(→B2G: tags explanations added) |
(phases and objectives added) |
||
| Line 10: | Line 10: | ||
=== Firefox OS 2.2 === | === Firefox OS 2.2 === | ||
==== [http://mzl.la/1GuWfc0 Sec-Fixed-Since B2G 2.1] ==== | ==== Bug status clarification phase ==== | ||
The objective of this phase is to find all relevant security bugs and have them | |||
* have a '''sec-low/moderate/high/critical''' rating | |||
* categorized in '''correct components''', preferably in ones supporting ''status-b2g-*'' | |||
* have '''status-b2g-v2.2''' set | |||
* have '''[b2g-adv-main2.2*]''' set if ''status-b2g-*'' flags unavailable | |||
===== [http://mzl.la/1GuWfc0 Sec-Fixed-Since B2G 2.1] ===== | |||
This search contains all '''critical/high/moderate/other''' security bugs '''last resolved after 2014-11-21''' (after 2.1 went code complete) with '''resolution FIXED'''. It is meant to define the superset of bugs that may be relevant for the 2.2 release. It also contains products and components that can't have ''status-b2g-*'' tracking flags that may have to be moved, cloned, or split to components that can. | This search contains all '''critical/high/moderate/other''' security bugs '''last resolved after 2014-11-21''' (after 2.1 went code complete) with '''resolution FIXED'''. It is meant to define the superset of bugs that may be relevant for the 2.2 release. It also contains products and components that can't have ''status-b2g-*'' tracking flags that may have to be moved, cloned, or split to components that can. | ||
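Review bot: The new objective list names sec-low/moderate/high/critical, but the Sec-Fixed-Since description directly below it says the search covers critical/high/moderate/other, so it is unclear whether sec-low bugs are part of the superset or fall under "other"; the two wordings should be aligned. The list items are also not parallel ("have them ... have a rating", "categorized in ..."); consider "ensure that each one: has a sec-* rating, is categorized in a correct component, has status-b2g-v2.2 set".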
| Line 16: | Line 25: | ||
This list is meant to serve as an overview for spotting bugs that may have improper security rating or component/product association, yet. | This list is meant to serve as an overview for spotting bugs that may have improper security rating or component/product association, yet. | ||
==== [http://mzl.la/1GuYLiz Sec-Status-Needed B2G 2.2] ==== | ===== [http://mzl.la/1GuYLiz Sec-Status-Needed B2G 2.2] ===== | ||
This search lists all security bugs fixed since 2.1 '''lacking status-b2g-v2.2''' classification, and '''without [b2g-adv-*]''' tagging on the whiteboard. | This search lists all security bugs fixed since 2.1 '''lacking status-b2g-v2.2''' classification, and '''without [b2g-adv-*]''' tagging on the whiteboard. | ||
| Line 22: | Line 31: | ||
This list '''should ideally be empty''', either by setting ''status-b2g-v2.2'' or adding a whiteboard tag for all the bugs it contains. | This list '''should ideally be empty''', either by setting ''status-b2g-v2.2'' or adding a whiteboard tag for all the bugs it contains. | ||
==== [http://mzl.la/1Gv1CrM Sec-Status-Requested B2G 2.2] ==== | ===== [http://mzl.la/1Gv1CrM Sec-Status-Requested B2G 2.2] ===== | ||
This search lists all security bugs with ''status-b2g-v2.2'' set to ''?'' or containing '''[b2g-adv-main2.2?] on the whiteboard'''. It is meant to signal that the '''developer was sent a NEEDINFO''' request for setting the appropriate ''status-b2g-v2.2'', or that we still need some form of security clarification. | This search lists all security bugs with ''status-b2g-v2.2'' set to ''?'' or containing '''[b2g-adv-main2.2?] on the whiteboard'''. It is meant to signal that the '''developer was sent a NEEDINFO''' request for setting the appropriate ''status-b2g-v2.2'', or that we still need some form of security clarification. | ||
| Line 28: | Line 37: | ||
Ideally this list will be empty. | Ideally this list will be empty. | ||
==== [http://mzl.la/1B5j71u Sec-Affects B2G 2.2] ==== | === Advisory selection phase === | ||
The objective of this phase is to sort all relevant security bugs known to affect 2.2 into either | |||
* requiring an advisory, tagging them ''[b2g-adv-man2.2+]'' | |||
* requiring no advisory, tagging them ''[b2g-adv-man2.2-]'' | |||
* already having an advisory done by Firefox Sec (''[adv-*+]'') | |||
===== [http://mzl.la/1B5j71u Sec-Affects B2G 2.2] ===== | |||
This is the list with all security bugs that have '''status-b2g-v2.2 set to affected, verified or fixed''', or has a '''[b2g-adv-main2.2*]''' tag on the whiteboard. It is intended as superset for advisory candidates for the 2.2 release. | This is the list with all security bugs that have '''status-b2g-v2.2 set to affected, verified or fixed''', or has a '''[b2g-adv-main2.2*]''' tag on the whiteboard. It is intended as superset for advisory candidates for the 2.2 release. | ||
==== [http://mzl.la/1eQTNSK Sec-Advisory-Needed B2G 2.2] ==== | ===== [http://mzl.la/1eQTNSK Sec-Advisory-Needed B2G 2.2] ===== | ||
These are all security bugs '''confirmed to be affecting 2.2''', but without an '''[adv-*''' tag on whiteboard. | These are all security bugs '''confirmed to be affecting 2.2''', but without an '''[adv-*''' tag on whiteboard. | ||
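Review bot: The two new tags in the objective list are spelled [b2g-adv-man2.2+] and [b2g-adv-man2.2-], while every other reference on the page uses [b2g-adv-main2.2...]; because the searches key on the whiteboard string, the bullets should read [b2g-adv-main2.2+] and [b2g-adv-main2.2-]. The heading "=== Advisory selection phase ===" is also level 3, which places it beside "=== Firefox OS 2.2 ===" rather than beside "==== Bug status clarification phase ====", so it should use four equals signs.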
| Line 41: | Line 58: | ||
'''TODO''': query needs update for [b2g-adv-*] | '''TODO''': query needs update for [b2g-adv-*] | ||
==== [http://mzl.la/1B5nOsg Sec-Has-Advisory B2G 2.2] ==== | ===== [http://mzl.la/1B5nOsg Sec-Has-Advisory B2G 2.2] ===== | ||
These are all bugs with '''[b2g-adv-main2.2+]''' on the whiteboard, or with '''affected, fixed, or verified in status-b2g-v2.2''' and any of the '''[adv-*+]''' tags, meaning that the Firefox sec team provides an advisory that we just need to refer to. | These are all bugs with '''[b2g-adv-main2.2+]''' on the whiteboard, or with '''affected, fixed, or verified in status-b2g-v2.2''' and any of the '''[adv-*+]''' tags, meaning that the Firefox sec team provides an advisory that we just need to refer to. | ||
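Review bot: The TODO on Sec-Advisory-Needed ("query needs update for [b2g-adv-*]") is carried over unchanged, although the advisory selection phase added in this revision sorts bugs by [b2g-adv-*] tags. Either update the query and drop the TODO, or state in the phase objectives that Sec-Advisory-Needed currently only checks for [adv-* tags.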