Mercurial > farol
changeset 55:76cba17794ab
Add Descriptions to the Remediation fields
author | Benoît Allard <benoit.allard@greenbone.net> |
---|---|
date | Wed, 08 Oct 2014 09:57:13 +0200 |
parents | 8ffd3ec96f7c |
children | e6da0705a47c |
files | farol/templates/vulnerability/edit_remediation.j2 |
diffstat | 1 files changed, 27 insertions(+), 6 deletions(-) [+] |
line wrap: on
line diff
--- a/farol/templates/vulnerability/edit_remediation.j2 Wed Oct 08 09:28:23 2014 +0200 +++ b/farol/templates/vulnerability/edit_remediation.j2 Wed Oct 08 09:57:13 2014 +0200 @@ -24,19 +24,40 @@ -#} {% extends "base.j2" %} -{% from "macros.j2" import selectinput, textinput, textarea, selectinput2 %} +{% from "macros.j2" import selectinput, textinput, textarea, selectinput2, examples %} {% block title %}Edit Remediation{% endblock %} {% set active = 'vulnerability' %} {% block content %} +<p>The <strong>Remediation</strong> container holds specific details on how to handle (and presumably, fix) a vulnerability.</p> +<p>A <strong>Remediation</strong> container can be tied to one or more specific products by referencing these products using either the <strong>Product ID</strong> or <strong>Group ID</strong> child elements. If the <strong>Remediation</strong> is meant to be general or nonspecific for all products, the <strong>Product ID</strong> and <strong>Group ID</strong> child elements should be omitted.</p> <form role="form" method="POST"> -{{ selectinput('type', "Type", types, type) }} -{{ textinput('date', "Date", now.isoformat(), date, type="datetime") }} -{{ textarea('description', "Description", '', description, 5, required=True) }} -{{ textarea('entitlement', "Entitlement", '', entitlement, 5) }} -{{ textinput('url', "URL", 'https://...', url, type="url") }} +{% call selectinput('type', "Type", types, type) %} +<p>The <em>Type</em> attribute is required and can be one of the following:</p> +<dl class="dl-horizontal"> + <dt>Workaround:</dt><dd>Workaround contains information about a configuration or specific deployment scenario that can be used to avoid exposure to the vulnerability. There may be none, one, or more workarounds available. This is typically the “first line of defense” against a new vulnerability before a mitigation or vendor fix has been issued or even discovered.</dd> + <dt>Mitigation:</dt><dd>Mitigation contains information about a configuration or deployment scenario that helps to reduce the risk of the vulnerability but that does not resolve the vulnerability on the affected product. Mitigations may include using devices or access controls external to the affected product. Mitigations may or may not be issued by the original author of the affected product, and they may or may not be officially sanctioned by the document producer.</dd> + <dt>Vendor Fix:</dt><dd>Vendor Fix contains information about an official fix that is issued by the original author of the affected product. Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability.</dd> + <dt>None Available:</dt><dd>Currently there is no fix available. Description should contain details about why there is no fix.</dd> + <dt>Will Not Fix:</dt><dd>There is no fix for the vulnerability and there never will be one. This is often the case when a product has been orphaned, end-of-lifed, or otherwise deprecated. Description should contain details about why there will be no fix issued.</dd> +</dl> +{% endcall %} +{% call textinput('date', "Date", now.isoformat(), date, type="datetime") %} +<p><strong>Date</strong> is the date Remedy was last updated, if omitted it is deemed to be unknown, unimportant, or irrelevant. All dateTime values in CVRF require a time, and we recommend the inclusion of a time zone as well (ICASI endorses the use of GMT or “Zulu time”). If a time zone is excluded, Zulu should be assumed.</p> +{% endcall %} +{% call textarea('description', "Description", '', description, 5, required=True) %} +<p>The <strong>Description</strong> element will contain a thorough human-readable discussion of the Remediation.</p> +{% endcall %} +{% call textarea('entitlement', "Entitlement", '', entitlement, 5) %} +<p><strong>Entitlement</strong> contains any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability. This element will often contain information about service contracts or service-level agreements that is directed toward customers of large vendors.</p> +{{ examples(['Cisco customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels, generally from the Cisco website. Cisco recommends contacting the TAC only with specific and imminent problems or questions.<br>As a special customer service, and to improve the overall security of the Internet, Cisco may offer customers free of charge software updates to address security problems. If Cisco has offered a free software update to address a specific issue, noncontract customers who are eligible for the update may obtain it by contacting the Cisco TAC using any of the means described in the Contact Summary section of this document. To verify their entitlement, individuals who contact the TAC should have available the URL of the Cisco document that is offering the upgrade.<br>All aspects of this process are subject to change without notice and on a case-by-case basis. No particular level of response is guaranteed for any specific issue or class of issues.']) }} +{% endcall %} +{% call textinput('url', "URL", 'https://...', url, type="url") %} +<p><strong>URL</strong> is the optional URL to the Remediation.</p> +{% endcall %} + {{ selectinput2('products', "Products", products, productids, multiple=True) }} {% if groups %} {{ selectinput2('groups', "Groups", groups, groupids, multiple=True)}}