Data for vulnerabilityhistory.org
Every push and pull request is run against our integrity checkers on GitHub Actions. Click on the above tag to see the status of the build.
Please see your course website for instructions. This README is more for people managing this data.
- You'll need Ruby 2.4+
- Run
gem install bundler(if you don't already have bundler) cdto the root of this repo, runbundle install- Run
bundle exec rake
If the output has no failures, then it checks out!
Use the VHP shepherd tools for this.
Make sure you have the HTTPD repo cloned in tmp/src. From the root of the repo, run:
$ vhp weeklies
For a list of all options do vhp help weeklies.
Use the VHP shepherd tools for this.
When you want to make sure that any commit that's mentioned in a YAML is also in the gitlog, you can run this script.
This will NOT figure out commits between VCC and Fix, however._
Be in the root of this repository, and run:
$ vhp loadcommits
To run this script, you'll need Mechanize installed. We intentionally don't put Mechanize into the Gemfile because that could (has) broken or slowed the build. Instead, you'll need to install locally:
$ gem install mechanize
Then, from the root of the repo, run the HTTPD scraper to get all CVEs, generating skeleton YMLs for ones that already exist. This won't add fixes, just fill in the CVE into the skeleton.
$ ruby scripts/pull_latest_cves.rb
Be sure to inspect this before you commit them.
Use shepherd tools:
$ vhp nofixes
We don't have a very automated process for getting fixes, but fortunately they don't come out with new vulnerabilities so fast that we need automation. Here's some places to look:
- On the CVE database entry, sometimes they mention a commit if you're lucky.
- Sometimes a commit message will mention the CVE. Use
git log --grep="CVE-XXXX-XXXXX"to find your CVE. - Often, a commit will be done BEFORE a CVE is registered, in which case you'll want to do
git log --grepbut looking for key words. - You can also take a look at their CHANGES file for similar key words. Be sure to look at the "affects" versions on the security page (this is 2.4's for example) and make sure the date makes sense.
- In a pinch, you can use GitHub to do a blame on the CHANGES file. HTTPD devs will often edit the CHANGES in the same commit as a vulnerability fix. If not, it's in a nearby commit in time.
- In a real pinch, you can just do
git logaround the dates you've seen and look at all commits - this is tedious and a last resort. Note that the CVE year is not a good indicator of when the vulnerability was fixed - sometimes developers will register a CVE years after they fixed it. Use the original dates from the repo.