foundation-security-advisories's Issues

Distinctive difference between package name and version

Hi
I'm writing a package url for the packages in the advisories and I would need the names and versions of packages explicitly. Currently, it appears that the pattern follows package_name version and package_name is also allowed to have spaces.
Though there is no validation to make sure this pattern is followed.

Something like the following should be fine:

pkg.split(" ")[-1].replace('.','').isdigit()
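As an added illustration (not code from the issue or the repository), here is one way to split the "package_name version" strings the issue describes and build a Package URL from them. The name may contain spaces, so the split is on the last space only, and the version is validated as dotted digits, which is the same acceptance rule as the one-liner above. The purl type "generic" and the example package strings are assumptions for the demonstration.

```python
import re
from urllib.parse import quote
from typing import Tuple

# Assumption from the issue: entries look like "<package_name> <version>", where the
# name may itself contain spaces ("Firefox ESR") and the version is the final token.
VERSION_RE = re.compile(r"^\d+(\.\d+)*$")   # dotted digits only, e.g. 106 or 102.4.1

def split_package(pkg: str) -> Tuple[str, str]:
    """Split 'package_name version' into (name, version).

    Raises ValueError when the last token is not a dotted-digit version, which is the
    validation the issue asks for (equivalent to .replace('.', '').isdigit()).
    """
    parts = pkg.strip().rsplit(" ", 1)        # split on the LAST space only
    if len(parts) != 2:
        raise ValueError(f"no version token in {pkg!r}")
    name, version = parts
    if not VERSION_RE.match(version):
        raise ValueError(f"{version!r} in {pkg!r} is not a dotted numeric version")
    return name, version

def to_purl(pkg: str, purl_type: str = "generic") -> str:
    """Build a Package URL (pkg:type/name@version); name and version are percent-encoded.

    The purl type 'generic' is an assumption for this example; a real mapping would
    pick whatever type the consuming tool expects.
    """
    name, version = split_package(pkg)
    return f"pkg:{purl_type}/{quote(name, safe='')}@{quote(version, safe='')}"

def validate_all(entries) -> dict:
    """Return {entry: purl or error message} for a list of advisory package strings."""
    result = {}
    for entry in entries:
        try:
            result[entry] = to_purl(entry)
        except ValueError as exc:
            result[entry] = f"INVALID: {exc}"
    return result

if __name__ == "__main__":
    # Constructed sample input resembling advisory 'fixed_in' values.
    for entry, out in validate_all(["Firefox 106", "Firefox ESR 102.4",
                                    "Thunderbird 102.5.0", "Firefox"]).items():
        print(f"{entry!r:28} -> {out}")
```

Because the split is from the right, a name such as "Firefox ESR" survives intact while a string with no version token is rejected instead of being silently mis-parsed.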

Advisories check script gives errors with python 3.10 (but works with 3.8)

The python script does not seem to work correctly with Python 3.10 (default on Ubuntu 22.04). There is no error in creating the virtualenv and installing the dependencies, but running check_advisories --all yields parsing errors:

check_advisories --all
Checking all files
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE..
Checked 1253 files. Found 1251 errors.

ERRORS:
  - announce/2011/mfsa2011-02.md: Failed to parse "March 1, 2011" as a date
  - announce/2011/mfsa2011-29.md: Failed to parse "August 16, 2011" as a date
  - announce/2011/mfsa2011-51.md: Failed to parse "November 8, 2011" as a date
...

Looking at the circle-ci script in the repo, it indicates that CI runs with Python 3.8, so I installed an alternate 3.8 version alongside my distro version, reinstalled the dependencies in the virtualenv, and everything works fine now.

I think it would be good to have the script work with other recent versions of Python.

HOF Script won't find some entries

If you file a bug, it's not resolved, but we award it a hof+, we will almost certainly not add it to the hof, because the script doesn't look for "show me when this bug had the hof+ flag added" - it only uses the bug's creation date.

But we should be able to query a bug's change history from bugzilla to do this better...
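An added example of the approach suggested above (not code from the repository): instead of using the bug's creation date, read the bug's change history and take the timestamp of the change that added the hof+ flag. The JSON below is a constructed sample shaped like the response of Bugzilla's REST endpoint GET /rest/bug/<id>/history; the bug id and e-mail addresses are placeholders, and it is an assumption that flag changes appear under the field name "flagtypes.name" with the flag value in "added".

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample modelled on Bugzilla's GET /rest/bug/<id>/history response.
# Assumption: flag changes are logged with field_name "flagtypes.name".
SAMPLE_HISTORY = json.dumps({
    "bugs": [{
        "id": 1234567,                                  # placeholder, not a real bug
        "history": [
            {"when": "2023-01-10T09:15:00Z", "who": "reporter@example.invalid",
             "changes": [{"field_name": "status", "removed": "UNCONFIRMED", "added": "NEW"}]},
            {"when": "2023-02-02T17:40:00Z", "who": "triager@example.invalid",
             "changes": [{"field_name": "flagtypes.name", "removed": "", "added": "hof+"}]},
        ],
    }]
})

def parse_bugzilla_time(when: str) -> datetime:
    """Bugzilla timestamps are UTC ISO-8601 with a trailing 'Z'."""
    return datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_flag_added(history_json: str, flag: str) -> Optional[datetime]:
    """Return the time the given flag (e.g. 'hof+') was first set on the bug, or None."""
    data = json.loads(history_json)
    for bug in data.get("bugs", []):
        # Walk the history oldest-first so the FIRST time the flag was set wins.
        for entry in sorted(bug.get("history", []), key=lambda e: e["when"]):
            for change in entry.get("changes", []):
                if change.get("field_name") != "flagtypes.name":
                    continue
                # Several flags can change in one edit; they are joined with ", ".
                added = [f.strip() for f in change.get("added", "").split(",")]
                if flag in added:
                    return parse_bugzilla_time(entry["when"])
    return None

def hof_award_time(history_json: str, creation_time: datetime) -> datetime:
    """Date to file the HoF entry under: when hof+ was set, else the creation date.

    The fallback keeps today's behaviour for bugs that were never flagged through
    the history (e.g. imported entries); flagged bugs get the flag date instead.
    """
    return find_flag_added(history_json, "hof+") or creation_time

if __name__ == "__main__":
    created = datetime(2023, 1, 10, 9, 15, tzinfo=timezone.utc)
    print("hof+ set at:", find_flag_added(SAMPLE_HISTORY, "hof+"))
    print("file HoF entry under:", hof_award_time(SAMPLE_HISTORY, created))
```

Against the live service the same parser would be fed the body of https://bugzilla.mozilla.org/rest/bug/<id>/history for each bug; for restricted security bugs that request needs an API key with access to the bug, so a script that runs unauthenticated will silently see no history for exactly the bugs it most needs.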

Provide RSS Feed and/or ml announcement

I want to be notified when a new security release is available, but there isn't any way to be notified.

An RSS Feed or a ml announcement could be useful.

Incorrect advisory

CVE-2022-42930:
title: Potential use-after-free in SVG Images
impact: moderate
reporter: Timothy Nikkel
description: |
A potential use-after-free vulnerability existed in SVG Images if the Refresh Driver was destroyed at an inopportune time. This could have led to memory corruption or a potentially exploitable crash.<br />*Note*: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 106.
bugs:
- url: 1786818
CVE-2022-42930:

Both Line 42 and Line 50 refer to the same CVE, CVE-2022-42930.

However the bugzilla points to CVE-2022-46884 as the correct CVE

Migrate Pocket's bug bounty program to Mozilla

Pocket independently operates their own bounty program through HackerOne. Let's get this under Mozilla's program and classify Pocket's web properties.

It's been requested that Pocket's HoF list be maintained somehow throughout this migration.

Link in recent sec advisory has restricted access

The link below (from https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/) goes to a page which requires Google Account authentication and, presumably because I get Access Denied after authenticating with a non-Mozilla account, appropriate access to view it.

Not sure if the permissions need to change, or if it's ok to have a closed link in the sec advisory, but flagging it here for a decision. Thanks very much in advance!

- url: https://bugs.chromium.org/p/chromium/issues/detail?id=1479274

Travis CI free usage ends Dec 3; mozilla repos should switch to other CI platforms

We're opening this issue because your project has used Travis CI within the last 6 months. If you have already migrated off it, you can close and ignore this issue.

Travis CI is ending free builds on public repositories. travis-ci.com stopped providing them in early November, and travis-ci.org will stop after December 31, 2020. To avoid disruptions to your workflows, you must migrate to another CI service.

For production use cases, we recommend switching to CircleCI. This service is already widely used within Mozilla. There is a guide to migrating from Travis CI to CircleCI available here.

For non production use cases, we recommend either CircleCI or Github Actions. There is a guide to migrating from Travis CI to Github Actions available here. Github Actions usage within Mozilla is new, and you will have to work with our github administrators to enable specific actions following this process.

If you have any questions, reach out in #github-admin:mozilla.org on matrix.

CODE_OF_CONDUCT.md file missing

As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:

  1. Required Text - All text under the headings Community Participation Guidelines and How to Report is required and should not be altered.
  2. Optional Text - The Project Specific Etiquette heading provides a space to speak more specifically about ways people can work effectively and inclusively together. Some examples of those can be found on the Firefox Debugger project, and Common Voice. (The optional part is commented out in the raw template file, and will not be visible until you modify and uncomment that part.)

If you have any questions about this file, or Code of Conduct policies and procedures, please see Mozilla-GitHub-Standards or email [email protected].

(Message COC001)

Add an extra syntax check in check_advisories.py

For the 71 release, bedrock failed to parse our yaml files and put them in their database, yet no error was reported by our linter.

I found that we had this syntax in the new files

bugs:
      - url: 1449736, 1533957, 1560667, 1567209, 1580288, 1585760, 1592502
      - desc: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3

While in older releases we had:

bugs:
      - url: 1558522, 1577061, 1548044, 1571223, 1573048, 1578933, 1575217, 1583684, 1586845, 1581950, 1583463, 1586599
        desc: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2

Note the extra dash in front of the desc key.

We should have a check that the desc key should not have a dash in front or something like that.

Improve check_advisories for formatting

We should add some formatting checks otherwise we wind up with issues like #135

  1. <code> is not allowed in title
  2. If a colon is present in title, the title must be in single quotes.
  3. An HTML tag (e.g. <dialog>) must not use a < but rather &lt;

It might be possible to use backticks instead of <code> tags also...
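As an added example (not the repository's check_advisories.py), the following lints implement the checks asked for in the two issues above plus a strict date check for the parsing failure reported under Python 3.10: a line-based check of the bugs: list that flags a desc key starting its own list item, the three title rules, and an explicit-format date parse. The two bugs: fragments are the ones quoted above; the date format "Month D, YYYY" is an assumption taken from the error output, and the check is written without a YAML library so that it runs on the raw text exactly as the linter sees it.

```python
import re
from datetime import datetime
from typing import List, Optional

# Samples copied from the issue above. The first has the stray dash before "desc",
# which YAML reads as a second list item; the second is the intended shape.
BAD_BUGS = """bugs:
      - url: 1449736, 1533957, 1560667, 1567209, 1580288, 1585760, 1592502
      - desc: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
"""
GOOD_BUGS = """bugs:
      - url: 1558522, 1577061, 1548044, 1571223, 1573048, 1578933, 1575217, 1583684, 1586845, 1581950, 1583463, 1586599
        desc: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
"""

ITEM_RE = re.compile(r"^\s*-\s+(\w+):")   # "- key:" starts a new list item
CONT_RE = re.compile(r"^\s+(\w+):")       # "  key:" continues the current item

def check_bugs_block(text: str) -> List[str]:
    """Lint the 'bugs:' list line by line; every item must carry both url and desc."""
    errors: List[str] = []
    items: List[dict] = []
    in_bugs = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if re.match(r"^\s*bugs:\s*$", line):
            in_bugs = True
            continue
        if not in_bugs or not line.strip():
            continue
        if not line[0].isspace():          # back at top level: the list has ended
            in_bugs = False
            continue
        m = ITEM_RE.match(line)
        if m:
            if m.group(1) == "desc":
                errors.append(f"line {lineno}: 'desc' starts a new list item; "
                              "drop the leading dash so it stays with the url above")
            items.append({m.group(1): lineno})
            continue
        m = CONT_RE.match(line)
        if m and items:
            items[-1][m.group(1)] = lineno
    for item in items:
        if "url" in item and "desc" not in item:
            errors.append(f"line {item['url']}: bug entry has a url but no desc")
    return errors

def check_title(title: str) -> List[str]:
    """Apply the three title rules: no <code>, quote when ':' present, escape raw tags."""
    errors: List[str] = []
    if "<code>" in title:
        errors.append("<code> is not allowed in title")
    # "title: Foo: bar" is invalid YAML (a mapping inside a scalar), so a title
    # containing ':' must be written as a single-quoted scalar.
    if ":" in title and not (title.startswith("'") and title.endswith("'")):
        errors.append("title contains ':' and must be wrapped in single quotes")
    # Any other raw tag must be escaped so it is not rendered as HTML.
    stripped = title.replace("<code>", "").replace("</code>", "")
    if re.search(r"</?[A-Za-z]", stripped):
        errors.append("raw '<' in title; write HTML tags with &lt;")
    return errors

def check_date(value: str, fmt: str = "%B %d, %Y") -> Optional[str]:
    """Parse the date with an explicit format (assumed 'Month D, YYYY'); None if OK."""
    try:
        datetime.strptime(value.strip(), fmt)
    except ValueError:
        return f'Failed to parse "{value}" as a date'
    return None

if __name__ == "__main__":
    for label, text in (("bad", BAD_BUGS), ("good", GOOD_BUGS)):
        print(label, check_bugs_block(text))
    print(check_title("Crash in <code>foo</code>"))
    print(check_title("'Spoofing: via &lt;dialog&gt;'"))
    print(check_date("March 1, 2011"), check_date("2011-03-01"))
```

The bugs: check reports the misplaced desc twice from two angles (an item that starts with desc, and an item that has a url but no desc), which keeps the second message useful even when a desc is simply missing rather than mis-indented.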
