feat(debian/tracker): add TEMP entry instead of CVE-yyyy-XXXX (#254)

2023-11-14 11:59:53 +09:00 · 2023-11-14 11:59:53 +09:00 · f022b19a87
commit f022b19a87
parent 93697e4740
3 changed files with 99 additions and 2 deletions
--- a/debian/tracker/debian.go
+++ b/debian/tracker/debian.go
@ -4,6 +4,7 @@ import (
 	"bufio"
 	"bytes"
 	"context"
+	"crypto/md5"
 	"encoding/json"
 	"fmt"
 	"log"
@ -158,8 +159,26 @@ func (c Client) update(dirname string, bugs []Bug) error {
 	for _, bug := range bugs {
 		dir := filepath.Join(c.vulnListDir, trackerDir, dirname)
 		if dirname == "CVE" {
-			if err := utils.SaveCVEPerYear(dir, bug.Header.ID, bug); err != nil {
-				return xerrors.Errorf("debian: failed to save CVE per year: %w", err)
+			if strings.HasSuffix(bug.Header.ID, "-XXXX") {
+				var bugno int
+				for _, ann := range bug.Annotations {
+					if ann.Type == "package" && ann.BugNo != 0 {
+						bugno = ann.BugNo
+						break
+					}
+				}
+
+				bug.Header.ID = tempBugName(bugno, bug.Header.Description)
+
+				fileName := fmt.Sprintf("%s.json", bug.Header.ID)
+				filePath := filepath.Join(dir, "TEMP", fileName)
+				if err := utils.Write(filePath, bug); err != nil {
+					return xerrors.Errorf("debian: write error (%s): %w", filePath, err)
+				}
+			} else {
+				if err := utils.SaveCVEPerYear(dir, bug.Header.ID, bug); err != nil {
+					return xerrors.Errorf("debian: failed to save CVE per year: %w", err)
+				}
 			}
 		} else {
 			fileName := fmt.Sprintf("%s.json", bug.Header.ID)
@ -351,3 +370,15 @@ func (c Client) parseSources(sourcePath string) ([]textproto.MIMEHeader, error)

 	return headers, nil
 }
+
+// ref. https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/50ca55fb66ec7592f9bc1053a11dbf0bd50ee425/lib/python/bugs.py#L402
+func tempBugName(bugNumber int, description string) string {
+	switch {
+	case strings.HasPrefix(description, "["):
+		description = strings.TrimPrefix(strings.TrimSuffix(description, "]"), "[")
+	case strings.HasPrefix(description, "("):
+		description = strings.TrimPrefix(strings.TrimSuffix(description, ")"), "(")
+	}
+	hash := fmt.Sprintf("%x", md5.Sum([]byte(description)))
+	return fmt.Sprintf("TEMP-%07d-%s", bugNumber, strings.ToUpper(hash[:6]))
+}
--- a/debian/tracker/debian_test.go
+++ b/debian/tracker/debian_test.go
@ -154,6 +154,64 @@ func TestClient_Update(t *testing.T) {
 						},
 					},
 				},
+				filepath.Join("CVE", "TEMP", "TEMP-1053115-9454E3.json"): {
+					Header: &tracker.Header{
+						Original:    "CVE-2023-XXXX [code execution via malformed XTGETTCAP]",
+						ID:          "TEMP-1053115-9454E3",
+						Description: "[code execution via malformed XTGETTCAP]",
+					},
+					Annotations: []*tracker.Annotation{
+						{
+							Original: "- foot 1.15.3-2 (bug #1053115)",
+							Type:     "package",
+							Package:  "foot",
+							Kind:     "fixed",
+							Version:  "1.15.3-2",
+							BugNo:    1053115,
+						},
+						{
+							Original: "[bookworm] - foot 1.13.1-2+deb12u1",
+							Type:     "package",
+							Release:  "bookworm",
+							Package:  "foot",
+							Kind:     "fixed",
+							Version:  "1.13.1-2+deb12u1",
+						},
+						{
+							Original:    "[bullseye] - foot <no-dsa> (Minor issue)",
+							Type:        "package",
+							Release:     "bullseye",
+							Package:     "foot",
+							Kind:        "no-dsa",
+							Description: "Minor issue",
+						},
+						{
+							Original:    "NOTE: https://codeberg.org/dnkl/foot/commit/8a5f2915e9d327d1517d1da49ce7e2303fe61d36",
+							Type:        "NOTE",
+							Description: "https://codeberg.org/dnkl/foot/commit/8a5f2915e9d327d1517d1da49ce7e2303fe61d36",
+						},
+					},
+				},
+				filepath.Join("CVE", "TEMP", "TEMP-0000000-556898.json"): {
+					Header: &tracker.Header{
+						Original:    "CVE-2023-XXXX [Other security issues from wordpress 6.3.2]",
+						ID:          "TEMP-0000000-556898",
+						Description: "[Other security issues from wordpress 6.3.2]",
+					},
+					Annotations: []*tracker.Annotation{
+						{
+							Original: "- wordpress <unfixed>",
+							Type:     "package",
+							Package:  "wordpress",
+							Kind:     "unfixed",
+						},
+						{
+							Original:    "NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/",
+							Type:        "NOTE",
+							Description: "https://wordpress.org/documentation/wordpress-version/version-6-3-2/",
+						},
+					},
+				},
 			},
 			wantDists: map[string]tracker.Distribution{
 				"stretch": {
--- a/debian/tracker/testdata/happy/data/CVE/list
+++ b/debian/tracker/testdata/happy/data/CVE/list
@ -1,3 +1,11 @@
+CVE-2023-XXXX [code execution via malformed XTGETTCAP]
+	- foot 1.15.3-2 (bug #1053115)
+	[bookworm] - foot 1.13.1-2+deb12u1
+	[bullseye] - foot <no-dsa> (Minor issue)
+	NOTE: https://codeberg.org/dnkl/foot/commit/8a5f2915e9d327d1517d1da49ce7e2303fe61d36
+CVE-2023-XXXX [Other security issues from wordpress 6.3.2]
+	- wordpress <unfixed>
+	NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/
 CVE-2021-36980 (Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-f ...)
        TODO: check
 CVE-2021-36383 (Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0 ...)