Problem/Motivation

It would be good to know how the labels work and who can change them and when.

They have documentation on the labels themselves already. See a list and the documentation at https://git.drupalcode.org/groups/security/-/labels?search=security

That list is linked from this documentation page https://www.drupal.org/drupal-security-team/security-team-procedures/sec...

CommentFileSizeAuthor
#7 security-hover-labels.png68.71 KBgreggles

Comments

greggles created an issue. See original summary.

greggles’s picture

Status: Active » Needs review

I tried to start each description with "automatically set (and when)" or "manually set by whom...".

These label descriptions are available on that list or when a label has been applied and someone hovers over the label.

ergonlogic’s picture

Are these based on an external reference or ontology?

If not, I'd suggest that "Severity" might be a more descriptive scope than "Security risk", considering the labels are "Critical", "Highly critical", etc. IMO, "Security risk" implies a more qualitative/categorical descriptor, like "Privilege escalation" or "Remote exploit". But we probably don't want to re-invent CVSS...

Also, the "Security status" scope seems to mix concerns somewhat. For example, "not in advisory policy" seems to be of a different nature than "needs work", "rtbc", etc. Perhaps it should be in the "Security Advisory" scope instead?

greggles’s picture

Thanks for the review and feedback! Worth considering.

Yeah, we did reinvent CVSS a long time ago because it's not a great fit for web vulnerabilities and it's not easy to understand. Since then CVSS got better (though I think it's still flawed) and is more adopted so there's more documentation supporting the sense-making process. The severity scope is based on our risk scores so we should probably keep them like that. They are automatically set. There's some work to move to CVSS at #3442181: Switch to CVSS scoring and part of that will probably be adjusting the risk score syncing code.

I agree the status is a mix of who needs to do work and what the next work is, but I think it's a decent compromise for ease of use of the system. It is purposeful that "not in advisory policy" is exclusive with the other values because it indicates that none of the other values are relevant. The team reviews the other statuses to find things to work on, but "not in advisory policy" doesn't require the team to get involved.

cmlara’s picture

https://git.drupalcode.org/groups/security/-/labels?search=security

This link appears to not be visible to unauthenticated users. I wonder if it is possibly not accessible to anyone who hasn’t been added to at least one security issues (my test account doesn’t work with GitLab for some reason I’ve never requested infra to evaluate so I can’t test this myself if anyone else has no GitLab security issues you could help by commenting on if you can access this link).

Perhaps not a major blocker since you have to be authenticated to see issues or edit them however worth knowing/evaluating as it relates to public documentation.

That list is linked from this documentation page https://www.drupal.org/drupal-security-team/security-team-procedures/sec...

I’ll note that page is unlikely to be found from a security issue. It’s buried under a topic that says

This section of the handbook details the procedures for Drupal Security Team members. If that is not you, you can safely skip this section of the documentation unless you are particularly interested in the topic.

Longer term: I imagine users will learn to click on Manage > Labels which will mitigate any of these external needs.

Near term: I didn’t think to to check the labels before I responded in Slack regarding a lack of documentation, and while I’m far from a GitLab expert, my experience has been I tend to be one of the users most likely to explore and use the full UI. That leads me to be concerned other users are less likely in the near future learn this GitLab method for finding label text.

Security Status Validated:
and meets the team policies and practices I’ve seen too many issues I expect the security team to refuse end up accepted and ones I would expect them to accept be refused. That phrase for me likley makes this team only. At the very least it implies maintiners need to have a firm grasp of the security team action history to make decisions. Perhaps another middle ground “maintainer agrees” stage ? (Possibly out of scope for this issue since it’s documenting current tags.)

If not, I'd suggest that "Severity" might be a more descriptive scope than "Security risk"

Expanding on that, I would go so far as to suggest it could be prefaced with “Calculated …” to make it more clear it’s an automated field (possibly out of scope for this issue, just wanted to suggest it since it is related to the previous suggestions of changing title)

drumm’s picture

That leads me to be concerned other users are less likely in the near future learn this GitLab method for finding label text.

We can mention the labels in one of the automated issue updates or comments if we think it will help people. As long as the text doesn’t become so long that the really important points get glossed over.

I thought GitLab had helpful hover tips for labels right on the issue, but it seems it does not.

greggles’s picture

StatusFileSize
new68.71 KB

Thanks for your thoughts in #5, cmlara.

re #4 - They show on the issue after a label has been assigned which is not really helpful for discovery of how to use the labels (see screenshot). It's better than nothing, but not ideal.

cmlara’s picture

As another data point:
Mobile devices also do not have hover/mouseover support.

On my phone (where I do somehere around 80-90% of my reviewing and commenting) it is a link where you see the mouseover text for a moment when you click the link before being directed to a page that filters only on that tag (same for my native device app).

To reiterate I do expect long term users will learn all these methods, it is only in the short term where most the project are still likley on D.O. yet the securtiy issues are on G.D.O. (And maybe a half year to a year after the great migration to issues) that I expect this to be a point of per user learning. Unlike much of the rest of the conversion there really wasn’t a viable way to train users on Labels before migration.