Hello,
Red Hat Product Security would like to inquire about the usage of the whiteboard field on security/CVE bugs in Fedora Infrastructure. Is there any infrastructure tool that reads and parses the data from the Whiteboard field of the mentioned bugs?
The CVE bugs are bugs filed in Bugzilla under "Security Response"/vulnerability, often having a CVE as an alias.
For example: CVE-2019-1010222 https://bugzilla.redhat.com/show_bug.cgi?id=1735591
Thank you for your time.
On 9/10/19 3:59 AM, Viliam Križan wrote:
> Hello,
> Red Hat Product Security would like to inquire about the usage of the whiteboard field on security/CVE bugs in Fedora Infrastructure. Is there any infrastructure tool that reads and parses the data from the Whiteboard field of the mentioned bugs?
> The CVE bugs are bugs filed in Bugzilla under "Security Response"/vulnerability, often having a CVE as an alias.
> For example: CVE-2019-1010222 https://bugzilla.redhat.com/show_bug.cgi?id=1735591
> Thank you for your time.
I don't think we currently use the whiteboard data for anything.
However, there is a plan to retire packages with outstanding security issues, and any script around that might parse it? It might not if we can get all the data from other places.
Are you planning on changing the format or ?
kevin
Hello Kevin,
Sorry for the late reply (I did not get it into my mailbox).
By retiring packages you mean this effort? https://pagure.io/fesco/issue/1935 https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/...
If that is what you had in mind, then that depends on reading the security trackers (bugs with the SecurityTracking keyword). Those bugs have the required information to process them, where severity maps to the impact of a vulnerability.
Product Security will stop using the whiteboard field at all on CVE bugs. However, there will be means to retrieve the impact information from the bug's severity. Product Security will keep creating bugs for affected components in Fedora.
Thank you.
On Wed, Sep 25, 2019 at 03:14:26PM -0000, Viliam Križan wrote:
> Hello Kevin,
> Sorry for the late reply (I did not get it into my mailbox).
No worries.
> By retiring packages you mean this effort? https://pagure.io/fesco/issue/1935 https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/...
Yep.
Also: https://pagure.io/releng/issue/7793
> If that is what you had in mind, then that depends on reading the security trackers (bugs with the SecurityTracking keyword). Those bugs have the required information to process them, where severity maps to the impact of a vulnerability.
> Product Security will stop using the whiteboard field at all on CVE bugs. However, there will be means to retrieve the impact information from the bug's severity. Product Security will keep creating bugs for affected components in Fedora.
ok. I guess when we have someone implementing the above they can look further into it.
Thanks for the info.
kevin
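The thread settles on one point of substance: a package-retirement script should read impact from the severity of open SecurityTracking bugs, not from the whiteboard. The following is an added example of what that check could look like; it is not code from Fedora Infrastructure, releng, or Red Hat Product Security. It assumes a severity-to-impact mapping (urgent/high/medium/low to Critical/Important/Moderate/Low) that the thread does not spell out, works on constructed sample records shaped like Bugzilla REST API bug objects rather than live queries, and ignores the whiteboard field entirely.

```python
"""Summarise outstanding Fedora security trackers per component, taking the
vulnerability impact from the Bugzilla severity field instead of the whiteboard.

Added example; the record shape mirrors a Bugzilla REST `bug` object, but all
sample data below is constructed and the mapping is an assumption to confirm
against the Bugzilla field documentation."""
from collections import defaultdict

# ASSUMED mapping from Red Hat Bugzilla severity values to Product Security impact.
SEVERITY_TO_IMPACT = {
    "urgent": "Critical",
    "high": "Important",
    "medium": "Moderate",
    "low": "Low",
}
IMPACT_RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}


def impact_from_severity(severity):
    """Return the impact for a severity value, or None when unset or unknown
    (e.g. Bugzilla's 'unspecified'), so callers can surface it for triage."""
    if not severity:
        return None
    return SEVERITY_TO_IMPACT.get(severity.lower())


def is_open_tracker(bug):
    """A bug counts only if it carries the SecurityTracking keyword and is not CLOSED."""
    return "SecurityTracking" in bug.get("keywords", []) and bug.get("status") != "CLOSED"


def outstanding_by_component(bugs, min_impact="Moderate"):
    """Group open trackers by component, keeping those rated at or above min_impact.

    Bugs whose severity does not map to an impact are kept with the marker
    'UNRATED' rather than silently dropped: a missing rating must not make a
    package look clean. The whiteboard field is never consulted.
    Returns {component: [(bug_id, impact), ...]}.
    """
    threshold = IMPACT_RANK[min_impact]
    result = defaultdict(list)
    for bug in bugs:
        if not is_open_tracker(bug):
            continue
        impact = impact_from_severity(bug.get("severity"))
        if impact is None:
            result[bug["component"]].append((bug["id"], "UNRATED"))
        elif IMPACT_RANK[impact] >= threshold:
            result[bug["component"]].append((bug["id"], impact))
    return dict(result)


# Constructed sample records (bug ids and component names are made up).
SAMPLE_BUGS = [
    {"id": 9000001, "component": "libfoo", "severity": "high", "status": "NEW",
     "keywords": ["SecurityTracking"], "whiteboard": "legacy-whiteboard-text"},
    {"id": 9000002, "component": "libfoo", "severity": "low", "status": "NEW",
     "keywords": ["SecurityTracking"], "whiteboard": ""},
    {"id": 9000003, "component": "barutil", "severity": "urgent", "status": "CLOSED",
     "keywords": ["SecurityTracking"], "whiteboard": ""},
    {"id": 9000004, "component": "bazd", "severity": "medium", "status": "ASSIGNED",
     "keywords": ["SecurityTracking"], "whiteboard": ""},
    {"id": 9000005, "component": "qux", "severity": "unspecified", "status": "NEW",
     "keywords": ["SecurityTracking"], "whiteboard": ""},
    {"id": 9000006, "component": "plainbug", "severity": "high", "status": "NEW",
     "keywords": ["Regression"], "whiteboard": ""},
]

if __name__ == "__main__":
    for component, issues in sorted(outstanding_by_component(SAMPLE_BUGS).items()):
        print(f"{component}: {issues}")
```

With the sample data, `libfoo` is reported only for its Important tracker (the Low one falls under the default threshold), `barutil` drops out because its tracker is CLOSED, `plainbug` drops out because it is not a SecurityTracking bug, and `qux` is reported as UNRATED because an "unspecified" severity carries no impact. In a real run the records would come from a query on the SecurityTracking keyword against the Bugzilla REST API; the filtering logic is unchanged.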