Thanks, Jeremy, for the instructions. As suggested, I've added the
'openstack-security' team to access the storyboard task and pasted the
code change as a comment.

I am still hoping the process could be documented in the right place in
case someone else is in a similar situation to mine.

-
Best regards,
Lingxian Kong
Catalyst Cloud


On Thu, Apr 9, 2020 at 7:01 PM Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2020-04-09 16:43:53 +1200 (+1200), Lingxian Kong wrote:
> As most of the projects have migrated to storyboard for bug tracking,

Most have not, actually; at last count it was nearing 50% of
OpenStack teams, but I don't have exact numbers handy at the moment.

> after reading https://security.openstack.org/vmt-process.html, I have
> two questions:
>
> 1. I didn't find that an openstack/ossa or ossa project exists in storyboard.

Like in Launchpad, you report suspected vulnerabilities to the
projects in which you've found them. The VMT isn't using explicit
advisory tasks in StoryBoard at the moment, but we're still acting
on vulnerabilities reported in StoryBoard for projects with the
vulnerability:managed governance tag (at present that's Barbican,
Heat, Sahara and Trove). We get automatic access to those, but are
also happy to discuss suspected vulnerabilities in other projects as
long as you give us access to the story (click the pencil-shaped
edit icon next to the story title, then add the "openstack-security"
team to the list of "Teams and Users that can see this story" and
click the Save button).

> 2. I didn't find a place in storyboard to attach a patch.

There is work underway to add attachments support:

https://review.opendev.org/#/q/topic:story-attachments

Right now you can just paste the patch into a story comment if the
story is private (for public stories, patches should go to Gerrit as
usual, and use a Task or Story footer in the commit message to refer
to a relevant task or story ID number). The comment field supports
markdown, so if you indent all the lines of a patch by an additional
4 spaces it will be displayed as a block of preformatted code. Use
the Toggle Preview button so you can make sure it looks the way you
expect before committing the comment. I've put an example in
storyboard-dev here:

https://storyboard-dev.openstack.org/#!/story/1831449

It can be a bit unwieldy, but it's the best option we've got until
proper attachment support is finished.

> Am I missing something?

Hopefully not, but feel free to reach out to OpenStack VMT team
members directly by private E-mail (OpenPGP-encrypted to our keys if
you feel it's especially sensitive). You can find us listed at
https://security.openstack.org/#how-to-report-security-issues-to-openstack
along with high-level instructions on reporting vulnerabilities.
Some of us also generally attend the OpenStack Security SIG meeting
every Thursday at 15:00 UTC in #openstack-meeting and can be found
at various times of day in the #openstack-security IRC channel as
well.
--
Jeremy Stanley
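Added example (not from the thread, and not VMT or StoryBoard tooling): a small Python helper that prepares a patch for a private story comment the way Jeremy describes (four-space indentation so markdown renders a preformatted block) and recovers it again, stripping exactly four spaces so that diff context lines keep their own leading space; it also checks a commit message for the Task:/Story: footer used when a patch goes to Gerrit for a public story. The patch, file names and IDs below are constructed.

```python
import re

# Constructed sample patch (not from the thread). Note the context lines that
# begin with a single space: a careless dedent would corrupt them.
SAMPLE_PATCH = """\
From: Reporter <reporter@example.org>
Subject: [PATCH] Reject oversized input (constructed example)

---
 example/handler.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/example/handler.py b/example/handler.py
--- a/example/handler.py
+++ b/example/handler.py
@@ -1,3 +1,5 @@
 def handle(payload):
+    if len(payload) > 4096:
+        raise ValueError("payload too large")
     return process(payload)
"""

def to_story_comment(patch: str) -> str:
    """Indent every line by four spaces so StoryBoard's markdown renders the
    patch as a preformatted block. Blank lines stay blank, which markdown
    allows inside an indented code block."""
    lines = patch.splitlines()
    return "\n".join(("    " + line) if line else "" for line in lines) + "\n"

def from_story_comment(comment: str) -> str:
    """Recover the patch from the comment body: strip exactly four leading
    spaces, never more, so diff context lines (one leading space) survive."""
    out = []
    for line in comment.splitlines():
        if line.startswith("    "):
            out.append(line[4:])
        elif line == "":
            out.append("")
        else:
            raise ValueError(f"line is not part of the indented block: {line!r}")
    return "\n".join(out) + "\n"

# Footer lines Gerrit/StoryBoard use to link a change to a task or story ID.
FOOTER_RE = re.compile(r"^(Task|Story): ?\d+$", re.MULTILINE)

def has_storyboard_footer(commit_message: str) -> bool:
    """True if the commit message carries a Task: or Story: footer."""
    return FOOTER_RE.search(commit_message) is not None
```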