Commit ecf465ce authored by Nick Gaskill

Merge branch 'add_request_cve_issue_docs' into 'master'

Adds documentation for CVE ID Request button

See merge request gitlab-org/gitlab!40993
parents 5b0a35eb 013d3d56
---
type: tutorial
stage: Secure
group: Vulnerability Research
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
---
# CVE ID Requests
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41203) in GitLab 13.4, only for public projects on GitLab.com.
As part of [GitLab's role as a CVE Numbering Authority](https://about.gitlab.com/security/cve)
([CNA](https://cve.mitre.org/cve/cna.html)), you may request
[CVE](https://cve.mitre.org/index.html) identifiers from GitLab to track
vulnerabilities found within your project.
## Overview
CVE identifiers track specific vulnerabilities within projects. Having a CVE assigned to a
vulnerability in your project helps your users stay secure and informed. For example,
[dependency scanning tools](../application_security/dependency_scanning/index.md)
can detect when vulnerable versions of your project are used as a dependency.
## Conditions
If the following conditions are met, a **Request CVE ID** button appears in your issue sidebar:
- The project is hosted in GitLab.com.
- The project is public.
- You are a maintainer of the project.
- The issue is confidential.
## Submitting a CVE ID Request
Clicking the **Request CVE ID** button in the issue sidebar takes you to the new issue page for
[GitLab's CVE project](https://gitlab.com/gitlab-org/cves).
![CVE ID request button](img/cve_id_request_button.png)
Creating the confidential issue starts the CVE request process.
![New CVE ID request issue](img/new_cve_request_issue.png)
You are required to fill in the issue description, which includes:
- A description of the vulnerability
- The project's vendor and name
- Impacted versions
- Fixed versions
- The vulnerability type (a [CWE](https://cwe.mitre.org/data/index.html) identifier)
- A [CVSS v3 vector](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
## CVE Assignment
GitLab triages your submitted CVE ID request and communicates with you throughout the CVE validation
and assignment process.
![CVE ID request communication](img/cve_request_communication.png)
Once a CVE identifier is assigned, you may use and reference it as you see fit.
Details of the vulnerability submitted in the CVE ID request are published according to your
schedule. It's common to request a CVE for an unpatched vulnerability, reference the assigned CVE
identifier in release notes, and later publish the vulnerability's details after the fix is
released.
Separate communications notify you when different stages of the publication process are complete.
![CVE ID request publication communication](img/cve_request_communication_publication.png)
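Review bot: The button label in this new page disagrees with the other hunks of the same merge: `## Conditions` and `## Submitting a CVE ID Request` call it **Request CVE ID**, the project-settings hunk calls it **Create CVE ID Request**, and the vulnerability-page hunk calls it the _CVE ID Request_ button; settle on the label the UI actually shows and use it in all four places. Two smaller points in the same file: the "Introduced" note cites merge request 41203 while this commit merges !40993, so confirm which MR introduced the feature; and in `## Conditions`, "hosted in GitLab.com" should read "hosted on GitLab.com", and "You are a maintainer of the project" would be clearer as "You have at least the Maintainer role", since the permissions table in this merge also grants the action to Owners.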
...@@ -247,7 +247,9 @@ You can create an issue for a vulnerability by visiting the vulnerability's page ...@@ -247,7 +247,9 @@ You can create an issue for a vulnerability by visiting the vulnerability's page
This creates a [confidential issue](../project/issues/confidential_issues.md) in the project the This creates a [confidential issue](../project/issues/confidential_issues.md) in the project the
vulnerability came from, and pre-populates it with some useful information taken from the vulnerability vulnerability came from, and pre-populates it with some useful information taken from the vulnerability
report. Once the issue is created, you are redirected to it so you can edit, assign, or comment on report. Once the issue is created, you are redirected to it so you can edit, assign, or comment on
it. it. CVE identifiers can be requested from GitLab by clicking the
[_CVE ID Request_ button](cve_id_request.md) that is enabled for maintainers of
public projects on GitLab.com
Upon returning to the group security dashboard, the vulnerability now has an associated issue next Upon returning to the group security dashboard, the vulnerability now has an associated issue next
to the name. to the name.
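Review bot: The sentence added at the end of this paragraph ends without a period ("public projects on GitLab.com"), and it formats the button as italic text (_CVE ID Request_) where the linked page and the rest of the documentation bold UI element names (**Request CVE ID**). Suggest closing the sentence and matching the button label and bold style used on the linked page, for example: "CVE identifiers can be requested from GitLab by clicking the [**Request CVE ID** button](cve_id_request.md), which is enabled for maintainers of public projects on GitLab.com."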
......
...@@ -122,6 +122,7 @@ The following table depicts the various user permission levels in a project. ...@@ -122,6 +122,7 @@ The following table depicts the various user permission levels in a project.
| Manage Feature Flags **(PREMIUM)** | | | ✓ | ✓ | ✓ | | Manage Feature Flags **(PREMIUM)** | | | ✓ | ✓ | ✓ |
| Create/edit/delete metrics dashboard annotations | | | ✓ | ✓ | ✓ | | Create/edit/delete metrics dashboard annotations | | | ✓ | ✓ | ✓ |
| Run CI/CD pipeline against a protected branch | | | ✓ (*5*) | ✓ | ✓ | | Run CI/CD pipeline against a protected branch | | | ✓ (*5*) | ✓ | ✓ |
| Request a CVE ID **(FREE ONLY)** | | | | ✓ | ✓ |
| Use environment terminals | | | | ✓ | ✓ | | Use environment terminals | | | | ✓ | ✓ |
| Run Web IDE's Interactive Web Terminals **(ULTIMATE ONLY)** | | | | ✓ | ✓ | | Run Web IDE's Interactive Web Terminals **(ULTIMATE ONLY)** | | | | ✓ | ✓ |
| Add new team members | | | | ✓ | ✓ | | Add new team members | | | | ✓ | ✓ |
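Review bot: The new row's badge **(FREE ONLY)** does not follow the badge vocabulary of the neighbouring rows (**(PREMIUM)**, **(ULTIMATE ONLY)**), and a tier badge cannot express how this action is actually gated: the linked page says it is available only on GitLab.com, only for public projects, and only from a confidential issue. Suggest dropping the tier badge and adding a numbered footnote in the style already used on the row above (`✓ (*5*)`) that states those conditions, so readers of the table are not misled into expecting the button on self-managed instances.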
......
...@@ -37,6 +37,8 @@ When you create a project in GitLab, you'll have access to a large number of ...@@ -37,6 +37,8 @@ When you create a project in GitLab, you'll have access to a large number of
- [Signing commits](gpg_signed_commits/index.md): use GPG to sign your commits - [Signing commits](gpg_signed_commits/index.md): use GPG to sign your commits
- [Deploy tokens](deploy_tokens/index.md): Manage project-based deploy tokens that allow permanent access to the repository and Container Registry. - [Deploy tokens](deploy_tokens/index.md): Manage project-based deploy tokens that allow permanent access to the repository and Container Registry.
- [Web IDE](web_ide/index.md) - [Web IDE](web_ide/index.md)
- [CVE ID Requests](../application_security/cve_id_request.md): Request a CVE identifier to track a
vulnerability in your project.
**Issues and merge requests:** **Issues and merge requests:**
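Review bot: The added list item wraps onto a second line ("vulnerability in your project.") while every neighbouring item in this list is written on a single line; join it into one line so it reads consistently in the source and renders as one bullet regardless of how the Markdown processor treats the continuation line.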
......
...@@ -100,6 +100,16 @@ Some features depend on others: ...@@ -100,6 +100,16 @@ Some features depend on others:
- Metrics dashboard access requires reading both project environments and deployments. - Metrics dashboard access requires reading both project environments and deployments.
Users with access to the metrics dashboard can also access environments and deployments. Users with access to the metrics dashboard can also access environments and deployments.
#### Disabling the CVE ID request button
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41203) in GitLab 13.4, only for public projects on GitLab.com.
In applicable environments, a [**Create CVE ID Request** button](../../application_security/cve_id_request.md)
is present in the issue sidebar. The button may be disabled on a per-project basis by toggling the
setting **Enable CVE ID requests in the issue sidebar**.
![CVE ID Request toggle](img/cve_id_request_toggle.png)
#### Disabling email notifications #### Disabling email notifications
Project owners can disable all [email notifications](../../profile/notifications.md#gitlab-notification-emails) Project owners can disable all [email notifications](../../profile/notifications.md#gitlab-notification-emails)
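Review bot: "In applicable environments" is vague for a settings page; the gating is concrete (GitLab.com only, public projects, confidential issues, Maintainer role or higher) and documented on the linked page, so either state it here or write "When the conditions on the linked page are met". The button is also named **Create CVE ID Request** here but **Request CVE ID** on the page this link points to; use the same label in both places. Finally, the setting text "Enable CVE ID requests in the issue sidebar" should be checked against the toggle shown in `img/cve_id_request_toggle.png` so the prose and screenshot match.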
......