authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-02-11 20:04:45 +0000
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-02-11 20:04:45 +0000
commit380d9712829386fda27d28fda43c8c20462e36b3 (patch)
treee9ce948c445bb1ee353d8b66ce8e619b7b581e75
parent260baf41532d1cd3ea6725da9667dffb91a04ec7 (diff)
scripts/cve_update: add script to update all existing cve entries
Makes it easier when releases happen on older kernels, and for testing. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rwxr-xr-xscripts/cve_update52
1 files changed, 52 insertions, 0 deletions
diff --git a/scripts/cve_update b/scripts/cve_update
new file mode 100755
index 00000000..5f9655ca
--- /dev/null
+++ b/scripts/cve_update
@@ -0,0 +1,52 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (c) 2024 - Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+#
+# cve_update - Update all existing CVE entries based on the latest information
+# pulled from the git tree(s).
+#
+# Will look through the list of all published cve ids and run 'bippy' on them
+# to update the mbox and json files. It is recommended that after this
+# happens, submit the json files to CVE again, if version numbers have changed.
+#
+# This is good to do after older stable kernels have been released as often
+# CVEs are included in older stable kernels AFTER they show up in newer ones,
+# and this keeps the database at CVE more up to date and friendly for others to
+# rely on. The mbox files generally shouldn't be resent, as that's just noise
+# that no one wants to see.
+#
+# Usage:
+# cve_update
+#
+# Requires:
+# bippy
+
+
+# don't use unset variables
+set -o nounset
+
+# set where the tool was run from,
+# the name of our script,
+# and the git version of it
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+SCRIPT=${0##*/}
+SCRIPT_VERSION=$(cd "${DIR}" && git show -s --abbrev-commit --abbrev=12 --pretty=format:"%h")
+
+help() {
+ echo "${SCRIPT}"
+ exit 1
+}
+
+cd "${DIR}"/../ || exit 1
+
+for id in cve/published/*/*.sha1 ; do
+#for id in $(ls cve/published/*/*.sha1) ; do
+ sha=$(cat "${id}")
+ cve=$(echo "${id}" | cut -f 1 -d '.' | cut -f 4 -d '/')
+ root=$(echo "${id}" | cut -f 1 -d '.')
+ #echo "id=${id} sha=${sha} cve=${cve}"
+ echo "Updating ${cve}..."
+ "${DIR}"/bippy --cve="${cve}" --sha="${sha}" --json="${root}.json" --mbox="${root}.mbox"
+done
+
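Review bot: The loop starting at `for id in cve/published/*/*.sha1` never checks the exit status of `cat "${id}"` or of `bippy`, so a failed or partial update looks the same as a clean run, and the header comment recommends resubmitting the json files to CVE afterwards. With only `set -o nounset` active, an unreadable or empty .sha1 file ends up as `--sha=""`, and an unmatched glob is passed through as the literal pattern. I would skip entries whose sha cannot be read, record failures in a flag and exit non-zero at the end, assuming bippy returns non-zero on error; a sketch follows. Separately, `SCRIPT_VERSION` and `help()` are defined but never used in this file.

```shell
failed=0
for id in cve/published/*/*.sha1 ; do
	# an unmatched glob stays literal; skip it instead of calling bippy on it
	[[ -e "${id}" ]] || continue
	sha=$(cat "${id}") || { echo "${SCRIPT}: cannot read ${id}" >&2; failed=1; continue; }
	if [[ -z "${sha}" ]]; then
		echo "${SCRIPT}: empty sha in ${id}" >&2
		failed=1
		continue
	fi
	# … unchanged: cve= and root= derivation, "Updating" message …
	"${DIR}"/bippy --cve="${cve}" --sha="${sha}" --json="${root}.json" --mbox="${root}.mbox" \
		|| { echo "${SCRIPT}: bippy failed for ${cve}" >&2; failed=1; }
done
exit "${failed}"
```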