Re: [PATCH] report-vuln: allow to invoke mailer
Hi,
On Thu, Nov 30, 2017 at 10:36:13AM +0100, Guido Günther wrote:
> This allows invoking the mailer directly, like
>
> bin/report-vuln -M <pkg> <cve>...
>
> the default behaviour is unchanged.
> ---
> Helps at least me to get out bug mails quicker.
I went ahead and committed this. If it causes any problems please ping
me or plain revert it.
Cheers,
-- Guido
>
> bin/report-vuln | 95 ++++++++++++++++++++++++++++++++-------------------------
> 1 file changed, 54 insertions(+), 41 deletions(-)
>
> diff --git a/bin/report-vuln b/bin/report-vuln
> index 5e053f88ea..9e20f4778b 100755
> --- a/bin/report-vuln
> +++ b/bin/report-vuln
> @@ -1,25 +1,18 @@
> #!/usr/bin/env python
> #
> -# generate bug report content for a given package name
> -# and a number of CVE ids
> +# generate bug report content/mail for a given package name and a
> +# number of CVE ids
> #
> -# you could use it for example in combination with the
> -# following shell function:
> +# To invoke the mailer right away:
> #
> -# report-vuln(){
> -# TMPFILE="$HOME/reportbug.tmp"
> -# $HOME/debian/svn/secure-testing/bin/report-vuln -m "$@" > $TMPFILE
> -# mutt -H $TMPFILE
> -# rm $TMPFILE
> -# }
> -#
> -# in bash, this can be simply:
> -#
> -# mutt -H <($HOME/debian/svn/secure-testing/bin/report-vuln -m <pkg> <CVE>)
> +# $HOME/debian/svn/secure-testing/bin/report-vuln -M <pkg> <CVE>
> #
> # export http_proxy if you need to use an http proxy to report bugs
>
> +from __future__ import print_function
> +
> import argparse
> +from tempfile import NamedTemporaryFile
> import sys, re, urllib, os
>
> temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-XXXX')
> @@ -118,10 +111,11 @@ def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, c
> cve_suff = ''
> time_w = 'was'
> temp_id_cnt = 0
> - header = ''
> + ret = ''
> +
>
> if mh:
> - header += '''To: submit@bugs.debian.org
> + ret += '''To: submit@bugs.debian.org
> Subject: %s: %s
>
> ''' % (pkg, ' '.join(cveid))
> @@ -132,56 +126,55 @@ Subject: %s: %s
> time_w = 'were'
>
> if src:
> - header += '''Source: %s\n''' % (pkg)
> + ret += 'Source: %s\n' % (pkg)
> else:
> - header += '''Package: %s\n''' % (pkg)
> + ret += 'Package: %s\n' % (pkg)
>
> if affected is None:
> if blanks:
> - header += "Version: FILLINAFFECTEDVERSION\n"
> + ret += "Version: FILLINAFFECTEDVERSION\n"
> else:
> - header += "Version: %s\n" % affected
> + ret += "Version: %s\n" % affected
> if cc and len(cclist) > 0:
> - header += "X-Debbugs-CC: %s\n" % " ".join(cclist)
> - header += '''Severity: %s
> + ret += "X-Debbugs-CC: %s\n" % " ".join(cclist)
> + ret += '''Severity: %s
> Tags: security
>
> Hi,
>
> -the following vulnerabilit%s %s published for %s.
> +the following vulnerabilit%s %s published for %s.\n
> ''' % (severity, vuln_suff, time_w, pkg)
>
> - footer = '''If you fix the vulnerabilit%s please also make sure to include the
> -CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry.
> -
> -For further information see:''' % (vuln_suff, cve_suff)
> -
> - print header
> for cnt, cve in enumerate(cveid):
> if not temp_id.match(cve):
> - print cve + '[' + str(cnt) + ']:'
> - print get_cve(cve)
> + ret += cve + '[' + str(cnt) + ']:\n'
> + ret += get_cve(cve) + '\n'
> else:
> - print '''Issue without CVE id #%d [%d]:''' % (temp_id_cnt, cnt)
> + ret += 'Issue without CVE id #%d [%d]:\n' % (temp_id_cnt, cnt)
> desc = description_from_list(cve, pkg, temp_id_cnt)
> if desc:
> - print desc + '\n'
> + ret += desc + '\n\n'
> else:
> - print 'No description has been specified\n'
> + ret += 'No description has been specified\n\n'
> temp_id_cnt += 1
>
> - print footer
> - print gen_index(cveid)
> + ret += '''If you fix the vulnerabilit%s please also make sure to include the
> +CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry.
> +
> +For further information see:\n''' % (vuln_suff, cve_suff)
> + ret += gen_index(cveid) + '\n'
>
> if temp_id_cnt > 0:
> - print '\nhttps://security-tracker.debian.org/tracker/source-package/%s' % (pkg)
> - print '(issues without CVE id are assigned a TEMP one, but it may change over time)\n'
> + ret += '\nhttps://security-tracker.debian.org/tracker/source-package/%s\n' % (pkg)
> + ret += '(issues without CVE id are assigned a TEMP one, but it may change over time)\n'
>
> if not blanks:
> - print '''\nPlease adjust the affected versions in the BTS as needed.\n'''
> + ret += '\nPlease adjust the affected versions in the BTS as needed.\n'
> +
> + return ret
>
> def error(msg):
> - print 'error: ' + msg
> + print ('error: ' + msg, file=sys.stderr)
> sys.exit(1)
>
> class NegateAction(argparse.Action):
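Review bot: `ret += get_cve(cve) + '\n'` raises TypeError if get_cve() ever returns None, where the old `print get_cve(cve)` would simply have printed it. get_cve() is defined outside this hunk, so whether it can return None (for example when the lookup finds no description) is not visible here. If it can, guard the concatenation, e.g. `ret += (get_cve(cve) or '') + '\n'`, and do the same for `gen_index(cveid) + '\n'`. Since gen_text() now returns the report instead of printing it, a one-line docstring saying so would help callers; the function starts above the hunk.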
> @@ -220,6 +213,10 @@ def main():
> help='list of addresses to add in CC (default: %(default)s)')
> parser.add_argument('--src', action="store_true", help='report against source package')
> parser.add_argument('-m', '--mail-header', action="store_true", help='generate a mail header')
> + parser.add_argument('-M', '--mail', action="store_true", help='invoke mailer right aways')
> + parser.add_argument('--mailer', action='store', default='mutt -H {}',
> + help='Command executed. Must contain {} to be replaced '
> + 'by the filename of the draft bugreport')
> parser.add_argument('pkg', help='affected package')
> parser.add_argument('cve', nargs='+', help='relevant CVE for this source package, may be used multiple time if the issue has multiple CVEs')
> args = parser.parse_args()
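Review bot: The `--mailer` help says the command must contain `{}`, but nothing enforces it. `str.format` on a template without `{}` returns the string unchanged, so the mailer would be started without the draft file, and a template with any other brace field such as `{file}` raises KeyError. A check after `args = parser.parse_args()` would turn both into a clear message: `if args.mail and '{}' not in args.mailer: error('--mailer must contain {}')`. The `-M` help text also has a typo, 'right aways' should be 'right away'. main() starts above and continues below this hunk.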
> @@ -239,7 +236,23 @@ def main():
> if not c.match(arg) and not temp_id.match(arg):
> error(arg + ' does not seem to be a valid CVE id')
>
> - gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src, mh=args.mail_header)
> + text = gen_text(pkg, cve,
> + affected=args.affected,
> + blanks=args.blanks,
> + severity=args.severity,
> + cc=args.cc,
> + cclist=args.cclist,
> + src=args.src,
> + mh=args.mail_header or args.mail)
> +
> + if args.mail:
> + with NamedTemporaryFile(prefix='report-vuln', suffix='.txt') as bugmail:
> + bugmail.write(text)
> + bugmail.flush()
> + os.system(args.mailer.format(bugmail.name))
> + else:
> + print(text)
> +
>
> if __name__ == '__main__':
> main()
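Review bot: `os.system(args.mailer.format(bugmail.name))` passes a formatted string to the shell, so the temporary file path is interpolated unquoted and a TMPDIR containing spaces or shell metacharacters breaks or alters the command. The mailer's exit status is also discarded, so the script exits 0 after the draft has already been deleted even when the mailer failed. Splitting the template with shlex and running it through subprocess without a shell fixes both, as sketched below. It needs `import shlex` and `import subprocess` at the top of the file, and it removes shell features (pipes, redirects) from `--mailer` values, which the help text should then state. Separately, NamedTemporaryFile opens in binary mode by default, so `bugmail.write(text)` accepts a Python 2 byte string but raises TypeError under Python 3; an explicit mode or an encode step would make the intent clear. main() starts above the hunk.

```python
    if args.mail:
        with NamedTemporaryFile(prefix='report-vuln', suffix='.txt') as bugmail:
            # … unchanged: write and flush the draft …
            argv = [part.replace('{}', bugmail.name)
                    for part in shlex.split(args.mailer)]
            status = subprocess.call(argv)
        if status != 0:
            error('mailer exited with status %d' % status)
```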
> --
> 2.15.0
>