Draft: MAIN: Adds Request CVE ID button to issue sidebar
⚠️ NOTE: This MR is too large and is being split into three separate MRs:
- Documentation - Adds documentation for CVE ID Request button
- UI (Issue sidebar button, project settings, Database column) - Adds CVE ID Request button to issue sidebar
- API changes
What does this MR do?
This MR adds a button to the issue sidebar and a corresponding general project setting to allow project maintainers to directly request a CVE ID from GitLab. This is a continuation of the issue "Create a form for reporting vulnerabilities that need a CVE number".
See the video/slides below for a walkthrough of this MR, as well as some background on the CVE assignment process.
The button sends the user to the new issue page of gitlab-org/cves. The new issue link sets the issue description, title, and confidential checkbox:
/gitlab-org/cves/-/issues/new?issue[confidential]=true&issue[title]=Vulnerability%20Submission&issue[description]=...
Screenshots in the original MR (images not reproduced here):
- The CVE ID Request icon in the collapsed sidebar
- The unexpanded help text in the issue sidebar
- The expanded help text in the issue sidebar
- The project setting to disable the CVE ID Request button
For a CVE ID Request that was created from a project named root/test_project, the created issue on gitlab-org/cves has the title:
CVE ID Request - root/test_project
Related epic: https://gitlab.com/groups/gitlab-org/-/epics/4200
and the issue description:
**NOTE:** Only maintainers of GitLab-hosted projects may request a CVE for
a vulnerability within their project.
Project issue: root/test_project#21
After a CVE request is validated, a CVE identifier will be assigned. On what
schedule should the details of the CVE be published?
* [ ] Publish immediately
* [ ] Wait to publish
<!--
Please fill out the yaml codeblock below
-->
```yaml
vulnerability:
  description: "TODO" # "[VULNTYPE] in [COMPONENT] in [VENDOR][PRODUCT] [VERSION] allows [ATTACKER] to [IMPACT] via [VECTOR]"
  cwe: "TODO" # "CWE-22" # Path Traversal
  product:
    gitlab_path: "root/test_project"
    vendor: "TODO" # "iTerm2"
    name: "TODO" # "iTerm2"
  affected_versions:
    - "TODO" # "1.2.3"
    - "TODO" # ">1.3.0, <=1.3.9"
  fixed_versions:
    - "TODO" # "1.2.4"
    - "TODO" # "1.3.10"
  impact: "TODO" # "CVSS v3 string" # https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  solution: "TODO" # "Upgrade to version 1.2.4 or 1.3.10"
  credit: "TODO"
  references:
    - "TODO" # "https://some.domain.tld/a/reference"
```
CVSS scores can be computed by means of the [NVD CVSS Calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator).
Requirements
All of the following must be true for the button to be visible:
- Button is only visible to maintainers
- Button is only visible on GitLab.com (not self-hosted instances of GitLab)
- Button is only visible on public projects
- Button is only visible on confidential issues
Users must be able to disable this button from appearing in the issue sidebar:
- Add project setting for CVE ID Request button
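The visibility rules and the pre-filled new-issue link described above, as an added Ruby example that is not the MR's own code: the Issue and Project structs, the maintainer and GitLab.com flags, and the function names are assumptions standing in for the real models and policies, and the description is abbreviated to the first lines of the template.

```ruby
require 'erb'

# Constructed stand-ins for the issue and project records the feature reads
# (hypothetical structs, not GitLab's ActiveRecord models).
Issue = Struct.new(:iid, :confidential, keyword_init: true)
Project = Struct.new(:path, :public_visibility, :cve_id_request_enabled, keyword_init: true)

CVES_NEW_ISSUE_PATH = '/gitlab-org/cves/-/issues/new'.freeze

# Every requirement must hold: maintainer, GitLab.com, public project,
# confidential issue, and the project setting left enabled.
def cve_request_button_visible?(issue:, project:, user_is_maintainer:, gitlab_com:)
  user_is_maintainer &&
    gitlab_com &&
    project.public_visibility &&
    issue.confidential &&
    project.cve_id_request_enabled
end

def cve_request_title(project)
  "CVE ID Request - #{project.path}"
end

# Opening of the generated description; the real template continues with the
# publication schedule checkboxes and the yaml block shown above.
def cve_request_description(issue, project)
  <<~DESC
    **NOTE:** Only maintainers of GitLab-hosted projects may request a CVE for
    a vulnerability within their project.

    Project issue: #{project.path}##{issue.iid}
  DESC
end

# Builds the gitlab-org/cves new-issue link with the confidential checkbox,
# title and description pre-set. Keys are fixed literals; only values are
# percent-encoded (spaces become %20, as in the link in the MR).
def cve_request_new_issue_url(issue, project)
  params = {
    'issue[confidential]' => 'true',
    'issue[title]' => cve_request_title(project),
    'issue[description]' => cve_request_description(issue, project)
  }
  query = params.map { |k, v| "#{k}=#{ERB::Util.url_encode(v)}" }.join('&')
  "#{CVES_NEW_ISSUE_PATH}?#{query}"
end
```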
Update documentation
- www-gitlab-com - about.gitlab.com/security/cve should be updated to recommend that the CVE ID Request button be used
- gitlab-org/gitlab/docs - This should only be visible on gitlab-com documentation, not self-hosted versions of GitLab
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team