[Secure-testing-commits] r15704 - check-external
Raphael Geissert
geissert at alioth.debian.org
Tue Dec 14 17:56:28 UTC 2010
Author: geissert
Date: 2010-12-14 17:56:22 +0000 (Tue, 14 Dec 2010)
New Revision: 15704
Modified:
check-external/lookup.sh
check-external/update.sh
Log:
Add support for other CVE sources
Example: ./lookup -s UBUNTU
Modified: check-external/lookup.sh
===================================================================
--- check-external/lookup.sh 2010-12-14 16:48:06 UTC (rev 15703)
+++ check-external/lookup.sh 2010-12-14 17:56:22 UTC (rev 15704)
@@ -22,6 +22,7 @@
regex=
after=
+source=cve
while [ $# -ge 1 ]; do
case $1 in
@@ -33,15 +34,29 @@
shift
after="$1"
;;
+ --source|-s)
+ [ $# -gt 1 ] || {
+ echo "Missing argument for --source" >&2
+ exit 1
+ }
+ shift
+ source="$1"
+ ;;
--help|-h)
- echo "Usage: $(basename "$0") [--after|-a per-year-id] [regex]"
- echo ; echo "Look for NFUs in our tracker but recognised by RH (for now)"
+ echo "Usage: $(basename "$0") [--source|-s vendor] [--after|-a per-year-id] [regex]"
+ echo ; echo "Look for NFUs in our tracker but recognised or fixed by a vendor"
echo "(requires you to run ./update.sh every now and then)"
+ echo ; echo "Possible vendors:"
+ echo -e "\tcve (for checking against Red Hat's tracker)"
+ echo "fixed issues only:"
+ echo -e "\tUBUNTU\n\tFEDORA\n\tetc (uppercase vendor name; check ./update)"
echo ; year="$(date +%Y)"
echo "Example (check ids of $year):"
echo -e "\t$(basename "$0") CVE-$year"
echo "Example (check ids after CVE-$year-0100):"
echo -e "\t$(basename "$0") --after 0100 CVE-$year"
+ echo "Example (check ids of $year fixed at Fedora):"
+ echo -e "\t$(basename "$0") --source FEDORA CVE-$year"
echo ; echo "Note: this is a hackish and slow implementation."
exit
;;
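Review bot: The new `--source|-s` arm stores `$1` without any check, although the value later becomes a file name (`source+=.list` in the next hunk), so a value containing `/`, whitespace or a glob character is only caught indirectly, if at all. A check right after `source="$1"`, such as `[[ $source =~ ^[A-Za-z]+$ ]] || { echo "Invalid source: $source" >&2; exit 1; }`, would restrict it to the names update.sh writes. The added help line also says `check ./update`, while the existing line above it refers to `./update.sh`. The `case` statement starts and ends outside this hunk.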
@@ -52,8 +67,16 @@
shift
done
-for cve in $(< cve.list); do
+source+=.list
+[ -f "$source" ] || {
+ echo "CVE source list $source doesn't exist" >&2
+ exit 1
+}
+for cve in $(< $source); do
+
+ [[ $cve ]] || continue
+
if [[ $regex ]]; then
[[ $cve =~ $regex ]] || continue
fi
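Review bot: The added guard `[[ $cve ]] || continue` can never fire, because the unquoted `$(< $source)` is word-split and never yields an empty word, so the loop still accepts any token found in a list built from downloaded HTML. Those tokens are also subject to pathname expansion and are passed unquoted to `grep -m1 -A1 $cve` in the last hunk, where a word beginning with `-` would be read as an option. Validating the shape instead, with `[[ $cve =~ ^CVE-[0-9]{4}-[0-9]+$ ]] || continue`, and quoting the file name as `for cve in $(< "$source"); do`, closes both gaps. The loop body continues outside this hunk.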
@@ -66,5 +89,6 @@
o=$(grep -m1 -A1 $cve ../data/CVE/list | grep NOT-FOR-US |
grep -vi redhat | grep -vi 'red hat' | grep -vi pre-dating |
grep -vi realplayer | grep -vi acroread | grep -vi acrobat |
- grep -vi adobe | grep -vi 'real player') && echo "$cve: $o" || :
+ grep -viw opera | grep -vi adobe |
+ grep -vi 'real player') && echo "$cve: $o" || :
done
Modified: check-external/update.sh
===================================================================
--- check-external/update.sh 2010-12-14 16:48:06 UTC (rev 15703)
+++ check-external/update.sh 2010-12-14 17:56:22 UTC (rev 15704)
@@ -18,13 +18,27 @@
# along with this file. If not, see <http://www.gnu.org/licenses/>.
####################
+set -e
+
+export LANG=C
+
+# Red Hat provides a complete dump of their tracker, which includes
+# unfixed issues.
# Note: The downloaded html files are Copyright by Red Hat, Inc.
# or as specified at the individual html files or elsewhere on redhat.com's website
-
-set -e
-
for year in $(seq 1999 $(date +%Y)); do
wget -N https://www.redhat.com/security/data/cve/cve-$year.html
done
+sed -rn '/CVE-[12][0-9]{3}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/;p}' cve-*.html |
+ sort > cve.list
-sed -rn '/CVE-[12][0-9]{3}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/;p}' cve-*.html > cve.list
+
+# List of issues fixed by each vendor, according to MITRE. Very
+# incomplete, but it doesn't hurt to double check (including our own list)
+# Note: The downloaded html files are Copyright by The MITRE Corporation
+# or as specified at the individual html files or elsewhere on cve.mitre.org's website
+for vendor in SUSE DEBIAN GENTOO FEDORA REDHAT UBUNTU; do
+ wget -N http://cve.mitre.org/data/refs/refmap/source-$vendor.html
+ sed -rn '/CVE-[12][0-9]{3}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/;p}' source-$vendor.html |
+ sort > $vendor.list
+done
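Review bot: The vendor refmaps in the new `for vendor` loop are fetched over plain `http://`, whereas the Red Hat pages above use `https://`, and the result is written straight into `$vendor.list` for lookup.sh to iterate over. Because the sed script ends in `;p`, a line that merely contains `CVE-YYYY-` is printed whole even when the substitution does not match, so stray markup can land in the list. Using `sed -rn 's/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/p'` here and in the `cve.list` pipeline emits only extracted ids. If cve.mitre.org serves these pages over TLS, the URL scheme should be switched. Note also that `set -e` alone does not catch a failing `sed` on the left side of the pipe, which `set -o pipefail` would.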