Security/Firefox/Security Bug Life Cycle/Security Advisories: Difference between revisions

(Update "Assign CVEs" section to explain the new assignment process)
(Fix typos)
=== Assign CVEs ===

Typically done a day or two before the release: assign CVEs to the bugs in Bugzilla and in the yml file. This needs to be done by a person with CVE Services credentials and Bugzilla security access, and can be automated with the '''assign_cve_ids''' script in the [https://github.com/mozilla/foundation-security-advisories foundation-security-advisories] repository.

That script will automatically reserve new CVEs, insert them into the yml file, and set the CVE IDs as aliases on Bugzilla. You can use it by running <tt>pip i && assign_cve_ids</tt> in the root of the repository. You can provide the required credentials through the '''CVE_USER''', '''CVE_ORG''', '''CVE_API_KEY''', '''CVE_ENV''', and '''BUGZILLA_API_KEY''' environment variables. Before running the script, make sure to set the names of the advisories that should get a CVE ID to '''MFSA-RESERVE-{YEAR}-{BUG_ID}''', where '''{YEAR}''' is the year that should be associated with the CVE, and '''{BUG_ID}''' is the ID of the Bugzilla bug that should get the CVE ID as an alias. If you do not want an alias set for the advisory, use a small unique number instead of a bug ID. If you have used the [[#Generate_and_edit_the_YML_File|'''gen_yml.py''' script from the previous step]] to generate your yml file, the advisories should already have this format.

A noteworthy item is that '''issues that already have had a CVE assigned''' - for example because it's an upstream bug - should get a '''feed: false''' entry in the advisory, placed after the '''reporter''' field. This is very important, because such advisories must not be pushed to the CVE feed a second time. It is common (usually several times a year) for us to request Google to assign a CVE for an issue in an upstream library. The Googler to contact for this is Adrian Taylor, and Tom Ritter (among others) can put you in touch.
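The following is an added example, not the '''assign_cve_ids''' script itself, that dry-runs the two rules above: it turns '''MFSA-RESERVE-{YEAR}-{BUG_ID}''' placeholders into reserved CVE IDs plus the Bugzilla aliases to set, and it lints for advisories that already carry a CVE name but lack '''feed: false'''. It assumes the yml file holds an <tt>advisories</tt> mapping keyed by advisory name with a <tt>reporter</tt> field and a <tt>bugs</tt> list, and it assumes a <tt>min_bug_id</tt> threshold to tell real bug IDs from the "small unique number" form. It never contacts CVE Services or Bugzilla; the <tt>reserve</tt> callable is a constructed stand-in, and the sample advisories, CVE numbers and bug IDs are made up.

```python
"""Dry run and pre-flight lint for the "Assign CVEs" step.

Added example; this is not the assign_cve_ids script from the
foundation-security-advisories repository.  Assumptions: the yml file
holds an ``advisories`` mapping keyed by advisory name, each entry has a
``reporter`` field and a ``bugs`` list of Bugzilla IDs, and the
``min_bug_id`` threshold separates real bug IDs from the "small unique
number" form.  Nothing here talks to CVE Services or Bugzilla: ``reserve``
is a caller-supplied callable so the real reservation can be plugged in.
"""
import re

PLACEHOLDER = re.compile(r"^MFSA-RESERVE-(\d{4})-(\d+)$")
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_placeholder(name):
    """Return (year, number) for an MFSA-RESERVE-{YEAR}-{BUG_ID} name, else None."""
    m = PLACEHOLDER.match(name)
    return (int(m.group(1)), int(m.group(2))) if m else None


def make_fake_reserve(start=90000):
    """Stand-in for CVE Services (constructed): hands out sequential IDs per year."""
    counters = {}

    def reserve(year):
        n = counters.get(year, start)
        counters[year] = n + 1
        return f"CVE-{year}-{n}"

    return reserve


def plan_assignment(advisories, reserve, min_bug_id=100000):
    """Compute what the assignment step would change, without changing anything.

    Returns (renamed, aliases): ``renamed`` is the advisories mapping with every
    placeholder replaced by a reserved CVE ID (other entries untouched), and
    ``aliases`` maps Bugzilla bug ID -> CVE ID for the aliases to set.
    """
    renamed, aliases = {}, {}
    for name, body in advisories.items():
        parsed = parse_placeholder(name)
        if parsed is None:
            renamed[name] = body          # already a CVE, or not ours to touch
            continue
        year, number = parsed
        cve = reserve(year)               # reserve under the year in the placeholder
        renamed[cve] = body
        # Assumption: a number below min_bug_id is the "small unique number" used
        # when no Bugzilla alias is wanted, so only larger numbers become aliases.
        if number >= min_bug_id:
            aliases[number] = cve
    return renamed, aliases


def missing_feed_false(advisories):
    """Advisories already named with a CVE (e.g. upstream-assigned) but lacking
    feed: false; these would wrongly be pushed to the CVE feed again."""
    return sorted(
        name for name, body in advisories.items()
        if CVE_ID.match(name) and body.get("feed") is not False
    )


# Constructed sample; the CVE numbers and bug IDs are placeholders, not real ones.
SAMPLE_ADVISORIES = {
    "MFSA-RESERVE-2024-1900000": {"reporter": "Reporter A", "bugs": [1900000]},
    "MFSA-RESERVE-2024-1": {"reporter": "Reporter B", "bugs": [1900001, 1900002]},
    "CVE-2024-99990": {"reporter": "Upstream", "feed": False, "bugs": [1900003]},
    "CVE-2024-99991": {"reporter": "Upstream", "bugs": [1900004]},
}

if __name__ == "__main__":
    renamed, aliases = plan_assignment(SAMPLE_ADVISORIES, make_fake_reserve())
    for bug, cve in aliases.items():
        print(f"set alias {cve} on bug {bug}")
    for name in missing_feed_false(SAMPLE_ADVISORIES):
        print(f"WARNING: {name} already has a CVE but no 'feed: false'")
    print("advisory names after assignment:", list(renamed))
```

Run it before the real script to see which aliases would be created and which upstream-CVE advisories still need '''feed: false'''; to use it against a real file, load the yml with a YAML parser and pass the <tt>advisories</tt> mapping in place of <tt>SAMPLE_ADVISORIES</tt>.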