(clarify email address of group) |
(Updating links to generation scripts ;)) |
||
| Line 22: | Line 22: | ||
==== Tag them ==== | ==== Tag them ==== | ||
# Query for bugs using the status-firefoxXX (with the release number) flag that are marked as “verified” or “fixed” that also do not have the status-firefoxXY flag for the previous release set to “fixed”, “verified”, “unaffected”, or “disabled” in bugzilla. Additionally, we query on whether the bugs have a “sec-” keyword or are in any security group in Bugzilla. [https://github.com/ | # Query for bugs using the status-firefoxXX (with the release number) flag that are marked as “verified” or “fixed” that also do not have the status-firefoxXY flag for the previous release set to “fixed”, “verified”, “unaffected”, or “disabled” in bugzilla. Additionally, we query on whether the bugs have a “sec-” keyword or are in any security group in Bugzilla. [https://github.com/MozillaSecurity/security-advisories-scripts/blob/main/gen_queries.py I use a script that generates the bugzilla query for a given version.] For example <tt>./gen_queries.py 71</tt> or <tt>./gen_queries.py 71 -v</tt> | ||
# For each bug, decide on an advisory, marking it with a whiteboard tag. A missing whiteboard tag helps us notice when new fixes land late in the release cycle, and in the future the whiteboard tag is useful for tracking when a vulnerability received an advisory. | # For each bug, decide on an advisory, marking it with a whiteboard tag. A missing whiteboard tag helps us notice when new fixes land late in the release cycle, and in the future the whiteboard tag is useful for tracking when a vulnerability received an advisory. | ||
## The whiteboard of the bug is tagged with [adv-mainXX+], [adv-mainXX-], [adv-ESRXX.X+], or [adv-ESRXX.X-] to mark whether an advisory is being created (a ‘+’) or explicitly not being created (a ‘-’) for a given Firefox or Firefox ESR release. | ## The whiteboard of the bug is tagged with [adv-mainXX+], [adv-mainXX-], [adv-ESRXX.X+], or [adv-ESRXX.X-] to mark whether an advisory is being created (a ‘+’) or explicitly not being created (a ‘-’) for a given Firefox or Firefox ESR release. | ||
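Review bot: the two example invocations added in the right column, <tt>./gen_queries.py 71</tt> and <tt>./gen_queries.py 71 -v</tt>, don't say what <tt>-v</tt> changes (verbose output, or a different query?), so a reader has to open the script to find out; one clause explaining the flag would make the step self-contained. The new link is also pinned to <tt>blob/main/gen_queries.py</tt>, which breaks silently if the file is moved or renamed; keep the script name in prose next to the link (as is done here) so the instruction survives a path change, or link the repository root as well.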
| Line 48: | Line 48: | ||
=== Generate and edit the YML File === | === Generate and edit the YML File === | ||
Using [https://github.com/ | Using [https://github.com/MozillaSecurity/security-advisories-scripts/blob/main/gen_yml.py this script], generate a first-pass at the .yml file. | ||
Go through and review it. For the first pass, I recommend edits be made directly on the advisory.txt attachments. However, certain edits will not be possible to do there. Specifically: adding (or removing) the description field from the top of the document and editing the list of reporters in the rollup advisory. | Go through and review it. For the first pass, I recommend edits be made directly on the advisory.txt attachments. However, certain edits will not be possible to do there. Specifically: adding (or removing) the description field from the top of the document and editing the list of reporters in the rollup advisory. | ||
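Review bot: the sentence "generate a first-pass at the .yml file" gives no invocation for <tt>gen_yml.py</tt>, unlike the <tt>gen_queries.py</tt> step above; if it takes the same release-number argument, say so and add an example. Minor: "first-pass" as a noun should be "first pass". The paragraph that follows would read more clearly if it stated where the edits that cannot be made on the advisory.txt attachments (the description field and the reporter list in the rollup advisory) are made instead, presumably in the generated .yml itself.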