
Bug#1001451: security-tracker: create tool to ease processing of new uploads that fix CVEs

Package: security-tracker
Severity: wishlist
X-Debbugs-Cc: codehelp@debian.org

This is one of a few bugs arising from discussions with Salvatore & Moritz whilst
triaging CVEs.

When an upload is made to unstable or experimental, triaging the
debian-devel-changes announcement will list any CVEs it fixes. It would be
useful to have a simple tool (bin/grab-cve-in-fix <package_name>) which:

- queries the latest version of source:<package_name> in unstable
- extracts all CVE IDs mentioned in the changes entry
- creates a correctly formatted CVE snippet with the recorded fixes that
  can be reviewed and merged into the main data/CVE/list

All changes would need manual review.

The email from debian-devel-changes could provide enough information.
Alternatively, tracker.d.o or apt-cache could be used (e.g. relying on
the `make update-packages` support already available in the security
tracker code).

1: Provide an option to parse the email from debian-devel-changes
2: Provide an option to look up the information using tracker.d.o
3: Fall back to looking up the information in the local apt-cache
data populated by 'make update-packages'

Output a file which can be used with bin/merge-cve-files once the
changes have been reviewed.
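As an added illustration of option 1 above (example code, not part of the security-tracker repository): a Python sketch that takes a debian-devel-changes announcement, pulls the source, version and every CVE ID out of the Changes block, and renders a snippet for review before bin/merge-cve-files. The sample mail, package name, version and CVE IDs are constructed, and the snippet layout (CVE ID at column 0, tab-indented "- source version" fix line) is assumed from the data/CVE/list convention.

```python
import re
from typing import Dict, List
# Constructed sample of a debian-devel-changes announcement; package name,
# version and CVE IDs are made up for this example, not a real upload.
SAMPLE_MAIL = """\
Subject: Accepted examplepkg 1.2.3-2 (source) into unstable

Source: examplepkg
Version: 1.2.3-2
Changes:
 examplepkg (1.2.3-2) unstable; urgency=high
 .
   * Fix heap overflow in the parser (CVE-2021-99901, cve-2021-99902).
   * Add regression test for CVE-2021-99901.
"""
# Matches CVE IDs however the uploader spelled them (case, 4+ digit suffix).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

def parse_changes_mail(text: str) -> Dict[str, str]:
    """Parse the .changes-style body: 'Name: value' fields at column 0 with
    whitespace-led continuation lines; headers before the first blank line are skipped."""
    body = text.split("\n\n", 1)[-1]
    fields: Dict[str, str] = {}
    current = None
    for line in body.splitlines():
        if line[:1].isspace() and current is not None:
            fields[current] += "\n" + line
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields

def extract_cves(changes: str) -> List[str]:
    """Unique CVE IDs in a Changes block, upper-cased and sorted."""
    return sorted({f"CVE-{y}-{n}" for y, n in CVE_RE.findall(changes)})

def cve_snippet(source: str, version: str, cves: List[str]) -> str:
    """Render the data/CVE/list layout assumed here: CVE ID at column 0,
    then a tab-indented '- <source> <version>' line recording the fix."""
    return "".join(f"{cve}\n\t- {source} {version}\n" for cve in cves)

def grab_cve_in_fix(mail_text: str) -> str:
    """Mail text in, reviewable snippet for bin/merge-cve-files out."""
    fields = parse_changes_mail(mail_text)
    cves = extract_cves(fields.get("Changes", ""))
    return cve_snippet(fields["Source"], fields["Version"], cves)

if __name__ == "__main__":
    print(grab_cve_in_fix(SAMPLE_MAIL), end="")
```

The snippet still needs a human to confirm each ID really is fixed by that version before merging, which is why it is written out for review rather than applied to data/CVE/list directly.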

Additionally, implement support for a similar process to update all CVEs
whenever a package moves out of NEW and into the archive.
