Created attachment 207171 FreeBSD SA entries As noted on https://vuxml.freebsd.org/freebsd/ "Security issues that affect the FreeBSD operating system or applications in the FreeBSD Ports Collection are documented using the Vulnerabilities and Exposures Markup Language (VuXML)." But they are not. Security issues in the base system, a.k.a. Security Advisories, are not being added by the Security Team. In my not so humble opinion they should be added into vuln.xml at the same time as they are published on the web at https://www.freebsd.org/security/advisories.html Anyway, I created a patch to add the last entries from August 2019. Please commit it soon so other users can use the vuxml entries to check their systems with security/base-audit
Thank you for the report and patch Miroslav
(In reply to Kubilay Kocak from comment #1) Maybe this PR is not the best place to discuss it, but what is the current process of publishing a new SA on the web at https://www.freebsd.org/security/advisories.html? Is there some template system where the Security Officer fills in all the textual data and the file in the right format is created, or is it all manual work to write the plain text files published on the web? I am asking if there is any way to automate the process of pushing it to vuln.xml too. If the final plain text file is the only source of information for a new SA, I can send you my quick shell script as a prototype to ease the conversion of a text SA into XML format for vuln.xml. (The attached patch was created by this script.) I really would like to see vuxml entries published at the same time as plain text SAs in the future.
ping Can you commit it, please?
Another week passed. Can somebody commit this really simple patch to finally add known SAs to VuXML, please?
Can somebody be so kind and explain to me what the problem is with this patch? What is so hard about getting it committed? I really don't understand it.
I'll handle this.
ping
Still wondering what's so hard about this patch.
@miwi : maybe we can start catching up on the unreported items. BTW, I don't know if the task can be automated, since SAs aren't in a strict structured format we can easily convert into XML.
(In reply to Rodrigo Osorio from comment #9) You can also reassign the PR to me :D
(In reply to Rodrigo Osorio from comment #9) Maybe there are some exceptions, but most of the SAs use the same format and can be easily converted by a shell script. The submitted patch was created by a shell script.
(In reply to Miroslav Lachman from comment #11) Agree, but exceptions matter, especially if they can automatically break the vuln.xml file. To be honest, I don't trust tools that handle non-formatted inputs (let's call them human readable inputs) that much without supervision. But we can probably agree on a script which can live in Tools/script/ and generate patches for the vuln.xml file with the missing SAs.
(In reply to Rodrigo Osorio from comment #12) 100% agree on this. Use the tool to create the patch, but commit it manually after human validation (until there is some official tool to write SAs in a semantic language).
Created attachment 208587 freebsdsa.sh I have a script that automates converting an SA into vuxml, and the only issue it ever has is correctly identifying whether the issue should be filed under FreeBSD or FreeBSD-kernel. Attaching it here if anyone is interested. I've also passed it on to secteam and ports-secteam.
(In reply to Mark Felder from comment #14) Thank you Mark!