Closed Bug 1080600 Opened 10 years ago Closed 9 years ago

CVE ID format change: CVE-\d{4}-\d{4} becomes CVE-\d{4}-\d{4,} this year

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Product:
bugzilla.mozilla.org
Component:
Extensions
Version:
Production
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: Atoll, Assigned: dkl)

References

Details

Attachments

(1 file)

1080600_1.patch
611 bytes, patch
dylan
: review+
Details | Diff | Splinter Review 
https://cve.mitre.org/cve/identifiers/syntaxchange.html

They haven't *yet* reached CVE-2014-10000, but if they don't, they promise to release a five-digit CVE at the beginning of 2015.

Interestingly,

"There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below."

So these CVEs would need to match:

CVE-2014-0001 CVE-2014-9999
CVE-2014-10000 CVE-2014-99999
CVE-2014-100000 CVE-2014-999999
CVE-2014-1000000 CVE-2014-9999999

And these would be invalid:

CVE-2014-00001
CVE-2014-099999
CVE-2014-0123456

Which sounds more like this than my simplified subject:

CVE-\d{4}-(?:\d{4}|[1-9]\d{4,6})(?!\d)
As of the time of filing this bug, only the first row of CVE IDs get highlighting (0001 and 9999), which makes it useful as a test case (the four rows of valid IDs should be highlighted, the three rows of invalid should not.)
Attached patch 1080600_1.patchSplinter Review 
Assignee: nobody → dkl
Status: NEW → ASSIGNED

        Attachment #8502540 -
        Flags: review?(dylan)

    
    

    
  
Comment on attachment 8502540 [details] [diff] [review]
1080600_1.patch

Review of attachment 8502540 [details] [diff] [review]:
-----------------------------------------------------------------

this looks like an efficient regex in Regexp::Debugger.

        Attachment #8502540 -
        Flags: review?(dylan) → review+

    
    

    
  
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   75e5744..1f84551  master -> master
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED

    
    

    
  
This is incorrect....


New CVE-ID Syntax

The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits


So, either CVE-\d{4}-(0\d{3}|[1-9]\d{3,}) or CVE-\d{4}-\d{4,}
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: CVE ID format change: CVE-\d{4}-\d{4} becomes CVE-\d{4}-\d{4,7} this year → CVE ID format change: CVE-\d{4}-\d{4} becomes CVE-\d{4}-\d{4,} this year

    
  
Blocks: 1117599

    
    

    
  
(In reply to Reed Loden [:reed] from comment #5)
> This is incorrect....

reopening a r/f bug isn't useful; i've created bug 1117599 to track this change.
Status: REOPENED → RESOLVED
Closed: 10 years ago9 years ago
Resolution: --- → FIXED
Component: Extensions: BMO → Extensions

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: