Security Advisories - rajparad/firefox-ios GitHub Wiki
Overview
This page documents the process for creating security advisories for Firefox for iOS. If you're looking for the advisories themselves rather than the process, see the published advisories page instead.
The general process, omitting getting access and first-time setup, is to:
- Check for advisories for the current release version. This is where we make sure each Bugzilla ticket has the required information and is tagged properly.
- Generate the advisories to be submitted to the security advisories repository.
- Publish the advisories once the release has shipped.
Access and roles
To produce security advisories, you'll need specific access and roles.
- You'll need to be a member of either the Mozilla or the Mozilla-mobile GitHub org. You can check which orgs you belong to directly on your GitHub profile.
- Your GitHub identity must be verified on PeopleMo. You can add your GitHub identity directly on your PeopleMo profile page.
- As of 2023/07, message @tritter on Slack to ask for access to https://github.com/mozilla/foundation-security-advisories-private.git
Setup
- git clone https://github.com/mozilla/foundation-security-advisories-private.git
- git clone https://github.com/tomrittervg/secadv.git
- cd secadv && cp apikey-example.py apikey.py
- Go to https://bugzilla.mozilla.org/userprefs.cgi?tab=apikey and create an API key. Paste it into apikey.py, keeping the leading and trailing " around the value. The key acts as your Bugzilla credential and grants access to security-sensitive bugs, so treat it as a secret: keep it out of commits and rotate it if it leaks.
Python virtual environment
The security advisories script is a Python script that depends on the requests package. The easiest way to install its requirements is in a virtual environment. There's more than one way to do this, but here's one:
- Install virtual environment with
pip3 install virtualenv
- Navigate to the root of the secadv project
- Create virtual environment with
virtualenv -p python3 secadv-env
- Activate the virtual environment with
source secadv-env/bin/activate
- Install project requirements with
pip install requests
- Each time you want to run the security advisories script you'll have to activate the virtual environment first
Checking for Advisories
- Make sure that the security bugs have an updated tracking flag with the correct version number. If the flag doesn't exist yet for the particular version, check in with the #release-coordination people. If you have admin access you can make the change on the admin page yourself.
- Navigate to the root of the secadv project
- Activate your virtual environment with
source secadv-env/bin/activate
- Run the python script
./ios_advisories.py [version]
- Example for v99.0
./ios_advisories.py 99
- Example for v99.1
./ios_advisories.py 99.1
Missing advisory.txt
- Create this file following the documentation
- Attach it to the bug
- Ask in #release-coordination for a CVE (Common Vulnerabilities and Exposures) number
@dveditz @tritter I need a CVE for https://bugzilla.mozilla.org/show_bug.cgi?id=xxx
Generate Advisory
- Navigate to the root of the foundation-security-advisories-private project
- Create a virtual environment for this repository, as was done for the secadv project
- Install project requirements with
pip install -r requirements.txt
Generate the new advisory:
- Find the latest .yml file present in the announcement folder, so you know the next free mfsa number for the current year:
ls announce/YEAR
- Navigate to the root of the secadv project and activate the virtual environment
- Run the security advisories script with the following command:
./ios_advisories.py [version] > ../foundation-security-advisories-private/announce/2023/mfsa2023-<xx>.yml
This redirects the script's output into the new .yml file (use the next free number in place of <xx>).
Hopefully there are no errors. If there are errors and you need help, contact the sec-team.
Double check the file:
less ../foundation-security-advisories-private/announce/2023/mfsa2023-<xx>.yml
- Update the date in the file (labeled with 'FIXME'), or else check_advisories.py will fail. This date needs to be the release date. If you don't have the date yet you can put a placeholder until you have it, then commit the final date once it is known.
- Confirm it makes sense and adheres to the norms (https://wiki.mozilla.org/Security/Firefox/Security_Bug_Life_Cycle/Security_Advisories#Review_it_yourself)
cd ../foundation-security-advisories-private
./check_advisories.py --all
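The two manual steps above, finding the next free mfsa number and making sure the FIXME date placeholder is gone before committing, are easy to get wrong by hand. The helper below is an added example, not part of the secadv or foundation-security-advisories-private repositories; it assumes only the layout this page describes (announce/<YEAR>/mfsa<YEAR>-<NN>.yml) and that check_advisories.py remains the authoritative check. The sample files it creates are constructed for the demo.

```bash
#!/bin/sh
# Added helper for the advisory workflow on this page (not project code).
# Assumes advisories live at announce/<YEAR>/mfsa<YEAR>-<NN>.yml.

# next_mfsa_id DIR YEAR
# Prints the next unused id for YEAR, e.g. "mfsa2023-11". If no file exists
# for that year yet, the first id is <YEAR>-01.
next_mfsa_id() {
  dir="$1"
  year="$2"
  # Extract the numeric part of every mfsa<YEAR>-<NN>.yml, take the highest,
  # and strip leading zeros so the shell does not read "09" as octal.
  last=$(ls "$dir/$year" 2>/dev/null \
    | sed -n "s/^mfsa${year}-\([0-9][0-9]*\)\.yml$/\1/p" \
    | sort -n | tail -n 1 | sed 's/^0*//')
  next=$(( ${last:-0} + 1 ))
  printf 'mfsa%s-%02d\n' "$year" "$next"
}

# check_no_fixme FILE
# Returns 1 (and explains why) if the generated advisory still carries the
# FIXME placeholder the script emits for the release date; 0 otherwise.
check_no_fixme() {
  if grep -q 'FIXME' "$1"; then
    echo "FIXME placeholder still present in $1; set the release date first" >&2
    return 1
  fi
  return 0
}

# Demo on a constructed announce tree (stand-alone; safe to run anywhere).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/2023"
touch "$demo_dir/2023/mfsa2023-01.yml" "$demo_dir/2023/mfsa2023-09.yml" \
      "$demo_dir/2023/mfsa2023-10.yml"
echo "Next id for 2023: $(next_mfsa_id "$demo_dir" 2023)"   # mfsa2023-11
echo "Next id for 2022: $(next_mfsa_id "$demo_dir" 2022)"   # mfsa2022-01
printf 'announced: FIXME\n' > "$demo_dir/2023/mfsa2023-11.yml"
check_no_fixme "$demo_dir/2023/mfsa2023-11.yml" || echo "(refusing to commit)"
rm -rf "$demo_dir"
```

Run it from the root of foundation-security-advisories-private with `next_mfsa_id announce 2023` to get the file name to redirect into, and `check_no_fixme announce/2023/mfsa2023-<xx>.yml` before `git add`; it is a quick pre-check, not a replacement for `./check_advisories.py --all`.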
Add and commit the file
- Create a new branch for your changes
git add announce/2023/mfsa2023-<xx>.yml
git commit -m "Advisories for iOS Release Foo"
- Create a PR with those changes, tagging @tritter for review.
Await Apple approval of App
Once the release has been made, the next step can be done which is to publish the advisories.
Publish Advisory
When Apple has approved the app and you are ready to release it to users, go to #release-coordination on Slack, link to your specific commit in foundation-security-advisories-private, and ask for the advisory to be made public. Tag @tritter and @dveditz for visibility.