
Draft: MAIN: Adds Request CVE ID button to issue sidebar

James Johnson requested to merge add_request_cve_issue into master

NOTE: This MR is too large and is being split into three separate MRs:

What does this MR do?

This MR adds a button to the issue sidebar and a corresponding general project setting to allow project maintainers to directly request a CVE ID from GitLab. This is a continuation of the issue Create a form for reporting vulnerabilities that need a CVE number

See the video/slides below for a walkthrough of this MR, as well as some background on the CVE assignment process.

[video] Slides

The button sends the user to the new issue page of gitlab-org/cves. The new issue link sets the issue description, title, and confidential checkbox:

/gitlab-org/cves/-/issues/new?issue[confidential]=true&issue[title]=Vulnerability%20Submission&issue[description]=...

Screenshot: The CVE ID Request icon in the collapsed sidebar

Screenshot: The unexpanded help text in the issue sidebar

Screenshot: The expanded help text in the issue sidebar

Screenshot: The project setting to disable the CVE ID Request button

For a CVE ID Request that was created from a project named root/test_project, the created issue on gitlab-org/cves has the title:

CVE ID Request - root/test_project

Related epic: https://gitlab.com/groups/gitlab-org/-/epics/4200

and the issue description:


**NOTE:** Only maintainers of GitLab-hosted projects may request a CVE for
a vulnerability within their project.

Project issue: root/test_project#21

After a CVE request is validated, a CVE identifier will be assigned. On what
schedule should the details of the CVE be published?

* [ ] Publish immediately
* [ ] Wait to publish

<!--
Please fill out the yaml codeblock below
-->

```yaml
vulnerability:
  description: "TODO" # "[VULNTYPE] in [COMPONENT] in [VENDOR][PRODUCT] [VERSION] allows [ATTACKER] to [IMPACT] via [VECTOR]"
  cwe: "TODO" # "CWE-22" # Path Traversal
  product:
    gitlab_path: "root/test_project"
    vendor: "TODO" # "iTerm2"
    name: "TODO" # "iTerm2"
    affected_versions:
      - "TODO" # "1.2.3"
      - "TODO" # ">1.3.0, <=1.3.9"
    fixed_versions:
      - "TODO" # "1.2.4"
      - "TODO" # "1.3.10"
  impact: "TODO" # "CVSS v3 string" # https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  solution: "TODO" # "Upgrade to version 1.2.4 or 1.3.10"
  credit: "TODO"
  references:
    - "TODO" # "https://some.domain.tld/a/reference"
```

CVSS scores can be computed by means of the [NVD CVSS Calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator).

Requirements

All of the following must be true for the button to be visible:

  • Button is only visible to maintainers
  • Button is only visible on GitLab.com (not self-hosted instances of GitLab)
  • Button is only visible on public projects
  • Button is only visible on confidential issues

Users must be able to disable this button from appearing in the issue sidebar:

  • Add project setting for CVE ID Request button
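The following is an added example, not code from this MR or from GitLab: it builds the gitlab-org/cves "new issue" link described above (target project, the `issue[...]` parameter names and the description template are taken from the MR description) and applies the visibility rules from the Requirements section, including the project setting. The helper names, the `Context` struct and the setting name `cve_id_request_enabled` are assumptions; the issue title follows the `CVE ID Request - <project>` form shown above rather than the `Vulnerability Submission` placeholder in the example link, and the template is abridged with `~~~yaml` in place of the backtick fence so it can sit inside this listing.

```ruby
require 'erb'
require 'uri'

CVE_PROJECT_PATH = 'gitlab-org/cves' # target project from the MR description

# Abridged copy of the description template quoted in the MR; %<path>s and
# %<iid>d are the only substitutions. The MR uses a ```yaml fence; ~~~yaml is
# used here only so the template can live inside this code listing.
DESCRIPTION_TEMPLATE = <<~'MARKDOWN'
  **NOTE:** Only maintainers of GitLab-hosted projects may request a CVE for
  a vulnerability within their project.

  Project issue: %<path>s#%<iid>d

  After a CVE request is validated, a CVE identifier will be assigned. On what
  schedule should the details of the CVE be published?

  * [ ] Publish immediately
  * [ ] Wait to publish

  ~~~yaml
  vulnerability:
    description: "TODO"
    cwe: "TODO"
    product:
      gitlab_path: "%<path>s"
      vendor: "TODO"
      name: "TODO"
      affected_versions:
        - "TODO"
      fixed_versions:
        - "TODO"
    impact: "TODO"
    solution: "TODO"
    credit: "TODO"
    references:
      - "TODO"
  ~~~
MARKDOWN

def cve_request_title(project_path)
  "CVE ID Request - #{project_path}"
end

def cve_request_description(project_path, issue_iid)
  format(DESCRIPTION_TEMPLATE, path: project_path, iid: issue_iid)
end

# ERB::Util.url_encode turns spaces into %20 and "/" into %2F (as in the MR's
# example link) and newlines into %0A, so the multi-line description survives
# the query string. The Rails-style bracketed keys are left unencoded, as in
# the example link.
def cve_request_url(project_path, issue_iid, base_url: 'https://gitlab.com')
  params = {
    'issue[confidential]' => 'true',
    'issue[title]' => cve_request_title(project_path),
    'issue[description]' => cve_request_description(project_path, issue_iid)
  }
  query = params.map { |k, v| "#{k}=#{ERB::Util.url_encode(v)}" }.join('&')
  "#{base_url}/#{CVE_PROJECT_PATH}/-/issues/new?#{query}"
end

# Decode the query back into the attributes the new-issue form receives.
def new_issue_params(url)
  URI.decode_www_form(url.split('?', 2).last).to_h
end

# Assumed shape of what the sidebar knows; cve_id_request_enabled is the
# (hypothetical) project setting that disables the button.
Context = Struct.new(:maintainer, :gitlab_com, :project_public,
                     :issue_confidential, :cve_id_request_enabled,
                     keyword_init: true)

# Requirements from the MR, in the order listed; returns the unmet ones so a
# caller (or test) can see why the button is hidden.
def unmet_requirements(ctx)
  {
    'maintainer' => ctx.maintainer,
    'gitlab_com' => ctx.gitlab_com,
    'public_project' => ctx.project_public,
    'confidential_issue' => ctx.issue_confidential,
    'setting_enabled' => ctx.cve_id_request_enabled
  }.reject { |_, ok| ok }.keys
end

def show_cve_id_request_button?(ctx)
  unmet_requirements(ctx).empty?
end

# Link for the sidebar button, or nil when it must not be shown.
def cve_id_request_link(ctx, project_path, issue_iid)
  return nil unless show_cve_id_request_button?(ctx)
  cve_request_url(project_path, issue_iid)
end

if __FILE__ == $PROGRAM_NAME
  ctx = Context.new(maintainer: true, gitlab_com: true, project_public: true,
                    issue_confidential: true, cve_id_request_enabled: true)
  puts cve_id_request_link(ctx, 'root/test_project', 21)
end
```

Checking `unmet_requirements` rather than a bare boolean keeps each of the four visibility rules and the project setting individually testable, which is what a reviewer would want to see covered before the button ships.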

Update documentation

  • www-gitlab-com - about.gitlab.com/security/cve should be updated to recommend that the CVE ID Request button be used
  • gitlab-org/gitlab/docs - This should only be visible on gitlab-com documentation, not self-hosted versions of GitLab

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Julian Thome
