Bug 240322 - security/vuxml: Add August FreeBSD Security Advisories
Summary: security/vuxml: Add August FreeBSD Security Advisories
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Mark Felder
Keywords: easy, needs-qa, security
Depends on:
Reported: 2019-09-03 22:47 UTC by Miroslav Lachman
Modified: 2019-10-24 22:16 UTC (History)

See Also:
bugzilla: maintainer-feedback? (ports-secteam)
koobs: maintainer-feedback? (secteam)

FreeBSD SA entries (9.53 KB, patch)
2019-09-03 22:47 UTC, Miroslav Lachman
freebsdsa.sh (2.67 KB, application/x-sh)
2019-10-24 21:56 UTC, Mark Felder

Description Miroslav Lachman 2019-09-03 22:47:10 UTC
Created attachment 207171
FreeBSD SA entries

As noted on https://vuxml.freebsd.org/freebsd/ 
"Security issues that affect the FreeBSD operating system or applications in the FreeBSD Ports Collection are documented using the Vulnerabilities and Exposures Markup Language (VuXML)."

But they are not. Security issues in base system a.k.a Security Advisories are not being added by Security Team.

In my not so humble opinion they should be added into vuln.xml at the same time as they are published on the web at https://www.freebsd.org/security/advisories.html

Anyway I created patch to add last entries from August 2019.

Please commit it soon so other users can use vuxml entries to check their systems by security/base-audit
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-05 12:23:17 UTC
Thank you for the report and patch Miroslav
Comment 2 Miroslav Lachman 2019-09-05 16:15:14 UTC
(In reply to Kubilay Kocak from comment #1)
Maybe this PR is not the best place to discuss it, but what is the current process of publishing new SAs on the web at https://www.freebsd.org/security/advisories.html?
Is there some template system where the Security Officer fills in all the textual data and the file in the right format is created, or is it all manual work to write the plain text files published on the web?

I am asking if there is any way to automate the process of pushing it to vuln.xml too.

If the final plain text file is the only source of information for a new SA, I can send you my quick shell script as a prototype to ease the conversion of text SAs into XML format for vuln.xml. (The attached patch was created by this script.)

I really would like to see vuxml entries published at the same time as plain text SAs in the future.
Comment 3 Miroslav Lachman 2019-09-09 17:56:37 UTC

Can you commit it, please?
Comment 4 Miroslav Lachman 2019-09-17 20:34:05 UTC
Another week passed. 
Can somebody commit this really simple patch to finally add known SAs to VuXML, please?
Comment 5 Miroslav Lachman 2019-09-30 09:26:34 UTC
Can somebody be so kind and explain to me what the problem with this patch is? What is so hard about getting it committed?
I really don't understand it.
Comment 6 Martin Wilke freebsd_committer 2019-09-30 15:38:05 UTC
I'll handle this.
Comment 7 Miroslav Lachman 2019-10-09 19:32:44 UTC
Comment 8 Miroslav Lachman 2019-10-22 12:33:35 UTC
Still wondering what's so hard on this patch.
Comment 9 Rodrigo Osorio freebsd_committer 2019-10-24 12:51:10 UTC
@miwi: maybe we can start catching up on the unreported items.

BTW, I don't know if the task can be automated, since
SAs aren't in a strict structured format that we can
easily convert to XML.
Comment 10 Rodrigo Osorio freebsd_committer 2019-10-24 12:54:08 UTC
(In reply to Rodrigo Osorio from comment #9)

You can also reassign the PR to me :D
Comment 11 Miroslav Lachman 2019-10-24 13:59:07 UTC
(In reply to Rodrigo Osorio from comment #9)
Maybe there are some exceptions but most of the SAs are using the same format and can be easily converted by shell script.
The submitted patch was created by shell script.
Comment 12 Rodrigo Osorio freebsd_committer 2019-10-24 14:56:10 UTC
(In reply to Miroslav Lachman from comment #11)

Agree, but exceptions matter, especially if they can
automatically break the vuln.xml file.

To be honest, I don't trust that much tools that
handle non-formatted inputs (let's call them human
readable inputs) without supervision.

But we can probably agree on a script which can live in
Tools/script/ and generate patches for the vuln.xml file
with the missing SAs.
Comment 13 Miroslav Lachman 2019-10-24 17:12:06 UTC
(In reply to Rodrigo Osorio from comment #12)
100% agree on this. Use the tool to create patch but commit it manually after human validation.
(until there is some official tool to write SAs in semantic language)
Comment 14 Mark Felder freebsd_committer 2019-10-24 21:56:18 UTC
Created attachment 208587

I have a script that automates converting the SA into vuxml, and the only issue it ever has is correctly identifying whether the issue should be for FreeBSD or FreeBSD-kernel.

Attaching here if anyone is interested. I've also passed it on to secteam and ports-secteam.
Comment 15 Miroslav Lachman 2019-10-24 22:16:42 UTC
(In reply to Mark Felder from comment #14)
Thank you Mark!
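The conversion discussed in comments 11 through 14 (the plain text SA layout is regular enough to script, the generated entry must not break vuln.xml, and the one judgement call is FreeBSD versus FreeBSD-kernel), as an added example that is neither Miroslav Lachman's shell script nor Mark Felder's attached freebsdsa.sh. It is written in Python rather than shell so that the XML is built and re-parsed by a real XML library. Assumptions: the advisory follows the published SA layout with "Topic:", "Category:", "Module:", "Announced:", "Corrected:" and "CVE Name:" fields and roman-numeral sections; the VuXML element names are those used in vuln.xml; the `affected_package` heuristic is this example's own, not a project rule; `SAMPLE_SA` is a constructed advisory whose SA number, CVE and UUID are placeholders.

```python
"""Turn a FreeBSD Security Advisory (plain text) into a VuXML <vuln> entry.

Added example for this thread, not the freebsdsa.sh attached above nor any
FreeBSD project tool. SAMPLE_SA is constructed; its identifiers are placeholders.
"""
import re
import uuid
import xml.etree.ElementTree as ET

# Constructed sample advisory in the published SA layout (placeholder identifiers).
SAMPLE_SA = """\
FreeBSD-SA-19:XX.example                                    Security Advisory
Topic:          Out-of-bounds read in exampled(8) (constructed sample)
Category:       core
Module:         exampled
Announced:      2019-08-20
Corrected:      2019-08-20 17:35:00 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:42:43 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:43:31 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:44:11 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-XXXX

II.  Problem Description

A length field in a request header is used without a bounds check.

III. Impact

A client able to reach the daemon may read parts of its memory.
"""

HEADER_RE = re.compile(r"^(Topic|Category|Module|Announced|CVE Name):\s*(.*)$", re.M)
SA_ID_RE = re.compile(r"^FreeBSD-(SA-\d\d:\w\w\.[\w-]+)", re.M)
# Only releng branches carry a patch level: "12.0-RELEASE-p10" is package version 12.0_10.
CORRECTED_RE = re.compile(r"\(releng/(\d+\.\d+), \d+\.\d+-RELEASE-p(\d+)\)")
SECTION_RE = re.compile(r"^(?:I|II|III|IV|V|VI|VII)\.\s+(.+?)\s*$", re.M)


def parse_sections(text):
    """Map each roman-numeral section title (e.g. "Problem Description") to its body."""
    marks = list(SECTION_RE.finditer(text))
    ends = [m.start() for m in marks[1:]] + [len(text)]
    return {m.group(1): text[m.end():end].strip() for m, end in zip(marks, ends)}


def affected_package(category, module):
    """Pick FreeBSD vs FreeBSD-kernel (the one hard step Comment 14 names).
    Heuristic assumed for this example, not a project rule: 'contrib' and the
    'kernel' module are clear-cut; other 'core' modules get FreeBSD but are
    flagged for the human review Comment 13 asks for."""
    if category == "core" and module == "kernel":
        return "FreeBSD-kernel", True
    return "FreeBSD", category == "contrib"


def build_vuln(sa_text, entry_date, vid=None):
    """Build the <vuln> element; returns (element, package_choice_is_confident)."""
    header = dict(HEADER_RE.findall(sa_text))
    sections = parse_sections(sa_text)
    name, confident = affected_package(header["Category"], header["Module"])
    vuln = ET.Element("vuln", vid=vid or str(uuid.uuid4()))
    ET.SubElement(vuln, "topic").text = "FreeBSD -- " + header["Topic"]
    package = ET.SubElement(ET.SubElement(vuln, "affects"), "package")
    ET.SubElement(package, "name").text = name
    for branch, patch in CORRECTED_RE.findall(sa_text):
        rng = ET.SubElement(package, "range")
        ET.SubElement(rng, "ge").text = branch
        ET.SubElement(rng, "lt").text = f"{branch}_{patch}"
    desc = ET.SubElement(vuln, "description")
    body = ET.SubElement(desc, "body", xmlns="http://www.w3.org/1999/xhtml")
    for title in ("Problem Description", "Impact"):
        ET.SubElement(body, "h1").text = title + ":"
        ET.SubElement(body, "p").text = " ".join(sections[title].split())
    refs = ET.SubElement(vuln, "references")
    if header.get("CVE Name"):
        ET.SubElement(refs, "cvename").text = header["CVE Name"]
    ET.SubElement(refs, "freebsdsa").text = SA_ID_RE.search(sa_text).group(1)
    dates = ET.SubElement(vuln, "dates")
    ET.SubElement(dates, "discovery").text = header["Announced"]
    ET.SubElement(dates, "entry").text = entry_date
    return vuln, confident


def render(vuln):
    """Serialise via ElementTree so escaping is done for us and odd characters
    in an advisory cannot break the surrounding vuln.xml (Comment 12's worry)."""
    ET.indent(vuln, space="  ")  # Python 3.9+
    return ET.tostring(vuln, encoding="unicode")


def is_well_formed(xml_text):
    """Re-parse the fragment before anyone pastes it into vuln.xml."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True


if __name__ == "__main__":
    entry, confident = build_vuln(SAMPLE_SA, "2019-09-03")
    print(render(entry), "" if confident else "<!-- REVIEW: FreeBSD vs FreeBSD-kernel -->")
```

Run it as a script and it prints the `<vuln>` fragment for the constructed advisory; because the sample's module is a core userland daemon rather than `kernel`, the package choice is reported as not confident and a review marker is printed, which matches the workflow agreed in comment 13: the tool produces the patch, a person validates it before commit. The `<ge>`/`<lt>` ranges come straight from the `releng/` lines of the "Corrected:" block, so an advisory whose patch levels are missing or unusual will simply produce fewer ranges rather than a malformed entry.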