Well... CVEs can occur on any component (even though past issues have mostly been related to framework components). So having a particular component just for CVE reference purposes would complicate matters as much as converting JIRA issues into sub-tasks.

Applying a tag to the issue (e.g. CVE) and using a persisted filter in JIRA would be sufficient to link to from the download page (and elsewhere, e.g. the 'keeping OFBiz secure' cwiki page).

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Tue, Nov 29, 2016 at 2:04 PM, Jacopo Cappellato <[email protected]> wrote:

> Rather than using subtasks I think it would be better to use a component
> (named CVE or similar).
>
> On 29 Nov 2016 1:50 PM, "Jacques Le Roux" <[email protected]> wrote:
>
>> Also it would be better if we can group all security issues in Jira. For
>> that I created OFBIZ-1525, please if you create Jira security issues
>> create (or convert) them as subtasks of OFBIZ-1525
>>
>> Thanks
>>
>> Jacques
>>
>> On 29/11/2016 at 11:05, Pierre Smits wrote:
>>
>>> Of course, I implied this policy to be in line with
>>> http://www.apache.org/security/
>>>
>>> Best regards,
>>>
>>> Pierre Smits
>>>
>>> On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <[email protected]> wrote:
>>>
>>>> Yes I agree with Jacopo, we can create the issue only when they are
>>>> corrected
>>>>
>>>> Nicolas
>>>>
>>>> On 29/11/2016 at 10:55, Jacopo Cappellato wrote:
>>>>
>>>>> We can definitely create one Jira ticket for each CVE number with all the
>>>>> details we want and link them from the "security" section of the OFBiz
>>>>> download page.
>>>>> This was probably implied in Pierre's proposal, but I prefer to explicitly
>>>>> state here: these tickets will be created only after the CVE are publicly
>>>>> disclosed (i.e. the tickets will be created and resolved at the same time).
>>>>> The good news is that we can create now all the tickets for the CVE
>>>>> processed so far in the history of OFBiz, in order to implement what Pierre
>>>>> has proposed here.
>>>>>
>>>>> Jacopo
>>>>>
>>>>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <[email protected]> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Recently we have seen some security issues fixed in the code base
>>>>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in
>>>>>> identifying, analysing and fixing these OFBiz security threats.
>>>>>>
>>>>>> When I look at how we communicate to our adopters that there are threats
>>>>>> and how they can be mitigated [1] I believe we could and we should do a
>>>>>> little bit more. There we merely put a reference to the CVE [2] issue (see
>>>>>> [3] for example) there and advice to upgrade. But on that page we leave
>>>>>> out any particulars on how the issue affected OFBiz and what was done to
>>>>>> it. Rightly so as it is just a list of notifications.
>>>>>>
>>>>>> The details about the effect of the issue and the mitigation are in
>>>>>> commits. But there is no apparent relation between the notification on [1]
>>>>>> and the actual commit that mitigated. Also reporting the CVE in JIRA issues
>>>>>> is not optimal. This leads to the fact that details don't appear in release
>>>>>> notes very well.
>>>>>>
>>>>>> I believe we could and should do better. We should *always* have a JIRA
>>>>>> issue explaining the CVE issue and its effect on the OFBiz product, have it
>>>>>> enhanced with the proper tags or labels (e.g. CVE/Security), and - like any
>>>>>> other JIRA issue - have it showing with which commit(s) it has been
>>>>>> resolved and on which branch it has been implemented.
>>>>>>
>>>>>> With a proper filter definition on JIRA we can then shorten the
>>>>>> vulnerability section in [1] and have that link to that JIRA filter
>>>>>> definition.
>>>>>>
>>>>>> What do you think?
>>>>>>
>>>>>> References:
>>>>>>
>>>>>> - [1] http://ofbiz.apache.org/download.html
>>>>>> - [2] CVE: Common Vulnerability and Exposure
>>>>>> - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Pierre Smits
