On 2020-04-09 16:43:53 +1200 (+1200), Lingxian Kong wrote:
> As most of the projects have migrated to storyboard for bug tracking,

Most have not, actually; at last count it was nearing 50% of OpenStack teams, but I don't have exact numbers handy at the moment.

> after reading https://security.openstack.org/vmt-process.html, I have two questions:
>
> 1. I didn't find openstack/ossa or ossa project exists in storyboard.
Like in Launchpad, you report suspected vulnerabilities to the projects in which you've found them. The VMT isn't using explicit advisory tasks in StoryBoard at the moment, but we're still acting on vulnerabilities reported in StoryBoard for projects with the vulnerability:managed governance tag (at present that's Barbican, Heat, Sahara and Trove). We get automatic access to those, but are also happy to discuss suspected vulnerabilities in other projects as long as you give us access to the story (click the pencil-shaped edit icon next to the story title, then add the "openstack-security" team to the list of "Teams and Users that can see this story" and click the Save button).
> 2. I didn't find a place in storyboard to attach a patch.

There is work underway to add attachments support:
https://review.opendev.org/#/q/topic:story-attachments

Right now you can just paste the patch into a story comment if the story is private (for public stories, patches should go to Gerrit as usual, and use a Task or Story footer in the commit message to refer to a relevant task or story ID number). The comment field supports markdown, so if you indent all the lines of a patch by an additional 4 spaces, it will be displayed as a block of preformatted code. Use the Toggle Preview button so you can make sure it looks the way you expect before committing the comment. I've put an example in storyboard-dev here:
https://storyboard-dev.openstack.org/#!/story/1831449

It can be a bit unwieldy, but it's the best option we've got until proper attachment support is finished.

> Am I missing something?

Hopefully not, but feel free to reach out to OpenStack VMT team members directly by private E-mail (OpenPGP-encrypted to our keys if you feel it's especially sensitive). You can find us listed at https://security.openstack.org/#how-to-report-security-issues-to-openstack along with high-level instructions on reporting vulnerabilities. Some of us also generally attend the OpenStack Security SIG meeting every Thursday at 15:00 UTC in #openstack-meeting and can be found at various times of day in the #openstack-security IRC channel as well.

--
Jeremy Stanley