authorRaphael Geissert <geissert@debian.org>2010-12-14 03:55:03 +0000
committerRaphael Geissert <geissert@debian.org>2010-12-14 03:55:03 +0000
commitda2d9535b78a6b3344de3a698f4243511c249484 (patch)
tree3d156886b995ccb1d733c52fed67e7c0a13361ad /check-external
parent6fb0f15dcd5e102cfeae2288b4ba61c455193587 (diff)
Add some scripts to check our CVE list against Red Hat's
Try with: cd check-external && ./update.sh && ./lookup.sh CVE-2010 git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@15701 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'check-external')
-rwxr-xr-xcheck-external/lookup.sh70
-rwxr-xr-xcheck-external/update.sh30
2 files changed, 100 insertions, 0 deletions
diff --git a/check-external/lookup.sh b/check-external/lookup.sh
new file mode 100755
index 0000000000..c33f4f5cd6
--- /dev/null
+++ b/check-external/lookup.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+####################
+# Copyright (C) 2010 by Raphael Geissert <geissert@debian.org>
+#
+#
+# This file is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file. If not, see <http://www.gnu.org/licenses/>.
+####################
+
+set -e
+
+regex=
+after=
+
+while [ $# -ge 1 ]; do
+ case $1 in
+ --after|-a)
+ [ $# -gt 1 ] || {
+ echo "Missing argument for --after" >&2
+ exit 1
+ }
+ shift
+ after="$1"
+ ;;
+ --help|-h)
+ echo "Usage: $(basename "$0") [--after|-a per-year-id] [regex]"
+ echo ; echo "Look for NFUs in our tracker but recognised by RH (for now)"
+ echo "(requires you to run ./update.sh every now and then)"
+ echo ; year="$(date +%Y)"
+ echo "Example (check ids of $year):"
+ echo -e "\t$(basename "$0") CVE-$year"
+ echo "Example (check ids after CVE-$year-0100):"
+ echo -e "\t$(basename "$0") --after 0100 CVE-$year"
+ echo ; echo "Note: this is a hackish and slow implementation."
+ exit
+ ;;
+ *)
+ regex="$1"
+ ;;
+ esac
+ shift
+done
+
+for cve in $(< cve.list); do
+
+ if [[ $regex ]]; then
+ [[ $cve =~ $regex ]] || continue
+ fi
+
+ if [[ $after ]]; then
+ [ "${cve#CVE-*-}" '>' "$after" ] || continue
+ fi
+
+ # Permanent exclusions can be added below
+ o=$(grep -m1 -A1 $cve ../data/CVE/list | grep NOT-FOR-US |
+ grep -vi redhat | grep -vi 'red hat' | grep -vi pre-dating |
+ grep -vi realplayer | grep -vi acroread | grep -vi acrobat |
+ grep -vi adobe | grep -vi 'real player') && echo "$cve: $o" || :
+done
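Review bot: `$cve` reaches grep unquoted and as a regular expression in the `o=$(grep -m1 -A1 $cve ../data/CVE/list | ...` line inside the `for` loop, and its value comes from `cve.list`, which update.sh builds from downloaded HTML. Because `for cve in $(< cve.list)` word-splits and glob-expands the file, any line that is not a clean id produces words that can expand to local filenames or begin with `-` and be read by grep as options. Quote the value and end option parsing: `grep -m1 -A1 -F -- "$cve" ../data/CVE/list`. Reading the list with `while IFS= read -r cve; do ... done < cve.list` would avoid the splitting and globbing, and a guard such as `[[ $cve =~ ^CVE-[0-9]{4}-[0-9]+$ ]] || continue` at the top of the loop would keep malformed entries out of the pipeline.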
diff --git a/check-external/update.sh b/check-external/update.sh
new file mode 100755
index 0000000000..cf75051fba
--- /dev/null
+++ b/check-external/update.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+####################
+# Copyright (C) 2010 by Raphael Geissert <geissert@debian.org>
+#
+#
+# This file is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file. If not, see <http://www.gnu.org/licenses/>.
+####################
+
+# Note: The downloaded html files are Copyright by Red Hat, Inc.
+# or as specified at the individual html files or elsewhere on redhat.com's website
+
+set -e
+
+for year in $(seq 1999 $(date +%Y)); do
+ wget -N https://www.redhat.com/security/data/cve/cve-$year.html
+done
+
+sed -rn '/CVE-[12][0-9]{3}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/;p}' cve-*.html > cve.list
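Review bot: The `p` in the final sed command runs for every line matching the `/CVE-[12][0-9]{3}-/` address, whether or not the substitution succeeded, so a line whose markup differs from `>CVE-YYYY-NNNN<` is written to `cve.list` as raw HTML. That file is remote content which lookup.sh later expands unquoted, so only validated ids should reach it; printing only on a successful substitution does that: `sed -rn 's/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/p' cve-*.html > cve.list`. The greedy `^.+>` also keeps just the last id when one line carries several, which may drop entries depending on the page layout. Quoting `"$year"` in the wget URL, and writing to a temporary file that is moved into place after sed succeeds, would keep a failed run from leaving a truncated list.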
