[Secure-testing-commits] r19983 - bin

Raphael Geissert geissert at alioth.debian.org
Mon Aug 20 01:41:27 UTC 2012


Author: geissert
Date: 2012-08-20 01:41:26 +0000 (Mon, 20 Aug 2012)
New Revision: 19983

Modified:
   bin/report-vuln
Log:
Allow report-vuln to report issues without CVE ids

USAGE: bin/report-vuln src-pkg CVE-2012-XXXX

Specify as many CVE-less entries as the number of issues to report.
E.g. to report two issues without CVE id against foo:
bin/report-vuln foo CVE-2012-XXXX CVE-2012-XXXX

NOTE: Make sure you add a description to the CVE/list entries!



Modified: bin/report-vuln
===================================================================
--- bin/report-vuln	2012-08-20 00:24:02 UTC (rev 19982)
+++ bin/report-vuln	2012-08-20 01:41:26 UTC (rev 19983)
@@ -15,23 +15,41 @@
 
 import sys, re, urllib, os
 
+temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-XXXX')
+
 def setup_path():
 	dirname = os.path.dirname
 	base = dirname(dirname(os.path.realpath(sys.argv[0])))
 	sys.path.insert(0, os.path.join(base, "lib", "python"))
 
-def description_from_list(id):
+def description_from_list(id, pkg = '', skip_entries = 0):
 	setup_path()
 	import bugs
 	import debian_support
+	is_temp = temp_id.match(id)
+	skipped = 0
+
 	for bug in bugs.CVEFile(debian_support.findresource(
 			    *"data CVE list".split())):
-		if bug.name == id:
+		if bug.name == id or (is_temp and not bug.isFromCVE()):
+			if pkg != '':
+				matches = False
+				for n in bug.notes:
+					if n.package == pkg:
+						matches = True
+						break
+				if not matches:
+					continue
+			if skipped < skip_entries:
+				skipped += 1
+				continue
 			return bug.description
 
 def gen_index(ids):
 	ret = ''
 	for cnt, id in enumerate(ids):
+		if temp_id.match(id):
+			continue
 		ret += '\n[' + str(cnt) + '] http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id + '\n'
 		ret += '    http://security-tracker.debian.org/tracker/' + id
 
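Review bot: `temp_id` at the top of the hunk is compiled from a non-raw string and is anchored only at the start, so `temp_id.match()` accepts any argument that merely begins with a placeholder (a constructed example: `CVE-2012-XXXX-extra`) in `description_from_list`, `gen_index` here and the validation loop in the last hunk. `temp_id = re.compile(r'^(?:CVE|cve)-[0-9]{4}-XXXX$')` closes that; the `\-` escape is unnecessary since `-` is literal outside a character class, and the raw string avoids the invalid-escape warning newer interpreters emit for `'\-'`. `description_from_list` also returns None implicitly when nothing matches, and its new `skip_entries` argument deserves a docstring stating that it selects the n-th CVE-less entry for `pkg` in list order, which is what the caller in the third hunk relies on.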
@@ -92,6 +110,7 @@
 	vuln_suff = 'y'
 	cve_suff = ''
 	time_w = 'was'
+	temp_id_cnt = 0
 
 	if len(cveid) > 1:
 		cve_suff = 's'
@@ -115,12 +134,25 @@
 
 	print header
 	for cnt, cve in enumerate(cveid):
-		print cve + '[' + str(cnt) + ']:'
-		print get_cve(cve)
+		if not temp_id.match(cve):
+			print cve + '[' + str(cnt) + ']:'
+			print get_cve(cve)
+		else:
+			print '''Issue without CVE id #%d [%d]:''' % (temp_id_cnt, cnt)
+			desc = description_from_list(cve, pkg, temp_id_cnt)
+			if desc:
+				print desc + '\n'
+			else:
+				print 'No description has been specified\n'
+			temp_id_cnt += 1
 
 	print footer
 	print gen_index(cveid)
 
+	if temp_id_cnt > 0:
+		print '\nhttp://security-tracker.debian.org/tracker/source-package/%s' % (pkg)
+		print '(issues without id are assigned a temporary one that may change over time)\n'
+
 def error(msg):
 	print 'error: ' + msg
 	sys.exit(1)
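Review bot: The `[%d]` reference printed for a CVE-less issue in the new `else` branch points at an index entry that `gen_index` never emits, since that function skips `temp_id` matches, so the bracketed number dangles in the generated text. Either drop it for temporary ids, `print '''Issue without CVE id #%d:''' % temp_id_cnt`, or make `gen_index` emit the source-package tracker URL for those positions instead of skipping them. The lookup `description_from_list(cve, pkg, temp_id_cnt)` depends on the relative order of CVE-less entries in the list, so a comment such as `# n-th CVE-less entry for pkg, in list order; the footer warns that this numbering may change` would help readers. gen_text starts outside the hunk.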
@@ -144,7 +176,7 @@
 		error(pkg + ' does not seem to be a valid source package name')
 
 	for arg in cve:
-		if not c.match(arg):
+		if not c.match(arg) and not temp_id.match(arg):
 			error(arg + ' does not seem to be a valid CVE id')
 
 	gen_text(pkg, cve)



