-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE management process for Node.js #33
Comments
I think we should act as a CNA, if we have the bandwidth to do so. |
(edited to fix the link to the PDF) |
@nodejs/security, @nodejs/security-wg would be good to get input from a good number of people as we'll need a number of people to agree to help with the work required if we chose to act as a CNA. |
Acting as a CNA will also help us assigning CVEs to vulnerabilities in npm packages as well |
Just catching up after beeing out a few weeks. It was mentioned here: #17 (comment) that HackerOne might be able to act as a CNA for us. Its another option to consider. @dadinolfi any comments on pros/cons of that ? |
If you are a HackerOne customer, they can assign CVE IDs for vulnerabilities reported through their platform. If a vulnerability is disclosed outside of HackerOne, they may not assign for it, which then leaves you in a similar space as now. Some of HackerOne's customers are already CNAs themselves, and they and HackerOne have worked out who will assign for what and when. |
Talkin with @sam-github who re HackerOne we came to the conclusion we should probably become a CNA even if we end up using HackerOne. @nodejs/tsc @nodejs/security @nodejs/security-wg Please comment if you have any objections to the project becoming its own CNA for CVEs. |
CNA seems like a reasonably good idea. |
Discussed in the TSC meeting today. Consensus was that we should try it out unless somebody objects in this issue in the next week (ie by Sep27th) |
@dadinolfi I requested a CVE yesterday, just wondering if you can check if we'll get it soon ? At the same time we should probably agree on the next steps for us becoming a CNA as well. |
@dadinolfi I just requested a second one right now as well, wanted to let you know in order to avoid confusion as its the first one that I'd like to get ASAP for https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/ |
@dadinolfi I received the second one but not the first one. If you can take a look at why we've not had a response on the first one that would be great. |
I'm looking into it. |
Our Content folks believe both requests had been replied to. Just in case: |
@mhdawson looks like there is general approval (and no objection) for us becoming a CNA. What are the next steps? What process needs to be put in place? |
From the MITRE side, we need the following four bits of information to proceed:
Once I have these bits of information, I will ask the CVE Content Team to send you your initial block of CVE IDs. When you have a vulnerability to assign, you would take a CVE from that block, create the entry request (per Appendix B of the CNA Rules or using the JSON format described here: https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema ), and ask me to review it. I'll give you some feedback regarding the content and formatting. Once we are happy with it, you can submit it through the regular method (https://cveform.mitre.org/) or through the new GitHub-based process that I can set you up with. Please let me know if you have any questions. |
@dadinolfi We definitely want to be a CNA for all projects administered by the Node Foundation, above info is great, thank you. Can we, as well, be a CNA for thirdparty modules published to npmjs.org? If so, can we do it under the same CNA/block, or do we need a seperate application? We will soon be accepting reports of vulnerabilities in these modules, it would be convenient to issue CVEs for them, even though the Node Foundation didn't write and publish those modules. |
@dadinolfi to confirm I have both CVE's thanks. |
@sam-github we have agreement to act as a CNA for Node core issues, I think we'd need to get further agreement as well as find people who are willing to do the work for third party modules before expanding the scope. I suggest we start by ramping up to be a CNA just for node-core and then expand once we are comfortable with that. |
If no one else has those modules as part of their CNA scope, there would be no barrier to you assigning CVE IDs to vulnerabilities disclosed in those. By including them explicitly in your scope, though, you'd be taking on the responsibility of being the one to assign CVE IDs for them for all cases, and other CNAs would send people looking for CVE IDs for those modules to you. |
Add email aliases for acting as a CNA asas per: nodejs/security-wg#33 cve-request - email address that people should be directed to in order to ask questions about CVE-related issues cve-mitre-contact - private contact points for mitre to reach out directly to in case there are issues that required immediate attention cna-discussion-list - email address added ot the CNA email discussion list. Used for announcements, sharing documents or discussion relevant to CNA community. Rarely has more than 10 messages a week
Submitted request for Node.js to become CNA and manage CVE's First cut at CVE management process #60 |
I tried subscribing the email address you gave me to our cve-cna-list mailing list, but our mail server got a recipient rejected message when we tried to send to it. Is the address you gave me functioning? Thanks. -Dan |
Add email aliases for acting as a CNA asas per: nodejs/security-wg#33 cve-request - email address that people should be directed to in order to ask questions about CVE-related issues. cve-mitre-contact - private contact points for mitre to reach out directly to in case there are issues that required immediate attention. cna-discussion-list - email address added ot the CNA email discussion list. Used for announcements, sharing documents or discussion relevant to CNA community. Rarely has more than 10 messages a week. PR-URL: #71 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Add email aliases for acting as a CNA asas per: nodejs/security-wg#33 cve-request - email address that people should be directed to in order to ask questions about CVE-related issues. cve-mitre-contact - private contact points for mitre to reach out directly to in case there are issues that required immediate attention. cna-discussion-list - email address added ot the CNA email discussion list. Used for announcements, sharing documents or discussion relevant to CNA community. Rarely has more than 10 messages a week. PR-URL: #71 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Email aliases PR had not yet landed, all in place now. Process has been documented so we should be good to go. Landing. |
Add email aliases for acting as a CNA asas per: nodejs/security-wg#33 cve-request - email address that people should be directed to in order to ask questions about CVE-related issues. cve-mitre-contact - private contact points for mitre to reach out directly to in case there are issues that required immediate attention. cna-discussion-list - email address added ot the CNA email discussion list. Used for announcements, sharing documents or discussion relevant to CNA community. Rarely has more than 10 messages a week. PR-URL: nodejs/email#71 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
I had a discussion @dadinolfi from Mitre about the options for managing CVE's for Node.js.
There are 2 options that we have:
Some open source projects already acting as a CNA
There are pros/cons as outlined in the sections which follows.
From my read of he rules and my discussion with @dadinolfi I think the extra work in being a CNA will be relatively small and have the community being able to control the CVE's assigned for Node.js would be good so I'd lean towards the option of Acting as a CNA.
Acting as CNA
When we act as a CNA, we get a block of CVE's at the start of the year and then assign these ourselves. When publicly disclose the vulnerability we use the web form (and other methods like json in the future) to provide info to Mitre which get published in the CVE. This information is relatively minimal
If any other entity wants a CVE for Node.js they will be referred to us and we decide based on the CNA rules if we believe a CVE should be assigned and if appropriate provide one to the requesting entity.
The full rules for acting as a CNA are here: http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf
Pros
Cons
misc
CVE only public once public, don't publish number until public, release when embargo is lifted.
Web form
Pros:
Cons
The text was updated successfully, but these errors were encountered: