
Bug#1001451: marked as done (security-tracker: create tool to ease processing of new uploads that fix CVEs)



Your message dated Thu, 3 Feb 2022 11:07:06 +0000
with message-id <20220203110706.1404efb1@felix.codehelp>
and subject line Merged
has caused the Debian Bug report #1001451,
regarding security-tracker: create tool to ease processing of new uploads that fix CVEs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1001451: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001451
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: security-tracker
Severity: wishlist
X-Debbugs-Cc: codehelp@debian.org

This is one of a few bugs arising from discussions with Salvatore & Moritz whilst
triaging CVEs.

When an upload is made to unstable or experimental, triage of
debian-devel-changes will list any CVEs fixed. It would be useful to
have a simple tool (bin/grab-cve-in-fix <package_name>) which:

- queries the latest version of source:<package_name> in unstable
- extracts all mentioned CVE IDs from the change
- creates a correctly formatted CVE snippet with the recorded fixes that
  can be reviewed and merged into the main data/CVE/list

All changes would need manual review.

The email from debian-devel-changes could provide enough information.
Alternatively, tracker.d.o or apt-cache could be used (e.g. relying on
the `make update-packages` support already available in the security
tracker code).

1: Provide an option to parse the email from debian-devel-changes
2: Provide an option to look up the information using tracker.d.o
3: Fall back to looking up the information in the local apt-cache
data populated by 'make update-packages'

Output a file which can be used with bin/merge-cve-files once the
changes have been reviewed.

Additionally, implement support for a similar process to update all CVEs
whenever a package moves out of NEW and into the archive.

--- End Message ---
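As an added illustration of the tool sketched in the report above (not code from the bug report or from the security-tracker repository), the following script parses a constructed debian-devel-changes mail, collects the CVE IDs mentioned in its Changes block, and emits a review-ready snippet. The `data/CVE/list` layout (CVE header line, then a tab-indented `- <source> <version>` line) and the sample mail are assumptions made here.

```python
"""Sketch of the bin/grab-cve-in-fix idea: extract CVE IDs fixed by an
upload from a .changes mail and print data/CVE/list-style lines for
manual review before bin/merge-cve-files.  Layout assumed, not taken
from the report."""
import re

# Constructed sample mail; package name and CVE numbers are made up.
SAMPLE_MAIL = """\
Format: 1.8
Date: Thu, 03 Feb 2022 10:00:00 +0000
Source: examplepkg
Binary: examplepkg
Architecture: source
Version: 1.2.3-2
Distribution: unstable
Changes:
 examplepkg (1.2.3-2) unstable; urgency=high
 .
   * Fix integer overflow in parser (CVE-2022-00001)
   * Fix cve-2022-00002 and CVE-2022-00001 (duplicate mention)
   * Refresh patches
Checksums-Sha256:
 deadbeef 1234 examplepkg_1.2.3-2.dsc
"""

# Case-insensitive so a lower-cased mention in a changelog is still caught.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

def parse_changes_mail(text):
    """Return (source, version, sorted unique CVE IDs) from a .changes mail."""
    # Single-line "Field: value" headers; "Changes:" has no value on its line.
    headers = dict(re.findall(r"^([A-Za-z-]+): (.*)$", text, re.MULTILINE))
    # The Changes field continues on space-indented lines until the next field.
    m = re.search(r"^Changes:\n((?: .*\n?)+)", text, re.MULTILINE)
    changes = m.group(1) if m else ""
    cves = sorted({c.upper() for c in CVE_RE.findall(changes)})
    return headers["Source"], headers["Version"], cves

def cve_snippet(source, version, cves):
    """Format entries in the (assumed) data/CVE/list style for review."""
    lines = []
    for cve in cves:
        lines.append(cve)
        lines.append("\t- %s %s" % (source, version))
    return "\n".join(lines) + ("\n" if lines else "")

if __name__ == "__main__":
    src, ver, cves = parse_changes_mail(SAMPLE_MAIL)
    print(cve_snippet(src, ver, cves), end="")
```

The CVE header lines carry no description, so a reviewer still has to fill that in and check each mapping before merging.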
--- Begin Message ---
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38fc7543c6e8fc4a2d15540fd63b837218361e8f

Incremental work will continue from here for feature requests and to
run tests on the bin/ and lib/ scripts (on branches or possibly on
schedules).

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/



--- End Message ---
