← Back to branch summary

~ubuntu-security/ubuntu-cve-tracker/master 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257

#!/bin/sh
# Copyright 2009-2013 Canonical, Ltd.
# Authors:
#  Jamie Strandboge <jamie@canonical.com>
#  Kees Cook <kees@ubuntu.com>
#  Marc Deslauriers <marc.deslauriers@canonical.com>
#
# Script to help triage CVEs based on Triage Frequency in $UCT/README
#

set -e

loc=$(readlink -f "$(dirname "$0")/..")

uctconf="$HOME/.ubuntu-cve-tracker.conf"
if [ -s "$uctconf" ]; then
    . "$uctconf"
else
    echo "Could not find '$uctconf'" >&2
    exit 1
fi

is_http_url() {
    url="$1"
    echo "$url" | grep -q "^http"
}

download() {
    url="$1"
    # if http, then download it with wget, otherwise, try to rsync it
    if is_http_url "$url" ; then
        # Force the gzipped XML to be downloaded
        # Required for nvdcve-recent.xml as of 2015-10-16
        url="${url}.gz"
        file=$(basename "$url")

        echo "wget -N \"$url\""
        wget -N "$url" ||:
        gunzip -f "$file"
    else
        echo "rsync -vz --progress \"$url\" ."
        rsync -vz --progress "$url" .
    fi
    echo "---"
}

download_yearly_files() {
    base_url="${nvd_loc:-https://nvd.nist.gov/download}/"
    # if http, download each file sequentially, otherwise, use glob with rsync
    if is_http_url "$base_url" ; then
        current_year=$(date +%Y)
        for year in $(seq 2004 "$current_year"); do
            download "${base_url}nvdcve-${year}.xml"
        done
    else
        # TODO: Make Y3K compliant
        download "${base_url}nvdcve-2*.xml"
    fi
}

update_debian() {
    # Update Debian SVN
    if [ -n "$secure_testing_path" ] && [ -d "${secure_testing_path}/.git" ] ; then
        echo "Updating '$secure_testing_path'"
        cd "$secure_testing_path"
        git fetch --all -p -t && git pull --ff-only || echo "Error updating Debian tree"
        cd "$loc"
    fi
}

update_files() {
    download "${mitre_loc:-https://cve.mitre.org/data/downloads}/allitems.xml"
    download_yearly_files
    download "https://nvd.nist.gov/download/nvdcve-recent.xml"
}

full_refresh() {
    # get PubDate
    echo "update PubDate (check-cves --refresh nvdcve-*.xml) ..."
    ./scripts/check-cves --refresh nvdcve-*.xml

    # get authoritative descriptions
    echo "get authoritative descriptions (check-cves --refresh ./allitems.xml) ..."
    ./scripts/check-cves --refresh ./allitems.xml
}

kernel_team_merge() {
    echo "Merging with kernel team CVE tracker"
    kernelteam='lp:~canonical-kernel-team/ubuntu-cve-tracker/kernel-team'

    if ! bzr missing --theirs-only $kernelteam ; then
        # Find their most recent merge point
        lastmerge=$(bzr missing --mine-only $kernelteam | grep revno | cut -d' ' -f2 | tail -n1)
        if [ -n "$lastmerge" ]; then
            lastmerge=$((lastmerge - 1))
        else
            lastmerge=$(bzr log | head -n10 | grep revno | head -n1 | cut -d' ' -f2)
        fi
        # Pull their changes
        if ! bzr merge $kernelteam ; then
            echo "Merge failed! Please fix, and then 'exit 0' to continue..."
            bash
        fi
        # Extract a diff of what they changed, relative to the merge point
        diff=$(mktemp -t kernel-team-diff-XXXXXX)
        bzr diff "-r$lastmerge" --new=$kernelteam >> "$diff" || true
        if [ -s "$diff" ]; then
            # Look it over
            ${EDITOR:-vi} "$diff"
        fi
        rm -f "$diff"
    fi
}

