Tags or components are fine to me (you can specify more than one component to each ticket); I agree that a tag may be more appropriate for this use case. My preference is just to not use subtasks.
Jacopo On Tue, Nov 29, 2016 at 2:13 PM, Pierre Smits <pierre.sm...@gmail.com> wrote: > Well... > > CVEs can occur on any component (even though past issues have been related > for most to framework components. So having a particular component just for > CVE reference purposes would complicate matters as much as converting JIRA > issues into sub-tasks. > > Applying a tag to the issue (e.g. CVE) and using a persisted filter in JIRA > would be sufficient to link to from the download page (and elsewhere e.g. > the 'keeping OFBiz secure' cwiki page. > > Best regards, > > > > > Pierre Smits > > ORRTIZ.COM <http://www.orrtiz.com> > OFBiz based solutions & services > > OFBiz Extensions Marketplace > http://oem.ofbizci.net/oci-2/ > > On Tue, Nov 29, 2016 at 2:04 PM, Jacopo Cappellato < > jacopo.cappell...@hotwaxsystems.com> wrote: > > > Rather than using subtasks I think it would be better to use a component > > (named CVE or similar). > > > > Il 29 Nov 2016 1:50 PM, "Jacques Le Roux" <jacques.le.r...@les7arts.com> > > ha > > scritto: > > > > > Also it would be better if we can group all security issues in Jira. > For > > > that I created OFBIZ-1525, please if you create Jira security issues > > create > > > (or convert) them as subtasks of OFBIZ-1525 > > > > > > Thanks > > > > > > Jacques > > > > > > > > > Le 29/11/2016 à 11:05, Pierre Smits a écrit : > > > > > >> Of course, I implied this policy to be in line with > > >> http://www.apache.org/security/ > > >> > > >> Best regards, > > >> > > >> Pierre Smits > > >> > > >> ORRTIZ.COM <http://www.orrtiz.com> > > >> OFBiz based solutions & services > > >> > > >> OFBiz Extensions Marketplace > > >> http://oem.ofbizci.net/oci-2/ > > >> > > >> On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin < > > nicolas.ma...@nereide.fr > > >> > > > >> wrote: > > >> > > >> Yes I agree with Jacopo, when can create the issue only when they are > > >>> corrected > > >>> > > >>> Nicolas > > >>> > > >>> > > >>> > > >>> Le 29/11/2016 à 10:55, Jacopo Cappellato a écrit : > > >>> > > >>> We can definitely create one Jira ticket for each CVE number with all > > the > > >>>> details we want and link them from the "security" section of the > OFBiz > > >>>> download page. > > >>>> This was probably implied in Pierre's proposal, but I prefer to > > >>>> explicitly > > >>>> state here: these tickets will be created only after the CVE are > > >>>> publicly > > >>>> disclosed (i.e. the tickets will be created and resolved at the same > > >>>> time). > > >>>> The good news is that we can create now all the tickets for the CVE > > >>>> processed so far in the history of OFBiz, in order to implement what > > >>>> Pierre > > >>>> has proposed here. > > >>>> > > >>>> Jacopo > > >>>> > > >>>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits < > > pierre.sm...@gmail.com> > > >>>> wrote: > > >>>> > > >>>> Hi all, > > >>>> > > >>>>> Recently we have seen some security issues fixed in the code base > > >>>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated > in > > >>>>> identifying, analysing and fixing these OFBiz security threats. > > >>>>> > > >>>>> When I look at how we communicate to our adopters that there are > > >>>>> threats > > >>>>> and how they can be mitigated [1] I believe we could and we should > > do a > > >>>>> little bit more. There we merely put a reference to the CVE [2] > issue > > >>>>> (see > > >>>>> [3] for example) there and and advice to upgrade. But on that page > we > > >>>>> leave > > >>>>> out any particulars on how the issue affected OFBiz and what was > done > > >>>>> to > > >>>>> it. Rightly so as it is just a list of notifications. > > >>>>> > > >>>>> The details about the effect of the issue and the mitigation is in > > >>>>> commits. > > >>>>> But there is no apparent relation between the notification on [1] > and > > >>>>> the > > >>>>> actual commit that mitigated. Also reporting the CVE in JIRA issues > > not > > >>>>> optimal. This leads to the fact that details don't appear in > release > > >>>>> notes > > >>>>> very well. > > >>>>> > > >>>>> I believe we could and should do better. We should *always* have a > > JIRA > > >>>>> issue explaining the CVE issue and its effect on the OFBiz product, > > >>>>> have > > >>>>> it > > >>>>> enhanced with the proper tags or labels (e.g. CVE/Security), and - > > like > > >>>>> any > > >>>>> other JIRA issue - have it showing with which commit(s) it has been > > >>>>> resolved and on which branch it has been implemented. > > >>>>> > > >>>>> With a proper filter definition on JIRA we can then shorten the > > >>>>> vulnerability section in [1] and have that link to that JIRA filter > > >>>>> definition. > > >>>>> > > >>>>> What do you think? > > >>>>> > > >>>>> References: > > >>>>> > > >>>>> - [1] http://ofbiz.apache.org/download.html > > >>>>> - [2] CVE: Common Vulnerability and Exposure > > >>>>> - [3] http://cve.mitre.org/cgi-bin/ > > cvename.cgi?name=CVE-2016-6800 > > >>>>> > > >>>>> > > >>>>> Best regards, > > >>>>> > > >>>>> Pierre Smits > > >>>>> > > >>>>> ORRTIZ.COM <http://www.orrtiz.com> > > >>>>> OFBiz based solutions & services > > >>>>> > > >>>>> OFBiz Extensions Marketplace > > >>>>> http://oem.ofbizci.net/oci-2/ > > >>>>> > > >>>>> > > >>>>> > > > > > >