[Secure-testing-commits] r167 - in sarge-checks: . CAN CVE
Joey Hess
joeyh@haydn.debian.org
Fri, 03 Dec 2004 13:25:48 -0700
Author: joeyh
Date: 2004-12-03 13:25:41 -0700 (Fri, 03 Dec 2004)
New Revision: 167
Added:
sarge-checks/updatelist
Removed:
sarge-checks/update.pl
Modified:
sarge-checks/CAN/Makefile
sarge-checks/CVE/Makefile
sarge-checks/README
Log:
update
Modified: sarge-checks/CAN/Makefile
===================================================================
--- sarge-checks/CAN/Makefile 2004-12-03 20:22:58 UTC (rev 166)
+++ sarge-checks/CAN/Makefile 2004-12-03 20:25:41 UTC (rev 167)
@@ -1,5 +1,5 @@
update:
rm -f full-can.html
wget --quiet http://www.cve.mitre.org/cve/candidates/downloads/full-can.html
- ../update.pl full-can.html ../DSA/list list > list.new
+ ../updatelist full-can.html ../DSA/list list > list.new
mv -f list.new list
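Review bot: The `update` target still fetches `full-can.html` over plain `http://` with `--quiet` and feeds whatever arrives straight into `../updatelist`, whose output then replaces `list` via `mv -f`; nothing in this hunk checks the integrity or completeness of the download. Because `list` is the tracking data used to decide which issues still need checking, a tampered or truncated response could plausibly change or drop entries unnoticed (the body of `updatelist` is not visible here, so this is inferred from the removed `update.pl`, which emits `NOTE: reserved` / `NOTE: rejected` purely from the downloaded HTML). Consider fetching over an authenticated channel if the server offers one, adding a sanity step such as `test -s list.new` before `mv -f list.new list`, and reviewing the regenerated list with `svn diff` before committing it. The same applies to the identical hunk in `sarge-checks/CVE/Makefile`.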
Modified: sarge-checks/CVE/Makefile
===================================================================
--- sarge-checks/CVE/Makefile 2004-12-03 20:22:58 UTC (rev 166)
+++ sarge-checks/CVE/Makefile 2004-12-03 20:25:41 UTC (rev 167)
@@ -1,5 +1,5 @@
update:
rm -f full-cve.html
wget --quiet http://www.cve.mitre.org/cve/downloads/full-cve.html
- ../update.pl full-cve.html ../DSA/list list > list.new
+ ../updatelist full-cve.html ../DSA/list list > list.new
mv -f list.new list
Modified: sarge-checks/README
===================================================================
--- sarge-checks/README 2004-12-03 20:22:58 UTC (rev 166)
+++ sarge-checks/README 2004-12-03 20:25:41 UTC (rev 167)
@@ -1,13 +1,19 @@
The checklist program can be run on a system with madison available to
check vulnerability info from the list files against what packages are in
-testing. So the various list files need a common, machine parsable format.
-That format is:
+testing. Also the updatelist is used by the Makefile to update the lists
+with new info from Mitre. So the various list files need a common, machine
+parsable format. That format is:
+begin claimed by foo
+
[date] id description
{id id id}
UPCASE: test
- package version
+end claimed by foo
+
+
Without writing a format grammar, because this is really rather ad-hoc and
probably will be replaced with something better:
@@ -18,13 +24,17 @@
DSA-nnn-n, CAN-YYY-nnnn, CVE-YYY-nnnn, etc
description
Pretty much freeform description of the problem. Short and optional.
- Generally only used for DSAs right now.
{id id id}
This is used to link to other ids that describe the same hole.
- Generally used to link DSAs to CAN's and CVEs
+ Generally used to link DSAs to CAN's and CVEs and back.
UPCASE
Any word in upper case, typically NOTE, HELP, TODO.
May be repeated for each entry.
- package version
Indicates that the problem is fixed in the given version of the
package. May repeat for other packages.
+
+begin claimed by foo
+end claimed by foo
+ Marks a set of items that are being checked by someone.
+ Used to avoid duplicate work.
Deleted: sarge-checks/update.pl
===================================================================
--- sarge-checks/update.pl 2004-12-03 20:22:58 UTC (rev 166)
+++ sarge-checks/update.pl 2004-12-03 20:25:41 UTC (rev 167)
@@ -1,137 +0,0 @@
-#!/usr/bin/perl
-my $full_can_html=shift;
-my $dsa_list=shift;
-my $our_list=shift;
-
-my %cans;
-
-open (DSA, "<$dsa_list") || die "$dsa_list: $!\n";
-my $dsa;
-while (<DSA>) {
- if (/^\[/) {
- ($dsa)=m/(DSA-.*?) /;
- }
- if (/\{(CAN|CVE)/) {
- my ($canlist)=m/\{(.*)\}/;
- foreach my $can (split ' ', $canlist) {
- $can=~s/CVE-/CAN-/g;
- next unless $can=~/^CAN-\d+/;
- $cans{$can}{can}=$can;
- push @{$cans{$can}{dsa}}, $dsa;
- $can=~s/CAN-/CVE-/g;
- $cans{$can}{can}=$can;
- push @{$cans{$can}{dsa}}, $dsa;
- }
- }
-}
-close DSA;
-
-my %listedcans;
-
-open (FULL_CAN, "<$full_can_html") || die "$full_can_html: $!\n";
-my $can;
-while (<FULL_CAN>) {
- if (m!<b>(CAN-\d+-\d+)</b>!) {
- $can=$1;
- $cans{$can}{can}=$can;
- $listedcans{$can}=1;
- }
- elsif (m!<b>(CVE-\d+-\d+)</b>!) {
- $can=$1;
- $cans{$can}{can}=$can;
- $listedcans{$can}=1;
- }
- if (m!\*\*\s+RESERVED\s+\*\*!) {
- $cans{$can}{reserved}=1;
-
- }
- if (m!\*\*\s+REJECT\s+\*\*!) {
- $cans{$can}{rejected}=1;
- }
-}
-close FULL_CAN;
-
-my $stopped=0;
-my @out;
-
-sub docan {
- my $can=shift;
-
- push @out, "$can".(length $cans{$can}{description} ? " ".$cans{$can}{description} : "")."\n";
- if ($cans{$can}{reserved}) {
- push @out, "\tNOTE: reserved\n";
- }
- if ($cans{$can}{rejected}) {
- push @out, "\tNOTE: rejected\n";
- }
- if ($cans{$can}{dsa}) {
- push @out, "\t{".join(" ", @{$cans{$can}{dsa}})."}\n";
- }
- if ($cans{$can}{notes}) {
- foreach (@{$cans{$can}{notes}}) {
- push @out, "\t$_\n";
- }
- }
- if (! $cans{$can}{reserved} && ! $cans{$can}{rejected} &&
- ! $cans{$can}{dsa} && ! $cans{$can}{notes} &&
- ! $stopped) {
- push @out, "\tTODO: check\n";
- }
-
- delete $cans{$can};
-}
-
-open (IN, "<$our_list") || die "$our_list: $!\n";
-my $can;
-while (<IN>) {
- chomp;
- if (/^((?:CAN|CVE)-[-0-9]*)\s*(.*)/) {
- docan($can) if $can;
- $can=$1;
- $cans{$can}{description}=$2 if length $2;
- }
- elsif (/^\s+NOTE:\s*(reserved|rejected)\s*$/) {
- # skip it
- }
- elsif (/^\s+NOTE: covered by DSA.*/) {
- # skip it (old form)
- }
- elsif (/^\s+{DSA.*/) {
- # skip
- }
- elsif (/^\s+(.*)/ && $can) {
- push @{$cans{$can}{notes}}, $1;
- }
- elsif (/^STOP/) {
- docan($can) if $can;
- push @out, "$_\n";
- $stopped=1;
- $can='';
- }
- else {
- docan($can) if $can;
- push @out, "$_\n" if length $_;
- $can='';
- }
-}
-close IN;
-docan($can) if $can;
-
-foreach my $can (reverse sort { $cans{$a}{can} cmp $cans{$b}{can} } keys %cans) {
- next unless $listedcans{$can};
- print "$can\n";
- if ($cans{$can}{reserved}) {
- print "\tNOTE: reserved\n";
- }
- if ($cans{$can}{rejected}) {
- print "\tNOTE: rejected\n";
- }
- if ($cans{$can}{dsa}) {
- print "\t{".join(" ", @{$cans{$can}{dsa}})."}\n";
- }
- if (!$cans{$can}{reserved} || $cans{$can}{rejected} || $cans{$can}{dsa}) {
- print "\tTODO: check\n";
- }
-}
-
-print @out;
Copied: sarge-checks/updatelist (from rev 166, sarge-checks/update.pl)