m (Fixing the formatting for "advisory.txt" examples)
| Line 98: | Line 98: | ||
That script will automatically reserve new CVEs, insert them into the yml file, and set the CVE IDs as aliases on Bugzilla. You can use it by running <tt>pip i && assign_cve_ids</tt> in the root of the repository. You can provide the required credentials through the '''CVE_USER''', '''CVE_ORG''', '''CVE_API_KEY''', '''CVE_ENV''', and '''BUGZILLA_API_KEY''' environment variables. Before running the script, make sure to set the names of the advisories that should get a CVE ID to '''MFSA-RESERVE-{YEAR}-{BUG_ID}''', where '''{YEAR}''' is the year that should be associated with the CVE, and '''{BUG_ID}''' is the id of a Bugzilla bug that should get the CVE ID as an alias. If you do not want to have a alias set for the advisory, use a small unique number instead. If you have used the [[#Generate_and_edit_the_YML_File|'''gen_yml.py''' script from the previous step]] to generate your yml file, the advisories should already have this format. | That script will automatically reserve new CVEs, insert them into the yml file, and set the CVE IDs as aliases on Bugzilla. You can use it by running <tt>pip i && assign_cve_ids</tt> in the root of the repository. You can provide the required credentials through the '''CVE_USER''', '''CVE_ORG''', '''CVE_API_KEY''', '''CVE_ENV''', and '''BUGZILLA_API_KEY''' environment variables. Before running the script, make sure to set the names of the advisories that should get a CVE ID to '''MFSA-RESERVE-{YEAR}-{BUG_ID}''', where '''{YEAR}''' is the year that should be associated with the CVE, and '''{BUG_ID}''' is the id of a Bugzilla bug that should get the CVE ID as an alias. If you do not want to have a alias set for the advisory, use a small unique number instead. If you have used the [[#Generate_and_edit_the_YML_File|'''gen_yml.py''' script from the previous step]] to generate your yml file, the advisories should already have this format. | ||
A noteworthy item is that '''issues that already have had a CVE assigned''' - for example because it's an upstream bug - should | A noteworthy item is that '''issues that already have had a CVE assigned''' - for example because it's an upstream bug - should instead have their identifier set to that CVE. If the issue should have a CVE from another org but we don't have it yet, then it should be set to '''MFSA-TMP-2025-XXXX''' where XXXX is an incrementing number. We strive not to re-ruse these. It is common (usually once or twice a year) for us to request Google to assign a CVE for an issue in an upstream library. The Googler to contact for this is James Zern, and Tom Ritter (among others) can put you in touch. | ||
The CVE ID is unique per bug except for the internal roll-up advisories, which use one CVE ID for a list of bugs. (The CVE assignment process can be complicated because Mitre imposes many rules on CVE assignment and requires communication back in specified data formats when CVEs are assigned. Failure to follow this process can result in Mitre refusing to hand out additional CVE IDs for use.) | The CVE ID is unique per bug except for the internal roll-up advisories, which use one CVE ID for a list of bugs. (The CVE assignment process can be complicated because Mitre imposes many rules on CVE assignment and requires communication back in specified data formats when CVEs are assigned. Failure to follow this process can result in Mitre refusing to hand out additional CVE IDs for use.) | ||
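Review bot: the completed sentence on the right of the "should ..." row contains a typo, "We strive not to re-ruse these", which should read "re-use". In the same row, the temporary identifier "MFSA-TMP-2025-XXXX" hard-codes the year while the preceding paragraph uses the "{YEAR}" placeholder in "MFSA-RESERVE-{YEAR}-{BUG_ID}"; "MFSA-TMP-{YEAR}-XXXX" would keep the two conventions consistent and stop the instruction going stale next year. It would also help to say where the next XXXX value is taken from, since "an incrementing number" on its own gives two people reserving at the same time no way to avoid picking the same one. Two small points in the unchanged context above: "a alias" should be "an alias", and "<tt>pip i && assign_cve_ids</tt>" relies on an "i" subcommand that pip does not provide, so unless that is a local shell alias the intended command (presumably an install of the repository, e.g. "pip install .") should be spelled out.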