Bug#737048: udd: import CVE identifiers from secure-testing SVN
Package: qa.debian.org
Severity: wishlist
User: qa.debian.org@packages.debian.org
Usertags: udd
X-Debbugs-CC: debian-security@lists.debian.org
It would be nice to have UDD import parts of the secure-testing SVN
repository maintained by the Debian security team. The biggest benefit I
see is that it would help in analyzing and fixing the existing data
leading to more consistency. Let me briefly summarize the source data:
The relevant data is maintained in a SVN repository available at
svn+ssh://svn.debian.org/svn/secure-testing or
svn://anonscm.debian.org/secure-testing in the file data/CVE/list.
This file contains records for CVE-identifiers. Please find a few
selected entries and explanations below:
| CVE-2014-1670 (The Microsoft Bing application before 4.2.1 for Android allows remote ...)
|         NOT-FOR-US: Microsoft Bing application
Each entry starts with an unindented identifier with optional text in
braces. This particular entry does not apply to Debian (NOT-FOR-US,
NFU), because it applies to the named product which is not packaged for
Debian.
| CVE-2014-0412 (Unspecified vulnerability in the MySQL Server component in Oracle ...)
|         {DSA-2848-1 DSA-2845-1}
|         - mariadb-5.5 <unfixed>
|         - mysql-5.5 5.5.35+dfsg-1
|         - mysql-5.1 <removed>
This identifier applies to multiple packages and two DSAs were issued.
It is fixed for mysql-5.5; we do not care about mysql-5.1 because it
got removed; and it is still present in mariadb-5.5.
| CVE-2013-7291 (memcached before 1.4.17, when running in verbose mode, allows remote ...)
|         - memcached <unfixed> (low; bug #735314)
|         [squeeze] - memcached <no-dsa> (Minor issue)
|         [wheezy] - memcached <no-dsa> (Minor issue)
This issue has a bug associated with it and is characterized as "low"
(or "medium" or "high"). No DSAs will be issued for squeeze or wheezy,
because of its low priority.
| CVE-2013-6885 (The microcode on AMD 16h 00h through 0Fh processors does not properly ...)
|         - amd64-microcode <undetermined>
|         NOTE: http://www.openwall.com/lists/oss-security/2013/11/28/1
For this issue it is not yet clear whether it affects the
amd64-microcode package, but that is the only relevant package here.
Notes provide additional free-text information and may appear multiple
times. There can also be "TODO:" items. Other CVE identifiers may be
"RESERVED" (undisclosed) or "REJECTED" (e.g. duplicate).
| CVE-2013-7316 (Cross-site scripting (XSS) vulnerability in GitLab 6.0 allows remote ...)
|         - gitlab <itp> (bug #651606)
This vulnerability applies to software which is not yet packaged; the
ITP bug is referenced here.
How can this data be mapped into an SQL schema suitable for UDD? I don't
think that it is useful to map every single aspect of the data file to
UDD. To be useful to me, the database should be able to answer at least
the following questions:
 *  Is a given CVE identifier an NFU? And why?
 *  Which packages are associated with a given CVE identifier?
 *  Which bugs are associated with a given CVE identifier?
(*) Which version of a given package was a given CVE identifier fixed
    in?
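As an added example (not part of this report and not UDD code), a small Python parser for the data/CVE/list format quoted above, with one query function per question; the record layout and function names are my own assumptions, and the sample data is constructed from the entries shown above.

```python
import re
# Constructed sample in the data/CVE/list format quoted in this report.
SAMPLE = """\
CVE-2014-1670 (The Microsoft Bing application before 4.2.1 for Android ...)
\tNOT-FOR-US: Microsoft Bing application
CVE-2014-0412 (Unspecified vulnerability in the MySQL Server component ...)
\t{DSA-2848-1 DSA-2845-1}
\t- mariadb-5.5 <unfixed>
\t- mysql-5.5 5.5.35+dfsg-1
CVE-2013-7291 (memcached before 1.4.17, when running in verbose mode ...)
\t- memcached <unfixed> (low; bug #735314)
\t[wheezy] - memcached <no-dsa> (Minor issue)
"""
HEAD = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\((.*)\))?\s*$")
PKG = re.compile(r"^(?:\[(\S+)\]\s+)?-\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?$")

def parse(text):
    """Map cve -> {nfu, dsas, notes, pkgs: [(release|None, package, status, severity|None, bugs)]}."""
    db, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # unindented line starts a record
            cur = db[HEAD.match(raw).group(1)] = {"nfu": None, "dsas": [], "notes": [], "pkgs": []}
            continue
        line = raw.strip()
        if line.startswith("NOT-FOR-US:"):
            cur["nfu"] = line.split(":", 1)[1].strip()
        elif line.startswith("{") and line.endswith("}"):
            cur["dsas"] += line[1:-1].split()    # DSA ids issued for this CVE
        elif line.startswith(("NOTE:", "TODO:")):
            cur["notes"].append(line)
        else:                                    # [release] - package status (comment)
            rel, pkg, status, comment = PKG.match(line).groups()
            sev = (comment or "").split(";")[0].strip().lower()
            cur["pkgs"].append((rel, pkg, status, sev if sev in ("low", "medium", "high") else None,
                                [int(b) for b in re.findall(r"bug #(\d+)", comment or "")]))
    return db

def is_nfu(db, cve):                             # question 1: NFU reason, or None
    return db[cve]["nfu"]
def packages(db, cve):                           # question 2
    return sorted({row[1] for row in db[cve]["pkgs"]})
def bugs(db, cve):                               # question 3
    return sorted({b for row in db[cve]["pkgs"] for b in row[4]})
def fixed_version(db, cve, pkg, release=None):   # question 4; None while status is a <marker>
    for rel, p, status, _, _ in db[cve]["pkgs"]:
        if p == pkg and rel == release and not status.startswith("<"):
            return status
    return None
```

Each tuple in `pkgs` maps naturally onto one row of a `(cve, release, package, status, severity)` table plus a `(cve, bug)` join table, which is the shape the four questions need.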
I'd appreciate it if some UDD maintainer could give advice on the
creation of the SQL schema. If more information about the data
format is needed, please don't hesitate to ask. If desired, I can help
with writing import modules in Python.
Thanks to all the people that made UDD reality.
Helmut