Author: stef-guest
Date: 2006-11-08 22:35:50 +0100 (Wed, 08 Nov 2006)
New Revision: 4941
Added:
bin/check-new-issues
Log:
check-new-issues
downloads allitems.txt from cve.mitre.org and shows full decription for each
"TODO: check" item. It then tries to guess name and/or script file
names and
does apt-cache or apt-file search and allows to directly replace the TODO by a
NFU. This is good for weeding out all those trivial PHP NFUs issues.
check-new-issues -l
will just list the issues with with a longer description than in CVE/list
itself.
This helps when looking for interesting new issues.
check-new-issues -h
will give some help
All in all nothing fancy but saves some time. Currently it want''s to be
called
from the parent dir as:
secure-testing/bin/check-new-issues
Added: bin/check-new-issues
==================================================================---
bin/check-new-issues 2006-11-08 20:53:57 UTC (rev 4940)
+++ bin/check-new-issues 2006-11-08 21:35:50 UTC (rev 4941)
@@ -0,0 +1,253 @@
+#!/usr/bin/perl
+
+use strict;
+use File::Temp;
+use Getopt::Std;
+#use Smart::Comments;
+
+my %opts;
+getopts(''ln:fh'', \%opts);
+
+if ($opts{h}) {
+ print <<"EOF";
+downloads allitems.txt from cve.mitre.org and shows full decription for each
+"TODO: check" item (2003 and newer). Then
+
+- tries to guess product name and php filename and does
+ apt-cache and apt-file search
+- waits for input:
+ * blank line to skip to next issue
+ * .fname to do "apt-file search name"
+ * .cname to do "apt-cache search name"
+ * v or e to launch an editor with the current item
+ * q to save and quit
+ * CTRL-C to quit without saving
+ * everything else is inserted as product name for a NOT-FOR-US
+
+Use "svn diff" and "svn revert" as needed ;-)
+
+OPTIONS: [ -l [-n <n>] [-f] ]
+-l : just list issues
+-n <n>: show max n lines of each description (default 2)
+-f : show full CVE/list entry as well
+
+EOF
+
+ exit(0);
+}
+
+# TODO/BUGS:
+# - go back to previous issue / undo
+# - handle entries with several TODO lines
+# - handle other TODOs than "check"
+# - allow setting the regexp to search for
+# - handle claimed-by
+# - look for ITPs?
+
+my $datafile="./secure-testing/data/CVE/list";
+my $allitemsfile="gunzip -c allitems.txt.gz|";
+my $allitemsurl="http://cve.mitre.org/cve/downloads/allitems.txt.gz";
+
+my $editor=$ENV{EDITOR} || $ENV{VISUAL} || "vi";
+
+system "wget -N $allitemsurl";
+
+
+print "Reading data...\n";
+
+my $entries=read_file($datafile, qr/^CVE/ );
+my $CVEs=read_file($allitemsfile, qr/^=+$/ );
+my $data;
+my @todos;
+my %afcache;
+
+foreach my $cve (@{$CVEs}) {
+ $cve =~ /^Name:\s*(CVE\S+)/m or next;
+ $data->{$1}->{CVE}=\$cve;
+}
+
+
+foreach my $entry (@{$entries}) {
+ my $name;
+ if ( $entry =~ /^(CVE-....-\d\d\d\d)/ ) {
+ $name=$1;
+ }
+ elsif ( $entry =~ /^(CVE-....-XXXX.*)\n/ ){
+ $name=$1;
+ }
+ else {
+ die "invlid entry:\n$entry";
+ }
+ $data->{$name}->{entry}=\$entry;
+ if ( $entry =~ /^\s+TODO: check/m
+ and $name =~ /CVE-200[3-9]/ ) {
+ push @todos, $name;
+ }
+}
+
+print scalar(@{$CVEs}), "/", scalar(@{$entries}), "/",
scalar(@todos), "\n";
+
+if ($opts{l}) {
+ #list only
+ foreach my $todo (reverse sort @todos) {
