Closed Bug 1080600 Opened 6 years ago Closed 6 years ago

CVE ID format change: CVE-\d{4}-\d{4} becomes CVE-\d{4}-\d{4,} this year

(bugzilla.mozilla.org :: Extensions, defect)

RESOLVED FIXED

People

(Reporter: Atoll, Assigned: dkl)

Attachments

(1 file)

https://cve.mitre.org/cve/identifiers/syntaxchange.html

They haven't *yet* reached CVE-2014-10000, but if they don't, they promise to release a five-digit CVE at the beginning of 2015.

Interestingly,

"There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below."

So these CVEs would need to match:

CVE-2014-0001 CVE-2014-9999
CVE-2014-10000 CVE-2014-99999
CVE-2014-100000 CVE-2014-999999
CVE-2014-1000000 CVE-2014-9999999

And these would be invalid:

CVE-2014-00001
CVE-2014-099999
CVE-2014-0123456

Which sounds more like this than my simplified subject:

CVE-\d{4}-(?:\d{4}|[1-9]\d{4,6})(?!\d)
As of the time of filing this bug, only the first row of CVE IDs gets highlighting (0001 and 9999), which makes it useful as a test case (the four rows of valid IDs should be highlighted, the three rows of invalid should not).
Attached patch 1080600_1.patch
Assignee: nobody → dkl
Status: NEW → ASSIGNED
Attachment #8502540 - Flags: review?(dylan)
Comment on attachment 8502540
1080600_1.patch

Review of attachment 8502540:
-----------------------------------------------------------------

this looks like an efficient regex in Regexp::Debugger.
Attachment #8502540 - Flags: review?(dylan) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   75e5744..1f84551  master -> master
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
This is incorrect....


New CVE-ID Syntax

The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits


So, either CVE-\d{4}-(0\d{3}|[1-9]\d{3,}) or CVE-\d{4}-\d{4,}
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: CVE ID format change: CVE-\d{4}-\d{4} becomes CVE-\d{4}-\d{4,7} this year → CVE ID format change: CVE-\d{4}-\d{4} becomes CVE-\d{4}-\d{4,} this year
Blocks: 1117599
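
Added example (not part of the bug or of the Bugzilla patch): a small Python harness that runs the regexes quoted in comment 0 and comment 5 over the test IDs from the bug description, using a search the way a linkifier scans free text. The "guarded" pattern and the 8-digit ID are assumptions introduced here for comparison.

```python
import re

# Regexes quoted in this bug; "guarded" is an added, hypothetical variant
# (comment 5's first pattern plus comment 0's trailing lookahead).
PATTERNS = {
    "comment0": r"CVE-\d{4}-(?:\d{4}|[1-9]\d{4,6})(?!\d)",
    "comment5_a": r"CVE-\d{4}-(0\d{3}|[1-9]\d{3,})",
    "comment5_b": r"CVE-\d{4}-\d{4,}",
    "guarded": r"CVE-\d{4}-(?:0\d{3}|[1-9]\d{3,})(?!\d)",
}

# Test IDs listed in the bug description.
VALID = [
    "CVE-2014-0001", "CVE-2014-9999",
    "CVE-2014-10000", "CVE-2014-99999",
    "CVE-2014-100000", "CVE-2014-999999",
    "CVE-2014-1000000", "CVE-2014-9999999",
]
INVALID = ["CVE-2014-00001", "CVE-2014-099999", "CVE-2014-0123456"]
# Constructed sample: eight digits, permitted by "no limit on the number
# of arbitrary digits" in the quoted syntax note.
LONG_ID = "CVE-2014-12345678"


def highlighted(pattern, text):
    """Return the substring a search-based linkifier would highlight, or None."""
    m = re.search(pattern, text)
    return m.group(0) if m else None


def report(pattern):
    """List valid IDs not highlighted in full, and invalid IDs highlighted at all."""
    valid_missed = [i for i in VALID + [LONG_ID] if highlighted(pattern, i) != i]
    invalid_hit = {}
    for i in INVALID:
        hit = highlighted(pattern, i)
        if hit is not None:
            invalid_hit[i] = hit  # may be only a prefix of the invalid ID
    return {"valid_missed": valid_missed, "invalid_hit": invalid_hit}


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(name, report(pattern))
```

A partial hit on an invalid ID matters for linkification because the highlighted prefix (for example CVE-2014-0000 inside CVE-2014-00001) would link to a different identifier than the one written.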
(In reply to Reed Loden [:reed] from comment #5)
> This is incorrect....

reopening a r/f bug isn't useful; i've created bug 1117599 to track this change.
Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Component: Extensions: BMO → Extensions