Bug 589630 - point to our per-CVE pages rather than MITRE's site
Status: CLOSED NEXTRELEASE
Product: Bugzilla
Classification: Community
Component: User Interface
Version: 3.4
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: David Lawrence
Reported: 2010-05-06 11:12 EDT by Vincent Danen
Modified: 2013-06-23 23:40 EDT
Doc Type: Bug Fix
Last Closed: 2010-05-12 13:47:29 EDT
Description Vincent Danen 2010-05-06 11:12:41 EDT
Bugzilla auto-links any mention of CVE-foo to MITRE's site (i.e. CVE-2010-0047).  Now that we have per-CVE pages that we point customers to (that contain our CVSSv2 scores, our impact rating, links to our errata we've released, and our NVD statements), I think it makes more sense to have bugzilla auto-link to our per-CVE pages rather than MITRE.  There is much more relevant information on our pages than there is on MITRE's (and our page links back to MITRE's page anyways).

The only downside is that we may end up pointing to a "not found" page in some cases due to how we parse bugzilla and our requirements, for instance:

https://www.redhat.com/security/data/cve/CVE-2010-0047.html

That brings up a "not found" page because our bug doesn't have a valid CVSSv2 score.  This is something we need to work on (in this case, just provide the score), but that is one drawback.  We could probably make the "not found" page provide a direct link to MITRE's site to see if they have further information.
Comment 1 David Lawrence 2010-05-11 15:47:43 EDT
This is our current regex code that does this auto-linkification:

# Linkify CAN or CVE links IE: CAN-XXXX-XXXX CVE-XXXX-XXXX
$text =~ s~\b(C(?:VE|AN)-\d{4}-\d{4})~<a href=\"http://cve\.mitre\.org/cgi-bin/cvename\.cgi\?name=$1\">$1</a>~g;

We would just change it to:

# Linkify CVE links IE: CVE-XXXX-XXXX
$text =~ s~\b(CVE-\d{4}-\d{4})~<a href=\"https://www.redhat.com/security/data/cve/$1\.html\">$1</a>~g;
# Linkify CAN links IE: CAN-XXXX-XXXX
$text =~ s~\b(CAN-\d{4}-\d{4})~<a href=\"http://cve\.mitre\.org/cgi-bin/cvename.cgi\?name=$1\">$1</a>~g;

Does that look acceptable to you? Also should we go forward before the page not found issue is resolved?

Dave
Comment 2 Vincent Danen 2010-05-11 20:05:19 EDT
I don't think we want to point CAN-XXXX-XXXX to MITRE's site since all CAN-foo have turned to CVE-foo (i.e. if you go to CAN-2009-0301 it will take you to the CVE-2009-0301 page).  So I think it would be safe to make all CANs point to our CVE pages also (just s/CAN/CVE/ for the name).

The page not found issue has been resolved.  If you visit:

https://www.redhat.com/security/data/cve/CVE-2009-0001.html

You'll see some javascript stuff at the bottom to point to MITRE's site.

I'll let Mark make the call on the CAN handling though.  I think they should be converted to CVE-foo and pointing to our page.

Thanks Dave!
Comment 3 David Lawrence 2010-05-11 22:59:08 EDT
(In reply to comment #2)
> I don't think we want to point CAN-XXXX-XXXX to MITRE's site since all CAN-foo
> have turned to CVE-foo (i.e. if you go to CAN-2009-0301 it will take you to the
> CVE-2009-0301 page).  So I think it would be safe to make all CANs point to our
> CVE pages also (just s/CAN/CVE/ for the name).
> 
> The page not found issue has been resolved.  If you visit:
> 
> https://www.redhat.com/security/data/cve/CVE-2009-0001.html
> 
> You'll see some javascript stuff at the bottom to point to MITRE's site.
> 
> I'll let Mark make the call on the CAN handling though.  I think they should be
> converted to CVE-foo and pointing to our page.

Okay, works for me. I will hold off til Mark's sign off before making the change.

Dave
Comment 4 Mark J. Cox 2010-05-12 04:35:05 EDT
Agreed, any CAN-xxxx-yyyy should point to https://www.redhat.com/security/data/cve/CVE-xxxx-yyyy.html
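
The mapping agreed above, written out as an added Perl example; it is not part of the bug thread and not the change that was committed to Bugzilla. The helper names and sample text are constructed, the link text is left as typed (an assumption), and `\d{4,}` goes beyond the thread by also accepting the longer sequence numbers of newer CVE IDs.

```perl
use strict;
use warnings;

# Base URL as given in the thread. Helper names and sample text are
# constructed for this example.
my $CVE_BASE = 'https://www.redhat.com/security/data/cve/';

# Minimal HTML escaping so the example runs stand-alone; a real Bugzilla
# escapes comment text itself before linkification.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$ent{$1}/g;
    return $s;
}

sub linkify_cve {
    my ($text) = @_;
    $text = html_escape($text);
    # Only the literal prefix, digits and hyphens are captured, so nothing
    # else from the comment body can end up inside the href attribute.
    $text =~ s{\b(C(?:VE|AN))-(\d{4})-(\d{4,})}{
        my $shown = "$1-$2-$3";    # link text stays as the commenter typed it
        my $page  = "CVE-$2-$3";   # CAN-xxxx-yyyy resolves to the CVE page
        qq{<a href="$CVE_BASE$page.html">$shown</a>};
    }ge;
    return $text;
}

# Constructed sample comment text.
my @samples = (
    'Fixed by the CVE-2010-0047 errata',
    'Originally tracked as CAN-2009-0301 <upstream>',
    'Not an ID: CVE-10-0047 or CVE-2010-47',
);
print linkify_cve($_), "\n" for @samples;
```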
Comment 5 David Lawrence 2010-05-12 13:47:29 EDT
Thanks. Change committed to SVN and will be in the next update.

Dave
Comment 6 Vincent Danen 2010-05-12 16:19:17 EDT
Great!  Thanks Dave.
