Security/B2G/VulnerabilityManagement

From MozillaWiki

Definition of a security bug

In Bugzilla we define security bugs as having both

  1. Classification is Client Software OR Components
  2. Keywords contain sec- OR Group contains core-security

Bugzilla searches

Firefox OS 2.2

Bug status clarification phase

The objective of this phase is to find all relevant security bugs and make sure they

  • have a sec-low/moderate/high/critical rating
  • are categorized in the correct components, preferably ones supporting status-b2g-*
  • have status-b2g-v2.2 set
  • have [b2g-adv-main2.2*] set if status-b2g-* flags are unavailable

Sec-Fixed-Since B2G 2.1

This search contains all critical/high/moderate/other as well as core-security group security bugs last resolved after 2014-11-21 (after 2.1 went code complete) with resolution FIXED. It is meant to define the superset of bugs that may be relevant for the 2.2 release. It also contains products and components that can't have status-b2g-* tracking flags, so bugs there may have to be moved, cloned, or split into components that can.

This list is meant to serve as an overview for spotting bugs that may have improper security rating or component/product association.

Sec-Status-Needed B2G 2.2

This search lists all security bugs fixed since 2.1 lacking status-b2g-v2.2 classification, and without [b2g-adv-*] tagging on the whiteboard.

This list should ideally be empty, either by setting status-b2g-v2.2 or adding a whiteboard tag for all the bugs it contains.

Sec-Status-Requested B2G 2.2

This search lists all security bugs with status-b2g-v2.2 set to ? or containing [b2g-adv-main2.2?] on the whiteboard. It is meant to signal that the developer was sent a NEEDINFO request for setting the appropriate status-b2g-v2.2, or that we still need some form of security clarification.

Ideally this list will be empty.

Advisory selection phase

The objective of this phase is to sort all relevant security bugs known to affect 2.2 into either

  • requiring an advisory, tagging them [b2g-adv-main2.2+]
  • requiring no advisory, tagging them [b2g-adv-main2.2-]
  • already having an advisory done by Firefox Sec ([adv-*+])

Sec-Affects B2G 2.2

This is the list of all security bugs that have status-b2g-v2.2 set to affected, verified or fixed, or have a [b2g-adv-main2.2*] tag on the whiteboard. It is intended as the superset of advisory candidates for the 2.2 release.

Sec-Advisory-Undecided B2G 2.2

These are all security bugs rated high or critical and affecting 2.2, but without an [adv-*+], [b2g-adv-main2.2+] or [b2g-adv-main2.2-] tag on the whiteboard.

This list is the main focus for our work. If a bug that needs an advisory decision never shows up here, we will likely miss it.

This list ideally is empty.

Sec-Has-Advisory B2G 2.2

These are all bugs with [b2g-adv-main2.2+] on the whiteboard, or with affected, fixed, or verified in status-b2g-v2.2 and any of the [adv-*+] tags, meaning that the Firefox sec team provides an advisory that we just need to refer to.

Pay special attention to bugs that have status-b2g-v2.2 set to affected. Make sure they're all at least fixed.

This Bugzilla query is intended to be used for automatic generation of the advisory overview for the Firefox 2.2 release.

Whiteboard keywords

Firefox

Al Billings uses the [adv-*] tag space to declare advisory status for Firefox releases. Tags ending in +] will get an advisory, those ending in -] will not. Generally, when there is already an [adv-* tag, we don't need to care about creating an advisory for b2g: either the advisory is already there and we only have to collect it for our overview, or b2g (most likely) won't require one either.

All Firefox advisory tags are supposed to match one of these regular expressions:

\[adv-[a-zA-Z0-9_.]*\+]
\[adv-[a-zA-Z0-9_.]*\-]

B2G

For Firefox OS we use the [b2g-adv-*] tag space, following the same principles as for Firefox. Al kindly asks us not to pollute his [adv-* space.

All B2G advisory tags are supposed to match one of these regular expressions:

\[b2g-adv-[a-zA-Z0-9_.]*\+]  # an advisory is or will be written
\[b2g-adv-[a-zA-Z0-9_.]*-]  # no advisory
\[b2g-adv-[a-zA-Z0-9_.]*\?]  # advisory or bug status needs clarification (the ? must be escaped, otherwise *? is a lazy quantifier and the literal ? is never matched)

Tags dedicated to our main 2.2 release: [b2g-adv-main2.2*]
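As an added example that is not part of this wiki page or of Mozilla's tooling, the following Python applies the tag patterns above and the page's search definitions to constructed bug records, reporting which of the lists (Sec-Status-Needed, Sec-Status-Requested, Sec-Affects, Sec-Has-Advisory, Sec-Advisory-Undecided) each bug would land in. The Bug fields, the sample records and the [adv-main36+] value are assumptions for illustration, and the "resolved FIXED since 2014-11-21" date filter is assumed to have been applied already.

```python
import re
from dataclasses import dataclass

# Whiteboard tag patterns from the page; the '?' variant is escaped so it matches literally.
FX_ADV = re.compile(r"\[adv-[a-zA-Z0-9_.]*([+-])\]")
B2G_ADV = re.compile(r"\[b2g-adv-main2\.2([+?-])\]")

@dataclass(frozen=True)
class Bug:
    bug_id: int
    keywords: frozenset       # e.g. {"sec-high"}
    groups: frozenset         # e.g. {"core-security"}
    status_b2g_v2_2: str      # "---", "?", "affected", "fixed", "verified", "unaffected"
    whiteboard: str

def is_security_bug(bug):
    # Page definition: any sec-* keyword, or membership in the core-security group.
    return any(k.startswith("sec-") for k in bug.keywords) or "core-security" in bug.groups

def tag(pattern, whiteboard):
    m = pattern.search(whiteboard)
    return m.group(1) if m else None   # '+', '-', '?' or None when the tag is absent

def classify(bug):
    """Names of the page's Bugzilla searches this bug would appear in."""
    if not is_security_bug(bug):
        return set()
    lists = set()
    b2g, fx = tag(B2G_ADV, bug.whiteboard), tag(FX_ADV, bug.whiteboard)
    status_set = bug.status_b2g_v2_2 in {"affected", "fixed", "verified"}
    if bug.status_b2g_v2_2 == "---" and b2g is None:
        lists.add("Sec-Status-Needed")
    if bug.status_b2g_v2_2 == "?" or b2g == "?":
        lists.add("Sec-Status-Requested")
    if status_set or b2g is not None:
        lists.add("Sec-Affects")
        if b2g == "+" or (status_set and fx == "+"):
            lists.add("Sec-Has-Advisory")        # a Firefox or B2G advisory exists
        elif bug.keywords & {"sec-high", "sec-critical"} and b2g != "-" and fx != "+":
            lists.add("Sec-Advisory-Undecided")  # the list that should end up empty
    return lists

# Constructed sample records, not real Bugzilla bugs; all assumed resolved FIXED since 2.1.
SAMPLE = [
    Bug(1, frozenset({"sec-high"}), frozenset(), "fixed", ""),
    Bug(2, frozenset({"sec-critical"}), frozenset(), "fixed", "[adv-main36+]"),
    Bug(3, frozenset({"sec-moderate"}), frozenset(), "affected", "[b2g-adv-main2.2+]"),
    Bug(4, frozenset(), frozenset({"core-security"}), "---", ""),
    Bug(5, frozenset({"sec-high"}), frozenset(), "?", "[b2g-adv-main2.2?]"),
]
```

Running `classify` over SAMPLE shows bug 5 appearing in three lists at once, which is why the Sec-Status-Requested and Sec-Advisory-Undecided searches overlap until the NEEDINFO is answered.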

Links