Mercurial > farol
changeset 50:496ae1e8e90c
Add Descriptions for edit_involvement
author | Benoît Allard <benoit.allard@greenbone.net> |
---|---|
date | Tue, 07 Oct 2014 16:29:58 +0200 |
parents | 5583ddcd6164 |
children | 718e6b555075 |
files | farol/templates/document/edit_publisher.j2 farol/templates/vulnerability/edit_involvement.j2 |
diffstat | 2 files changed, 38 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/farol/templates/document/edit_publisher.j2 Tue Oct 07 16:15:43 2014 +0200 +++ b/farol/templates/document/edit_publisher.j2 Tue Oct 07 16:29:58 2014 +0200 @@ -44,7 +44,7 @@ <dd>Everyone using a vendor’s product.</dd> <dt>Other:</dt> <dd>Catchall for everyone else. Currently this includes forwarders, republishers, language translators, and miscellaneous contributors.</dd> -</ul> +</dl> {% endcall %} {% call textinput("vendorid", "Vendor ID", "", publisher._vendorid or '') %} <p>The optional <em>Vendor ID</em> attribute is a unique identifier (OID) that a vendor uses as issued by FIRST under the auspices of IETF. At the time of this writing, OID is a work in progress.</p>
--- a/farol/templates/vulnerability/edit_involvement.j2 Tue Oct 07 16:15:43 2014 +0200 +++ b/farol/templates/vulnerability/edit_involvement.j2 Tue Oct 07 16:29:58 2014 +0200 @@ -24,17 +24,50 @@ -#} {% extends "base.j2" %} -{% from "macros.j2" import textinput, textarea, selectinput %} +{% from "macros.j2" import textinput, textarea, selectinput, examples %} {% block title %}Edit Involvement{% endblock %} {% set active = 'vulnerability' %} {% block content %} +<p>The <strong>Involvement</strong> container allows the document producers (or third party) to comment on their level of involvement in the vulnerability identification, scoping, and remediation process.</p> <form role="form" method="POST"> -{{ selectinput("party", "Party", parties, party) }} -{{ selectinput("status", "Status", statuses, status) }} -{{ textarea("description", "Description", "", description, 10) }} +{% call selectinput("party", "Party", parties, party) %} +<p>The attribute <em>Party</em> indicates the type of the producer issuing the status. It is identical to the <strong>Document Publisher</strong> attribute <em>Type</em>. Most of the time, both attributes will be the same because document producers will issue an <string>Involvement</strong> status on their own behalf. However, if the document producer wants to issue a status on behalf of a third party and use a different type from that used in <strong>Document Publisher</strong>, that use is allowed by the schema. If this is the case, <strong>Description</strong> should contain additional context regarding what is going on.</p> +<dl class="dl-horizontal"> + <dt>Vendor:</dt> + <dd>Developers or maintainers of information system products or services. This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and product resellers and distributors, including authoritative vendor partners.</dd> + <dt>Discoverer:</dt> + <dd>Individuals or organizations that find vulnerabilities or security weaknesses. This includes all manner of researchers.</dd> + <dt>Coordinator:</dt> + <dd>Individuals or organizations that manage a single vendor’s response or multiple vendors’ responses to a vulnerability, a security flaw, or an incident. This includes all Computer Emergency/Incident Response Teams (CERTs/CIRTs) or agents acting on the behalf of a researcher.</dd> + <dt>User:</dt> + <dd>Everyone using a vendor’s product.</dd> + <dt>Other:</dt> + <dd>Catchall for everyone else. Currently this includes forwarders, republishers, language translators, and miscellaneous contributors.</dd> +</dl> +{% endcall %} + +{% call selectinput("status", "Status", statuses, status) %} +<p>The attribute <em>Status</em> indicates the level of involvement of Party.</p> +<p>The child <strong>Description</strong> (below) is an optional element used to give context about the involvement or engagement of the <em>Party</em>.</p> +<p>The final two status states, <samp>Contact Attempted</samp> and <samp>Not Contacted</samp>, are intended for use by document producers other than vendors (such as research or coordinating entities).</p> +<p>Status types include:</p> +<dl class="dl-horizontal"> + <dt>Open:</dt><dd>This is the default status. It doesn’t indicate anything about the vulnerability remediation effort other than the fact that the vendor has acknowledged awareness of the vulnerability report. The use of this status by a vendor indicates that future updates from the vendor about the vulnerability are to be expected.</dd> + <dt>Disputed:</dt><dd>This status indicates that the vendor disputes the vulnerability report in its entirety. Vendors should indicate this status when they believe that a vulnerability report regarding their product is completely inaccurate (that there is no real underlying security vulnerability) or that the technical issue being reported has no security implications.</dd> + <dt>In Progress:</dt><dd>This status indicates that some hotfixes, permanent fixes, mitigations, workarounds, or patches may have been made available by the vendor, but more information or fixes may be released in the future. The use of this status by a vendor indicates that future information from the vendor about the vulnerability is to be expected.</dd> + <dt>Completed:</dt><dd>The vendor asserts that investigation of the vulnerability is complete. No additional information, fixes, or documentation from the vendor about the vulnerability should be expected to be released.</dd> + <dt>Contact Attempted:</dt><dd>The document producer attempted to contact the affected vendor.</dd> + <dt>Not Contacted:</dt><dd>The document producer has not attempted to make contact with the affected vendor.</dd> +</dl> +<p>Each status is mutually exclusive—only one status is valid for a particular vulnerability at a particular time. As the vulnerability ages, a party’s involvement could move from state to state. However, in many cases, a document producer may choose not to issue CVRF documents at each state, or simply omit this element altogether. It is recommended, however, that vendors that issue CVRF documents indicating an open or in-progress <strong>Involvement</strong> should eventually expect to issue a document as Disputed or Completed.</p> +{% endcall %} +{% call textarea("description", "Description", "", description, 10) %} +<p>The <strong>Description</strong> element will contain a thorough human-readable discussion of the <strong>Involvement</strong>.</p> +{{ examples(['Cisco acknowledges that the IronPort Email Security Appliances (ESA) and Cisco IronPort Security Management Appliances (SMA) contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. A Mitigation is available.', 'We emailed the vendor on February 14, 2012 when the vulnerability was first discovered by our team.']) }} +{% endcall %} <button class="btn btn-primary" type="submit">{{ action or 'Update' }}</button> <a class="btn btn-danger" href="{% if action=='Add' %}{{ url_for('.view', ordinal=ordinal) }}{% else %}{{ url_for('.view_involvement', ordinal=ordinal, index=index) }}{% endif %}">Cancel</a>