Bug 240322 - security/vuxml: Add August FreeBSD Security Advisories
Summary: security/vuxml: Add August FreeBSD Security Advisories
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Ports Security Team
Keywords: easy, needs-qa, security
Depends on:
Reported: 2019-09-03 22:47 UTC by Miroslav Lachman
Modified: 2019-09-17 20:34 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (ports-secteam)
koobs: maintainer-feedback? (secteam)

FreeBSD SA entries (9.53 KB, patch)
2019-09-03 22:47 UTC, Miroslav Lachman
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Miroslav Lachman 2019-09-03 22:47:10 UTC
Created attachment 207171 [details]
FreeBSD SA entries

As noted on https://vuxml.freebsd.org/freebsd/ 
"Security issues that affect the FreeBSD operating system or applications in the FreeBSD Ports Collection are documented using the Vulnerabilities and Exposures Markup Language (VuXML)."

But they are not. Security issues in base system a.k.a Security Advisories are not being added by Security Team.

In my not so humble opinion they should be added in to vuln.xml at the same time as they are published on web https://www.freebsd.org/security/advisories.html

Anyway I created patch to add last entries from August 2019.

Please commit it soon so other users can use vuxml entries to check theirs systems by security/base-audit
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-05 12:23:17 UTC
Thank you for the report and patch Miroslav
Comment 2 Miroslav Lachman 2019-09-05 16:15:14 UTC
(In reply to Kubilay Kocak from comment #1)
Maybe this PR is not the best place to discuss it but what is the current process of publishing new SA on web https://www.freebsd.org/security/advisories.html?
Is there some template system where Security Officer fills in all the textual data and the file with right format is created or is it all manual work to write the plain text files published on the web?

I am asking if there is any way to automates the process of pushing it to vuln.xml too.

If the final plain text file is the only source of information for new SA I can send you my quick shell script as prototype to ease the conversion of text SA in to XML format for vuln.xml. (the attached patch was create by this script)

I really would like to see vuxml entries published at the same time as plain text SAs in the future.
Comment 3 Miroslav Lachman 2019-09-09 17:56:37 UTC

Can you commit it, please?
Comment 4 Miroslav Lachman 2019-09-17 20:34:05 UTC
Another week passed. 
Can somebody commit this really simple patch to finally add known SAs to VuXML, please?