Testing has been scheduled and there will be a kickoff meeting the week before for any questions

Testing has been scheduled and there will be a kickoff meeting the week before for any questions

confirmed with comms that we are not doing the press release

Confirmed by MITRE

There's no security review required for Jest at this time as long as it remains a developer dependency. We would like to ensure that the version stays up to date and if there are any critical vulnerabilities found, that you reach out to the security team.

@Reedy I'll store it in that. I thought there was a shared LastPass for some reason

@sbassett the security landing page has been updated. Only thing left is to remove Hal from the email list, which I will need you to do since I don't have permission.

I talked to ITS. They have removed Hal from the Security drive. They are going to merge his current accounts into his contractor accounts after they are provisioned via our Onboarding workflow. If we have any concerns we can let them know. I think that should be fine.

I reached out to confirm with ITS, will report back on that. I don't have access to the security-team email list, so I can't remove Hal.

@Aklapper perhaps they never had security access to begin with?

Hey! I'm from the security team and I didn't see either of these folks in acl*security or acl*security_wmde. Perhaps they've already been removed by someone else?

@Aklapper are you okay to resolve this ticket?

No, we still have to do an onboarding and actually become a CNA partner. Unless you think that should be a separate ticket?

@BlankEclair thank you for reporting. I'll follow up with further information soon

Met with Mitre and the finalized scope is:

@Aklapper since the gerrit patch is public this ticket is okay to be public as well. I went ahead and changed the policy

@sbassett once it's scheduled you'll receive an invite

This scope still did not pass inspection by Mitre, so we are having a meeting next week to discuss more in detail. Anyone who is interested in coming to the meeting let me know.

@sbassett is out this week, so I will set up a meeting next week so we can discuss the beta deployment

This patch looks good but I would like someone familiar with this extension to review it as well.

Great, I think this is the final scope: "Any code repository hosted under gerrit.wikimedia.org, gitlab.wikimedia.org or github.com/wikimedia that is not archived or a fork of an upstream project or otherwise unmaintained by the WMF or Wikimedia Community"

I like that, but I do think that we might either have to remove active or define what that means. Do we mean active in the last 6 months? Last year?

There needs to be clarity on what projects we will manage or not. Originally when we started this project we did say Mediawiki core, skins, and extensions, but if you want to open it up that's fine with me. I'm fine to say vulnerabilities in software maintained by the Wikimedia Foundation or something like that.

It can't be a minimal list, it needs to be an exact list of what we will issue CVEs for. I'm only saying this because I met with Mitre, and they want a canonical list of what we will and will not cover. We can also say something like, "Scope The GitLab application, any project hosted on GitLab.com in a public repository, and any vulnerabilities discovered by GitLab that are not in another CNA’s scope" but then that might be more broad than we want. Go has one that says, "Vulnerabilities in software published by the Go Project (including the Go standard library, Go toolchain, and the golang.org modules) and publicly disclosed vulnerabilities in publicly importable packages in the Go ecosystem, unless covered by another CNA’s scope". So we could say something very similar to that.

How about

I met with Mitre today and there are two issues to address before we can have the official onboarding meeting with the whole team.
They wanted to get very clear on the scope and we need to have a proper advisory page.

@Physikerwelt thank you for reporting this. This issue looks like it's referring to CVE-2023-39663 which only affects versions of Mathjax under and including 2.7.9. The current version of Mathjax for WMF production is 3.2.2 so WMF systems are not affected. I'm marking this as resolved, but if you have any other questions or comments, please let us know.

legal approved terms of service in coupa. I'm meeting with Mitre this week to talk about our scope and advisory page. There might need to be some udpates. More to come

@acooper I filled out a coupa request with legal

Mitre responded on May 15, but I was OOO so I filled out the CNA registration form today. I did reach out to legal about the terms of service as well. The next steps are for Mitre to schedule a meeting to discuss the program more. If anyone is interested in the onboarding materials, there is information about the onboarding process and the CNA Rules.

Security Review Summary - T361690 - 2024-15-05
Last commit reviewed: 54d3a6d

@jsn.sherman I'll aim for the end of May for this review, but in case I'm not able to post it, you can go ahead and get the pilot rolling

@jsn.sherman thank for letting me know, is there a deadline that I should know about for the review? If not, I will post mid June.

Supplemental announcement is out!

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.7/1.40.3/1.41.1)

@ashley Since MediaWikiChat is not deployed in WMF production, this patch can be pushed through github.

security issue access has been granted

@Samwalton9-WMF this review will be scoped to the extension only, the models will be out of scope for this review. Is it possible that this tool will replace existing auto moderator tools? For the timeline, does that mean the review can start in May? We're planning to do this review this quarter.

It looks like it's not too bad to convert from CycloneDX to SPDX, so even if we decide to go with CycloneDX we can still get the SPDX data if we want it. CycloneDX seems to have more tooling and also provides a license scanner to look at the licenses @Jdforrester-WMF was referencing.