#!/usr/bin/env python
#
# generate bug report content for a given package name
# and a number of CVE ids
#
# you could use it for example in combination with the
# following shell function:
# report-vuln(){
#     TMPFILE="$HOME/reportbug.tmp"
#     $HOME/debian/svn/secure-testing/bin/report-vuln "$@" > $TMPFILE
#     mutt -i $TMPFILE submit@bugs.debian.org
#     rm $TMPFILE
# }
# export http_proxy if you need to use an http proxy to report bugs

import sys, re, urllib, os

def gen_index(ids):
	ret = ''
	for cnt, id in enumerate(ids):
		ret += '\n[' + str(cnt) + '] http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id + '\n'
		ret += '    http://security-tracker.debian.net/tracker/' + id

	return ret

def http_get(id):
	param = urllib.urlencode({'name' : id})
	resp = ''
	try:
		f = urllib.urlopen('http://cve.mitre.org/cgi-bin/cvename.cgi?%s' % param)
		resp = f.read()
	except Exception, e:
		error('on doing HTTP request' + str(e))
	
	f.close()

	return resp

# this is a hack that parses the cve id description from mitre
def get_cve(id):
	desc = False
	r = re.compile('.*<th\ colspan=.*>Description<.*')
	tag = re.compile('.*</?tr>.*')
	ret = ''
	resp = http_get(id)

	for line in resp.rsplit('\n'):
		if r.match(line):
			desc = True
			continue

		if tag.match(line) and desc:
			continue

		if desc and '<td colspan="2">' in line:
			ret += '| ' + re.sub('.*<td colspan="2">', '', line)
			continue

		if desc and '</td>' in line:
			break

		if desc and line != '':
			ret = ret + '\n| ' + line

	return ret + '\n'

def gen_text(pkg, cveid):
	vuln_suff = 'y'
	cve_suff = ''
	time_w = 'was'

	if len(cveid) > 1:
		cve_suff = 's'
		vuln_suff = 'ies'
		time_w = 'were'
	
	header = '''Package: %s
Version: FILLINAFFECTEDVERSION
Severity: FILLINSEVERITY
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id%s %s
published for %s.
''' % (pkg, cve_suff, time_w, pkg)

	footer = '''If you fix the vulnerabilit%s please also make sure to include the
CVE id%s in your changelog entry.

For further information see:''' % (vuln_suff, cve_suff)

	print header
	for cnt, cve in enumerate(cveid):
		print cve + '[' + str(cnt) + ']:'
		print get_cve(cve)

	print footer
	print gen_index(cveid)

def error(msg):
	print 'error: ' + msg
	sys.exit(1)

def usage():
	print sys.argv[0], '<pkg> <cve id(s)>'
	sys.exit(0)

def main():
	if len(sys.argv) < 3:
		usage()

	pkg = sys.argv[1]
	cve = sys.argv[2:]

	# check for valid parameters
	p = re.compile('^[a-z].*')
	c = re.compile('(CVE|cve)\-[0-9]{4}-[0-9]{4}')

	if not p.match(pkg):
		error(pkg + ' does not seem to be a valid source package name')

	for arg in cve:
		if not c.match(arg):
			error(arg + ' does not seem to be a valid CVE id')

	gen_text(pkg, cve)

if __name__ == '__main__':
	main()