxml.org/dtd/vuxml-1/ DISTFILES= vuxml-10.dtd vuxml-model-10.mod \ vuxml-11.dtd vuxml-model-11.mod \ xml1.dcl catalog catalog.xml DIST_SUBDIR= vuxml MAINTAINER= ports-secteam@FreeBSD.org COMMENT= Vulnerability and eXposure Markup Language DTD WWW= https://vuxml.freebsd.org/ LICENSE= BSD2CLAUSE RUN_DEPENDS= xmlcatmgr:textproc/xmlcatmgr \ xsltproc:textproc/libxslt \ ${LOCALBASE}/share/xml/dtd/xhtml-modularization/VERSION:textproc/xhtml-modularization \ ${LOCALBASE}/share/xml/dtd/xhtml-basic/xhtml-basic10.dtd:textproc/xhtml-basic USES= python:run NO_MTREE= yes NO_ARCH= yes NO_BUILD= yes WRKSRC= ${WRKDIR} dir_DTD= share/xml/dtd/vuxml .include VUXML_FILE?= ${PKGDIR}/vuln.xml VUXML_FLAT_FILE?= ${PKGDIR}/vuln-flat.xml _YEAR!= date +%Y VUXML_CURRENT_FILE?= ${PKGDIR}/vuln/${_YEAR}.xml post-clean: @${RM} "${VUXML_FILE}.tidy" @${RM} "${VUXML_FLAT_FILE}" do-extract: @${RM} -r ${WRKDIR} @${MKDIR} ${WRKDIR} .for f in ${DISTFILES} ${CP} ${_DISTDIR}/${f} ${WRKDIR}/${f} .endfor do-install: @${MKDIR} ${STAGEDIR}${PREFIX}/${dir_DTD} .for f in ${DISTFILES} ${INSTALL_DATA} ${WRKSRC}/${f} ${STAGEDIR}${PREFIX}/${dir_DTD}/${f} .endfor do-test: @${MKDIR} ${WRKDIR}/test @${CP} -R ${.CURDIR}/vuln.xml ${.CURDIR}/vuln ${WRKDIR}/test @cd ${.CURDIR} && make validate PKGDIR=${WRKDIR}/test ${VUXML_FLAT_FILE}: ${VUXML_FILE} vuln/*.xml xmllint -noent ${.ALLSRC:[1]} > ${.TARGET} validate: tidy @${SH} ${FILESDIR}/validate.sh "${VUXML_FLAT_FILE}" @${ECHO_MSG} Checking if tidy differs... @if ${DIFF} -u "${VUXML_FLAT_FILE}" "${VUXML_FILE}.tidy"; \ then \ ${ECHO_MSG} ... seems okay; \ ${RM} "${VUXML_FILE}.tidy"; \ else \ return 1; \ fi @${ECHO_MSG} Checking for space/tab... @unexpand "${VUXML_FLAT_FILE}" | ${SED} -E 's,[[:space:]]*$$,,g' > "${VUXML_FILE}.unexpanded" @if ${DIFF} -u "${VUXML_FLAT_FILE}" "${VUXML_FILE}.unexpanded"; \ then \ ${ECHO_MSG} ... seems okay; \ ${RM} "${VUXML_FILE}.unexpanded"; \ else \ ${ECHO_MSG} ... see above; \ ${ECHO_CMD} Consider using ${VUXML_FILE}.unexpanded for final commit; \ return 1; \ fi ${PYTHON_CMD} ${FILESDIR}/extra-validation.py ${VUXML_FLAT_FILE} tidy: ${VUXML_FLAT_FILE} @if [ ! -e ${LOCALBASE}/share/xml/dtd/vuxml/catalog.xml ]; \ then \ echo "Please install the VuXML port prior to running make validate/tidy."; \ exit 1; \ fi ${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy" newentry: - @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" + @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" ${CVE_ID} .if defined(VID) && !empty(VID) html: work/${VID}.html work/${VID}.html: ${FILESDIR}/html.xsl ${FILESDIR}/common.css ${VUXML_FILE} ${MKDIR} work xsltproc --stringparam vid "${VID}" \ --output ${.TARGET} \ ${FILESDIR}/html.xsl ${VUXML_FILE} ${INSTALL_DATA} ${FILESDIR}/common.css work .endif .include diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh index 953d9dcd11e4..6da86b75a65b 100644 --- a/security/vuxml/files/newentry.sh +++ b/security/vuxml/files/newentry.sh @@ -1,63 +1,112 @@ #! /bin/sh +set -eu + vuxml_file="$1" +CVE_ID="${2:-}" + if [ -z "${vuxml_file}" ]; then exec >&2 echo "Usage: newentry.sh /path/to/vuxml/document" exit 1 fi tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1 +tmp_mitre="" +tmp_nvd="" + doclean="yes" cleanup() { if [ "${doclean}" = "yes" ]; then - rm -f "${tmp}" + rm -f "${tmp}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null fi } trap cleanup EXIT 1 2 13 15 vid="`uuidgen | tr '[:upper:]' '[:lower:]'`" [ -z "$vid" ] && exit 1 +cvename="INSERT CVE RECORD IF AVAILABLE" +cveurl="INSERT BLOCKQUOTE URL HERE" +details="." discovery="`date -u '+%Y-%m'`-FIXME" || exit 1 entry="`date -u '+%Y-%m-%d'`" || exit 1 +package_name="" +references="INSERT URL HERE" +topic="" +source="SO-AND-SO" +upstream_fix="" + +# Try to retrieve information if a CVE identifier was provided +if [ -n "${CVE_ID}" ]; then + if ! command -v jq > /dev/null; then + echo textproc/jq is needed for CVE automatic entry fill + exit 1 + fi + + # NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT + # cve-2022-39282. + CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1 + + # Get information from the NVD database JSON format + tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1 + fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1 + # Get information from MITRE database (they provide a nice "topic" + tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1 + fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}" + + # Create variables from input and online sources + cvename="${CVE_ID}" + cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID} + pref=.vulnerabilities[0].cve + details=$(jq -r "${pref}.descriptions[0].value|@html" "${tmp_nvd}" | fmt -p -s | sed '1!s/^/\t/') || exit 1 + discovery=$(jq -r "${pref}.published|@html" "${tmp_nvd}" | cut -f1 -dT) || exit 1 + pref=.vulnerabilities[0].cve.configurations[0].nodes[0].cpeMatch[0] + package_name=$(jq -r "${pref}.criteria|@html" "${tmp_nvd}" | cut -f4 -d:) || exit 1 + upstream_fix=$(jq -r "${pref}.versionEndExcluding|@html" "${tmp_nvd}") || exit 1 + pref=.vulnerabilities[0].cve.references[0] + references=$(jq -r "${pref}.url|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 + source=$(jq -r "${pref}.source|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 + topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1 +fi + awk '/^<\?/,/^> "${tmp}" || exit 1 cat << EOF >> "${tmp}" || exit 1 - -- + ${package_name} -- ${topic} - - + ${package_name} + ${upstream_fix} -

SO-AND-SO reports:

-
-

.

+

${source} reports:

+
+

${details}

- INSERT CVE RECORD IF AVAILABLE - INSERT BLOCKQUOTE URL HERE + ${cvename} + ${cveurl} ${discovery} ${entry} EOF awk '/^[[:space:]]+> "${tmp}" || exit 1 if cp "${tmp}" "${vuxml_file}"; then exec ${EDITOR:-vi} "${vuxml_file}" else doclean="no" exec >&2 echo "Could not overwrite \`${vuxml_file}'." echo "Results are left in \`${tmp}'." exit 1 fi