Page MenuHomePhabricator
Create Task
Maniphest T109968

List #Security subprojects (e.g. Vuln-*) in Phabricator project description
Closed, DeclinedPublic
Actions

Description

I just [[T109331#1558739|learnt]] that phabricator is flooded with 11 (!) additional tags named Vuln-Something, which are only mentioned in https://www.mediawiki.org/wiki/Phabricator/Projects

I have no idea what's the use of such tags, but for sure they should be listed as subprojects of the main Security project, together with all the other subprojects. There is little gain in tracking security issues if they can't be found. https://phabricator.wikimedia.org/project/profile/30/

Related Objects

Event Timeline

Nemo_bis created this task.Aug 23 2015, 7:26 AM
Nemo_bis raised the priority of this task from to Needs Triage.
Nemo_bis updated the task description. (Show Details)
Nemo_bis added projects: Phabricator, Security-Team.
Nemo_bis added a subscriber: Nemo_bis.
Restricted Application added subscribers: scfc, Aklapper. · View Herald TranscriptAug 23 2015, 7:26 AM
Aklapper added a comment.Aug 23 2015, 6:10 PM

See T1390, T104388, T109345 for the history of Vuln-* tags.
See T95486 and T78221 for further Security related projects, plus the ones we took over from Bugzilla times (Security-Core, Security-Extensions, Security-General, Security-Other).

Aklapper renamed this task from List #Security subprojects to List #Security subprojects (e.g. Vuln-*) in Phabricator project description.Aug 23 2015, 6:11 PM
Aklapper triaged this task as Low priority.
Aklapper set Security to None.
Aklapper added a comment.Sep 15 2015, 10:17 AM

Added

A classification of Security bugs is applied via numerous Vuln-* tags.

to Security-Team description. Is that sufficient?

Security should probably be a acl* project in Phab instead. :-/

Nemo_bis added a comment.Sep 18 2015, 7:41 AM

The link is helpful, but it still doesn't explain in what cases such tags should be added. The parent project should also be linked by the subprojects, so that the explanation is accessible from those too.

Aklapper lowered the priority of this task from Low to Lowest.Feb 9 2016, 9:50 AM
In T109968#1652569, @Nemo_bis wrote:

The link is helpful, but it still doesn't explain in what cases such tags should be added.

That part I'd leave to the Security team to clarify.

The parent project should also be linked by the subprojects

As subprojects are available and we can mark them as such but I'm not sure that is wanted.

Restricted Application added a subscriber: Luke081515. · View Herald TranscriptFeb 9 2016, 9:50 AM
csteipp added a subscriber: csteipp.Mar 10 2016, 12:14 AM
In T109968#2010922, @Aklapper wrote:
In T109968#1652569, @Nemo_bis wrote:

The link is helpful, but it still doesn't explain in what cases such tags should be added.

That part I'd leave to the Security team to clarify.

I've specified that they correspond to the OWASP top-10 (+DoS). If you want more clarification documented there, I can summarize each vulnerability class there as well.

Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptJul 2 2016, 7:55 PM
dpatrick closed this task as Resolved.Jul 7 2016, 7:27 PM
dpatrick claimed this task.
Danny_B edited projects, added Project-Admins; removed Phabricator.Jul 12 2016, 1:29 PM
Danny_B added a subscriber: Danny_B.Aug 4 2016, 9:22 PM

@dpatrick How is it solved, please? Where is the list published? Thank you.

Danny_B moved this task from Incoming to Projects to change / set on the Project-Admins board.Aug 4 2016, 9:23 PM
Peachey88 added a subscriber: Peachey88.Aug 5 2016, 7:59 AM
In T109968#2524168, @Danny_B wrote:

@dpatrick How is it solved, please? Where is the list published? Thank you.

https://phabricator.wikimedia.org/project/profile/1179/

Danny_B added a comment.Aug 5 2016, 9:56 AM
In T109968#2526040, @Peachey88 wrote:
In T109968#2524168, @Danny_B wrote:

@dpatrick How is it solved, please? Where is the list published? Thank you.

https://phabricator.wikimedia.org/project/profile/1179/

There is no list there. There is link to external site and link to search result.
I am looking for something like https://phabricator.wikimedia.org/project/profile/483/ (and I believe it was @Nemo_bis's intention as well).

Nemo_bis added a comment.Aug 5 2016, 10:07 AM

If the OWASP list is considered clear enough, there's nothing wrong with just linking the list of Vuln-* projects.

However, the parent project should really explain e.g. the differences between Security-Core, Security-General, Security-Other.

Danny_B reopened this task as Open.Aug 5 2016, 10:26 AM
In T109968#2526219, @Nemo_bis wrote:

If the OWASP list is considered clear enough, there's nothing wrong with just linking the list of Vuln-* projects.

...except for dependency on external site and forcing users to open new tab/window to see the definitions. Also tag names do not match names on the list, so one has to spend some time to match them.

However, the parent project should really explain e.g. the differences between Security-Core, Security-General, Security-Other.

T136594: Clarify distinction between #security-general and #security-other -> T109328: Undefined #Security-General and #Security-Other

Danny_B added a comment.Aug 5 2016, 10:27 AM
In T109968#2105345, @csteipp wrote:

I've specified that they correspond to the OWASP top-10 (+DoS). If you want more clarification documented there, I can summarize each vulnerability class there as well.

Please. Cf. https://phabricator.wikimedia.org/project/profile/483/ mentioned earlier. Thank you.

Aklapper removed dpatrick as the assignee of this task.Aug 5 2016, 11:56 AM
Aklapper added a subscriber: dpatrick.
MarcoAurelio added a subscriber: MarcoAurelio.Jan 22 2017, 4:57 PM

Maybe make a general Vulnerabilities project and have infoleak, etc. as subprojects of them. And also have Security and Security-Extensions, etc. subprojects/milestones for them as well.

Aklapper added a comment.Jan 24 2017, 12:44 PM

A security issue could be of more than one type of vulnerability hence no subprojects please.

MarcoAurelio added a comment.Jan 24 2017, 10:50 PM

Right. But what about the other security-xxx tags? Regards.

Aklapper added a comment.Jun 19 2017, 6:21 PM
In T109968#2967127, @MarcoAurelio wrote:

Right. But what about the other security-xxx tags?

That sounds like a comment for T109328 instead.

Aklapper closed this task as Declined.EditedJun 19 2017, 6:22 PM

Currently the (external) classification is linked, a query to get a list of all existing vuln* tags, and that it "should be applied to tasks that fall into those classifications." Furthermore, each tag offers a project description of its meaning.

Copying and listing every single vuln* tag description into the project description of Security-Team creates yet another separate place to manually update every time a tag description is updated or a new tag is created (if the updating person is aware of it). This duplication creates the likeliness of outdated information for rather little gain.
Hence I don't consider it feasible to list all vuln* tags in the project description of Security-Team and I am declining this task.

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:13 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL