Bug 589630 - point to our per-CVE pages rather than MITRE's site
Status: CLOSED NEXTRELEASE
Alias: None
Product: Bugzilla
Classification: Community
Component: User Interface
Version: 3.4
Hardware: All Linux
low
medium
Target Milestone: ---
Assignee: David Lawrence
Reported: 2010-05-06 15:12 UTC by Vincent Danen
Modified: 2013-06-24 03:40 UTC (History)
Doc Type: Bug Fix
Last Closed: 2010-05-12 17:47:29 UTC

Description Vincent Danen 2010-05-06 15:12:41 UTC
Bugzilla auto-links any mention of CVE-foo to MITRE's site (i.e. CVE-2010-0047).  Now that we have per-CVE pages that we point customers to (that contain our CVSSv2 scores, our impact rating, links to our errata we've released, and our NVD statements), I think it makes more sense to have Bugzilla auto-link to our per-CVE pages rather than MITRE.  There is much more relevant information on our pages than there is on MITRE's (and our page links back to MITRE's page anyways).

The only downside is that we may end up pointing to a "not found" page in some cases due to how we parse Bugzilla and our requirements, for instance:

https://www.redhat.com/security/data/cve/CVE-2010-0047.html

That brings up a "not found" page because our bug doesn't have a valid CVSSv2 score.  This is something we need to work on (in this case, just provide the score), but that is one drawback.  We could probably make the "not found" page provide a direct link to MITRE's site to see if they have further information.

Comment 1 David Lawrence 2010-05-11 19:47:43 UTC
This is our current regex code that does this auto-linkification:

# Linkify CAN or CVE links IE: CAN-XXXX-XXXX CVE-XXXX-XXXX
$text =~ s~\b(C(?:VE|AN)-\d{4}-\d{4})~<a href=\"http://cve\.mitre\.org/cgi-bin/cvename\.cgi\?name=$1\">$1</a>~g;

We would just change it to:

# Linkify CVE links IE: CVE-XXXX-XXXX
$text =~ s~\b(CVE-\d{4}-\d{4})~<a href=\"https://www.redhat.com/security/data/cve/$1\.html\">$1</a>~g;
# Linkify CAN links IE: CAN-XXXX-XXXX
$text =~ s~\b(CAN-\d{4}-\d{4})~<a href=\"http://cve\.mitre\.org/cgi-bin/cvename.cgi\?name=$1\">$1</a>~g;

Does that look acceptable to you? Also, should we go forward before the page not found issue is resolved?

Dave

Comment 2 Vincent Danen 2010-05-12 00:05:19 UTC
I don't think we want to point CAN-XXXX-XXXX to MITRE's site since all CAN-foo have turned to CVE-foo (i.e. if you go to CAN-2009-0301 it will take you to the CVE-2009-0301 page).  So I think it would be safe to make all CANs point to our CVE pages also (just s/CAN/CVE/ for the name).

The page not found issue has been resolved.  If you visit:

https://www.redhat.com/security/data/cve/CVE-2009-0001.html

You'll see some JavaScript stuff at the bottom to point to MITRE's site.

I'll let Mark make the call on the CAN handling though.  I think they should be converted to CVE-foo and pointing to our page.

Thanks Dave!

Comment 3 David Lawrence 2010-05-12 02:59:08 UTC
(In reply to comment #2)
> I don't think we want to point CAN-XXXX-XXXX to MITRE's site since all CAN-foo
> have turned to CVE-foo (i.e. if you go to CAN-2009-0301 it will take you to the
> CVE-2009-0301 page).  So I think it would be safe to make all CANs point to our
> CVE pages also (just s/CAN/CVE/ for the name).
> 
> The page not found issue has been resolved.  If you visit:
> 
> https://www.redhat.com/security/data/cve/CVE-2009-0001.html
> 
> You'll see some JavaScript stuff at the bottom to point to MITRE's site.
> 
> I'll let Mark make the call on the CAN handling though.  I think they should be
> converted to CVE-foo and pointing to our page.

Okay, works for me. I will hold off until Mark's sign-off before making the change.

Dave

Comment 4 Mark J. Cox 2010-05-12 08:35:05 UTC
Agreed, any CAN-xxxx-yyyy should point to https://www.redhat.com/security/data/cve/CVE-xxxx-yyyy.html

Comment 5 David Lawrence 2010-05-12 17:47:29 UTC
Thanks. Change committed to SVN and will be in the next update.

Dave

Comment 6 Vincent Danen 2010-05-12 20:19:17 UTC
Great!  Thanks Dave.
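
One way to write the behaviour agreed in comments 2 and 4, as an added example (not the change committed to SVN, which this page does not show). The sub name `linkify_cve`, the `$CVE_BASE` variable, the `(?!\d)` guard and the assumption that the input is already HTML-escaped are choices made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Base URL taken from comment 4; the variable and sub names are hypothetical.
my $CVE_BASE = 'https://www.redhat.com/security/data/cve';

# Link CVE-XXXX-XXXX and legacy CAN-XXXX-XXXX names to the per-CVE page.
# The visible text stays as the commenter typed it; only the href is
# normalised to the CVE- prefix (the s/CAN/CVE/ suggested in comment 2).
# Assumption: $text has already been HTML-escaped by the caller, because
# the substitution inserts raw <a> markup into it.
sub linkify_cve {
    my ($text) = @_;
    # $1 = name as written, $2 = the XXXX-XXXX part shared by both prefixes.
    # (?!\d) is added here so a longer digit run is not linked by its prefix.
    $text =~ s~\b(C(?:VE|AN)-(\d{4}-\d{4}))(?!\d)~<a href="$CVE_BASE/CVE-$2.html">$1</a>~g;
    return $text;
}

# Constructed sample input, using identifiers mentioned in the thread.
my @samples = (
    'See CVE-2010-0047 for details.',
    'Originally tracked as CAN-2009-0301.',
    'notCVE-2010-0047 and CVE-2010-00471 are left alone.',
);

print linkify_cve($_), "\n" for @samples;
```

Because the pattern only admits digits and hyphens after the prefix, nothing user-controlled beyond the matched identifier reaches the `href`.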