+ my $desc=description($todo);
+ if ($desc) {
+ my $lines=$opts{n} || 2;
+ if ($desc =~ /((?:.*\n){1,$lines})/) {
+ $desc = $1;
+ $desc =~ s/^/ /mg;
+ if ($opts{f}) {
+ print ${$data->{$todo}->{entry}}, $desc;
+ }
+ else {
+ print "$todo:\n$desc";
+ }
+ }
+ }
+ else {
+ print "${$data->{$todo}->{entry}}";
+ }
+ }
+ exit 0;
+}
+
+TODO: foreach my $todo (reverse sort @todos) {
+ print ${$data->{$todo}->{CVE}} if $data->{$todo}->{CVE};
+ print ${$data->{$todo}->{entry}};
+
+ auto_search($todo);
+
+ READ: while (my $r=<STDIN>) {
+ chomp $r;
+ if ($r =~ /^\s*$/) {
+ next TODO;
+ }
+ elsif ($r=~ /^\.c(.*)$/ ) {
+ my $s = $1;
+ $s =~ tr{a-zA-Z0-9_@-}{ }cs;
+ print "=== apt-cache search $s :\n";
+ system("apt-cache search $s|less -FX");
+ print "===\n";
+ next READ;
+ }
+ elsif ($r=~ /^\.f(.*)$/ ) {
+ my $s = $1;
+ $s =~ s/^\s*(.*?)\s*$/$1/;
+ print "=== apt-file search ''$s'':\n";
+ system("apt-file search ''$s''|less -FX");
+ print "===\n";
+ next READ;
+ }
+ elsif ($r=~ /^q$/i ) {
+ last TODO;
+ }
+ elsif ($r=~ /^[ve]$/i ) {
+ my $newentry=edit_entry(${$data->{$todo}->{entry}});
+ if ( $newentry eq ${$data->{$todo}->{entry}} ) {
+ print "Not changed.\n";
+ next READ;
+ }
+ else {
+ ${$data->{$todo}->{entry}}=$newentry;
+ print "New entry set to:\n$newentry";
+ next TODO;
+ }
+ }
+ else {
+ ${$data->{$todo}->{entry}} =~
+ s/^\s*TODO: check/\tNOT-FOR-US: $r/m ;
+ print "New entry set to:\n${$data->{$todo}->{entry}}";
+ next TODO;
+ }
+ }
+}
+
+open(my $fh, ">", $datafile);
+print $fh @{$entries};
+close($fh);
+
+sub description {
+ my $name=shift;
+
+ defined $data->{$name}->{CVE} or return "";
+
+ ${$data->{$name}->{CVE}} =~ /\n\n(.*)^Current Votes:/ms;
+ my $desc = $1;
+ $desc =~ s/\n\n+/\n/;
+
+ return $desc;
+}
+
+sub read_file
+{
+ my $file=shift;
+ my $re=shift;
+
+
+ open(my $fh, $file) or die "could not open $file";
+
+ my @data;
+ my $cur="";
+ while (my $line=<$fh>) {
+ if ($line =~ $re and $cur) {
+ push @data, $cur;
+ $cur = "";
+ }
+ $cur.=$line;
+ }
+ push @data, $cur if $cur;
+
+ close($fh);
+
+
+ return \@data;
+}
+
+
+sub edit_entry {
+ my $entry=shift;
+ my $tmp=new File::Temp();
+ my $tmpname=$tmp->filename;
+ print $tmp $entry;
+ close $tmp;
+ system "$editor $tmpname";
+
+ local $/; #slurp
+ open($tmp, $tmpname);
+ return <$tmp>;
+
+}
+
+sub auto_search {
+ my $name=shift;
+
+ my $desc=description($name);
+ $desc =~ s/[\s\n]+/ /g;
+
+ my $file;
+ my $prog;
+ if ( $desc =~ / in (\S+\.\S+) in (\S+) / ) {
+ $file = $1;
+ $prog = $2;
+ }
+ elsif ( $desc =~ / in (?:the )?(\S+) / ) {
+ $prog = $1;
+ }
+ if ($prog) {
+ print "doing apt-cache search...";
+ my $ac=`apt-cache search ''$prog'' |wc -l`;
+ chomp $ac;
+ print "\r$ac results from apt-cache search $prog\n";
+ }
+ if ( $file eq ''index.php'' ) {
+ return;
+ }
+ if ( $file =~ /(php3?|asp|cgi)$/ ) {
+ if (! exists $afcache{$file}) {
+ print "doing apt-file search...";
+ $afcache{$file}=`apt-file -i search ''$file'' |wc -l`;
+ chomp $afcache{$file};
+ }
+ print "\r$afcache{$file} results from apt-file -i search $file\n";
+ }
+}
Property changes on: bin/check-new-issues
___________________________________________________________________
Name: svn:executable
+ *