The branch master has been updated via 598ab94e8eaa78293e59bad5ea8515168e291fa7 (commit) via 43332d88869015a8e8f0d6fb8ab9ea2961a423e1 (commit) via dabfc9a7ae3a3ae4ab3395b5b6e740defb4b52e0 (commit) from 0be639f38ad327963d1ae0e49abe1c90e0872b5c (commit)
- Log ----------------------------------------------------------------- commit 598ab94e8eaa78293e59bad5ea8515168e291fa7 Author: Mark J. Cox <m...@awe.com> Date: Tue Jan 30 09:43:25 2018 +0000 Make the per-version vulnerability files. We could probably do something clever here to work out all the versions we have releases for. commit 43332d88869015a8e8f0d6fb8ab9ea2961a423e1 Author: Mark J. Cox <m...@awe.com> Date: Tue Jan 30 09:27:28 2018 +0000 Link to all-issues page, better detection of "no vulnerabilities" for a given base version commit dabfc9a7ae3a3ae4ab3395b5b6e740defb4b52e0 Author: Mark J. Cox <m...@awe.com> Date: Tue Jan 30 09:19:21 2018 +0000 Update mk-cvepage to remain backward compatible for now, but allow generation of a "per major version" vuln page. So users of 1.1.0 can if they like just see a page of issues that were fixed in 1.1.0* ----------------------------------------------------------------------- Summary of changes: Makefile | 28 ++++++++++++++++++++++++++++ bin/mk-cvepage | 53 +++++++++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 75 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index 3c73ac3..8a41c35 100644
--- a/Makefile
+++ b/Makefile
@@ -19,6 +19,13 @@ SIMPLE = newsflash.inc sitemap.txt \
 news/openssl-1.1.0-notes.inc \
 news/newsflash.inc \
 news/vulnerabilities.inc \
+ news/vulnerabilities-1.1.0.inc \
+ news/vulnerabilities-1.0.2.inc \
+ news/vulnerabilities-1.0.1.inc \
+ news/vulnerabilities-1.0.0.inc \
+ news/vulnerabilities-0.9.8.inc \
+ news/vulnerabilities-0.9.7.inc \
+ news/vulnerabilities-0.9.6.inc \
 source/.htaccess \
 source/license.txt \
 source/index.inc
@@ -118,6 +125,27 @@ news/newsflash.inc: news/newsflash.txt
 news/vulnerabilities.inc: bin/mk-cvepage news/vulnerabilities.xml
 @rm -f $@
 ./bin/mk-cvepage -i news/vulnerabilities.xml > $@
+news/vulnerabilities-1.1.0.inc: bin/mk-cvepage news/vulnerabilities.xml
+ @rm -f $@
+ ./bin/mk-cvepage -i news/vulnerabilities.xml -b 1.1.0 > $@
+news/vulnerabilities-1.0.2.inc: bin/mk-cvepage news/vulnerabilities.xml
+ @rm -f $@
+ ./bin/mk-cvepage -i news/vulnerabilities.xml -b 1.0.2 > $@
+news/vulnerabilities-1.0.1.inc: bin/mk-cvepage news/vulnerabilities.xml
+ @rm -f $@
+ ./bin/mk-cvepage -i news/vulnerabilities.xml -b 1.0.1 > $@
+news/vulnerabilities-1.0.0.inc: bin/mk-cvepage news/vulnerabilities.xml
+ @rm -f $@
+ ./bin/mk-cvepage -i news/vulnerabilities.xml -b 1.0.0 > $@
+news/vulnerabilities-0.9.8.inc: bin/mk-cvepage news/vulnerabilities.xml
+ @rm -f $@
+ ./bin/mk-cvepage -i news/vulnerabilities.xml -b 0.9.8 > $@
+news/vulnerabilities-0.9.7.inc: bin/mk-cvepage news/vulnerabilities.xml
+ @rm -f $@
+ ./bin/mk-cvepage -i news/vulnerabilities.xml -b 0.9.7 > $@
+news/vulnerabilities-0.9.6.inc: bin/mk-cvepage news/vulnerabilities.xml
+ @rm -f $@
+ ./bin/mk-cvepage -i news/vulnerabilities.xml -b 0.9.6 > $@
 source/.htaccess: $(wildcard source/openssl-*.tar.gz) bin/mk-latest
 @rm -f @?
 ./bin/mk-latest source >$@
diff --git a/bin/mk-cvepage b/bin/mk-cvepage
index 57bc798..70e18cc 100755
--- a/bin/mk-cvepage
+++ b/bin/mk-cvepage
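Review bot: The seven per-version rules added in the Makefile hunk at `@@ -118,6 +125,27 @@` differ only in the version string, so every new release branch needs an edit here and in the `SIMPLE` list in the `@@ -19,6 +19,13 @@` hunk, and a missed edit would leave that branch without a vulnerability page. A single GNU make pattern rule would cover them: `news/vulnerabilities-%.inc: bin/mk-cvepage news/vulnerabilities.xml` with the recipe lines `@rm -f $@` and `./bin/mk-cvepage -i news/vulnerabilities.xml -b $* > $@`. Separately, because the recipe redirects into `$@`, a failing `mk-cvepage` run leaves a partial file that make treats as up to date on the next run; declaring `.DELETE_ON_ERROR:` would keep a truncated security page from being published.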
@@ -45,9 +45,20 @@ def merge_affects(issue,base): anext = anext[:-1]+chr(ord(anext[-1])+1) return ",".join(['-'.join(map(str,aff)) for aff in alist]) - + +def allyourbase(issues): + allbase = [] + # find all the major versions of OpenSSL we have vulnerabilities fixed in + for affects in issues.getElementsByTagName('fixed'): + if (affects.getAttribute("base") not in allbase): + if ("fips" not in affects.getAttribute("base")): # temporary hack + allbase.append(affects.getAttribute("base")) + return sorted(allbase, reverse=True) + + parser = OptionParser() parser.add_option("-i", "--input", help="input vulnerability file live openssl-web/news/vulnerabilities.xml", dest="input") +parser.add_option("-b", "--base", help="only include vulnerabilities for this major version (i.e. 1.0.1)", dest="base") (options, args) = parser.parse_args() # We need an output directory not stdout because we might write multiple files @@ -68,6 +79,15 @@ allyears = [] # Display issues latest by date first, if same date then by highest CVE allissues = "" for issue in sorted(issues, key=lambda x: (x.getAttribute('public'), x.getElementsByTagName('cve')[0].getAttribute('name')),reverse=True): + + if options.base: + include = 0 + for affects in issue.getElementsByTagName('fixed'): + if (affects.getAttribute("base") in options.base): + include = 1 + if (include == 0): + continue + date = issue.getAttribute('public') year = date[:-4] if (year != thisyear): @@ -80,7 +100,7 @@ for issue in sorted(issues, key=lambda x: (x.getAttribute('public'), x.getElemen allissues += "<dt>" if cve: - allissues += "<a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-%s\">CVE-%s</a> " %(cve,cve) + allissues += "<a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-%s\" name=\"CVE-%s\">CVE-%s</a> " %(cve,cve,cve) for adv in issue.getElementsByTagName('advisory'): allissues += "<a href=\"%s\">(OpenSSL advisory)</a> " %(adv.getAttribute("url")) for sev in issue.getElementsByTagName('impact'): 
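Review bot: `allyourbase` in the `@@ -45,9 +45,20 @@` hunk has no docstring, and its ordering relies on `sorted(allbase, reverse=True)` comparing version strings lexicographically, which stays newest-first only while every version component is a single digit. A docstring such as `"""Return the distinct non-FIPS base versions named by <fixed> elements, highest string first."""` would record that, and reading the attribute once (`base = affects.getAttribute("base")`) instead of three times makes the two filters easier to follow. If a `fixed` element can lack the attribute, an empty string would presumably be collected too and become a `vulnerabilities-.html` link in the `@@ -94,20 +114,41 @@` hunk, so an `if not base: continue` guard is worth considering.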
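Review bot: `affects.getAttribute("base") in options.base` in the `@@ -68,6 +79,15 @@` hunk is a substring test, because `options.base` is a string rather than a list. A `fixed` element whose `base` is empty, or is a fragment of the requested version (constructed example: `1.0` against `-b 1.0.1`), is therefore treated as a match and the issue lands on the wrong per-version page. Compare for equality instead: `if affects.getAttribute("base") == options.base:`. The same pattern appears twice in the `@@ -94,20 +114,41 @@` hunk (`not in options.base` when building `also`, and `base in options.base` when building the preface links) and should change with it. The enclosing `for issue in sorted(...)` loop continues outside this hunk.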
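Review bot: `cve` is now interpolated into a second HTML attribute (`name=\"CVE-%s\"`) in the `@@ -80,7 +100,7 @@` hunk without escaping, and the `@@ -94,20 +114,41 @@` hunk does the same with `base`, `version` and `options.base`. The values come from `news/vulnerabilities.xml` and the Makefile, so this is hardening rather than a known problem, but a stray `"` or `<` in the XML would yield broken or injectable markup on the security page. Passing each value through an escaping helper before formatting, e.g. `xml.sax.saxutils.escape(cve, {'"': '&quot;'})`, would close that; whether that module is already imported is not visible in this hunk.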
@@ -94,20 +114,41 @@ for issue in sorted(issues, key=lambda x: (x.getAttribute('public'), x.getElemen allissues += " Reported by %s. " %(reported.getAttribute("source")) allissues += "<ul>" + also = [] for affects in issue.getElementsByTagName('fixed'): + if options.base: + if (affects.getAttribute("base") not in options.base): + also.append("OpenSSL <a href=\"vulnerabilities-%s.html#CVE-%s\">%s</a>" %( affects.getAttribute('base'), cve, affects.getAttribute('version'))) + continue allissues += "<li>Fixed in OpenSSL %s " %(affects.getAttribute('version')) for git in affects.getElementsByTagName('git'): allissues += "<a href=\"https://github.com/openssl/openssl/commit/%s\">(git commit)</a> " %(git.getAttribute('hash')) allissues += "(Affected "+merge_affects(issue,affects.getAttribute("base"))+")" allissues += "</li>" + if also: + allissues += "<li>This issue was also addressed in "+ ", ".join( also) allissues += "</ul></dd>" -allissues += "</dl>" preface = "<!-- do not edit this file it is autogenerated, edit vulnerabilities.xml -->" -preface += "<p><a name=\"toc\">Jump to year: </a>" -preface += ", ".join( "<a href=\"#y%s\">%s</a>" %(year,year) for year in allyears) +if options.base: + # for now don't put the link to the per-base page on main page until it's ready to go live + bases = [] + for base in allyourbase(dom): + if (options.base and base in options.base): + bases.append("%s" %(base)) + else: + bases.append( "<a href=\"vulnerabilities-%s.html\">%s</a>" %(base,base)) + preface += "Show issues fixed only in OpenSSL " + ", ".join(bases) + if (options.base): + preface += ", or <a href=\"vulnerabilities.html\">all versions</a>" + preface += "<h2>Fixed in OpenSSL %s</h2>" %(options.base) +if len(allyears)>1: # If only vulns in this year no need for the year table of contents + preface += "<p><a name=\"toc\">Jump to year: </a>" + ", ".join( "<a href=\"#y%s\">%s</a>" %(year,year) for year in allyears) preface += "</p>" -preface += allissues +if allissues != "": + 
preface += allissues + "</dl>" +else: + preface += "No vulnerabilities" sys.stdout.write(preface.encode('utf-8')) _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
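Review bot: The list item opened by `allissues += "<li>This issue was also addressed in "+ ", ".join( also)` is never closed before `</ul></dd>`; append `+ "</li>"` to that line. The link built in `also.append(...)` formats `cve` into `#CVE-%s` without the `if cve:` guard used where the anchor is emitted in the `@@ -80,7 +100,7 @@` hunk, so an issue without a CVE name would presumably link to a fragment that has no anchor; `cve` is assigned outside this hunk, so confirm against the full loop. Inside `if options.base:` the extra `options.base and` and the nested `if (options.base):` are always true and can be dropped.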