
List #Security subprojects (e.g. Vuln-*) in Phabricator project description
Closed, Declined · Public

Description

I just [[T109331#1558739|learnt]] that Phabricator is flooded with 11 (!) additional tags named Vuln-Something, which are only mentioned in https://www.mediawiki.org/wiki/Phabricator/Projects

I have no idea what the use of such tags is, but for sure they should be listed as subprojects of the main Security project, together with all the other subprojects. There is little gain in tracking security issues if they can't be found. https://phabricator.wikimedia.org/project/profile/30/

Event Timeline

Nemo_bis created this task. Aug 23 2015, 7:26 AM
Nemo_bis raised the priority of this task from to Needs Triage.
Nemo_bis updated the task description.
Nemo_bis added a subscriber: Nemo_bis.
Restricted Application added subscribers: scfc, Aklapper. Aug 23 2015, 7:26 AM

See T1390, T104388, T109345 for the history of Vuln-* tags.
See T95486 and T78221 for further Security related projects, plus the ones we took over from Bugzilla times (Security-Core, Security-Extensions, Security-General, Security-Other).

Aklapper renamed this task from List #Security subprojects to List #Security subprojects (e.g. Vuln-*) in Phabricator project description. Aug 23 2015, 6:11 PM
Aklapper triaged this task as Low priority.
Aklapper set Security to None.

Added

> A classification of Security bugs is applied via numerous Vuln-* tags.

to the Security-Team description. Is that sufficient?

Security should probably be an acl* project in Phab instead. :-/

The link is helpful, but it still doesn't explain in what cases such tags should be added. The parent project should also be linked by the subprojects, so that the explanation is accessible from those too.

Aklapper lowered the priority of this task from Low to Lowest. Feb 9 2016, 9:50 AM

> The link is helpful, but it still doesn't explain in what cases such tags should be added.

That part I'd leave to the Security team to clarify.

> The parent project should also be linked by the subprojects

Subprojects are available and we can mark them as such, but I'm not sure that is wanted.

Restricted Application added a subscriber: Luke081515. Feb 9 2016, 9:50 AM

> The link is helpful, but it still doesn't explain in what cases such tags should be added.

> That part I'd leave to the Security team to clarify.

I've specified that they correspond to the OWASP top-10 (+DoS). If you want more clarification documented there, I can summarize each vulnerability class there as well.

Restricted Application added a subscriber: TerraCodes. Jul 2 2016, 7:55 PM
dpatrick closed this task as Resolved. Jul 7 2016, 7:27 PM
dpatrick claimed this task.
Danny_B edited projects, added Project-Admins; removed Phabricator. Jul 12 2016, 1:29 PM
Danny_B added a subscriber: Danny_B. Aug 4 2016, 9:22 PM

@dpatrick How is it solved, please? Where is the list published? Thank you.

> @dpatrick How is it solved, please? Where is the list published? Thank you.

https://phabricator.wikimedia.org/project/profile/1179/

> @dpatrick How is it solved, please? Where is the list published? Thank you.

> https://phabricator.wikimedia.org/project/profile/1179/

There is no list there. There is a link to an external site and a link to a search result.
I am looking for something like https://phabricator.wikimedia.org/project/profile/483/ (and I believe it was @Nemo_bis's intention as well).

If the OWASP list is considered clear enough, there's nothing wrong with just linking the list of Vuln-* projects.

However, the parent project should really explain e.g. the differences between Security-Core, Security-General, Security-Other.

Danny_B reopened this task as Open. Aug 5 2016, 10:26 AM

> If the OWASP list is considered clear enough, there's nothing wrong with just linking the list of Vuln-* projects.

...except for the dependency on an external site and forcing users to open a new tab/window to see the definitions. Also the tag names do not match the names on the list, so one has to spend some time matching them.

> However, the parent project should really explain e.g. the differences between Security-Core, Security-General, Security-Other.

T136594: Clarify distinction between #security-general and #security-other -> T109328: Undefined #Security-General and #Security-Other

> I've specified that they correspond to the OWASP top-10 (+DoS). If you want more clarification documented there, I can summarize each vulnerability class there as well.

Please. Cf. https://phabricator.wikimedia.org/project/profile/483/ mentioned earlier. Thank you.

Aklapper removed dpatrick as the assignee of this task. Aug 5 2016, 11:56 AM
Aklapper added a subscriber: dpatrick.

Maybe make a general Vulnerabilities project and have infoleak, etc. as subprojects of them. And also have Security and Security-Extensions, etc. subprojects/milestones for them as well.

A security issue could be of more than one type of vulnerability hence no subprojects please.

Right. But what about the other security-xxx tags? Regards.

> Right. But what about the other security-xxx tags?

That sounds like a comment for T109328 instead.

Aklapper closed this task as Declined. (Edited) Jun 19 2017, 6:22 PM

Currently the (external) classification is linked, as is a query to get a list of all existing vuln* tags, and it is stated that they "should be applied to tasks that fall into those classifications." Furthermore, each tag offers a project description of its meaning.

Copying and listing every single vuln* tag description into the project description of Security-Team creates yet another separate place to manually update every time a tag description is updated or a new tag is created (if the updating person is aware of it). This duplication creates the likelihood of outdated information for rather little gain.
Hence I don't consider it feasible to list all vuln* tags in the project description of Security-Team and I am declining this task.

sbassett moved this task from Backlog to Done on the Security-Team board. Jun 11 2019, 7:13 PM