Hi Salvatore,

> > > > > Online - query either the distro-tracker or
> > > > > debian-devel-changes mail archive:
> > > > >   --email EMAIL      URL of debian-devel-changes announcement
> > > > >                      in the list archive
> > > > >   --tracker TRACKER  URL of tracker.debian.org 'Accepted NEWS'
> > > > >                      page for unstable
> > > > >
> > > >
> > > > Nice! I will need (or want) to try to experiment with it a bit
> > > > on appearing real cases.
> > >
> > > Just doing a quick test, while being enthusiastic about your
> > > proposed script: I think it will not work correctly yet with
> > > bin/merge-cve-list. On either side it will need adaption.
> >
> > OK. I will add that to my tests on next versions of the script.

I've renamed the old --email option to --archive to distinguish it from
the --input option which is intended to accept the body of an email on
STDIN:

cat freerdp2.email | ./bin/grab-cve-in-fix --input

or indeed:

./bin/grab-cve-in-fix --input < freerdp2.email

./bin/grab-cve-in-fix --archive https://lists.debian.org/debian-devel-changes/2021/12/msg01280.html

> > > Taking the example with freerdp2, assuming there won't be the fixed
> > > version yet in the data/CVE/list it will produce the following
> > > freerdp2.list:
> > >
> > > CVE-2021-41160 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...)
> > >     - freerdp2 2.4.1+dfsg1-1 (bug #1001062)
> > >     [bullseye] - freerdp2 <no-dsa> (Minor issue)
> > >     [buster] - freerdp2 <no-dsa> (Minor issue)
> > >     - freerdp <removed>
> > >
> > > $ ./bin/merge-cve-list data/CVE/list ./freerdp2.list
> > > [...]
> > > NotImplementedError: unsupported annotation of type NOTE (line 7)
> > >
> > > So maybe it's just merge-cve-list which should be better and allow for
> > > such situation and handle as well the NOTEs.
> >
> > I'll work on adding that support - it will be useful for the
> > changes for #1001453 which wants to explicitly add a NOTE entry.
>
> Yes agreed, under this aspect it makes more sense to fix and expand
> merge-cve-list script.

https://salsa.debian.org/codehelp/security-tracker/-/compare/master...grabcvefix#4716ef5aa8f2742228ba3b3633215c8b808565e3
contains a change to bin/merge-cve-files to add support for merging
StringAnnotations.

The grabcvefix branch is (naturally) behind security-tracker/master, so
the data/CVE/list file in the branch is old. Also, the update-vuln
script is not ready yet.

If you are happy with grab-cve-in-fix then I can prepare a commit to add
it and the change to merge-cve-files without going through the
grabcvefix branch on my fork of security tracker. It's the change to
merge-cve-files which needs some review.

(When testing, if you remove existing NOTE: entries from a CVE for
freerdp2 2.4.1+dfsg1-1, the merged file is likely to re-order the NOTE
entries.)

In "real case use", any NOTE in the file to be merged into data/CVE/list
would append to any existing NOTEs - I've tried to preserve the original
order from the file being merged, allowing for skipping of duplicate
descriptions.

--
Neil Williams
=============
https://linux.codehelp.co.uk/
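The NOTE handling described in the message above (append to existing NOTEs, keep the order of the file being merged, skip duplicates), as an added sketch that is not the code from bin/merge-cve-files or the grabcvefix branch. The simplified parser, the function names and the NOTE texts are constructed for illustration, and only NOTE lines are merged here.

```python
import re

CVE_HEADER = re.compile(r"^(CVE-\d{4}-\d+)\b")

def parse_cve_list(text):
    """Parse a simplified CVE list into {cve_id: {"header", "annotations"}}."""
    entries, current = {}, None
    for line in text.splitlines():
        match = CVE_HEADER.match(line)
        if match:
            current = entries.setdefault(
                match.group(1), {"header": line, "annotations": []})
        elif line.strip() and current is not None:
            current["annotations"].append(line.strip())
    return entries

def merge_notes(existing, incoming):
    """Append incoming NOTE lines to matching CVEs, skipping duplicates."""
    for cve, entry in incoming.items():
        target = existing.get(cve)
        if target is None:
            continue  # assumption: unknown CVE ids are out of scope here
        seen = {a for a in target["annotations"] if a.startswith("NOTE:")}
        for annotation in entry["annotations"]:
            if annotation.startswith("NOTE:") and annotation not in seen:
                target["annotations"].append(annotation)  # keeps incoming order
                seen.add(annotation)
    return existing

def notes(entries, cve):
    """Return the NOTE lines of one CVE in file order."""
    return [a for a in entries[cve]["annotations"] if a.startswith("NOTE:")]

# Constructed sample data: the header and bug number come from the thread,
# the NOTE texts are placeholders.
HEADER = ("CVE-2021-41160 (FreeRDP is a free implementation of the "
          "Remote Desktop Protocol (RDP), ...)\n")
EXISTING = HEADER + ("\t- freerdp2 <unfixed> (bug #1001062)\n"
                     "\tNOTE: constructed note A\n")
INCOMING = HEADER + ("\t- freerdp2 2.4.1+dfsg1-1 (bug #1001062)\n"
                     "\tNOTE: constructed note A\n"
                     "\tNOTE: constructed note C\n"
                     "\tNOTE: constructed note B\n")

if __name__ == "__main__":
    merged = merge_notes(parse_cve_list(EXISTING), parse_cve_list(INCOMING))
    print("\n".join(notes(merged, "CVE-2021-41160")))
```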