Closed
Bug 1080600
Opened 11 years ago
Closed 11 years ago
CVE ID format change: CVE-\d{4}-\d{4} becomes CVE-\d{4}-\d{4,} this year
Categories
(bugzilla.mozilla.org :: Extensions, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: Atoll, Assigned: dkl)
Attachments
(1 file)
patch, 611 bytes, dylan: review+
https://cve.mitre.org/cve/identifiers/syntaxchange.html
They haven't *yet* reached CVE-2014-10000, but if they don't, they promise to release a five-digit CVE at the beginning of 2015.
Interestingly,
"There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below."
So these CVEs would need to match:
CVE-2014-0001 CVE-2014-9999
CVE-2014-10000 CVE-2014-99999
CVE-2014-100000 CVE-2014-999999
CVE-2014-1000000 CVE-2014-9999999
And these would be invalid:
CVE-2014-00001
CVE-2014-099999
CVE-2014-0123456
Which sounds more like this than my simplified subject:
CVE-\d{4}-(?:\d{4}|[1-9]\d{4,6})(?!\d)
As of the time of filing this bug, only the first row of CVE IDs get highlighting (0001 and 9999), which makes it useful as a test case (the four rows of valid IDs should be highlighted, the three rows of invalid should not.)
Comment 2•11 years ago (Assignee)
Comment 3•11 years ago
Comment on attachment 8502540
1080600_1.patch
Review of attachment 8502540:
-----------------------------------------------------------------
this looks like an efficient regex in Regexp::Debugger.
Attachment #8502540 - Flags: review?(dylan) → review+
Comment 4•11 years ago (Assignee)
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
75e5744..1f84551 master -> master
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
Comment 5•11 years ago
This is incorrect....
New CVE-ID Syntax
The new CVE-ID syntax is variable length and includes:
CVE prefix + Year + Arbitrary Digits
So, either CVE-\d{4}-(0\d{3}|[1-9]\d{3,}) or CVE-\d{4}-\d{4,}
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: CVE ID format change: CVE-\d{4}-\d{4} becomes CVE-\d{4}-\d{4,7} this year → CVE ID format change: CVE-\d{4}-\d{4} becomes CVE-\d{4}-\d{4,} this year
(In reply to Reed Loden [:reed] from comment #5)
> This is incorrect....
reopening a r/f bug isn't useful; i've created bug 1117599 to track this change.
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED
Updated•6 years ago
Component: Extensions: BMO → Extensions
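The patterns quoted in the description and in comment 5, run over the description's test IDs the way a linkifier would (searching inside text rather than matching the whole string). This is an added example, not Bugzilla's code or the attached patch; the pattern labels, the eight-digit sample ID and the `strict_guarded` variant are assumptions made for this illustration.

```python
import re

# Patterns quoted on this page; the dictionary keys are labels chosen here.
PATTERNS = {
    "description": r"CVE-\d{4}-(?:\d{4}|[1-9]\d{4,6})(?!\d)",
    "comment5_strict": r"CVE-\d{4}-(0\d{3}|[1-9]\d{3,})",
    "comment5_loose": r"CVE-\d{4}-\d{4,}",
    # Assumption, not from the thread: comment 5's strict form plus the
    # description's (?!\d) guard, so a valid-looking prefix is not marked.
    "strict_guarded": r"CVE-\d{4}-(?:0\d{3}|[1-9]\d{3,})(?!\d)",
}

# Test IDs listed in the bug description.
VALID = ["CVE-2014-0001", "CVE-2014-9999", "CVE-2014-10000", "CVE-2014-99999",
         "CVE-2014-100000", "CVE-2014-999999", "CVE-2014-1000000",
         "CVE-2014-9999999"]
INVALID = ["CVE-2014-00001", "CVE-2014-099999", "CVE-2014-0123456"]
# Constructed sample: eight arbitrary digits, no leading zero.
LONG = "CVE-2014-12345678"


def highlighted(name, text):
    """Return the substrings a linkifier using this pattern would mark."""
    return [m.group(0) for m in re.finditer(PATTERNS[name], text)]


def report(name):
    """Classify each sample ID as 'full', 'partial' or 'none' for a pattern."""
    out = {}
    for cve in VALID + INVALID + [LONG]:
        hits = highlighted(name, "see " + cve + " for details")
        if not hits:
            out[cve] = "none"
        else:
            out[cve] = "full" if hits[0] == cve else "partial"
    return out


if __name__ == "__main__":
    for name in PATTERNS:
        print(name)
        for cve, result in report(name).items():
            print(f"  {cve:20} {result}")
```

When used for searching, the unguarded strict form still marks the first four digits of each invalid ID, while the seven-digit cap in the description's pattern leaves the eight-digit ID unmarked.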