From bf79ecf9cf9ebb19587ac2c40f1cb4c9fab77fbe Mon Sep 17 00:00:00 2001 From: Fernando Apesteguía Date: Thu, 11 Mar 2021 15:47:12 +0100 Subject: [PATCH] [phb:security] Fix vuln.xml testing procedure Summary: In [[https://svnweb.freebsd.org/ports?view=revision&revision=562203|r562203]] and [[https://svnweb.freebsd.org/ports?view=revision&revision=562203|r562204]] the vuln.xml file was split by year. As stated in the commit message, `pkg(8) audit` does not support entities and hence, we need to use the vuln-flat.xml file to test changes to the port. Test Plan: * Try something like this: ``` $ pkg audit -f ./vuln.xml gitea-1.13.4 pkg: Syntax error while parsing vulnxml pkg: cannot process vulnxml ``` and then: ``` $ pkg audit -f ./vuln-flat.xml gitea-1.13.4 0 problem(s) in 0 installed package(s) found. ``` After the patch: * `igor` clean * The documentation is rendered properly. Reviewers: 0mp, gbe Differential Revision: https://reviews.freebsd.org/D29219 --- .../en/books/porters-handbook/security/chapter.adoc | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/documentation/content/en/books/porters-handbook/security/chapter.adoc b/documentation/content/en/books/porters-handbook/security/chapter.adoc index bdb03952e3..3a3d5b9b26 100644 --- a/documentation/content/en/books/porters-handbook/security/chapter.adoc +++ b/documentation/content/en/books/porters-handbook/security/chapter.adoc @@ -198,6 +198,14 @@ Verify its syntax and formatting: % make validate .... +The previous command generates the [.filename]#vuln-flat.xml# file. It can also +be generated with: + +[source,bash] +.... +% make vuln-flat.xml +.... + [NOTE] ==== At least one of these packages needs to be installed: package:textproc/libxml2[], package:textproc/jade[].
@@ -207,7 +215,7 @@ Verify that the `` section of the entry will match the correct package [source,bash] .... -% pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58 +% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58 .... Make sure that the entry produces no spurious matches in the output. @@ -216,7 +224,7 @@ Now check whether the right package versions are matched by the entry: [source,bash] .... -% pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58 dropbear-2013.59 +% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58 dropbear-2013.59 dropbear-2012.58 is vulnerable: dropbear -- exposure of sensitive information, DoS CVE: CVE-2013-4434
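Review bot: the new paragraph in the first hunk (`@@ -198,6 +198,14 @@`) tells the reader that `make validate` produces [.filename]#vuln-flat.xml# but never says why that file, rather than [.filename]#vuln.xml#, is the one to audit against; the reason given in the commit message (`pkg(8) audit` does not resolve the XML entities that the per-year split introduced into [.filename]#vuln.xml#) belongs in the handbook text itself, since a porter who feeds the split file to `pkg audit` will only see "Syntax error while parsing vulnxml" and has no pointer back to this review. Suggest one sentence after "It can also be generated with:", e.g. "`pkg audit` does not support XML entities, so the flat file must be used for testing." Also, the inserted block now sits between the `make validate` example and the `[NOTE]` about needing `textproc/libxml2` or `textproc/jade`, so that note reads as applying to `make vuln-flat.xml`; consider moving the new paragraph below the `====` that closes the note, or stating that both targets need those packages if that is the case.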
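Review bot: in the second hunk (`@@ -207,7 +215,7 @@`) the command now points at `${PORTSDIR}/security/vuxml/vuln-flat.xml`, which according to the first hunk is a generated file rather than one checked into the tree, so this step silently depends on `make validate` (or `make vuln-flat.xml`) having been run first; a short lead-in such as "after generating the flat file as described above," before `% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58` would keep the step self-contained for readers who jump straight to it.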
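Review bot: the third hunk (`@@ -216,7 +224,7 @@`) changes only the file path, but the unchanged context lines right below it show the sample output `dropbear-2012.58 is vulnerable:` for a command that audits `dropbear-2013.58 dropbear-2013.59`; the version in the output does not match any package named on the command line, which makes the example confusing for exactly the check this section teaches (that the right package versions, and only those, are matched). Since this line is being touched anyway, consider aligning the output with the command in this change or noting it for a follow-up.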