| Summary: | security/vuxml: split vuln.xml by year, use includes to read them, test tools if all is fine | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Kurt Jaeger <pi> |
| Component: | Individual Port(s) | Assignee: | Ports Security Team <ports-secteam> |
| Status: | Closed FIXED | | |
| Severity: | Affects Some People | CC: | dvl, joneum, koobs, pi, tommi.pernila |
| Priority: | --- | Keywords: | dogfood, needs-patch, needs-qa |
| Version: | Latest | Flags: | bugzilla: maintainer-feedback? (ports-secteam) |
| Hardware: | Any | | |
| OS: | Any | | |
Description

Kurt Jaeger

Freshports may parse this in a custom manner, cc Dan accordingly.

What other tools / people may be affected?

FreshPorts reads the file touched in the commit. If the individual files are self-enclosed XML, FreshPorts might not notice. If someone can show me example files / commits, I will verify.

Sounds like a very good BSDCan project.

(In reply to Dan Langille from comment #2)

I scanned the code. There are a few constants referring to

* /ports/head/security/vuxml/vuln.xml
* security/vuxml/vuln.xml

and one bit of code which scans the incoming email via perl for:

```perl
# Excerpt from the commit-mail scanner; the enclosing subroutine name is
# assumed here, and VUXML is a filehandle already opened on the mail body.
sub vuxml_ident {
    my %ident;
    while (<VUXML>) {
        # Only the $FreeBSD$ keyword line for vuln.xml is of interest; note the
        # hard-coded path head/security/vuxml/vuln.xml in the pattern.
        next unless m#^\s+\$FreeBSD: head/security/vuxml/vuln.xml (\d+) (\d\d\d\d\-\d\d\-\d\d) (\d\d:\d\d:\d\d\S+) (\S+) .*$#;
        $ident{Revision}  = $1;
        $ident{Date}      = $2;
        $ident{Time}      = $3;
        $ident{Committer} = $4;
    }
    return %ident;
}
```

Nothing insurmountable.

FreshPorts processes the commit, and then queues a job for the vuxml processing (i.e. tagging vuln versions), which is done later. If vuxml processing breaks, it does not upset the website; only the 'skulls' next to version numbers are affected.

The problem is "pkg audit foo". We are currently discussing a solution with secteam to make vuxml modern. I am closing here, but of course suggestions are welcome.
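The following is an added example, not code from the FreeBSD ports tree, vuxml or FreshPorts. It illustrates the two points raised above: a top-level vuln.xml that pulls in per-year files via includes, and what a consumer that parses only the file touched in the commit sees depending on whether that file is self-enclosed XML. The xi:include layout, the file names vuln-2019.xml / vuln-2020.xml, the vid values and all entries are constructed sample data and assumptions; only the VuXML namespace URI is the one the VuXML DTD uses. The assembler also refuses include targets that are not part of the repository, which is the check a practitioner would want before letting an XML file name other files.

```python
"""Added example (not FreeBSD, vuxml or FreshPorts code): assemble a vuln.xml
split into per-year files via includes, and show what a tool that parses only
the file named in a commit can do with a fragment. All file contents are
constructed sample data; the include layout and file names are assumptions."""
import xml.etree.ElementTree as ET

VUXML_NS = "http://www.vuxml.org/apps/vuxml-1"   # namespace from the VuXML DTD
XI_NS = "http://www.w3.org/2001/XInclude"
VULN = f"{{{VUXML_NS}}}vuln"
VUXML_ROOT = f"{{{VUXML_NS}}}vuxml"
INCLUDE = f"{{{XI_NS}}}include"


def _entry(vid, pkg):
    """One constructed <vuln> entry (sample data, not a real advisory)."""
    return (f'  <vuln vid="{vid}"><topic>{pkg} -- sample issue</topic>'
            f'<affects><package><name>{pkg}</name>'
            f'<range><lt>1.0</lt></range></package></affects></vuln>\n')


# Constructed "repository": the top-level file plus one file per year.
# Each per-year file is self-enclosed, i.e. a well-formed document on its own.
FILES = {
    "vuln.xml": (f'<vuxml xmlns="{VUXML_NS}" xmlns:xi="{XI_NS}">\n'
                 '  <xi:include href="vuln-2019.xml"/>\n'
                 '  <xi:include href="vuln-2020.xml"/>\n'
                 '</vuxml>\n'),
    "vuln-2019.xml": (f'<vuxml xmlns="{VUXML_NS}">\n'
                      + _entry("2019-0001", "foo") + _entry("2019-0002", "bar")
                      + '</vuxml>\n'),
    "vuln-2020.xml": (f'<vuxml xmlns="{VUXML_NS}">\n'
                      + _entry("2020-0001", "foo")
                      + '</vuxml>\n'),
}

# The other possible layout: bare <vuln> elements with no enclosing root.
# This is only well-formed once inlined into the parent document.
BARE_FRAGMENT = _entry("2020-0002", "baz") + _entry("2020-0003", "qux")


def assemble(files, top="vuln.xml"):
    """Replace each xi:include in the top-level file with the children of the
    included file's <vuxml> root. Only names present in `files` are accepted,
    so an href such as ../../etc/passwd cannot reach outside the repository."""
    root = ET.fromstring(files[top])
    # Walk in reverse so earlier indices stay valid while we splice.
    for i, child in list(enumerate(root))[::-1]:
        if child.tag != INCLUDE:
            continue
        href = child.get("href")
        if href not in files:
            raise ValueError(f"include target not in repository: {href!r}")
        frag_root = ET.fromstring(files[href])
        if frag_root.tag != VUXML_ROOT:
            raise ValueError(f"{href}: root is {frag_root.tag}, expected vuxml")
        root.remove(child)
        for j, entry in enumerate(list(frag_root)):
            root.insert(i + j, entry)
    return root


def vids(root):
    """All vuln identifiers in document order."""
    return [v.get("vid") for v in root.iter(VULN)]


def is_self_enclosed(text):
    """True if the file parses as a complete XML document on its own, i.e. a
    commit-driven consumer could read just this file. A bare run of <vuln>
    elements fails with 'junk after document element'."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def affecting(root, pkgname):
    """Entries whose <affects> names the package. Version-range comparison is
    left to pkg(8); this only shows which entries a lookup has to consider."""
    result = []
    for v in root.iter(VULN):
        names = {n.text for n in v.iter(f"{{{VUXML_NS}}}name")}
        if pkgname in names:
            result.append(v.get("vid"))
    return result


if __name__ == "__main__":
    combined = assemble(FILES)
    print("combined:", vids(combined))
    print("entries naming foo:", affecting(combined, "foo"))
    print("vuln-2019.xml alone parses:", is_self_enclosed(FILES["vuln-2019.xml"]))
    print("bare fragment alone parses:", is_self_enclosed(BARE_FRAGMENT))
```

Running it shows the assembled document carrying all three entries in year order, the 2019 file parsing on its own, and the bare fragment failing, which is the difference Dan's comment hinges on: with self-enclosed per-year files a consumer that reads only the touched file keeps working, with bare fragments it has to assemble the whole document first.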