Jenkins CVE Numbering Authority


Jenkins CVE Numbering Authority

Daniel Beck
Hi everyone,

I propose that the Jenkins project becomes a CVE Numbering Authority, so we can assign our own CVE IDs to vulnerabilities in Jenkins and plugins.

Details here:
https://github.com/jenkinsci/jep/pull/115

Please provide feedback about this proposal here.

Thanks!
Daniel

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/BF9B25DF-9013-4820-9025-FDF7EB815878%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.

Re: Jenkins CVE Numbering Authority

Oleg Nenashev
Hi Daniel,

Thanks for doing it! IMHO it is really important to get it implemented, because it will increase trust in the organization and help companies running security scans to ensure their Jenkins instances are fine. +1 for accepting the current JEP proposal as a draft.

Some comments:

To be able to submit data to CVE, every individual involved in providing that data (...) will need to agree to the https://cve.mitre.org/about/termsofuse.html[MITRE CVE Terms of service]

Sounds totally reasonable. Nothing really changes, because somebody grants MITRE the same license in the current submission process IIUC.

How many people from Security Team do you expect to pass through this process? The entire team?

  • As a CNA operating under the DWF project, the Jenkins project will need to agree to the http://contributor-covenant.org/version
  • The Jenkins project will need to agree to the http://cve.mitre.org/cve/cna/rules.html[MITRE CNA rules] that outlines the rules and processes the Jenkins project will need to follow and implement
How do you expect it to happen? Jenkins project does not have a legal entity, so we may have a problem with signing these docs.

To start this process, an individual associated with the Jenkins project will need to become a CVE mentor.

IIUC it implies "Jenkins Security Officer will need to become a CVE mentor". Maybe it makes sense to make it explicit.


It would also make sense to explicitly mention how it would map the current security process:
  • Will CVEs be requested before or after the Security release?
  • Will "have CVE assigned and staged" be mandatory for a security release/advisory to be published?
    • It may be critical for security scanning tools
  • What would be the process for disputing CVEs if needed?
    • IIUC Jenkins project will be responsible for that once we become a CVE Numbering Authority
    • If I am right, we may need to add a section to https://jenkins.io/security/
Best regards,
Oleg

On Thursday, May 31, 2018 at 11:25:43 PM UTC+2, Daniel Beck wrote:
Hi everyone,

I propose that the Jenkins project becomes a CVE Numbering Authority, so we can assign our own CVE IDs to vulnerabilities in Jenkins and plugins.

Details here:
https://github.com/jenkinsci/jep/pull/115

Please provide feedback about this proposal here.

Thanks!
Daniel


Re: Jenkins CVE Numbering Authority

Daniel Beck

> On 1. Jun 2018, at 09:40, Oleg Nenashev <[hidden email]> wrote:
>
> Thanks for doing it! IMHO it is really important to get it implemented, because it will increase trust in the organization and help companies running security scans to ensure their Jenkins instances are fine. +1 for accepting the current JEP proposal as a draft.

Thanks!

> Some comments:
>
>> To be able to submit data to CVE, every individual involved in providing that data (...) will need to agree to the https://cve.mitre.org/about/termsofuse.html[MITRE CVE Terms of service]
>
> Sounds totally reasonable. Nothing really changes, because somebody grants MITRE the same license in the current submission process IIUC.

Yes, I've previously agreed to the ToS, and need to reaffirm this with every CVE request submission.

> How many people from Security Team do you expect to pass through this process? The entire team?

For the start we can probably make do with me. Ideally at least one other for backup, volunteers welcome :-)

The CNA wouldn't straight fail without a mentor though, as CVE assignment (from the Jenkins CNA block) would move up the chain of CNAs -- but it wouldn't be ideal.

>> • As a CNA operating under the DWF project, the Jenkins project will need to agree to the http://contributor-covenant.org/version
>> • The Jenkins project will need to agree to the http://cve.mitre.org/cve/cna/rules.html[MITRE CNA rules] that outlines the rules and processes the Jenkins project will need to follow and implement
> How do you expect it to happen? Jenkins project does not have a legal entity, so we may have a problem with signing these docs.

I doubt a legal entity is necessary here. Probably good enough for the board to agree on behalf of the Jenkins project.

According to Kurt who leads the DWF, the split between CNA and mentor responsibilities in the DWF is designed to allow small projects to participate without needing a dedicated mentor. Needing a legal entity would probably make this approach useless.

>> To start this process, an individual associated with the Jenkins project will need to become a CVE mentor.
>
> IIUC it implies "Jenkins Security Officer will need to become a CVE mentor". Maybe it makes sense to make it explicit.

Basically this, yes. Could be anyone though. While I'm not yet a CVE mentor, I've decided to be unspecific here.

> It would also make sense to explicitly mention how it would map the current security process:
> • Will CVEs be requested before or after the Security release?

If we are a CNA, we just assign them (before publication, probably as part of the staging process -- as CVEs are assigned to vulnerabilities that are, or will be made, public). The purpose of this is to get rid of the requests involving someone else.

> • Will "have CVE assigned and staged" be mandatory for a security release/advisory to be published?
> • It may be critical for security scanning tools

Well, we'll just assign CVEs from our block before publication, and done.

> • What would be the process for disputing CVEs if needed?
> • IIUC Jenkins project will be responsible for that once we become a CVE Numbering Authority
> • If I am right, we may need to add a section to https://jenkins.io/security/

We'll need to provide contact information for other CNAs, as I outline in the infrastructure section. That said, AFAIUI, once we're a CNA, other CNAs will no longer assign CVEs for Jenkins, unless we really mess this up. So not sure how much need for disputing there is going to be.


Re: Jenkins CVE Numbering Authority

R. Tyler Croy
This looks great to me, glad we're finally going to tackle this :)

On Thu, 31 May 2018, Daniel Beck wrote:

> Hi everyone,
>
> I propose that the Jenkins project becomes a CVE Numbering Authority, so we can assign our own CVE IDs to vulnerabilities in Jenkins and plugins.
>
> Details here:
> https://github.com/jenkinsci/jep/pull/115
>
> Please provide feedback about this proposal here.
>
> Thanks!
> Daniel
>

Re: Jenkins CVE Numbering Authority

Daniel Beck

> On 31. May 2018, at 23:25, Daniel Beck <[hidden email]> wrote:
>
> I propose that the Jenkins project becomes a CVE Numbering Authority, so we can assign our own CVE IDs to vulnerabilities in Jenkins and plugins.
>
> Details here:
> https://github.com/jenkinsci/jep/pull/115
>
> Please provide feedback about this proposal here.
>

As per JEP-1 I am seeking to have the current JEP draft accepted:
https://github.com/jenkinsci/jep/pull/122
