
Adds CVE ID Request button to issue sidebar - RUN AS-IF-FOSS [RUN ALL RSPEC]

James Johnson requested to merge add_request_cve_issue_vue into master

What does this MR do?

This MR adds the CVE ID Request button in the issue sidebar. This feature uses the cve_id_request_button feature flag.

This MR is the UI portion of Draft: Adds Request CVE ID button to issue sidebar, which was broken into separate merge requests.

For an overview of what purpose the button serves, please see the video below, or read the high-level bullet points below the video:

[Video and Slides links]

  • CVE identifiers track specific vulnerabilities in specific version ranges of a project
  • GitLab participates in MITRE's CNA program and is able to issue CVE identifiers to projects that are:
    • public
    • hosted on GitLab.com
  • Prior to this feature, users needed to manually create an issue to start the CVE request process
  • The CVE ID Request button allows project maintainers to directly create the CVE ID Request issue from an existing, confidential issue's sidebar

The CVE ID Request button is only available:

  • when the project is public
  • when the project is hosted on GitLab.com
  • when the current user is a maintainer
  • when the current issue is a confidential issue

Local Setup

  • Enable the feature flag :cve_id_request_button
  • Create a public project at gitlab-org/cves (this is the target of the CVE ID request button)
  • To see the button locally:
    • As a user with the Maintainer role or higher
    • In a public project
    • Create a confidential issue

Usage / Screenshots

The button sends the user to the new issue page of gitlab-org/cves. The new issue link sets the issue description, title, and confidential checkbox:

/gitlab-org/cves/-/issues/new?issue[confidential]=true&issue[title]=Vulnerability%20Submission&issue[description]=...

[Screenshot] The CVE ID Request icon in the collapsed sidebar

[Screenshot] The unexpanded help text in the issue sidebar

[Screenshot] The expanded help text in the issue sidebar

[Screenshot] The project setting to disable the CVE ID Request button

For a CVE ID Request that was created from a project named root/test_project, the created issue on gitlab-org/cves has the title:

CVE ID Request - root/test_project

and the issue description:


**NOTE:** Only maintainers of GitLab-hosted projects may request a CVE for
a vulnerability within their project.

Project issue: root/test_project#21

After a CVE request is validated, a CVE identifier will be assigned. On what
schedule should the details of the CVE be published?

* [ ] Publish immediately
* [ ] Wait to publish

<!--
Please fill out the yaml codeblock below
-->

```yaml
vulnerability:
  description: "TODO" # "[VULNTYPE] in [COMPONENT] in [VENDOR][PRODUCT] [VERSION] allows [ATTACKER] to [IMPACT] via [VECTOR]"
  cwe: "TODO" # "CWE-22" # Path Traversal
  product:
    gitlab_path: "root/test_project"
    vendor: "TODO" # "iTerm2"
    name: "TODO" # "iTerm2"
    affected_versions:
      - "TODO" # "1.2.3"
      - "TODO" # ">1.3.0, <=1.3.9"
    fixed_versions:
      - "TODO" # "1.2.4"
      - "TODO" # "1.3.10"
  impact: "TODO" # "CVSS v3 string" # https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  solution: "TODO" # "Upgrade to version 1.2.4 or 1.3.10"
  credit: "TODO"
  references:
    - "TODO" # "https://some.domain.tld/a/reference"
```

CVSS scores can be computed by means of the [NVD CVSS Calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator).

Requirements

All of the following must be true for the button to be visible:

  • The current user is a maintainer of the project
  • The instance is GitLab.com (the button is not shown on self-hosted instances of GitLab)
  • The project is public
  • The issue is confidential

Users must be able to disable this button from appearing in the issue sidebar:

  • Add project setting for CVE ID Request button
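The following is an added example, not code from this MR or from GitLab: it builds the `gitlab-org/cves` new-issue link shown in the Usage section (with `issue[confidential]`, `issue[title]` and `issue[description]` pre-filled from the title and description template above) and applies the visibility gate listed under Requirements, including the `cve_id_request_enabled` project setting added by the migration. The function names, the `ctx` field names and the `sampleContext` values are this example's own assumptions; the YAML part of the description is abbreviated to one entry per list, and the title follows the "CVE ID Request - root/test_project" form the MR says the created issue gets.

```javascript
// Added example (not GitLab's code): new-issue link for the CVE ID Request
// button plus the visibility gate the MR describes. Function and field names
// are assumptions made for this example.

const CVE_ISSUES_NEW_PATH = '/gitlab-org/cves/-/issues/new';

// Visibility gate from the MR: GitLab.com only, public project, maintainer,
// confidential issue, and the project setting (cve_id_request_enabled,
// which the migration defaults to true) not switched off.
function canShowCveRequestButton(ctx) {
  return Boolean(
    ctx.isGitlabCom &&
      ctx.projectIsPublic &&
      ctx.userIsMaintainer &&
      ctx.issueIsConfidential &&
      ctx.cveIdRequestEnabled,
  );
}

// Issue body pre-filled by the link; mirrors the MR's sample description with
// gitlab_path and the project issue reference filled in (YAML abbreviated).
function buildCveRequestDescription(projectPath, issueIid) {
  return `**NOTE:** Only maintainers of GitLab-hosted projects may request a CVE for
a vulnerability within their project.

Project issue: ${projectPath}#${issueIid}

After a CVE request is validated, a CVE identifier will be assigned. On what
schedule should the details of the CVE be published?

* [ ] Publish immediately
* [ ] Wait to publish

<!--
Please fill out the yaml codeblock below
-->

\`\`\`yaml
vulnerability:
  description: "TODO" # "[VULNTYPE] in [COMPONENT] in [VENDOR][PRODUCT] [VERSION] allows [ATTACKER] to [IMPACT] via [VECTOR]"
  cwe: "TODO" # "CWE-22" # Path Traversal
  product:
    gitlab_path: "${projectPath}"
    vendor: "TODO"
    name: "TODO"
    affected_versions:
      - "TODO" # "1.2.3"
    fixed_versions:
      - "TODO" # "1.2.4"
  impact: "TODO" # "CVSS v3 string"
  solution: "TODO" # "Upgrade to version 1.2.4"
  credit: "TODO"
  references:
    - "TODO" # "https://some.domain.tld/a/reference"
\`\`\`
`;
}

// Query string the button points at. URLSearchParams percent-encodes the
// '#', '?' and newlines in the description so they cannot break the link.
function buildCveRequestUrl(projectPath, issueIid) {
  const params = new URLSearchParams();
  params.set('issue[confidential]', 'true');
  params.set('issue[title]', `CVE ID Request - ${projectPath}`);
  params.set('issue[description]', buildCveRequestDescription(projectPath, issueIid));
  return `${CVE_ISSUES_NEW_PATH}?${params.toString()}`;
}

// Decode a generated link back into its parts, to check that the project
// path and the issue reference survive URL encoding intact.
function parseCveRequestUrl(url) {
  const [path, query = ''] = url.split('?');
  const params = new URLSearchParams(query);
  return {
    path,
    confidential: params.get('issue[confidential]') === 'true',
    title: params.get('issue[title]'),
    description: params.get('issue[description]'),
  };
}

// Constructed sample context matching the MR walkthrough (root/test_project#21).
const sampleContext = {
  isGitlabCom: true,
  projectIsPublic: true,
  userIsMaintainer: true,
  issueIsConfidential: true,
  cveIdRequestEnabled: true,
};

if (canShowCveRequestButton(sampleContext)) {
  console.log(buildCveRequestUrl('root/test_project', 21));
}
```

The gate is deliberately a conjunction of all five conditions: a project that has turned the setting off, or a non-confidential issue, yields no button at all rather than a link that would create a request issue in `gitlab-org/cves` for details that were never meant to be private.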

Does this MR meet the acceptance criteria?

Conformity

Database Migration Output

 lptp [ gitlab ]: bundle exec rake db:migrate:up VERSION=20200816133024 RAILS_ENV=development
== 20200816133024 AddCveIdRequestProjectSetting: migrating ====================
-- add_column(:project_settings, :cve_id_request_enabled, :boolean, {:default=>true, :null=>false})
   -> 0.0010s
== 20200816133024 AddCveIdRequestProjectSetting: migrated (0.0010s) ===========

 lptp [ gitlab ]: bundle exec rake db:migrate:down VERSION=20200816133024 RAILS_ENV=development
== 20200816133024 AddCveIdRequestProjectSetting: reverting ====================
-- remove_column(:project_settings, :cve_id_request_enabled)
   -> 0.0009s
== 20200816133024 AddCveIdRequestProjectSetting: reverted (0.0009s) ===========

Availability and Testing

Edited by Mayra Cabrera
