[StoryBoard][Security] The process to report a security bug
As most of the projects have migrated to storyboard for bug tracking, after reading https://security.openstack.org/vmt-process.html, I have two questions:

1. I didn't find that an openstack/ossa or ossa project exists in storyboard.
2. I didn't find a place in storyboard to attach a patch.

Am I missing something?

-
Best regards,
Lingxian Kong
Catalyst Cloud
On 2020-04-09 16:43:53 +1200 (+1200), Lingxian Kong wrote:
> As most of the projects have migrated to storyboard for bug tracking,
Most have not, actually; at last count it was nearing 50% of OpenStack teams, but I don't have exact numbers handy at the moment.
> after reading https://security.openstack.org/vmt-process.html, I have two questions:
> 1. I didn't find that an openstack/ossa or ossa project exists in storyboard.
Like in Launchpad, you report suspected vulnerabilities to the projects in which you've found them. The VMT isn't using explicit advisory tasks in StoryBoard at the moment, but we're still acting on vulnerabilities reported in StoryBoard for projects with the vulnerability:managed governance tag (at present that's Barbican, Heat, Sahara and Trove). We get automatic access to those, but are also happy to discuss suspected vulnerabilities in other projects as long as you give us access to the story (click the pencil-shaped edit icon next to the story title, then add the "openstack-security" team to the list of "Teams and Users that can see this story" and click the Save button).
> 2. I didn't find a place in storyboard to attach a patch.
There is work underway to add attachments support:

https://review.opendev.org/#/q/topic:story-attachments

Right now you can just paste the patch into a story comment if the story is private (for public stories, patches should go to Gerrit as usual, and use a Task or Story footer in the commit message to refer to a relevant task or story ID number). The comment field supports markdown, so if you indent all the lines of a patch by an additional 4 spaces it will be displayed as a block of preformatted code. Use the Toggle Preview button so you can make sure it looks the way you expect before committing the comment. I've put an example in storyboard-dev here:

https://storyboard-dev.openstack.org/#!/story/1831449

It can be a bit unwieldy, but it's the best option we've got until proper attachment support is finished.
> Am I missing something?
Hopefully not, but feel free to reach out to OpenStack VMT team members directly by private E-mail (OpenPGP-encrypted to our keys if you feel it's especially sensitive). You can find us listed at https://security.openstack.org/#how-to-report-security-issues-to-openstack along with high-level instructions on reporting vulnerabilities. Some of us also generally attend the OpenStack Security SIG meeting every Thursday at 15:00 UTC in #openstack-meeting and can be found at various times of day in the #openstack-security IRC channel as well.

--
Jeremy Stanley
Thanks Jeremy for the instructions. As suggested, I've added the 'openstack-security' team to access the storyboard task and pasted the code change as a comment. I am still hoping the process could be documented in the right place in case someone else is in a similar situation to me.

-
Best regards,
Lingxian Kong
Catalyst Cloud

On Thu, Apr 9, 2020 at 7:01 PM Jeremy Stanley <fungi@yuggoth.org> wrote:
> [...]
On 2020-04-09 21:55:35 +1200 (+1200), Lingxian Kong wrote:
> Thanks Jeremy for the instructions. As suggested, I've added the 'openstack-security' team to access the storyboard task and pasted the code change as a comment.
My pleasure, I'll take a look and follow up there.
> I am still hoping the process could be documented in the right place in case someone else is in a similar situation to me.
> [...]
I'll try to push up a patch today adding more of those details to https://security.openstack.org/#how-to-report-security-issues-to-openstack but if there's anything specific you think needs to be there you can also feel free to propose changes for it. The source is hosted within the openstack/ossa repository in the doc/source/index.rst file.

--
Jeremy Stanley