From 34f56c0800a5e640a9af18bd945366b83ff05b59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?=
Date: Wed, 29 Nov 2017 15:21:40 +0000
Subject: report-vuln: Use spaces instead of tabs

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58118 e39458fd-73e7-0310-bf30-c45bca0a0e42
---
 bin/report-vuln | 292 ++++++++++++++++++++++++++++----------------------------
 1 file changed, 146 insertions(+), 146 deletions(-)
(limited to 'bin/report-vuln')
diff --git a/bin/report-vuln b/bin/report-vuln
index b6293da846..3e176e182f 100755
--- a/bin/report-vuln
+++ b/bin/report-vuln
@@ -25,118 +25,118 @@ import sys, re, urllib, os temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-XXXX') def setup_path(): - dirname = os.path.dirname - base = dirname(dirname(os.path.realpath(sys.argv[0]))) - sys.path.insert(0, os.path.join(base, "lib", "python")) + dirname = os.path.dirname + base = dirname(dirname(os.path.realpath(sys.argv[0]))) + sys.path.insert(0, os.path.join(base, "lib", "python")) def description_from_list(id, pkg='', skip_entries=0): - setup_path() - import bugs - import debian_support - is_temp = temp_id.match(id) - skipped = 0 - - for bug in bugs.CVEFile(debian_support.findresource( - *"data CVE list".split())): - if bug.name == id or (is_temp and not bug.isFromCVE()): - if pkg != '': - matches = False - for n in bug.notes: - if n.package == pkg and str(n.urgency) != 'unimportant': - matches = True - break - if not matches: - continue - if skipped < skip_entries: - skipped += 1 - continue - return bug.description + setup_path() + import bugs + import debian_support + is_temp = temp_id.match(id) + skipped = 0 + + for bug in bugs.CVEFile(debian_support.findresource( + *"data CVE list".split())): + if bug.name == id or (is_temp and not bug.isFromCVE()): + if pkg != '': + matches = False + for n in bug.notes: + if n.package == pkg and str(n.urgency) != 'unimportant': + matches = True + break + if not matches: + continue + if skipped < skip_entries: + skipped += 1 + continue + return bug.description def gen_index(ids): - ret = '' - for cnt, id in enumerate(ids): - if temp_id.match(id): - continue - ret += '\n[' + str(cnt) + '] https://security-tracker.debian.org/tracker/' + id + '\n' - ret += ' https://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id + ret = '' + for cnt, id in enumerate(ids): + if temp_id.match(id): + continue + ret += '\n[' + str(cnt) + '] https://security-tracker.debian.org/tracker/' + id + '\n' + ret += ' https://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id - return ret + return ret def http_get(id): - param = 
urllib.urlencode({'name' : id}) - resp = '' - try: - f = urllib.urlopen('https://cve.mitre.org/cgi-bin/cvename.cgi?%s' % param) - resp = f.read() - except Exception, e: - error('on doing HTTP request' + str(e)) - - f.close() - - return resp + param = urllib.urlencode({'name' : id}) + resp = '' + try: + f = urllib.urlopen('https://cve.mitre.org/cgi-bin/cvename.cgi?%s' % param) + resp = f.read() + except Exception, e: + error('on doing HTTP request' + str(e)) + + f.close() + + return resp # this is a hack that parses the cve id description from mitre def get_cve(id): - desc = False - r = re.compile('.*Description<.*') - tag = re.compile('.*.*') - reserved = re.compile(r'\*+\s+()?RESERVED()?\s+\*+') - ret = '' - resp = http_get(id) + desc = False + r = re.compile('.*Description<.*') + tag = re.compile('.*.*') + reserved = re.compile(r'\*+\s+()?RESERVED()?\s+\*+') + ret = '' + resp = http_get(id) - for line in resp.rsplit('\n'): - if r.match(line): - desc = True - continue + for line in resp.rsplit('\n'): + if r.match(line): + desc = True + continue - if desc and reserved.search(line): - break + if desc and reserved.search(line): + break - if tag.match(line) and desc: - continue + if tag.match(line) and desc: + continue - if desc and '' in line: - ret += '| ' + re.sub('.*', '', line) - continue + if desc and '' in line: + ret += '| ' + re.sub('.*', '', line) + continue - if desc and '' in line: - break + if desc and '' in line: + break - if desc and line != '': - ret = ret + '\n| ' + line + if desc and line != '': + ret = ret + '\n| ' + line - if ret == '': - ret = description_from_list(id) + if ret == '': + ret = description_from_list(id) - if ret == '': - ret = 'No description was found (try on a search engine)' + if ret == '': + ret = 'No description was found (try on a search engine)' - return ret + '\n' + return ret + '\n' def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, cclist=None, src=False): - vuln_suff = 'y' - cve_suff = '' - 
time_w = 'was' - temp_id_cnt = 0 - - if len(cveid) > 1: - cve_suff = 's' - vuln_suff = 'ies' - time_w = 'were' - - if src: - header = '''Source: %s\n''' % (pkg) - else: - header = '''Package: %s\n''' % (pkg) - - if affected is None: - if blanks: - header += "Version: FILLINAFFECTEDVERSION\n" + vuln_suff = 'y' + cve_suff = '' + time_w = 'was' + temp_id_cnt = 0 + + if len(cveid) > 1: + cve_suff = 's' + vuln_suff = 'ies' + time_w = 'were' + + if src: + header = '''Source: %s\n''' % (pkg) + else: + header = '''Package: %s\n''' % (pkg) + + if affected is None: + if blanks: + header += "Version: FILLINAFFECTEDVERSION\n" else: - header += "Version: %s\n" % affected + header += "Version: %s\n" % affected if cc and len(cclist) > 0: - header += "X-Debbugs-CC: %s\n" % " ".join(cclist) - header += '''Severity: %s + header += "X-Debbugs-CC: %s\n" % " ".join(cclist) + header += '''Severity: %s Tags: security Hi, 