process_missing_debian() {
    echo "check-cves --import-missing-debian"
    ./scripts/check-cves --import-missing-debian
}

download_missing_redhat() {
    tmpdir="$1"
    archive="$2.txt"
    fn="$tmpdir/$archive"
    url="https://www.redhat.com/archives/rhsa-announce/$archive.gz"

    echo "Downloading $url..."
    # curl and wget fail with redhat's web proxy
    w3m -dump_source "$url" > "$fn.gz"
    echo "Unzipping $fn.gz..."
    gzip -d "$fn.gz" || {
        # This can happen at the start of a new month and RedHat has provided
        # any advisories yet
        echo "(skipping '$fn.gz')"
        rm -f "$fn.gz"
        return
    }

    echo "locate_cves.py $fn..."
    ./scripts/locate_cves.py "$fn" >> "$tmpdir/redhat.mbox"
}

process_missing_redhat() {
    tmpdir=$(mktemp -d)
    download_missing_redhat "$tmpdir" "$(date +%Y-%B)"
    download_missing_redhat "$tmpdir" "$(date --date="$(date +%Y-%m-15) -1 month" +%Y-%B)"
    ./scripts/check-cves --untriaged "$tmpdir/redhat.mbox"
    rm -rf "$tmpdir"
}

check_syntax() {
    echo "Running check-syntax"
    if ! ./scripts/check-syntax; then
        cat <<EOM

*** IMPORTANT ***
There were check-syntax failures that need to be addressed. Please make the
appropriate modifications before checking in your work.
EOM
    else
        echo "No syntax issues found"
    fi
}

nag_about_mailing_lists() {
    cat <<EOM

*** IMPORTANT ***
Mitre and NVD are no longer updated in a timely fashion. Please review
oss-security, linux-distros, nd vendor mailing lists for any new CVEs after
doing triage. This script pulls in RHSAs on Wednesdays and DSAs daily.

Eg, to triage oss-security (assumes in the UCT directory):
 <save last month to mbox file, ~/oss-sec.mbox>
 $ ./scripts/check-cves --mbox ~/oss-sec.mbox
EOM
}

prev_dir=$(pwd)
trap "cd '$prev_dir'" EXIT HUP INT QUIT TERM

# Determine mode
action=$(LC_TIME=C date +%a)
if [ ! -z "$1" ]; then
    action="$1"
fi

case "$action" in
    Mon)
        update_debian
        update_files

        # kernel_team_merge
        echo "Skipping merge from kernel team"
        echo "check-cves nvdcve-*.xml"
        ./scripts/check-cves nvdcve-*.xml
        process_missing_debian

        check_syntax
        nag_about_mailing_lists
        ;;
    Wed)
        update_debian
        update_files
        # kernel_team_merge
        echo "Skipping merge from kernel team"

        # process new ones
        echo "check-cves ./nvdcve-recent.xml"
        ./scripts/check-cves ./nvdcve-recent.xml
        echo "check-cves ./allitems.xml"
        ./scripts/check-cves ./allitems.xml

        process_missing_debian
        process_missing_redhat

        full_refresh
        check_syntax
        nag_about_mailing_lists
        ;;
    redhat)
        process_missing_redhat
        ;;
    debian)
        update_debian
        process_missing_debian
        ;;
    update)
        # Do no triage
        update_debian
        update_files
        ;;
    refresh)
        # Do no triage
        update_debian
        update_files
        full_refresh
        ;;
    merge)
        # Do no triage
        update_debian
        update_files
        kernel_team_merge
        ;;
    *)
        update_debian
        update_files
        # kernel_team_merge
        echo "Skipping merge from kernel team"
        echo "check-cves ./nvdcve-recent.xml"
        ./scripts/check-cves ./nvdcve-recent.xml
        process_missing_debian
        check_syntax
        nag_about_mailing_lists
        ;;
esac

exit 0