Add ability to show things we don't class as vulnerabilites, add a few
authorMark J. Cox <mark@awe.com>
Mon, 7 Mar 2022 11:02:58 +0000 (11:02 +0000)
committerMark J. Cox <mark@awe.com>
Mon, 7 Mar 2022 11:02:58 +0000 (11:02 +0000)
candidates

bin/mk-cvepage
news/vulnerabilities.xml

index 81be326abefd1d46d9cf2bcb0bd89aaf712fde50..612bc7405d1d3155bce970e9936606a294ba0ecd 100755 (executable)
@@ -100,7 +100,7 @@ for issue in sorted(issues, key=lambda x: (x.getAttribute('public'), x.getElemen
 
     allissues += "<dt>"
     if cve:
-        allissues += "<a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-%s\" name=\"CVE-%s\">CVE-%s</a> " %(cve,cve,cve)
+        allissues += "<a href=\"https://cve.org/CVERecord?id=CVE-%s\" name=\"CVE-%s\">CVE-%s</a> " %(cve,cve,cve)
     for adv in issue.getElementsByTagName('advisory'):
         allissues += "<a href=\"%s\">(OpenSSL advisory)</a> " %(adv.getAttribute("url"))
     for sev in issue.getElementsByTagName('impact'):
@@ -153,5 +153,18 @@ if allissues != "":
 else:
     preface += "No vulnerabilities fixed"
 
+nonissues = ""
+for nonissue in dom.getElementsByTagName("nonissue"):
+    if (not options.base or nonissue.getAttribute("base") in (options.base or "none")):
+        cve = "CVE-"+nonissue.getAttribute("cve")
+        ref = nonissue.getAttribute("ref")
+        nonissues += "<li><a href=\"https://cve.org/CVERecord?id=%s\" name=\"%s\">%s</a>: " %(cve,cve,cve)        
+        nonissues += nonissue.firstChild.data.strip()
+        if (ref):
+            nonissues += ": <a href=\""+ref+"\">"+ref+"</a>"
+        nonissues +="</li>"
+if (nonissues != ""):
+    preface += "<h3>Not Vulnerabilities</h3><ul>" + nonissues + "</ul>"
+    
 sys.stdout.reconfigure(encoding='utf-8')
 sys.stdout.write(preface)
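Review bot: The new nonissue loop writes the `ref` attribute and the element text into the page without HTML-escaping them, at the `": <a href=\""+ref+...` concatenation and the `nonissue.firstChild.data.strip()` line. minidom returns attribute values already entity-decoded, so the `&amp;` in the marc.info ref added to news/vulnerabilities.xml in this same commit comes out as a bare `&` inside `href`, and any `<`, `>` or `"` in a future entry would land in the markup unchanged. I would escape at the point of output with `ref = html.escape(nonissue.getAttribute("ref"), quote=True)` and `nonissues += html.escape(nonissue.firstChild.data.strip())`, which needs `import html` at the top of the file, outside this hunk. Separately, `firstChild.data` raises on an empty `<nonissue/>` element, so a guard there would make a malformed entry easier to diagnose.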
index 6f3b1e7c72324ca8969ea324ef87c4e655858a38..6062c443efcac29fa67cc3df6191529910526cc6 100644 (file)
@@ -8056,6 +8056,10 @@ default and not common.</description>
   <advisory url="/news/secadv/20140605.txt"/>
 </issue>
 
+  <nonissue base="0.9.8" cve="2010-0928">This was not treated as a security issue as it is outside of the OpenSSL threat model</nonissue>
+  <nonissue base="0.9.8" cve="2007-6755" ref="https://marc.info/?l=openssl-announce&amp;m=138747119822324">Not an issue</nonissue>
+  <nonissue base="none" cve="2002-20001" ref="https://github.com/openssl/openssl/issues/17374">We do not consider this to be a vulnerability in OpenSSL</nonissue>
+
   <statement base="none">Note: All OpenSSL versions before 1.1.1 are out of support and no longer receiving updates.  Extended support is available for 1.0.2 from OpenSSL Software Services for premium support customers.</statement>
   <statement base="0.9.6">OpenSSL 0.9.6 is out of support and no longer receiving updates.</statement>
   <statement base="0.9.7">OpenSSL 0.9.7 is out of support and no longer receiving updates.</statement>
@@ -8066,5 +8070,3 @@ default and not common.</description>
   <statement base="1.1.0">OpenSSL 1.1.0 is out of support since 12th September 2019 and no longer receiving updates.</statement>
 
 </security>
-
-