
Enable risk rating field in Phabricator's task form
Closed, Resolved (Public)

Description

Hello,

As part of some security-related work (T279140), I am exploring ways to specify the risk rating of tasks that are marked with Vuln-* tags. When pulling data from the Conduit's maniphest.search endpoint, I could see a custom.risk.rating subfield. I presume it is related to the Risk Rating options one can find using the advanced search (as here).

How difficult would it be to enable users (or some of them) to specify the risk rating when creating or editing a Phabricator task?

Thanks for your time.
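To make the Conduit side of the description concrete, here is an added example (not code from this task thread or from Wikimedia) that pulls tasks tagged with given Vuln-* project PHIDs from maniphest.search, reads the custom.risk.rating subfield mentioned above and counts how many of those tasks still have no rating, which is the set a reviewer would need to triage. The response layout, the "projects" and "statuses" constraint names and the "after" cursor are assumptions taken from Conduit's documented search shape; the project PHIDs, task ids and rating values in the sample are constructed.

```python
"""Inventory Phabricator tasks tagged Vuln-* and their risk rating.

Added example, not code from the task thread or from Wikimedia.
Assumptions (marked below): the maniphest.search response layout, the
custom field being returned under each task's "fields" dict keyed as
"custom.risk.rating", and the constraint/cursor parameter names.
SAMPLE_RESPONSE is constructed data, not a real Phabricator answer.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

# Subfield name as it appears in maniphest.search output (from the task description).
RISK_FIELD = "custom.risk.rating"


def build_search_form(api_token: str, project_phids, after=None) -> bytes:
    """Encode a maniphest.search request body.

    Conduit accepts flattened form keys such as constraints[projects][0].
    Assumption: "projects", "statuses" and the "after" cursor are the
    documented constraint/paging names; check /conduit/method/maniphest.search/.
    """
    form = {"api.token": api_token, "constraints[statuses][0]": "open"}
    for i, phid in enumerate(project_phids):
        form[f"constraints[projects][{i}]"] = phid
    if after is not None:
        form["after"] = after
    return urllib.parse.urlencode(form).encode()


def fetch_page(base_url: str, api_token: str, project_phids, after=None) -> dict:
    """One HTTPS call to <base_url>/api/maniphest.search (never run offline)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/maniphest.search",
        data=build_search_form(api_token, project_phids, after),
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def extract_ratings(response: dict) -> dict:
    """Map task id -> risk rating, None when the field is unset or absent.

    Assumption: custom fields sit in each task's "fields" dict under their
    full name, and an unset field is null (or missing entirely).
    """
    if response.get("error_code"):
        raise RuntimeError(f"Conduit error: {response.get('error_info')}")
    return {task["id"]: task["fields"].get(RISK_FIELD)
            for task in response["result"]["data"]}


def summarize(ratings: dict) -> dict:
    """Count tasks per rating; "unrated" is the triage backlog."""
    return dict(Counter("unrated" if r is None else r for r in ratings.values()))


SAMPLE_RESPONSE = {  # constructed sample, shaped like a Conduit search reply
    "result": {
        "data": [
            {"id": 101, "phid": "PHID-TASK-aaaa",
             "fields": {"name": "XSS in widget", RISK_FIELD: "high"}},
            {"id": 102, "phid": "PHID-TASK-bbbb",
             "fields": {"name": "Missing rate limit", RISK_FIELD: None}},
            {"id": 103, "phid": "PHID-TASK-cccc",
             "fields": {"name": "Weak default", RISK_FIELD: "medium"}},
            {"id": 104, "phid": "PHID-TASK-dddd",
             "fields": {"name": "Dependency advisory"}},  # field absent
        ],
        "cursor": {"after": None},
    },
    "error_code": None,
    "error_info": None,
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in fetch_page()
    # with a real base URL, API token and Vuln-* project PHIDs to run live.
    ratings = extract_ratings(SAMPLE_RESPONSE)
    print(summarize(ratings))
```

When paging a live instance, loop on `result["cursor"]["after"]` until it is null and merge each page's dict into one; the counts then tell you how many Vuln-* tasks carry no rating yet.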

Event Timeline

sguebo_WMF renamed this task from Enable risk rating field in Phabricator's New task form to Enable risk rating field in Phabricator's task form. Apr 8 2021, 4:31 PM

Which exact new task form is this about? URLs always welcome. :) (Ref: T204138 and T204160)

Hello @Aklapper,

Originally I was interested in having the risk rating field added to New Task. However, while looking at the tickets you referenced, I could see that the Security Type Advanced form (73) already has the Security rating field, although it seems to be locked at the moment.

So now I guess my questions are:

  1. Is it okay if I go on and re-enable the Risk rating field for form 73?
  2. Since form 73 is already marked as an "Edit" form, how can I use it to edit existing tickets?

The "Risk Rating" field in form 73 got locked by Chase in https://phabricator.wikimedia.org/transactions/editengine/maniphest.task/view/73/#1620 for reasons that I do not know. It could be re-enabled in that edit form if that is wanted. (Note that edit forms refer to existing tasks and are separate from task creation forms.)
Is there any documentation how the Security Team used, uses, or plans to use that field? (I'd like to avoid having fields for the sake of having fields.)

Hey @Aklapper -

It could be re-enabled in that edit form if that is wanted. (Note that edit forms refer to existing tasks and are separate from task creation forms.)

This is most likely what the Security-Team will want to do, yes, but I think we'll need to confirm this as a team sometime soon first.

Is there any documentation how the Security Team used, uses, or plans to use that field? (I'd like to avoid having fields for the sake of having fields.)

Yes, but the Foundation-wide risk management policy only exists on officewiki right now. It has been summarized publicly in at least one place (T249039#6309061), and my hope is that at least some summary of it will eventually be made public, but I do not have sole input into that decision.

sbassett triaged this task as Medium priority. Apr 13 2021, 3:19 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.

but I think we'll need to confirm this as a team sometime soon first.

Boldly assigning then. Feel free to reassign.

Boldly assigning then. Feel free to reassign.

  1. I'll plan to re-confirm with the Security-Team that we indeed want to do this.
  2. If we do, I'll need a Phab admin to revert Chase's lock, I believe.

Update: I've re-enabled the risk rating field for the "Security Type Advanced (Form 73)" task type. It should now display and be editable for any existing tasks of that type or any new tasks created via Form 73. Unfortunately, I don't believe there is a simple mechanism to change existing Phab tasks types to the "Security Type Advanced" type, which would be a requirement for our desired risk rating workflow. I'm not sure if @mmodell or anyone else could provide some guidance on how that might be accomplished.

@sbassett: I think it should be possible to change tasks in bulk using the bulk editor.

If you can tell me a criteria for which tasks should be changed I can change the type with a silenced bulk edit to minimize notification spam.

@sbassett: I think it should be possible to change tasks in bulk using the bulk editor.

Huh, I don't think I've ever used the bulk task editor. Do I need some Phab permissions to do that or can anyone use that? It's not immediately obvious to me where that feature lives...

If you can tell me a criteria for which tasks should be changed I can change the type with a silenced bulk edit to minimize notification spam.

So we don't have a list right now. We would just want the ability to do this when needed. Here's the desired workflow:

  1. A task is created and is assigned to the Security-Team
  2. The task is reviewed by a member of the Security-Team and they want to assign a risk rating for whatever the task concerns
  3. The member of the Security-Team changes the task type to "Security Type Advanced" and can now add/edit a risk rating

@sbassett: To change a task, use the "Add Action" dropdown on any task: select "change subtype" and then select the security task subtype from the dropdown that appears.

@mmodell -

@sbassett: To change a task, use the "Add Action" dropdown on any task: select "change subtype" and then select the security task subtype from the dropdown that appears.

So I see "Security Issue" within the subtype list, but not "Security Type Advanced". Can we add that type to the dropdown list?

@Aklapper -

See https://www.mediawiki.org/wiki/Phabricator/Help#Batch_edits

Thanks for the information.

Task subtypes and fields on a form are different things. Set the "Security Issue" subtype, then edit the task itself.

Task subtypes and fields on a form are different things. Set the "Security Issue" subtype, then edit the task itself.

Ok, that works. Thanks.