Commit
add related question, other labels
andymeneely committed Oct 25, 2023
1 parent b81c3f1 commit aceed2a
Showing 3 changed files with 38 additions and 15 deletions.
5 changes: 1 addition & 4 deletions app/assets/javascripts/curate/curationwizard.js
Expand Up @@ -294,10 +294,7 @@ function populateYMLField(progress) {
yamlField.value = "";
// TODO For now, remove all "_instructions" keys from the yml right here. Eventually we need a cleaner way of handling that.
progress = Object.fromEntries(Object.entries(progress).filter(([k,_v]) => !k.includes('_instructions' )))

// console.log("Populating YAML with this: ")
// console.log(progress);
yamlField.value = YAML.stringify(progress)
yamlField.value = YAML.stringify(progress, { nullStr: '' })

// FIXME Old YML emitter wasn't clean enough - BUT, I'm not sure what hte first half of the if-statement is doing here so I'm going to ask.
// if (progress && Object.keys(progress).some((key) => key === "fieldName")) {
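Review bot: the `{ nullStr: '' }` option on the `YAML.stringify` line writes null answers as an empty value, so it is worth confirming once that the loader on the read side turns an empty scalar back into null rather than an empty string (the YAML 1.2 core schema does, but only if that is the schema in use). Two adjacent points in the same function deserve a pass here: `k.includes('_instructions')` strips any key that merely contains that substring, where `k.endsWith('_instructions')` states the intent and cannot drop an unrelated key by accident; and the FIXME ('hte first half of the if-statement') plus the two commented-out `console.log` lines are left behind, so either resolve the question or move it to an issue so the emitter stays readable.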
4 changes: 3 additions & 1 deletion app/assets/javascripts/curate/questions/kernel.json
Expand Up @@ -134,6 +134,7 @@
}, {
"key": "sandbox",
"label": "Sandbox",
"summary": "Was a sandbox violated?",
"instructions": "Did this vulnerability violate a sandboxing feature that the system provides?<br/><br/>A sandboxing feature is one that allows files, users, or other features limited access. Vulnerabilities that violate sandboxes are usually based on access control, checking privileges incorrectly, path traversal, and the like.",
"defaultValue": "",
"type": "input"
Expand Down Expand Up @@ -163,7 +164,8 @@
"comparisonType" : "NOT IN"
}, {
"key": "ipc",
"label": "ipc",
"label": "IPC",
"summary": "Was inter-process communication involved?",
"instructions": "Did the feature that this vulnerability affected use inter-process communication? IPC includes OS signals, pipes, stdin/stdout, message passing, and clipboard. Writing to files that another program in this software system reads is another form of IPC.",
"defaultValue": "",
"type": "input"
44 changes: 34 additions & 10 deletions app/assets/javascripts/curate/questions/shared.json
Expand Up @@ -30,14 +30,15 @@
},{
"key": "nickname",
"label": "Nickname",
"summary": "Because nobody memorizes CVE numbers",
"instructions": "A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters.",
"defaultValue": "",
"type": "input"
},{
"key": "announced",
"label": "Announced Date",
"summary": "When was it announced?",
"howToFind": "You can find this in changelogs, blogs, bug reports, or perhaps the CVE date.",
"howToFind": "You can find this in changelogs, blogs, bug reports, or perhaps the date in the CVE entry. Not necessarily the same date as the fix commit date.",
"defaultValue": "",
"type": "date"
}, {
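Review bot: the nickname instructions (context line just above the new summary) read "would draw attention it"; since this hunk already touches the field, fix it to "draw attention to it" in passing. The new `howToFind` sentence for `announced` ("Not necessarily the same date as the fix commit date.") is a useful caveat, but it leaves curators without a rule for when sources disagree; one more clause saying which date to prefer would make the recorded value consistent across entries.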
Expand Down Expand Up @@ -79,7 +80,7 @@
"key": "vccs",
"label": "Origin Commits (VCC)",
"summary": "What are the Vulnerability-Contributing Commits?",
"instructions": "VCCs are the vulnerability-contributing commits. Look up these VCC commits and verify that they are not simple refactorings, and that they are, in fact introducing the vulnerability into the system. Often, introducing the file or function is where the VCC is, but VCCs can be anything.",
"instructions": "VCCs are the <b>vulnerability-contributing commits</b>. Look up these VCC commits and verify that they are not simple refactorings, and that they are, in fact introducing the vulnerability into the system. Often, introducing the file or function is where the VCC is, but VCCs can be any commit. Update the note to say 'Manually Confirmed' after checking each VCC.",
"howToFind": "These are found by our tools by traversing the Git Blame history, where we determine which commit(s) introduced the functionality. ",
"defaultValue": 1,
"type": "repeater",
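Review bot: the new sentence "Update the note to say 'Manually Confirmed' after checking each VCC" presumes every repeater entry has a note sub-field; the repeater's sub-fields fall outside this hunk, so confirm one exists and that 'Manually Confirmed' is exactly the string anything downstream looks for, since a free-text marker is easy to misspell. The added `<b>` tag also means this instructions string is now rendered as HTML, consistent with `sandbox` using `<br/>`. Minor: "that they are, in fact introducing" wants a comma after "fact", and `howToFind` ends with a trailing space inside the string.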
Expand Down Expand Up @@ -111,6 +112,7 @@
},{
"key": "discovered",
"label": "Discovered",
"summary": "How was this discovered?",
"instructions": "How was this vulnerability discovered? Answer in longform below in 'answer.' If there is no evidence as to how this vulnerability was found, then please explain where you looked.",
"howToFind": "Go to the bug report and read the conversation to find out how this was originally found. ",
"defaultValue": "",
Expand Down Expand Up @@ -231,6 +233,7 @@
"id": "il8n",
"key": "il8n",
"label": "il8n",
"summary": "Was internationalization involved?",
"instructions": "Was the feature impacted by this vulnerability about internationalization (i18n)? An internationalization feature is one that enables people from all over the world to use the system. This includes translations, locales, typography, unicode, or various other features. Write a note about how you came to the conclusions you did",
"defaultValue": 1,
"type": "content"
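Review bot: the `id`, `key` and `label` are all "il8n" (lowercase L) while the instructions say "i18n". The label can be corrected to "i18n" safely; renaming the `key` or `id` would orphan answers already stored under "il8n" unless the saved YAML is migrated, so if that rename is wanted it needs a migration step rather than a one-line edit. The instructions string is also missing its closing period after "conclusions you did".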
Expand Down Expand Up @@ -557,13 +560,6 @@
"parentField": "lessons_complex_inputs_applies",
"acceptedValues" : "1",
"comparisonType" : "IN"
}, {
"key": "mistakes",
"label": "Mistakes",
"instructions": "In your opinion, after all of this research, what mistakes were made that led to this vulnerability? Coding mistakes? Design mistakes? Maintainability? Requirements? Miscommunications? There can, and usually are, many mistakes behind a vulnerability. These are grey areas, of course. But do your best to analyze the mistakes according to this framework. Look at the CWE entry for this vulnerability and examine the mitigations they have written there. Are they doing those? Does the fix look proper? Write a thoughtful entry here that those in the software engineering industry would find interesting.",
"defaultValue": "",
"type": "textarea",
"examples": "Remember that mistakes can come in many forms:<ul><li>slip: failing to complete a properly planned step due to inattention e.g. wrong key in the ignition e.g. using < instead of <= </li><li>lapse: failing to complete a properly planned step due to memory failure e.g. forgetting to put car in reverse before backing up e.g. forgetting to check null</li><li>planning error: error that occurs when the plan is inadequate e.g. getting stuck in traffic because you didn't consider the impact of the bridge closing e.g. calling the wrong method e.g. using a poor design</li></ul>"
}, {
"key": "specifications",
"label": "Specifications",
Expand Down Expand Up @@ -599,6 +595,7 @@
}, {
"key": "discussion",
"label": "Discussion",
"summary": "What discussions did the team have?",
"instructions": "Was there any discussion surrounding this? A discussion can include debates, disputes, or polite talk about how to resolve uncertainty.<br/<br/>Just because you see multiple comments doesn't mean it's a discussion. For example:<ul><li>'Fix line 10.' 'Ok' is not what we call a discussion</li><li>'Ping' (reminding people)</li></ul>",
"howToFind": "Check the bugs reports, pull requests, and mailing lists archives.",
"defaultValue": 1,
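Review bot: the `discussion` instructions contain `<br/<br/>` (the `>` after the first `br/` is missing), which the browser will treat as one malformed tag and swallow the line break; change it to `<br/><br/>`. While in this block, `howToFind` should read "bug reports" and "mailing list archives".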
Expand Down Expand Up @@ -646,6 +643,7 @@
}, {
"key": "vouch",
"label": "Vouch",
"summary": "Did someone vouch for another person?",
"instructions": "Was there any part of the fix that involved one person vouching for another's work? This can include:<ul><li>signing off on a commit message</li><li>mentioning a discussion with a colleague checking the work</li><li>upvoting a solution on a pull request</li></ul>",
"defaultValue": 1,
"type": "content"
Expand Down Expand Up @@ -676,6 +674,7 @@
}, {
"key": "stacktrace",
"label": "Stacktrace",
"summary": "Does the report include a stacktrace?",
"instructions": "Are there any stacktraces in the bug reports? Secondly, if there is a stacktrace, is the fix in the same file that the stacktrace points to? If there are no stacktraces, then both of these are false - but be sure to mention where you checked in the note.",
"defaultValue": 1,
"type": "content"
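Review bot: the new summary "Does the report include a stacktrace?" covers only the first of the two questions the instructions pose; the second ("is the fix in the same file that the stacktrace points to?") is what the "both of these are false" sentence refers to, so either widen the summary to mention both or keep the summary short and make sure the two booleans are visible in the field itself.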
Expand Down Expand Up @@ -721,6 +720,7 @@
}, {
"key": "forgotten_check",
"label": "Forgotten Check",
"summary": "Did someone forget to check for something?",
"instructions": "Does the fix for the vulnerability involve adding a forgotten check? A 'forgotten check' can mean many things. It often manifests as the fix inserting an entire if-statement or a conditional to an existing if-statement. Or a call to a method that checks something.",
"defaultValue": 1,
"type": "content",
Expand Down Expand Up @@ -752,6 +752,7 @@
}, {
"key": "order_of_operations",
"label": "Order of Operations",
"summary": "Did they mix up the order of things?",
"instructions": "Does the fix for the vulnerability involve correcting an order of operations? This means the fix involves moving code around or changing the order of how things are done.",
"defaultValue": 1,
"type": "content"
Expand Down Expand Up @@ -779,5 +780,28 @@
"parentField": "order_of_operations",
"acceptedValues" : "1",
"comparisonType" : "IN"
},
{
"key": "mistakes",
"label": "Mistakes (Do this last!)",
"summary": "Summarize the various mistakes made (do this last!)",
"instructions": "In your opinion, after all of this research, what mistakes were made that led to this vulnerability? Coding mistakes? Design mistakes? Maintainability? Requirements? Miscommunications? There can, and usually are, many mistakes behind a vulnerability. These are grey areas, of course. But do your best to analyze the mistakes according to this framework. Look at the CWE entry for this vulnerability and examine the mitigations they have written there. Are they doing those? Does the fix look proper? Write a thoughtful entry here that those in the software engineering industry would find interesting.",
"defaultValue": "",
"type": "textarea",
"examples": "Remember that mistakes can come in many forms:<ul><li>slip: failing to complete a properly planned step due to inattention e.g. wrong key in the ignition e.g. using < instead of <= </li><li>lapse: failing to complete a properly planned step due to memory failure e.g. forgetting to put car in reverse before backing up e.g. forgetting to check null</li><li>planning error: error that occurs when the plan is inadequate e.g. getting stuck in traffic because you didn't consider the impact of the bridge closing e.g. calling the wrong method e.g. using a poor design</li></ul>"
},
{
"key": "related",
"label": "Related CVEs",
"defaultValue": "",
"type": "input",
"validationType": "input",
"summary":"Any related vulnerabilities?",
"instructions": "In the course of your research, did you come across any other vulnerabilities mentioned that this is directly related to? The CVE does not need to exist in this repository. Explain how they are related.",
"examples": [
"Incomplete fix for another vulnerability",
"Multiple, similar vulnerabilities found at once",
"Explicitly stating that this one is different than another"
]
}
]
]
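Review bot: `"validationType": "input"` on the new `related` field appears on no other field in this diff (`nickname`, `sandbox` and `ipc` are `"type": "input"` without it), so it is either a new property the wizard must handle or a leftover to drop. Likewise `examples` is a JSON array here but an HTML string on `mistakes`, so whatever renders `examples` has to accept both shapes or one of them should change. Two smaller points: `"summary":"Any related..."` lacks the space after the colon used everywhere else in the file, and a single-line `input` is tight for several CVE ids plus "Explain how they are related", where `textarea` (as `mistakes` uses) fits better. The `mistakes` block itself is the one removed earlier in the file, re-added here with identical instructions and examples; only the label and summary change, so no content is lost by the move.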
