summaryrefslogtreecommitdiffstats
path: root/check-external/lookup.sh
blob: 69ad61c46f7c0d71c0dc3f382895f312128ec54f (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#!/bin/bash

####################
#    Copyright (C) 2010 by Raphael Geissert <geissert@debian.org>
#
#
#    This file is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This file is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this file.  If not, see <https://www.gnu.org/licenses/>.
####################

set -e

regex=
after=
source=cve

while [ $# -ge 1 ]; do
    case $1 in
	--after|-a)
	    [ $# -gt 1 ] || {
		echo "Missing argument for --after" >&2
		exit 1
	    }
	    shift
	    after="$1"
	;;
	--source|-s)
	    [ $# -gt 1 ] || {
		echo "Missing argument for --source" >&2
		exit 1
	    }
	    shift
	    source="$1"
	;;
	--help|-h)
	    echo "Usage: $(basename "$0") [--source|-s vendor] [--after|-a per-year-id] [regex]"
	    echo ; echo "Look for NFUs/TODOs/RESERVED in our tracker"
	    echo "which are recognised or fixed by another vendor"
	    echo "(requires you to run ./update.sh every now and then)"
	    echo ; echo "Possible vendors:"
	    echo -e "\tcve (for checking against Red Hat's tracker)"
	    echo "fixed issues only:"
	    echo -e "\tUBUNTU\n\tFEDORA\n\tetc (uppercase vendor name; check ./update)"
	    echo ; year="$(date +%Y)"
	    echo "Example (check ids of $year):"
	    echo -e "\t$(basename "$0") CVE-$year"
	    echo "Example (check ids after CVE-$year-0100):"
	    echo -e "\t$(basename "$0") --after 0100 CVE-$year"
	    echo "Example (check ids of $year fixed at Fedora):"
	    echo -e "\t$(basename "$0") --source FEDORA CVE-$year"
	    echo ; echo "Note: this is a hackish and slow implementation."
	    exit
	;;
	*)
	    regex="$1"
	;;
    esac
    shift
done

source+=.list
[ -f "$source" ] || {
    echo "CVE source list $source doesn't exist" >&2
    exit 1
}

for cve in $(< $source); do

    [[ $cve ]] || continue

    if [[ $regex ]]; then
	[[ $cve =~ $regex ]] || continue
    fi

    if [[ $after ]]; then
	[ "${cve#CVE-*-}" '>' "$after" ] || continue
    fi

    # Permanent exclusions can be added below
    o="$(grep -m1 -A2 -w ^$cve ../data/CVE/list | sed '1{d;q}')" || continue

    if [ -z "$o" ]; then
	echo "$cve: missing from list"
    fi

    extra=empty
    while read line; do
	if [[ $extra = empty ]]; then
	    [[ $line =~ TODO|NOT-FOR-US|RESERVED ]] || continue 2
	    o="$line"
	    extra=
	else
	    extra="$line"
	fi
    done <<< "$o"

    case $o in
	*NOT-FOR-US*)
	    tr "[:upper:]" "[:lower:]" <<< "${o#*NOT-FOR-US:}" |
	    grep -v redhat | grep -v 'red hat' | grep -v pre-dating |
	    grep -v realplayer | grep -v acroread |
	    grep -v adobe | grep -v acrobat | grep -vw opera |
	    grep -v 'real player' >/dev/null && echo "$cve: $o" || :
	;;
	*TODO:*)
	    echo "$cve: $o"
	;;
	*RESERVED*)
	    [[ $extra ]] && grep -qv ^CVE <<< "$extra" || \
	    echo "$cve: $o"
	;;
	*)
	    echo "Unrecognised match: $o" >&2
	;;
    esac
done

© 2014-2024 Faster IT GmbH | imprint | privacy policy