#!/usr/bin/perl -w
# dumps all CVSS scores for all released updates into CSV.
use strict;

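# Make the script's own directory searchable so the sibling modules
# (CanDBReader, SMASHData) load regardless of the caller's cwd.  Resolved
# in-process instead of via `dirname $0` / `pwd` shell-outs: no child
# processes, and a script path containing whitespace or shell
# metacharacters can neither break nor alter the command line.
use File::Basename qw(dirname);
use File::Spec;
my $dn = File::Spec->rel2abs(dirname($0));   # absolute, like the old $pwd prefix
push @INC, $dn;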

require CanDBReader;

require SMASHData;

# Drop the "0" key that both SMASH tables carry (presumably an artifact of
# how SMASHData parses its input -- confirm there) so it is never treated
# as a CVE id further down.
for my $table (\%SMASHData::state, \%SMASHData::embargoedcves) {
	delete $table->{'0'};
}

# CVEs that the bundle match below flags but which were reviewed and found
# not to affect the salt bundle; the report loop skips them.
my %notaffectedcves = map { $_ => 1 } qw(
	CVE-2022-0391
	CVE-2021-3601
	CVE-2021-3449
);

# CVEs for which the salt team has already been notified (NEEDINFO on the
# bug).  The report loop skips every entry here, so remove an id once it
# is no longer meant to be suppressed.  CVE-2021-20236 is also listed in
# %fixedcves; either entry alone is enough to suppress it.
my %notifiedcves = map { $_ => 1 } qw(
	CVE-2022-0778
	CVE-2022-24302
	CVE-2021-4189
	CVE-2021-43818
	CVE-2021-3711
	CVE-2021-20236
	CVE-2021-20237
);

# CVEs already fixed in the salt bundle.  The report loop skips every id
# listed here.  The first group was extracted from the bundle itself, the
# second was confirmed by manual review.
my %fixedcves = map { $_ => 1 } (
	# extracted from the salt bundle
	qw(
		CVE-2006-2937  CVE-2006-2940  CVE-2006-3738  CVE-2006-4339
		CVE-2006-4343  CVE-2006-7250  CVE-2007-3108  CVE-2007-4995
		CVE-2007-5135  CVE-2008-0891  CVE-2008-1672  CVE-2008-5077
		CVE-2009-0590  CVE-2009-0591  CVE-2009-0789  CVE-2009-1377
		CVE-2009-1378  CVE-2009-1379  CVE-2009-1386  CVE-2009-1387
		CVE-2010-0740  CVE-2010-0742  CVE-2010-1633  CVE-2010-2939
		CVE-2010-3864  CVE-2010-5298  CVE-2011-0014  CVE-2011-3207
		CVE-2011-3210  CVE-2011-3389  CVE-2011-4108  CVE-2011-4576
		CVE-2011-4577  CVE-2011-4619  CVE-2011-4944  CVE-2012-0027
		CVE-2012-0050  CVE-2012-0845  CVE-2012-0884  CVE-2012-1150
		CVE-2012-1165  CVE-2012-2110  CVE-2012-2686  CVE-2012-4929
		CVE-2013-0166  CVE-2013-0169  CVE-2013-1752  CVE-2013-4238
		CVE-2013-4314  CVE-2013-4353  CVE-2013-6449  CVE-2013-6450
		CVE-2014-0012  CVE-2014-0076  CVE-2014-0160  CVE-2014-0195
		CVE-2014-0198  CVE-2014-0221  CVE-2014-0224  CVE-2014-1829
		CVE-2014-1830  CVE-2014-2667  CVE-2014-3470  CVE-2014-3505
		CVE-2014-3506  CVE-2014-3507  CVE-2014-3508  CVE-2014-3509
		CVE-2014-3510  CVE-2014-3511  CVE-2014-3512  CVE-2014-3513
		CVE-2014-3566  CVE-2014-3567  CVE-2014-3568  CVE-2014-3570
		CVE-2014-3571  CVE-2014-3572  CVE-2014-4650  CVE-2014-5139
		CVE-2014-7202  CVE-2014-7203  CVE-2014-8275  CVE-2014-9721
		CVE-2015-0204  CVE-2015-0205  CVE-2015-0206  CVE-2015-0209
		CVE-2015-0286  CVE-2015-0287  CVE-2015-0288  CVE-2015-0289
		CVE-2015-0293  CVE-2015-1788  CVE-2015-1789  CVE-2015-1790
		CVE-2015-1791  CVE-2015-1792  CVE-2015-2296  CVE-2015-3194
		CVE-2015-3195  CVE-2015-3196  CVE-2015-3197  CVE-2015-3216
		CVE-2015-4000  CVE-2016-0702  CVE-2016-0705  CVE-2016-0797
		CVE-2016-0798  CVE-2016-0799  CVE-2016-0800  CVE-2016-10745
		CVE-2016-2105  CVE-2016-2106  CVE-2016-2107  CVE-2016-2109
		CVE-2016-2176  CVE-2016-2177  CVE-2016-2178  CVE-2016-2179
		CVE-2016-2180  CVE-2016-2181  CVE-2016-2182  CVE-2016-2183
		CVE-2016-6302  CVE-2016-6303  CVE-2016-6304  CVE-2016-6306
		CVE-2016-7052  CVE-2016-7055  CVE-2016-9015  CVE-2017-18342
		CVE-2017-3731  CVE-2017-3732  CVE-2017-3735  CVE-2017-3736
		CVE-2017-3737  CVE-2017-3738  CVE-2018-0732  CVE-2018-0734
		CVE-2018-0737  CVE-2018-0739  CVE-2018-15750 CVE-2018-15751
		CVE-2018-18074 CVE-2018-20060 CVE-2018-5407  CVE-2018-7750
		CVE-2019-10906 CVE-2019-11236 CVE-2019-11324 CVE-2019-13132
		CVE-2019-1547  CVE-2019-1551  CVE-2019-1559  CVE-2019-1563
		CVE-2019-20907 CVE-2019-20916 CVE-2019-5010  CVE-2019-6250
		CVE-2019-8341  CVE-2019-9740  CVE-2019-9947  CVE-2020-14343
		CVE-2020-15166 CVE-2020-15523 CVE-2020-15801 CVE-2020-16846
		CVE-2020-17490 CVE-2020-1971  CVE-2020-25592 CVE-2020-25659
		CVE-2020-26137 CVE-2020-27783 CVE-2020-28243 CVE-2020-28493
		CVE-2020-28972 CVE-2020-29651 CVE-2020-35662 CVE-2020-36242
		CVE-2020-8492  CVE-2021-21996 CVE-2021-23336 CVE-2021-23840
		CVE-2021-23841 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283
		CVE-2021-25284 CVE-2021-28957 CVE-2021-29921 CVE-2021-3144
		CVE-2021-3148  CVE-2021-31607 CVE-2021-3177  CVE-2021-3197
		CVE-2021-33503 CVE-2021-3426  CVE-2021-3712  CVE-2020-1747
	),
	# manually reviewed
	qw(
		CVE-2021-20234
		CVE-2021-20236
	),
);

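# Packages bundled into the salt bundle.  A CVE whose SMASH package state
# names one of these (or salt itself) in an affected state is a candidate
# for the report.  python-rpm-macros was commented out in the original
# list and stays excluded.
# NOTE(review): 'python-atomicswrites' -- verify the spelling against the
# bundle (the upstream project is named atomicwrites).
my @bundledpackages = qw(
	libsodium
	libvirt
	openssl-1_0_0
	python3
	python39
	python-appdirs
	python-asn1crypto
	python-atomicswrites
	python-attrs
	python-bcrypt
	python-certifi
	python-cffi
	python-chardet
	python-cryptography
	python-cryptography-vectors
	python-cssselect
	python-cython
	python-dateutil
	python-distro
	python-docker
	python-docker-pycreds
	python-docopt
	python-editables
	python-exceptiongroup
	python-flit-core
	python-hatch-fancy-pypi-readme
	python-hatchling
	python-hatch-vcs
	python-idna
	python-importlib-metadata
	python-iniconfig
	python-Jinja2
	python-jmespath
	python-kiwi
	python-libvirt
	python-looseversion
	python-lxml
	python-m2crypto
	python-markupsafe
	python-more-itertools
	python-msgpack
	python-netaddr
	python-packaging
	python-paramiko
	python-pathspec
	python-pip
	python-pluggy
	python-ply
	python-psutil
	python-ptyprocess
	python-py
	python-pyasn1
	python-pyasn1-modules
	python-pycparser
	python-pycurl
	python-pyinotify
	python-pynacl
	python-pyopenssl
	python-pyparsing
	python-pysocks
	python-pytest
	python-pytz
	python-pyxattr
	python-pyyaml
	python-pyzmq
	python-requests
	python-rpm-vercmp
	python-setuptools
	python-setuptools-scm
	python-simplejson
	python-six
	python-tornado
	python-typing-extensions
	python-urllib3
	python-venvjail
	python-wcwidth
	python-websocket-client
	python-wheel
	python-zipp
	python-zypp-plugin
	swig
	zeromq
);

# Build one alternation matching every bundled package name plus "salt".
# "python-foo" entries are widened to the flavoured binary package names
# (python-foo, python3-foo, python36-foo, python39-foo, python311-foo);
# everything else is matched verbatim.  Each name is passed through
# quotemeta so that a package containing a regex metacharacter (a dot, a
# '+', ...) can never change the meaning of the pattern.  The value has
# no anchors; the consumer wraps it as /^($regexp)$/.
my $regexp = join '|', 'salt', map {
	my ($suffix) = /^python-(.*)/;
	defined $suffix
		? 'python(|3|36|39|311)-' . quotemeta($suffix)
		: quotemeta($_);
} @bundledpackages;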

# Banner for whoever reads the report: how to hand a newly found CVE to
# the salt maintainers and where the outcome has to be recorded.
print <<"BANNER";
SALT Bundled packages ... for newly added CVEs, please NEEDINFO salt-maintainers\@suse.de to the bug.
Then mark it notified or notaffected in $0 at gitlab\@gitlab.suse.de:security/cve-database.git.
BANNER
#print "regexp is $regexp\n";

# %foundcves:         CVE id -> bundled package whose SMASH state flagged it
#                     (the last matching package wins).
# %havevenvsaltminion: CVE id -> 1 when SMASH already tracks the
#                     venv-salt-minion package for that CVE.
my (%foundcves, %havevenvsaltminion);

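# Walk every CVE with a bugzilla entry and record those whose SMASH package
# state names a bundled package (or salt itself) in an affected state.
# Compiled once instead of on every package visited.
my $bundled_re = qr/^($regexp)$/;

foreach my $cve (sort keys %CanDBReader::bugzillas) {
	SMASHData::read_smash_issue($cve);

	# No SMASH state at all: nothing to evaluate for this id.
	next if !defined $SMASHData::state{$cve};

	# Only CVEs from 2020 onwards are in scope.  Capture the year in the
	# same statement as the match so a key that does not look like a CVE
	# id is skipped instead of silently reusing a stale $1 from an earlier
	# iteration.
	my ($year) = $cve =~ /CVE-(\d+)-/;
	next if !defined $year || $year < 2020;

	# { PROD -> { PKG -> STATE } }
	my $prods = $SMASHData::pkgstate{$cve};
	next if !defined $prods;

	# Products are visited in sorted order so that, when a CVE is flagged
	# in several products, the package recorded for it is deterministic
	# instead of depending on hash iteration order.
	foreach my $prod (sort keys %{$prods}) {
		my $pkgstates = $prods->{$prod};

		foreach my $pkg (sort keys %{$pkgstates}) {
			my $state = $pkgstates->{$pkg};

			# Remember that the bundle package itself is tracked for this
			# CVE, whatever its state; the report loop skips such CVEs.
			$havevenvsaltminion{$cve} = 1 if $pkg eq "venv-salt-minion";

			next if $state eq "Not affected";
			next if $state eq "Analysis";

			# Last matching package wins if several bundled ones are affected.
			$foundcves{$cve} = $pkg if $pkg =~ $bundled_re;
		}
	}
}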

# Report the candidates that still need attention: not already fixed in
# the bundle, not already reported to the salt team, not reviewed as not
# affected, and not tracked through the venv-salt-minion package itself.
foreach my $cve (sort keys %foundcves) {
	next if $fixedcves{$cve}
	     || $notifiedcves{$cve}
	     || $notaffectedcves{$cve}
	     || $havevenvsaltminion{$cve};

	# Embargoed issues are flagged loudly; note that their id and bug
	# number go to stdout like everything else, so the output itself is
	# to be handled as internal.  The line layout (leading space when not
	# embargoed) is kept as it was.
	my $embargoed = $SMASHData::embargoedcves{$cve} ? "EMBARGOED! " : "";

	print "$embargoed $cve - $CanDBReader::bugzillas{$cve} - $foundcves{$cve}\n";
}
