+1 for tags

There are only a few OFBIZ-1525 subtasks which are related to a CVE. I can add the CVE tags in them and in future we can just create tasks with the CVE tag.

Agreed?

Jacques


On 30/11/2016 at 00:02, Paul Foxworthy wrote:
Hi all,

Using JIRA is a good idea, and we need to be able to find them. But a
security issue is not a subtask and not a component. I think a tag will
work fine.

Thanks

Paul


On 30 November 2016 at 00:42, Jacopo Cappellato <jacopo.cappell...@hotwaxsystems.com> wrote:

Tags or components are fine to me (you can specify more than one component
to each ticket); I agree that a tag may be more appropriate for this use
case. My preference is just to not use subtasks.

Jacopo

On Tue, Nov 29, 2016 at 2:13 PM, Pierre Smits <pierre.sm...@gmail.com> wrote:

Well...

CVEs can occur on any component (even though past issues have been related for most to framework components). So having a particular component just for CVE reference purposes would complicate matters as much as converting JIRA issues into sub-tasks.

Applying a tag to the issue (e.g. CVE) and using a persisted filter in JIRA would be sufficient to link to from the download page (and elsewhere, e.g. the 'keeping OFBiz secure' cwiki page).

Best regards,




Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Tue, Nov 29, 2016 at 2:04 PM, Jacopo Cappellato <jacopo.cappell...@hotwaxsystems.com> wrote:

Rather than using subtasks I think it would be better to use a component (named CVE or similar).

On 29 Nov 2016 1:50 PM, "Jacques Le Roux" <jacques.le.r...@les7arts.com> wrote:

Also it would be better if we can group all security issues in Jira. For that I created OFBIZ-1525; if you create Jira security issues, please create (or convert) them as subtasks of OFBIZ-1525.

Thanks

Jacques


On 29/11/2016 at 11:05, Pierre Smits wrote:

Of course, I implied this policy to be in line with
http://www.apache.org/security/

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <nicolas.ma...@nereide.fr> wrote:

Yes, I agree with Jacopo: we can create the issue only when they are corrected.

Nicolas



On 29/11/2016 at 10:55, Jacopo Cappellato wrote:

We can definitely create one Jira ticket for each CVE number with all the details we want and link them from the "security" section of the OFBiz download page.
This was probably implied in Pierre's proposal, but I prefer to explicitly state it here: these tickets will be created only after the CVEs are publicly disclosed (i.e. the tickets will be created and resolved at the same time).
The good news is that we can create now all the tickets for the CVEs processed so far in the history of OFBiz, in order to implement what Pierre has proposed here.

Jacopo

On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <pierre.sm...@gmail.com> wrote:

Hi all,

Recently we have seen some security issues fixed in the code base (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in identifying, analysing and fixing these OFBiz security threats.

When I look at how we communicate to our adopters that there are threats and how they can be mitigated [1], I believe we could and we should do a little bit more. There we merely put a reference to the CVE [2] issue (see [3] for example) and advice to upgrade. But on that page we leave out any particulars on how the issue affected OFBiz and what was done to it. Rightly so, as it is just a list of notifications.

The details about the effect of the issue and the mitigation are in commits. But there is no apparent relation between the notification on [1] and the actual commit that mitigated. Also, reporting the CVE in JIRA issues is not optimal. This leads to the fact that details don't appear in release notes very well.

I believe we could and should do better. We should *always* have a JIRA issue explaining the CVE issue and its effect on the OFBiz product, have it enhanced with the proper tags or labels (e.g. CVE/Security), and - like any other JIRA issue - have it showing with which commit(s) it has been resolved and on which branch it has been implemented.

With a proper filter definition on JIRA we can then shorten the vulnerability section in [1] and have that link to that JIRA filter definition.

What do you think?

References:

      - [1] http://ofbiz.apache.org/download.html
      - [2] CVE: Common Vulnerability and Exposure
      - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/
