Hi,

On Tue, Jan 11, 2022 at 05:21:40PM +0100, Salvatore Bonaccorso wrote:
> Hi Neil,
> 
> On Tue, Jan 11, 2022 at 11:20:16AM +0000, Neil Williams wrote:
> > Hi Salvatore,
> > 
> > On Mon, 10 Jan 2022 17:10:15 +0100
> > Salvatore Bonaccorso <car...@debian.org> wrote:
> > 
> > > > So for that epiphany tracker, there is a typo in the d.changelog -
> > > > the automated link for CVE-2021-4508 is a 404.
> > > > 
> > > > I've updated the script to catch this and report the error. From the
> > > > security-tracker source-package page for epiphany, it looks like the
> > > > d.changelog entry should be CVE-2021-45088 - a simple typo to omit
> > > > the final repeated digit.
> > > > 
> > > > Currently, I'm handling this by advising that the script is re-run
> > > > using the offline support and a corrected list of CVE IDs.
> > > > 
> > > > This also adds a --force-version option to the offline support, in
> > > > case sid has moved ahead of the fixed version by the time the CVE
> > > > list is updated.
> > > 
> > > Ack, this works indeed in this case as the CVE-2021-4508 does not
> > > exist (yet). But in other cases typos are e.g. just swapping a number
> > > or mistyping the year, or other typos, which lead to an existing CVE.
> > > So basically this all really boils down to, people working on
> > > security-tracker trying as much as possible, in the human limits :),
> > > to do as diligent work as possible.
> > 
> > The script also prints out the CVE description and then tries to
> > identify any existing package link by checking the PackageAnnotation of
> > each CVE. It prints a warning if the source package of the CVE from the
> > changes input doesn't match the source package of the changes itself or
> > the source package(s) of other CVEs in the list. It can't always be an
> > error as the situation with embedded copies & removed|reintroduced
> > packages makes it hard for the script. However, it should be obvious
> > from the output if a typo has been made.
> > 
> > I've also added output if a typo matches a CVE that is an NFU as
> > there are a lot more of those in data/CVE/list e.g.
> > 
> > $ cat test.changes| ./bin/grab-cve-in-fix --input
> > grab-cve-in-fix - INFO - Retrieving data STDIN ...
> > grab-cve-in-fix - INFO - CVE-2021-45085: (XSS can occur in GNOME Web
> > (aka Epiphany) before 40.4 and 41.x before ...)
> > grab-cve-in-fix - INFO - CVE-2021-45086: (XSS can occur in GNOME Web
> > (aka Epiphany) before 40.4 and 41.x before ...)
> > grab-cve-in-fix - INFO - CVE-2021-45087: (XSS can occur in GNOME Web
> > (aka Epiphany) before 40.4 and 41.x before ...)
> > grab-cve-in-fix - INFO - CVE-2021-3757: (immer is vulnerable to
> > Improperly Controlled Modification of Object Pr ...)
> > grab-cve-in-fix - ERROR - CVE CVE-2021-3757 is not attributed to a
> > Debian package: ['NOT-FOR-US', 'NOTE']
> > 
> > (test.changes in this case was edited to change the typo to
> > CVE-2021-3757 to demonstrate the output).
> 
> Thanks!
> 
> I noted another case which triggers an error but in this case should
> not (I think the same issue might be present in merge-cve-list, but
> need to double check):
> 
> ../gragcvefix/bin/grab-cve-in-fix --tracker
> https://tracker.debian.org/news/1294112/accepted-systemd-2502-1-source-into-unstable/
> grab-cve-in-fix - INFO - Retrieving data from distro-tracker...
> grab-cve-in-fix - INFO - CVE-2021-3997:
> grab-cve-in-fix - ERROR - CVE CVE-2021-3997 is not attributed to a Debian
> package: ['RESERVED']

Never mind, the problem here was PEBKAC. merge-cve-list will later on
still stumble over RESERVED, but I need to respin my tests with the
scripts first before I can give sensible feedback. The above was
nonsense.

Regards,
Salvatore
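As an added illustration (this is not the grab-cve-in-fix code, whose source is not on this page), a Python sketch of the cross-check Neil describes: pull the CVE ids out of a .changes Changes field, look each one up in a constructed excerpt of the tracker's data/CVE/list, and flag ids that do not exist at all, that the tracker attributes to a different source package, or that carry only annotations such as NOT-FOR-US or RESERVED. The data/CVE/list layout is assumed from its public form and every input below is constructed.

```python
import re
# Constructed excerpt in the layout of security-tracker's data/CVE/list (assumed
# format: "CVE-ID (description)" header, then tab-indented "- <src> <ver>" / "KEY: ..." lines).
CVE_LIST = """\
CVE-2021-45088 (XSS can occur in GNOME Web (aka Epiphany) before 40.4 ...)
\t- epiphany 41.3-1
CVE-2021-3757 (immer is vulnerable to Improperly Controlled Modification ...)
\tNOT-FOR-US: immer
\tNOTE: constructed note line
CVE-2021-3997
\tRESERVED
"""
# Constructed .changes excerpt with the dropped-digit typo CVE-2021-4508 and the wrong-package CVE-2021-3757.
CHANGES = """\
Source: epiphany
   * New upstream release, fixes CVE-2021-45088 CVE-2021-4508 CVE-2021-3757
"""
HEADER, FIX = re.compile(r"^(CVE-\d{4}-\d{4,})(?: \((.*)\))?$"), re.compile(r"^- (\S+) ")

def parse_cve_list(text):
    """Map CVE id -> {"packages": fixed source packages, "annotations": keys like NOT-FOR-US}."""
    entries, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = entries[m.group(1)] = {"packages": set(), "annotations": set()}
        elif cur is not None and line.startswith("\t"):
            fix = FIX.match(line.strip())  # "- <source> <version>" fix line, else an annotation
            key = fix.group(1) if fix else line.strip().split(":")[0]
            cur["packages" if fix else "annotations"].add(key)
    return entries

def check_changes(changes, entries):
    """Status of every CVE id named in the Changes field, checked against the Source field."""
    source = re.search(r"^Source: (\S+)$", changes, re.M).group(1)
    report = {}
    for cve in sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", changes))):
        entry = entries.get(cve)
        if entry is None:
            report[cve] = "unknown CVE id (possible typo)"
        elif source in entry["packages"]:
            report[cve] = "ok"
        elif entry["packages"]:  # exists, but the tracker attributes it to another source package
            report[cve] = f"attributed to {', '.join(sorted(entry['packages']))}, not {source}"
        else:  # no package line at all: NOT-FOR-US, RESERVED, ...
            report[cve] = f"not attributed to a Debian package: {sorted(entry['annotations'])}"
    return report

if __name__ == "__main__":
    print(check_changes(CHANGES, parse_cve_list(CVE_LIST)))
```

Whether a RESERVED entry should count as an error, as the thread discusses, is left to the caller; the function only reports the annotations it found.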