# Copyright (C) 2008-2011 Canonical, Ltd.
# Author: Kees Cook <kees@ubuntu.com>
# Author: Jamie Strandboge <jamie@ubuntu.com>
# This script attempts to build up statistics for a monthly report on
# security update activity on USNs, triage, and outstanding tasks.
# It is designed to be run on the month _following_ the month one wants
# a report for. e.g. run this script in April if you want the March report.
# By default, the report is written in a more prose-like style, e.g.:
# The security team had a busy month. We published 29 Ubuntu Security
# Notices which fixed 63 security issues (CVEs) across 30 supported
# packages. Additionally, we triaged 487 public security vulnerability
# reports, retaining only those that applied to Ubuntu.
# For all the supported packages in Ubuntu, there are 67 medium-priority
# issues and 206 low issues that need to be fixed in 142 packages.
# For all partner packages in Ubuntu, there is 1 medium-priority issue
# that needs to be fixed in 1 package.
# For all community-supported packages in Ubuntu, there are 7 high-priority
# issues, 721 medium-priority, and 1005 low-priority issues that need to be
# fixed in 686 packages.
This script attempts to build up statistics for a monthly report on
security update activity on USNs, triage, and outstanding tasks.
It is designed to be run on the month _following_ the month one wants
a report for. e.g. run this script in April if you want the March report.
$ $UCT/scripts/`basename $0`
Can also specify different months with:
$ $UCT/scripts/`basename $0` <first> <second>
$ $UCT/scripts/`basename $0` March April
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
elif [ "$1" = "--cache" ]; then
use_cached_usndb="yes"
# Make sure we won't destroy any pending commits
bzr diff >/dev/null || {
echo "Aborting: uncommitted changes. Please use 'bzr commit' before proceeding" >&2
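# Default reporting period: the calendar month before the current one.
# Offsets are taken from the 15th rather than from today, because GNU date
# keeps the day-of-month when given a bare 'last month'; on the 29th-31st
# that can overflow forward and land back in the current month.
report_anchor=$(date +%Y-%m-15)
REP_MON=$(date +%B -d "$report_anchor -1 month")    # full month name
REP_MONN=$(date +%m -d "$report_anchor -1 month")   # two-digit month number
REP_YEAR=$(date +%Y -d "$report_anchor -1 month")   # four-digit year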
if [ -n "$1" ] && [ -n "$2" ]; then
REP_MON=$(date +%B -d "$1 01")
REP_MONN=$(date +%m -d "$1 01")
REP_YEAR=$(date +%Y -d "$1 01")
THIS_MONN=$(date +%m -d "$2 01")
THIS_YEAR=$(date +%Y -d "$2 01")
if [ "$THIS_MONN" -lt "$REP_MONN" ]; then
THIS_YEAR=$(($THIS_YEAR + 1))
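echo "Fetching USN publication list..." >&2
# The month's list-archive index is scraped for "[USN-NNNN-N]" subject links.
usn_index_url="https://lists.ubuntu.com/archives/ubuntu-security-announce/$REP_YEAR-$REP_MON/date.html"
# -f turns an HTTP error into a failure instead of an error page to scrape;
# -sS stays quiet but still reports why a transfer failed.
usn_index=$(curl -fsS "$usn_index_url") || {
    echo "Aborting: could not fetch $usn_index_url" >&2
    exit 1
}
# Keep only well-formed NNNN-N identifiers. The text comes from a remote page
# and is later word-split into command-line arguments, so nothing that could
# be read as an option or a glob pattern may pass. A month without any USN is
# not an error, hence the "|| true".
usn_ids=$(printf '%s\n' "$usn_index" \
    | grep -F '">[USN-' \
    | cut -d- -f2,3 \
    | cut -d\] -f1 \
    | grep -E '^[0-9]+-[0-9]+$' || true)
# Deliberately unquoted: joins the validated identifiers with single spaces.
# shellcheck disable=SC2086,SC2116
USNS=$(echo $usn_ids)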
echo "Fetching USN database..." >&2
if [ "$use_cached_usndb" = "yes" ] && [ -f "./database.pickle" ]; then
echo "(skipped-- using cached ./database.pickle)"
if grep -q people ~/.ssh/config; then
rsync -q -e ssh people.canonical.com:~ubuntu-security/public_html/usn/database.pickle ./database.pickle
./scripts/fetch-db database.pickle.bz2
# Build the prose summary of the USNs published in the report month.
# $USNS is unquoted, so the shell splits it into one argument per identifier.
# NOTE(review): database.pickle is the file fetched above from a remote host;
# report-usn-numbers.py presumably unpickles it, and unpickling can run code
# embedded in the file, so it must only ever come from the trusted,
# authenticated source. Confirm how fetch-db transports and verifies it.
PUBLISHED=$(./scripts/report-usn-numbers.py --prose database.pickle $USNS)
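# The helper scripts have to produce output while the tree is reverted, so
# they are run from private copies kept outside the tree.
# Stop if the directory cannot be created: with SCRIPTS empty, the copy
# destination and the later "$SCRIPTS/check-cves" calls would resolve to
# paths directly under /.
SCRIPTS=$(mktemp -d -t monthly-report-XXXXXX) || {
    echo "Aborting: could not create a temporary directory for the script copies" >&2
    exit 1
}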
for i in report-todo-numbers check-cves cache_urllib.py cve_lib.py source_map.py usn_lib.py
cp -a scripts/$i "$SCRIPTS"/$i
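# Scratch files for the check-cves listings. TMP1 and TMP1_UBUNTU receive the
# output taken after the first rewind, TMP2 and TMP2_UBUNTU the output taken
# after the second; the *_UBUNTU pair holds the --skip-nfu runs.
# Start from empty values so the failure path below only removes files that
# this block created.
TMP1=
TMP2=
TMP1_UBUNTU=
TMP2_UBUNTU=
if ! {
    TMP1=$(mktemp -t work1-XXXXXX) &&
    TMP2=$(mktemp -t work2-XXXXXX) &&
    TMP1_UBUNTU=$(mktemp -t work1u-XXXXXX) &&
    TMP2_UBUNTU=$(mktemp -t work2u-XXXXXX)
}; then
    # Without this check a failed mktemp leaves an empty name, and the later
    # redirections and diffs would fail in a less obvious place.
    echo "Aborting: could not create temporary work files" >&2
    for created in "$TMP1" "$TMP2" "$TMP1_UBUNTU" "$TMP2_UBUNTU"; do
        [ -n "$created" ] && rm -f -- "$created"
    done
    exit 1
fi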
if [ ! -x "scripts/monthly-report" ]; then
echo "Please run this from the top-level directory of Ubuntu CVE Tracker"
bzr revert -r date:"$changed" >/dev/null 2>&1 && break
changed=$(date +%Y-%m-%d -d "$changed - 1 day")
count=$(( count + 1 ))
if [ "$count" -gt 32 ]; then
echo "Eeek, rewound from $1 past $changed. Something is wrong."
#echo "rewound to $changed"
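# NOTE(review): from here until the final "bzr revert" the working tree sits
# at a historical revision. No trap or status check is visible in this
# stretch, and both reverts discard their output, so an interrupted or failed
# run may leave the tree rewound and the work files behind. Run "bzr revert"
# by hand in that case.
echo "Rewinding bzr tree for stats..." >&2
# Locate the last day something changed, starting from the final day of the
# month before the report month.
bzr_rewind "$(date +%Y-%m-%d -d "$REP_YEAR-$REP_MONN-01 - 1 day")"
# Gather stats at that point. The helpers are run from the copies under
# $SCRIPTS; the path is quoted so a TMPDIR containing whitespace cannot split
# it into a different command.
"$SCRIPTS"/check-cves --known > "$TMP1"
"$SCRIPTS"/check-cves --known --skip-nfu > "$TMP1_UBUNTU"

echo "Fast-forwarding bzr tree for stats..." >&2
# Undo the rewind, then rewind again to the last day of the report month.
bzr revert >/dev/null 2>&1
last_month_end=$(date +%Y-%m-%d -d "$THIS_YEAR-$THIS_MONN-01 - 1 day")
last_month_fn=$(date +%B -d "$THIS_YEAR-$THIS_MONN-01 - 1 day")
bzr_rewind "$last_month_end"
"$SCRIPTS"/check-cves --known > "$TMP2"
"$SCRIPTS"/check-cves --known --skip-nfu > "$TMP2_UBUNTU"
WORK=$("$SCRIPTS"/report-todo-numbers --prose --show-unique-sources --skip-low -E -- -S)

echo "Returning bzr tree to present-day..." >&2
bzr revert >/dev/null 2>&1

# Calculate difference: count the CVE lines present in the later listing but
# not in the earlier one. The pipeline ends in wc so its exit status stays 0
# even when nothing matches.
TRIAGED=$(diff -u "$TMP1" "$TMP2" | grep '^+CVE' | wc -l)
rm -f "$TMP1" "$TMP2"
FOR_US=$(diff -u "$TMP1_UBUNTU" "$TMP2_UBUNTU" | grep '^+CVE' | wc -l)
rm -f "$TMP1_UBUNTU" "$TMP2_UBUNTU"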
echo "Add the following template text to https://wiki.canonical.com/UbuntuEngineering/MonthlyReport:"
echo "=== Development ==="
echo " * TO BE FILLED IN (eg, look at statuses from team)"
echo "== Security =="
echo "=== Reactive ==="
echo "In the month of $last_month_fn, the Ubuntu Security team:"
echo " * Triaged $TRIAGED public security vulnerability reports, retaining the $FOR_US that applied to Ubuntu."
echo "As of the end of $last_month_fn (${last_month_end}):"