Author: geissert
Date: 2012-08-20 01:41:26 +0000 (Mon, 20 Aug 2012)
New Revision: 19983
Modified:
bin/report-vuln
Log:
Allow report-vuln to report issues without CVE ids
USAGE: bin/report-vuln src-pkg CVE-2012-XXXX
Specify as many CVE-less entries as the number of issues to report.
E.g. to report two issues without CVE id against foo:
bin/report-vuln foo CVE-2012-XXXX CVE-2012-XXXX
NOTE: Make sure you add a description to the CVE/list entries!
Modified: bin/report-vuln
==================================================================---
bin/report-vuln 2012-08-20 00:24:02 UTC (rev 19982)
+++ bin/report-vuln 2012-08-20 01:41:26 UTC (rev 19983)
@@ -15,23 +15,41 @@
import sys, re, urllib, os
+temp_id = re.compile(''(?:CVE|cve)\-[0-9]{4}-XXXX'')
+
def setup_path():
dirname = os.path.dirname
base = dirname(dirname(os.path.realpath(sys.argv[0])))
sys.path.insert(0, os.path.join(base, "lib", "python"))
-def description_from_list(id):
+def description_from_list(id, pkg = '''', skip_entries = 0):
setup_path()
import bugs
import debian_support
+ is_temp = temp_id.match(id)
+ skipped = 0
+
for bug in bugs.CVEFile(debian_support.findresource(
*"data CVE list".split())):
- if bug.name == id:
+ if bug.name == id or (is_temp and not bug.isFromCVE()):
+ if pkg != '''':
+ matches = False
+ for n in bug.notes:
+ if n.package == pkg:
+ matches = True
+ break
+ if not matches:
+ continue
+ if skipped < skip_entries:
+ skipped += 1
+ continue
return bug.description
def gen_index(ids):
ret = ''''
for cnt, id in enumerate(ids):
+ if temp_id.match(id):
+ continue
ret += ''\n['' + str(cnt) + '']
http://cve.mitre.org/cgi-bin/cvename.cgi?name='' + id +
''\n''
ret += '' http://security-tracker.debian.org/tracker/'' +
id
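Review bot: `temp_id` is compiled without an end anchor and is only ever used through `.match()`, which anchors at the start of the string alone, so any argument that merely begins with `CVE-2012-XXXX` is treated as a temporary id. This affects the argument check in the last hunk (`not c.match(arg) and not temp_id.match(arg)`), which now accepts strings with arbitrary trailing text, and also the tests in `description_from_list`, `gen_index` and the printing loop. Anchoring the pattern keeps the validation strict: `temp_id = re.compile(r'(?:CVE|cve)-[0-9]{4}-XXXX$')`. The raw string also makes the `\-` escape unnecessary.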
@@ -92,6 +110,7 @@
vuln_suff = ''y''
cve_suff = ''''
time_w = ''was''
+ temp_id_cnt = 0
if len(cveid) > 1:
cve_suff = ''s''
@@ -115,12 +134,25 @@
print header
for cnt, cve in enumerate(cveid):
- print cve + ''['' + str(cnt) + '']:''
- print get_cve(cve)
+ if not temp_id.match(cve):
+ print cve + ''['' + str(cnt) + '']:''
+ print get_cve(cve)
+ else:
+ print ''''''Issue without CVE id #%d
[%d]:'''''' % (temp_id_cnt, cnt)
+ desc = description_from_list(cve, pkg, temp_id_cnt)
+ if desc:
+ print desc + ''\n''
+ else:
+ print ''No description has been specified\n''
+ temp_id_cnt += 1
print footer
print gen_index(cveid)
+ if temp_id_cnt > 0:
+ print
''\nhttp://security-tracker.debian.org/tracker/source-package/%s''
% (pkg)
+ print ''(issues without id are assigned a temporary one that may
change over time)\n''
+
def error(msg):
print ''error: '' + msg
sys.exit(1)
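Review bot: The heading printed for a CVE-less issue still carries a `[%d]` reference built from `cnt`, but `gen_index` (first hunk) skips temporary ids, so that number has no matching entry in the index printed after the footer. Either drop the `[%d]` from the heading or have the index emit the source-package tracker URL under that number. The counter is also printed before it is incremented, so the first issue is labelled `#0`; if numbering from one is intended, `% (temp_id_cnt + 1, cnt)` would do it. The enclosing function begins outside this hunk.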
@@ -144,7 +176,7 @@
error(pkg + '' does not seem to be a valid source package
name'')
for arg in cve:
- if not c.match(arg):
+ if not c.match(arg) and not temp_id.match(arg):
error(arg + '' does not seem to be a valid CVE id'')
gen_text(pkg, cve)