@@ -144,38 +144,38 @@ Hi, the following vulnerabilit%s %s published for %s. ''' % (severity, vuln_suff, time_w, pkg) - footer = '''If you fix the vulnerabilit%s please also make sure to include the + footer = '''If you fix the vulnerabilit%s please also make sure to include the CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry. For further information see:''' % (vuln_suff, cve_suff) - print header - for cnt, cve in enumerate(cveid): - if not temp_id.match(cve): - print cve + '[' + str(cnt) + ']:' - print get_cve(cve) - else: - print '''Issue without CVE id #%d [%d]:''' % (temp_id_cnt, cnt) - desc = description_from_list(cve, pkg, temp_id_cnt) - if desc: - print desc + '\n' - else: - print 'No description has been specified\n' - temp_id_cnt += 1 - - print footer - print gen_index(cveid) - - if temp_id_cnt > 0: - print '\nhttps://security-tracker.debian.org/tracker/source-package/%s' % (pkg) - print '(issues without CVE id are assigned a TEMP one, but it may change over time)\n' - - if not blanks: - print '''\nPlease adjust the affected versions in the BTS as needed.\n''' + print header + for cnt, cve in enumerate(cveid): + if not temp_id.match(cve): + print cve + '[' + str(cnt) + ']:' + print get_cve(cve) + else: + print '''Issue without CVE id #%d [%d]:''' % (temp_id_cnt, cnt) + desc = description_from_list(cve, pkg, temp_id_cnt) + if desc: + print desc + '\n' + else: + print 'No description has been specified\n' + temp_id_cnt += 1 + + print footer + print gen_index(cveid) + + if temp_id_cnt > 0: + print '\nhttps://security-tracker.debian.org/tracker/source-package/%s' % (pkg) + print '(issues without CVE id are assigned a TEMP one, but it may change over time)\n' + + if not blanks: + print '''\nPlease adjust the affected versions in the BTS as needed.\n''' def error(msg): - print 'error: ' + msg - sys.exit(1) + print 'error: ' + msg + sys.exit(1) class NegateAction(argparse.Action): '''add a toggle flag to argparse 
@@ -202,36 +202,36 @@ class NegateAction(argparse.Action): def main(): - parser = argparse.ArgumentParser() - parser.add_argument('--no-blanks', '--blanks', dest='blanks', action=NegateAction, - help='include blank fields to be filled (default: %(default)s)') - parser.add_argument('--affected', help='affected version (default: unspecified)') - parser.add_argument('--severity', default='grave', help='severity (default: %(default)s)') - parser.add_argument('--cc', '--no-cc', dest='cc', action=NegateAction, - help='add X-Debbugs-CC header to') - parser.add_argument('--cc-list', dest='cclist', default=['team@security.debian.org', 'secure-testing-team@lists.alioth.debian.org'], - help='list of addresses to add in CC (default: %(default)s)') - parser.add_argument('--src', action="store_true", help='report against source package') - parser.add_argument('pkg', help='affected package') - parser.add_argument('cve', nargs='+', help='relevant CVE for this source package, may be used multiple time if the issue has multiple CVEs') - args = parser.parse_args() - - blanks = args.blanks - pkg = args.pkg - cve = args.cve - - # check for valid parameters - p = re.compile('^[0-9a-z].*') - c = re.compile('(CVE|cve)\-[0-9]{4}-[0-9]{4,}') - - if not p.match(pkg): - error(pkg + ' does not seem to be a valid source package name') - - for arg in cve: - if not c.match(arg) and not temp_id.match(arg): - error(arg + ' does not seem to be a valid CVE id') - - gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src) + parser = argparse.ArgumentParser() + parser.add_argument('--no-blanks', '--blanks', dest='blanks', action=NegateAction, + help='include blank fields to be filled (default: %(default)s)') + parser.add_argument('--affected', help='affected version (default: unspecified)') + parser.add_argument('--severity', default='grave', help='severity (default: %(default)s)') + parser.add_argument('--cc', '--no-cc', 
dest='cc', action=NegateAction, + help='add X-Debbugs-CC header to') + parser.add_argument('--cc-list', dest='cclist', default=['team@security.debian.org', 'secure-testing-team@lists.alioth.debian.org'], + help='list of addresses to add in CC (default: %(default)s)') + parser.add_argument('--src', action="store_true", help='report against source package') + parser.add_argument('pkg', help='affected package') + parser.add_argument('cve', nargs='+', help='relevant CVE for this source package, may be used multiple time if the issue has multiple CVEs') + args = parser.parse_args() + + blanks = args.blanks + pkg = args.pkg + cve = args.cve + + # check for valid parameters + p = re.compile('^[0-9a-z].*') + c = re.compile('(CVE|cve)\-[0-9]{4}-[0-9]{4,}') + + if not p.match(pkg): + error(pkg + ' does not seem to be a valid source package name') + + for arg in cve: + if not c.match(arg) and not temp_id.match(arg): + error(arg + ' does not seem to be a valid CVE id') + + gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src) if __name__ == '__main__': - main() + main() -- cgit v1.2.3