Jenkins CVE Numbering Authority

Daniel Beck

May 31, 2018, 5:25:43 PM
to Jenkins Developers
Hi everyone,

I propose that the Jenkins project becomes a CVE Numbering Authority, so we can assign our own CVE IDs to vulnerabilities in Jenkins and plugins.

Details here:
https://github.com/jenkinsci/jep/pull/115

Please provide feedback about this proposal here.

Thanks!
Daniel

Oleg Nenashev

Jun 1, 2018, 3:40:22 AM
to Jenkins Developers
Hi Daniel,

Thanks for doing it! IMHO it is really important to get it implemented, because it will increase trust in the organization and help companies running security scans to ensure their Jenkins instances are fine. +1 for accepting the current JEP proposal as a draft.

Some comments:

To be able to submit data to CVE, every individual involved in providing that data (...) will need to agree to the MITRE CVE Terms of service (https://cve.mitre.org/about/termsofuse.html)

Sounds totally reasonable. Nothing really changes, because somebody grants MITRE the same license in the current submission process IIUC.

How many people from Security Team do you expect to pass through this process? The entire team?

How do you expect it to happen? The Jenkins project does not have a legal entity, so we may have a problem with signing these docs.

To start this process, an individual associated with the Jenkins project will need to become a CVE mentor.

IIUC it implies "the Jenkins Security Officer will need to become a CVE mentor". Maybe it makes sense to make it explicit.


It would also make sense to explicitly mention how it would map to the current security process:
  • Will CVEs be requested before or after the Security release?
  • Will "have CVE assigned and staged" be mandatory for a security release/advisory to be published?
    • It may be critical for security scanning tools
  • What would be the process for disputing CVEs if needed?
    • IIUC the Jenkins project will be responsible for that once we become a CVE Numbering Authority
    • If I am right, we may need to add a section to https://jenkins.io/security/
Best regards,
Oleg

Daniel Beck

Jun 1, 2018, 9:33:38 AM
to jenkin...@googlegroups.com

> On 1. Jun 2018, at 09:40, Oleg Nenashev <o.v.ne...@gmail.com> wrote:
>
> Thanks for doing it! IMHO it is really important to get it implemented, because it will increase trust in the organization and help companies running security scans to ensure their Jenkins instances are fine. +1 for accepting the current JEP proposal as a draft.

Thanks!

> Some comments:
>
>> To be able to submit data to CVE, every individual involved in providing that data (...) will need to agree to the MITRE CVE Terms of service (https://cve.mitre.org/about/termsofuse.html)
>
> Sounds totally reasonable. Nothing really changes, because somebody grants MITRE the same license in the current submission process IIUC.

Yes, I've previously agreed to the ToS, and need to reaffirm this with every CVE request submission.

> How many people from Security Team do you expect to pass through this process? The entire team?

For the start we can probably make do with me. Ideally at least one other for backup, volunteers welcome :-)

The CNA wouldn't straight fail without a mentor though, as CVE assignment (from the Jenkins CNA block) would move up the chain of CNAs -- but it wouldn't be ideal.

>> • As a CNA operating under the DWF project, the Jenkins project will need to agree to the http://contributor-covenant.org/version
>> • The Jenkins project will need to agree to the MITRE CNA rules (http://cve.mitre.org/cve/cna/rules.html), which outline the rules and processes the Jenkins project will need to follow and implement
> How do you expect it to happen? The Jenkins project does not have a legal entity, so we may have a problem with signing these docs.

I doubt a legal entity is necessary here. Probably good enough for the board to agree on behalf of the Jenkins project.

According to Kurt who leads the DWF, the split between CNA and mentor responsibilities in the DWF is designed to allow small projects to participate without needing a dedicated mentor. Needing a legal entity would probably make this approach useless.

>> To start this process, an individual associated with the Jenkins project will need to become a CVE mentor.
>
> IIUC it implies "the Jenkins Security Officer will need to become a CVE mentor". Maybe it makes sense to make it explicit.

Basically this, yes. Could be anyone though. While I'm not yet a CVE mentor, I've decided to be unspecific here.

> It would also make sense to explicitly mention how it would map to the current security process:
> • Will CVEs be requested before or after the Security release?

If we are a CNA, we just assign them (before publication, probably as part of the staging process -- as CVEs are assigned to vulnerabilities that are, or will be made, public). The purpose of this is to get rid of the requests involving someone else.

> • Will "have CVE assigned and staged" be mandatory for a security release/advisory to be published?
> • It may be critical for security scanning tools

Well, we'll just assign CVEs from our block before publication, and done.

> • What would be the process for disputing CVEs if needed?
> • IIUC the Jenkins project will be responsible for that once we become a CVE Numbering Authority
> • If I am right, we may need to add a section to https://jenkins.io/security/

We'll need to provide contact information for other CNAs, as I outline in the infrastructure section. That said, AFAIUI, once we're a CNA, other CNAs will no longer assign CVEs for Jenkins, unless we really mess this up. So not sure how much need for disputing there is going to be.

R. Tyler Croy

Jun 1, 2018, 10:14:44 AM
to jenkin...@googlegroups.com
This looks great to me, glad we're finally going to tackle this :)

Daniel Beck

Jun 12, 2018, 4:00:41 PM
to jenkin...@googlegroups.com
As per JEP-1 I am seeking to have the current JEP draft accepted:
https://github.com/jenkinsci/jep/pull/122
