Security/B2G/VulnerabilityManagement: Difference between revisions
Compared revisions: older revision (edit summary: "→B2G: tags explanations added") and newer revision (edit summary: "phases and objectives added"). The newer revision is reproduced below.
Revision as of 17:15, 11 June 2015
Definition of a security bug
In Bugzilla we define security bugs as having both
- Classification is Client Software OR Components
- Keywords contain sec- OR Group contains core-security
Bugzilla searches
Firefox OS 2.2
Bug status clarification phase
The objective of this phase is to find all relevant security bugs and make sure each of them
- has a sec-low/moderate/high/critical rating
- is categorized in the correct component, preferably one supporting status-b2g-*
- has status-b2g-v2.2 set
- has [b2g-adv-main2.2*] set if status-b2g-* flags are unavailable
Sec-Fixed-Since B2G 2.1 (http://mzl.la/1GuWfc0)
This search contains all critical/high/moderate/other security bugs last resolved after 2014-11-21 (after 2.1 went code complete) with resolution FIXED. It is meant to define the superset of bugs that may be relevant for the 2.2 release. It also contains products and components that can't have status-b2g-* tracking flags; bugs there may have to be moved, cloned, or split into components that can.
This list is meant to serve as an overview for spotting bugs that may still have an improper security rating or component/product association.
Sec-Status-Needed B2G 2.2 (http://mzl.la/1GuYLiz)
This search lists all security bugs fixed since 2.1 lacking status-b2g-v2.2 classification, and without [b2g-adv-*] tagging on the whiteboard.
This list should ideally be empty, either by setting status-b2g-v2.2 or adding a whiteboard tag for all the bugs it contains.
Sec-Status-Requested B2G 2.2 (http://mzl.la/1Gv1CrM)
This search lists all security bugs with status-b2g-v2.2 set to ? or containing [b2g-adv-main2.2?] on the whiteboard. It is meant to signal that the developer was sent a NEEDINFO request for setting the appropriate status-b2g-v2.2, or that we still need some form of security clarification.
Ideally this list will be empty.
Advisory selection phase
The objective of this phase is to sort all relevant security bugs known to affect 2.2 into one of three groups:
- requiring an advisory, tagging them [b2g-adv-main2.2+]
- requiring no advisory, tagging them [b2g-adv-main2.2-]
- already having an advisory done by Firefox Sec ([adv-*+])
Sec-Affects B2G 2.2 (http://mzl.la/1B5j71u)
This is the list of all security bugs that have status-b2g-v2.2 set to affected, verified or fixed, or that have a [b2g-adv-main2.2*] tag on the whiteboard. It is intended as the superset of advisory candidates for the 2.2 release.
Sec-Advisory-Needed B2G 2.2 (http://mzl.la/1eQTNSK)
These are all security bugs confirmed to be affecting 2.2, but without an [adv-*] tag on the whiteboard.
This list needs special scrutiny once we're confident that all security bugs have received a proper status-b2g-v2.2 classification.
TODO: list of whiteboard tags we use and their meaning
TODO: query needs update for [b2g-adv-*]
Sec-Has-Advisory B2G 2.2 (http://mzl.la/1B5nOsg)
These are all bugs with [b2g-adv-main2.2+] on the whiteboard, or with affected, fixed, or verified in status-b2g-v2.2 and any of the [adv-*+] tags, meaning that the Firefox sec team provides an advisory that we just need to refer to.
Pay special attention to bugs that have status-b2g-v2.2 set to affected. Make sure they're all at least fixed.
This Bugzilla query is intended to be used for automatic generation of the advisory overview for the Firefox 2.2 release.
Whiteboard keywords
Firefox
Al Billings uses the [adv-*] tag space to declare advisory status for Firefox releases. Tags ending in +] will get an advisory; those ending in -] will not. Generally, when there's already an [adv-*] tag, we don't need to care about creating an advisory for b2g: either it's already there and we only have to collect it for our overview, or b2g (most likely) won't require one either.
All Firefox advisory tags are supposed to match either regular expression:
\[adv-[a-zA-Z0-9_.]*\+]
\[adv-[a-zA-Z0-9_.]*\-]
B2G
For Firefox OS we use the [b2g-adv-*] tag space, following the same principles as with Firefox, but Al kindly asks us not to pollute his [adv-*] space.
All B2G advisory tags are supposed to match one of these regular expressions (the question mark in the last one must be escaped, since a bare "*?" would be read as a lazy quantifier and never match the literal "?"):
\[b2g-adv-[a-zA-Z0-9_.]*\+]    # an advisory is or will be written
\[b2g-adv-[a-zA-Z0-9_.]*-]     # no advisory
\[b2g-adv-[a-zA-Z0-9_.]*\?]    # advisory or bug status needs clarification
Tags dedicated to our main 2.2 release: [b2g-adv-main2.2*]
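As an added worked example (not code from this wiki page, from Mozilla, or from Bugzilla), the following Python script applies the page's security-bug definition, the phase searches for 2.2 and the whiteboard tag regular expressions to a handful of constructed bug records, so the lists each search is meant to produce can be checked offline. The Bug dataclass, its field names and the sample records are assumptions standing in for fields a Bugzilla export would carry; the Sec-Advisory-Needed predicate also treats a decided [b2g-adv-main2.2+] or [b2g-adv-main2.2-] tag as an advisory decision, which is my reading of the page's TODO for that query. The "?" in the clarification tag pattern is escaped, and one helper shows that the unescaped form silently fails to match.

```python
import re
from dataclasses import dataclass, field

# Whiteboard tag patterns from the page. The "?" variant escapes the question
# mark so it matches a literal "?" instead of acting as a lazy quantifier.
FX_ADV_ANY = re.compile(r"\[adv-[a-zA-Z0-9_.]*[+\-]]")
FX_ADV_PLUS = re.compile(r"\[adv-[a-zA-Z0-9_.]*\+]")
B2G_ADV_ANY = re.compile(r"\[b2g-adv-[a-zA-Z0-9_.]*[+\-?]]")
B2G_MAIN22_ANY = re.compile(r"\[b2g-adv-main2\.2[+\-?]]")
B2G_MAIN22_PLUS = re.compile(r"\[b2g-adv-main2\.2\+]")
B2G_MAIN22_DECIDED = re.compile(r"\[b2g-adv-main2\.2[+\-]]")
B2G_MAIN22_QUESTION = re.compile(r"\[b2g-adv-main2\.2\?]")

SEC_RATINGS = {"sec-low", "sec-moderate", "sec-high", "sec-critical"}
AFFECTS_STATES = {"affected", "fixed", "verified"}
CODE_COMPLETE_21 = "2014-11-21"  # 2.1 code complete; ISO dates compare as strings


@dataclass
class Bug:
    """Constructed stand-in for a Bugzilla record; field names are hypothetical."""
    id: int
    classification: str
    keywords: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    status_b2g_v22: str = ""   # "" = unset, or the component has no such flag
    whiteboard: str = ""
    resolution: str = ""
    last_resolved: str = ""    # ISO date; "" while the bug is still open


def is_security_bug(bug):
    """Page definition: classification AND (sec-* keyword OR core-security group)."""
    return bug.classification in {"Client Software", "Components"} and (
        any(k.startswith("sec-") for k in bug.keywords) or "core-security" in bug.groups)

def fixed_since_21(bug):
    """Sec-Fixed-Since B2G 2.1: resolved FIXED after 2.1 went code complete."""
    return bug.resolution == "FIXED" and bug.last_resolved > CODE_COMPLETE_21

def status_needed(bug):
    """Sec-Status-Needed: fixed since 2.1, no status-b2g-v2.2, no [b2g-adv-*] tag."""
    return (fixed_since_21(bug) and bug.status_b2g_v22 == ""
            and not B2G_ADV_ANY.search(bug.whiteboard))

def status_requested(bug):
    """Sec-Status-Requested: flag set to "?" or [b2g-adv-main2.2?] on the whiteboard."""
    return bug.status_b2g_v22 == "?" or bool(B2G_MAIN22_QUESTION.search(bug.whiteboard))

def affects_22(bug):
    """Sec-Affects: flag affected/fixed/verified, or any [b2g-adv-main2.2*] tag."""
    return bug.status_b2g_v22 in AFFECTS_STATES or bool(B2G_MAIN22_ANY.search(bug.whiteboard))

def advisory_needed(bug):
    """Sec-Advisory-Needed: affects 2.2 and no [adv-*] decision; a decided
    [b2g-adv-main2.2+/-] tag also counts (assumed reading of the page's TODO)."""
    wb = bug.whiteboard
    return affects_22(bug) and not FX_ADV_ANY.search(wb) and not B2G_MAIN22_DECIDED.search(wb)

def has_advisory(bug):
    """Sec-Has-Advisory: [b2g-adv-main2.2+], or affected/fixed/verified plus an [adv-*+] tag."""
    return bool(B2G_MAIN22_PLUS.search(bug.whiteboard)) or (
        bug.status_b2g_v22 in AFFECTS_STATES and bool(FX_ADV_PLUS.search(bug.whiteboard)))

SEARCHES = (
    ("Sec-Fixed-Since B2G 2.1", fixed_since_21),
    ("Sec-Status-Needed B2G 2.2", status_needed),
    ("Sec-Status-Requested B2G 2.2", status_requested),
    ("Sec-Affects B2G 2.2", affects_22),
    ("Sec-Advisory-Needed B2G 2.2", advisory_needed),
    ("Sec-Has-Advisory B2G 2.2", has_advisory),
)

def triage(bugs):
    """Sort bugs into the page's named lists; also flag security bugs lacking a sec-* rating."""
    result = {name: [] for name, _ in SEARCHES}
    result["missing-rating"] = []
    for bug in bugs:
        if not is_security_bug(bug):
            continue                      # not a security bug by the page's definition
        if not bug.keywords & SEC_RATINGS:
            result["missing-rating"].append(bug.id)
        for name, predicate in SEARCHES:
            if predicate(bug):
                result[name].append(bug.id)
    return result

def unescaped_question_pattern_matches(tag="[b2g-adv-main2.2?]"):
    """Written bare, "*?" is a lazy quantifier, so this pattern never matches the tag."""
    return bool(re.search(r"\[b2g-adv-[a-zA-Z0-9_.]*?]", tag))

# Constructed sample records; ids, tags and dates are made up for this example.
SAMPLE_BUGS = [
    Bug(1001, "Client Software", {"sec-high"}, resolution="FIXED", last_resolved="2015-01-10"),
    Bug(1002, "Components", {"sec-critical"}, status_b2g_v22="?", resolution="FIXED",
        last_resolved="2015-02-01"),
    Bug(1003, "Client Software", {"sec-moderate"}, status_b2g_v22="affected"),
    Bug(1004, "Client Software", {"sec-high"}, status_b2g_v22="fixed", whiteboard="[adv-main37+]",
        resolution="FIXED", last_resolved="2015-03-05"),
    Bug(1005, "Client Software", {"sec-low"}, whiteboard="[b2g-adv-main2.2+]",
        resolution="FIXED", last_resolved="2015-03-20"),
    Bug(1006, "Client Software", resolution="FIXED", last_resolved="2015-04-01"),  # not security
    Bug(1007, "Components", groups={"core-security"}, whiteboard="[b2g-adv-main2.2?]"),  # no rating
    Bug(1008, "Client Software", {"sec-high"}, status_b2g_v22="fixed", resolution="FIXED",
        last_resolved="2014-10-01"),  # fixed before 2.1 code complete
]

if __name__ == "__main__":
    for name, ids in triage(SAMPLE_BUGS).items():
        print(f"{name}: {ids}")
```

Running the script prints one line per search. Bug 1001 lands only in Sec-Status-Needed, 1002 and 1007 in Sec-Status-Requested, 1005 in Sec-Has-Advisory via its b2g tag even though its component has no flag, and 1007 additionally in missing-rating because it is a security bug only by group membership. Wiring this to a real Bugzilla export would require mapping the API's field names onto the Bug dataclass.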