Hi all,

Using JIRA is a good idea, and we need to be able to find them. But a security issue is not a subtask and not a component. I think a tag will work fine.

Thanks
Paul

On 30 November 2016 at 00:42, Jacopo Cappellato <[email protected]> wrote:
> Tags or components are fine to me (you can specify more than one component to each ticket); I agree that a tag may be more appropriate for this use case. My preference is just to not use subtasks.
>
> Jacopo
>
> On Tue, Nov 29, 2016 at 2:13 PM, Pierre Smits <[email protected]> wrote:
> > Well...
> >
> > CVEs can occur on any component (even though past issues have been related for most to framework components). So having a particular component just for CVE reference purposes would complicate matters as much as converting JIRA issues into sub-tasks.
> >
> > Applying a tag to the issue (e.g. CVE) and using a persisted filter in JIRA would be sufficient to link to from the download page (and elsewhere, e.g. the 'keeping OFBiz secure' cwiki page).
> >
> > Best regards,
> >
> > Pierre Smits
> >
> > ORRTIZ.COM <http://www.orrtiz.com>
> > OFBiz based solutions & services
> >
> > OFBiz Extensions Marketplace
> > http://oem.ofbizci.net/oci-2/
> >
> > On Tue, Nov 29, 2016 at 2:04 PM, Jacopo Cappellato <[email protected]> wrote:
> > > Rather than using subtasks I think it would be better to use a component (named CVE or similar).
> > >
> > > On 29 Nov 2016 1:50 PM, "Jacques Le Roux" <[email protected]> wrote:
> > > > Also it would be better if we can group all security issues in Jira. For that I created OFBIZ-1525; please, if you create Jira security issues, create (or convert) them as subtasks of OFBIZ-1525.
> > > >
> > > > Thanks
> > > >
> > > > Jacques
> > > >
> > > > On 29/11/2016 at 11:05, Pierre Smits wrote:
> > > > > Of course, I implied this policy to be in line with http://www.apache.org/security/
> > > > >
> > > > > Best regards,
> > > > >
> > > > > Pierre Smits
> > > > >
> > > > > ORRTIZ.COM <http://www.orrtiz.com>
> > > > > OFBiz based solutions & services
> > > > >
> > > > > OFBiz Extensions Marketplace
> > > > > http://oem.ofbizci.net/oci-2/
> > > > >
> > > > > On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <[email protected]> wrote:
> > > > > > Yes, I agree with Jacopo: we can create the issue only when they are corrected.
> > > > > >
> > > > > > Nicolas
> > > > > >
> > > > > > On 29/11/2016 at 10:55, Jacopo Cappellato wrote:
> > > > > > > We can definitely create one Jira ticket for each CVE number with all the details we want and link them from the "security" section of the OFBiz download page. This was probably implied in Pierre's proposal, but I prefer to explicitly state it here: these tickets will be created only after the CVEs are publicly disclosed (i.e. the tickets will be created and resolved at the same time). The good news is that we can create now all the tickets for the CVEs processed so far in the history of OFBiz, in order to implement what Pierre has proposed here.
> > > > > > >
> > > > > > > Jacopo
> > > > > > >
> > > > > > > On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <[email protected]> wrote:
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > Recently we have seen some security issues fixed in the code base (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in identifying, analysing and fixing these OFBiz security threats.
> > > > > > > >
> > > > > > > > When I look at how we communicate to our adopters that there are threats and how they can be mitigated [1], I believe we could and we should do a little bit more. There we merely put a reference to the CVE [2] issue (see [3] for example) and advise to upgrade. But on that page we leave out any particulars on how the issue affected OFBiz and what was done to it. Rightly so, as it is just a list of notifications.
> > > > > > > >
> > > > > > > > The details about the effect of the issue and the mitigation are in commits. But there is no apparent relation between the notification on [1] and the actual commit that mitigated it. Also, reporting the CVE in JIRA issues is not optimal. This leads to the fact that details don't appear in release notes very well.
> > > > > > > >
> > > > > > > > I believe we could and should do better. We should *always* have a JIRA issue explaining the CVE issue and its effect on the OFBiz product, have it enhanced with the proper tags or labels (e.g. CVE/Security), and - like any other JIRA issue - have it showing with which commit(s) it has been resolved and on which branch it has been implemented.
> > > > > > > >
> > > > > > > > With a proper filter definition on JIRA we can then shorten the vulnerability section in [1] and have that link to that JIRA filter definition.
> > > > > > > >
> > > > > > > > What do you think?
> > > > > > > >
> > > > > > > > References:
> > > > > > > >
> > > > > > > > - [1] http://ofbiz.apache.org/download.html
> > > > > > > > - [2] CVE: Common Vulnerability and Exposure
> > > > > > > > - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800
> > > > > > > >
> > > > > > > > Best regards,
> > > > > > > >
> > > > > > > > Pierre Smits
> > > > > > > >
> > > > > > > > ORRTIZ.COM <http://www.orrtiz.com>
> > > > > > > > OFBiz based solutions & services
> > > > > > > >
> > > > > > > > OFBiz Extensions Marketplace
> > > > > > > > http://oem.ofbizci.net/oci-2/

--
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Australia
Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: [email protected]
