From 3116267f38fcaeb79cc00ef4521342140c616c83 Mon Sep 17 00:00:00 2001 From: Raphael Geissert Date: Mon, 20 Aug 2012 01:41:26 +0000 Subject: Allow report-vuln to report issues without CVE ids USAGE: bin/report-vuln src-pkg CVE-2012-XXXX Specify as many CVE-less entries as the number of issues to report. E.g. to report two issues without CVE id against foo: bin/report-vuln foo CVE-2012-XXXX CVE-2012-XXXX NOTE: Make sure you add a description to the CVE/list entries! git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@19983 e39458fd-73e7-0310-bf30-c45bca0a0e42
---
 bin/report-vuln | 42 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 5 deletions(-) (limited to 'bin/report-vuln')
diff --git a/bin/report-vuln b/bin/report-vuln
index e7fea38daa..675e20fa2b 100755
--- a/bin/report-vuln
+++ b/bin/report-vuln
@@ -15,23 +15,41 @@ import sys, re, urllib, os
+temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-XXXX')
+
 def setup_path():
 dirname = os.path.dirname
 base = dirname(dirname(os.path.realpath(sys.argv[0])))
 sys.path.insert(0, os.path.join(base, "lib", "python"))
-def description_from_list(id):
+def description_from_list(id, pkg = '', skip_entries = 0):
 setup_path()
 import bugs
 import debian_support
+ is_temp = temp_id.match(id)
+ skipped = 0
+
 for bug in bugs.CVEFile(debian_support.findresource( *"data CVE list".split())):
- if bug.name == id:
+ if bug.name == id or (is_temp and not bug.isFromCVE()):
+ if pkg != '':
+ matches = False
+ for n in bug.notes:
+ if n.package == pkg:
+ matches = True
+ break
+ if not matches:
+ continue
+ if skipped < skip_entries:
+ skipped += 1
+ continue
 return bug.description
 def gen_index(ids):
 ret = ''
 for cnt, id in enumerate(ids):
+ if temp_id.match(id):
+ continue
 ret += '\n[' + str(cnt) + '] http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id + '\n'
 ret += ' http://security-tracker.debian.org/tracker/' + id
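Review bot: In description_from_list, a temporary id combined with the default `pkg = ''` skips the package filter, so the function returns the description of the first entry for which `bug.isFromCVE()` is false, whichever package that entry belongs to. The caller added in this patch passes pkg, but a guard before the loop, `if is_temp and pkg == '': return None`, would keep a later caller from quoting an unrelated issue in a bug report. Matching entries are otherwise chosen by position (the skip_entries-th match in list order) and the function falls through to None when nothing matches; both deserve a docstring line. gen_index continues past the end of the hunk.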
@@ -92,6 +110,7 @@ def gen_text(pkg, cveid):
 vuln_suff = 'y'
 cve_suff = ''
 time_w = 'was'
+ temp_id_cnt = 0
 if len(cveid) > 1:
 cve_suff = 's'
@@ -115,12 +134,25 @@ For further information see:''' % (vuln_suff, cve_suff)
 print header
 for cnt, cve in enumerate(cveid):
- print cve + '[' + str(cnt) + ']:'
- print get_cve(cve)
+ if not temp_id.match(cve):
+ print cve + '[' + str(cnt) + ']:'
+ print get_cve(cve)
+ else:
+ print '''Issue without CVE id #%d [%d]:''' % (temp_id_cnt, cnt)
+ desc = description_from_list(cve, pkg, temp_id_cnt)
+ if desc:
+ print desc + '\n'
+ else:
+ print 'No description has been specified\n'
+ temp_id_cnt += 1
 print footer
 print gen_index(cveid)
+ if temp_id_cnt > 0:
+ print '\nhttp://security-tracker.debian.org/tracker/source-package/%s' % (pkg)
+ print '(issues without id are assigned a temporary one that may change over time)\n'
+
 def error(msg):
 print 'error: ' + msg
 sys.exit(1)
@@ -144,7 +176,7 @@ def main():
 error(pkg + ' does not seem to be a valid source package name')
 for arg in cve:
- if not c.match(arg):
+ if not c.match(arg) and not temp_id.match(arg):
 error(arg + ' does not seem to be a valid CVE id')
 gen_text(pkg, cve)
-- cgit v1.2.3
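Review bot: The `[%d]` marker printed on the "Issue without CVE id" line has no target, because gen_index (first hunk) now skips temporary ids and the source-package URL added at the end of this hunk is printed without a number. A reader of the bug report will look for a reference `[cnt]` that the index does not contain; either drop the marker, `print 'Issue without CVE id #%d:' % temp_id_cnt`, or print the tracker URL under that number. The counter also starts at 0, so the first such issue is labelled `#0`. gen_text begins outside this hunk.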
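Review bot: `temp_id.match(arg)` anchors only at the start of the string, and the pattern defined in the first hunk has no end anchor, so an argument such as `CVE-2012-XXXXfoo` passes this validation. Such a value is then handled as a temporary id by gen_text and gen_index. Anchoring the pattern and making it a raw string tightens the check and removes the stray escape: `temp_id = re.compile(r'(?:CVE|cve)-[0-9]{4}-XXXX\Z')`. The definition of `c` is outside the diff, so whether the existing CVE check has the same gap cannot be told from here. main's body starts before the hunk.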