Closed Bug 1506144 (bmo-stmo) Opened Last year Closed 8 months ago
Access bugzilla security bug metadata via STMO
We (the Firefox security teams) would like to be able to access security bug metadata via STMO so that we can create live dashboards similar to the static info Dan is now emailing. The plan is to use the Secops metrics pipeline - that already gathers a growing set of security metrics from a variety of sources and makes them accessible via STMO. The current pipleline is: * Scripts run in the Ops Jenkins server and collect raw metrics * They write the raw data into folders under s3://foxsec-metrics * Post processing is applied if we need to reformat it (for Athena) * Athena tables are applied to the relevant folders and added to the foxsec_metrics db * The foxsec_metrics db is a data source in STMO The foxsec_metrics data source in STMO is currently restricted to the Secops team, but the plan is to expand that to all of the Firefox security teams. We also plan to make some STMO visualisations on this data accessible to everyone in Mozilla. We would like a subset of the available bugzilla fields so that we don't inadvertently expose details of unfixed security bugs. The bugs that we are interested in and the fields we would like are currently being collated in this gdoc: https://docs.google.com/document/d/1v5HZlH77PHcPSup0gDJTKUKzuCBE3ltGVwgz0d_DeU0/edit# Note that right now this is work in progress - I'll update this bug with that info once we have finalized it. We will need to be able to combine bugzilla data with data from the foxsec_metrics db. I'm not sure if we can combine multiple data sources in STMO.
:robotblake - can you confirm if we can combine data from multiple data sources in the same query in STMO?
:robotblake - we also would want to query both data sources in redash, so if that's a limitation, please let us know
Is this really security sensitive?
:dylan, problably not ;) Just internal then?
A meeting was held on Nov 14th and the above doc updated with notes. :dylan - you were down to define the schema that BMO will use to provide access to the data. Any eta on this?
I plan on hashing out a gdoc today. Sorry for the delay. Also can we drop the groups from this bug? security bugs in this product in my inbox give me anxiety.
decisions & approach on BMO access in meeting notes: https://docs.google.com/document/d/1v5HZlH77PHcPSup0gDJTKUKzuCBE3ltGVwgz0d_DeU0/edit#heading=h.6526yk3oj16u
Assignee: nobody → dylan
Component: Administration → General
Priority: -- → P1
Attachment #9042520 - Attachment is obsolete: true
Attachment #9042548 - Attachment is obsolete: true
Attachment #9042521 - Attachment is obsolete: true
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.