#!/bin/sh
####################
# Copyright (C) 2010 by Raphael Geissert <geissert@debian.org>
#
#
# This file is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This file is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this file. If not, see <https://www.gnu.org/licenses/>.
####################
# Abort on the first failing command and pin the locale so that grep/sed/sort
# below behave byte-wise and reproducibly regardless of the caller's environment.
set -e
LANG=C
export LANG
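# check_list FILE
# Abort the whole run if FILE is empty or holds anything other than one bare
# CVE identifier per line. The empty-file check matters: a fetch that
# silently returned nothing (network error, changed page layout) would
# otherwise pass the grep -v test and replace a good list with an empty one.
# Diagnostics go to stderr; offending lines are printed by grep itself.
check_list() {
  if [ ! -s "$1" ]; then
    echo "$1 is empty, aborting" >&2
    exit 1
  fi
  if grep -vE '^CVE-[12][0-9]{3}-[0-9]{4,}$' -- "$1"; then
    echo "$1 contains garbage (see above), aborting" >&2
    exit 1
  fi
}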
# Discontinued since October 2015, cf. #805079
## Red Hat provides a complete dump of their tracker, which includes
## unfixed issues.
## Note: The downloaded html files are Copyright by Red Hat, Inc.
## or as specified at the individual html files or elsewhere on redhat.com's website
#for year in $(seq 1999 $(date +%Y)); do
# wget -O cve-$year.html https://www.redhat.com/security/data/cve/cve-$year.html
#done
#sed -rn '/CVE-[12][0-9]{2,}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4,})<.+$/\1/;T;p}' cve-*.html |
# sort > cve.list
#check_list cve.list
# Fetch some CVE information directly from Red Hat Bugzilla
# This should be better done via a rewrite and using python-bugzilla
# but it is sufficient for now to get some additional CVE information
# from Red Hat source
# Fetching from RedHat bugzilla via query is unreliable, thus disabled
# on 2023-11-16 for the time being.
# wget -O redhat-bugzilla.html 'https://bugzilla.redhat.com/buglist.cgi?classification=Other&component=vulnerability&f1=alias&o1=regexp&product=Security%20Response&query_format=advanced&v1=^CVE-.*&order=priority%2Cbug_severity&limit=0'
# Some extra data is readily available as an xml file (until 2023-11-08)
# discontinued as per https://www.redhat.com/en/blog/future-red-hat-security-data
# last archived version: https://access.redhat.com/security/data/archive/cve-metadata-from-bugzilla_20231108.xml
# Gather data from Red Hat Security Data API instead
# https://access.redhat.com/documentation/en-us/red_hat_security_data_api/1.0/html/red_hat_security_data_api/index
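# Download the JSON to a temporary file first. This script runs under plain
# `set -e` in POSIX sh, which has no pipefail: a curl failure inside a
# pipeline would yield an empty list with a zero exit status. `-f` turns HTTP
# error responses into a non-zero exit, `-S` still reports errors despite `-s`.
rh_json=$(mktemp) || exit 1
trap 'rm -f -- "$rh_json"' EXIT
curl -sSf 'https://access.redhat.com/hydra/rest/securitydata/cve.json?per_page=1000000' -o "$rh_json"
jq -r '.[] | .CVE' "$rh_json" > redhat-security-data-api.list
# Extract bare CVE ids; a line may carry more than one, hence the while loop.
perl -ne 'print "$1\n" while (s/(CVE-[12][0-9]{3}-[0-9]{4,})//);' redhat-security-data-api.list |
  sort -u > cve.list
check_list cve.list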
# List of issues fixed by each vendor, according to MITRE. Very
# incomplete, but it doesn't hurt to double check (including our own list)
# Note: The downloaded html files are Copyright by The MITRE Corporation
# or as specified at the individual html files or elsewhere on cve.mitre.org's website
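# Fetch each vendor's refmap page over TLS (the data feeds our own tracker, so
# it must not be tampered with in transit) and extract the CVE ids it lists.
# $vendor only ever takes the fixed values named here, so interpolating it
# into the sed expression is safe; do not extend this loop to untrusted input.
for vendor in SUSE DEBIAN GENTOO FEDORA REDHAT UBUNTU; do
  wget -N "https://cve.mitre.org/data/refs/refmap/source-$vendor.html"
  sed -rn "/CVE-[12][0-9]{3}-/{s/^.+>($vendor:)?($vendor Security )?(CVE-[12][0-9]{3}-[0-9]{4,})<.+$/\3/i;p}" "source-$vendor.html" |
    sort -u > "$vendor.list"
  check_list "$vendor.list"
done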