Bug 912

Summary: Custom field for CVE
Product: Infrastructure
Reporter: Michael Scherer <misc>
Component: Bugzilla
Assignee: Sysadmin Team <sysadmin-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: enhancement
Priority: Normal
CC: LpSolit, atelier-bugs, dmorganec, marja11, sysadmin-bugs
Version: unspecified
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM:
CVE:
Status comment:
Bug Depends on: 40
Bug Blocks:

Description Michael Scherer 2011-04-20 22:53:36 CEST
We should add a custom field in Bugzilla when the security category is used on a package, to add the CVE identifier. The field should not be present by default.
Comment 1 Nicolas Vigier 2011-04-21 01:38:52 CEST
I have looked at how to do that. It's possible to do it from this page:
https://bugs.mageia.org/editfields.cgi?action=add

We can select "Field only appears when" to show it only in some cases. However, it is only possible to make the field present based on the value of:
- Product
- Platform
- OS/Version
- Status
- Resolution
- Severity
- Priority

In our case, we would like to show it or not based on the value of Component (only show it if it's a bug on the Security component). But it looks like it's not possible.

So if we cannot do it based on component, I think there are two solutions:
 - add a new severity value, "security issue" (set by default for bugs in components Security), and add the custom field only when severity is "security issue".
 - add the custom field in all cases

CC: (none) => boklm

Comment 2 Michael Scherer 2011-04-21 02:15:10 CEST
Well, a CVE would be linked to an rpm, so the component should be Rpm packages, no?

However, security is not a severity; if we decide to use it, we will not be able to see if a security bug is urgent or not (I would rate a potential DoS on some obscure erlang application less severe than a remote root on openssh, for example).

That's quite bad that the only field we would want to use is the one that cannot :)
Comment 3 Frédéric "LpSolit" Buclin 2011-04-28 22:47:16 CEST
bugs.mageia.org runs Bugzilla 3.6.4. Upgrade to 4.0 as proposed in bug 40, and you will be able to use the Component field. ;)

CC: (none) => LpSolit

Comment 4 D Morgan 2011-04-28 23:13:24 CEST
I really need to push this on the top of my todo.

CC: (none) => dmorganec

Comment 5 Marja Van Waes 2011-10-09 23:22:58 CEST
(In reply to comment #4)
> I really need to push this on the top of my todo.

What happened since?

CC: (none) => marja11

Comment 6 Marja Van Waes 2012-01-13 22:13:08 CET
Setting dependency on bug 40.

Depends on: (none) => 40

Manuel Hiebel 2012-01-28 15:23:18 CET

Assignee: mageia-sysadm => sysadmin-bugs

Comment 7 Nicolas Vigier 2013-09-21 15:22:53 CEST
CVE field has been added, available only for bugs in the security component.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:07:02 CEST

CC: boklm => (none)