Closed Bug 709816 Opened 13 years ago Closed 12 years ago

Security review OrangeFactor (WOO) integration into bugzilla.mozilla.org as a Bugzilla extension

Categories

(mozilla.org :: Security Assurance: Review Request, task, P4)

Tracking

(Not tracked)

VERIFIED FIXED
People

(Reporter: dkl, Assigned: ygjb)

Details

* A quick intro to what this app does.

The Orange Factor system presents Mozilla project build data in a variety of ways, focusing on oranges (failures). This information can be tied to specific bug reports in BMO. The extension looks for a specific bug whiteboard tag "[orange]" and will attempt to contact the orange factor system to show some simple statistics in the bug report. It also displays a link that the user can click to get to the Orange Factor system to display information related to the bug id.

https://brasstacks.mozilla.com/orangefactor

* Where is the source code located?

Once committed to the stable code base it will be located at:
http://bzr.mozilla.org/bmo/4.0/files/head:/extensions/OrangeFactor

Currently it can be viewed instead at:
http://bzr.mozilla.org/bmo/4.0-dev/files/head:/extensions/OrangeFactor/

* Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.

https://bugzilla-stage-tip.mozilla.org

Sample bug showing the orange link and stats graph:
https://bugzilla-stage-tip.mozilla.org/show_bug.cgi?id=686424

* Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.

bugzilla.mozilla.org/Extensions: OrangeFactor

* Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.

It will be connecting to the REST API exported by the Orange Factor system:
https://brasstacks.mozilla.com/orangefactor/api/

A sample query can look like:
https://brasstacks.mozilla.com/orangefactor/api/count?startday=2011-11-13&endday=2011-12-11&bugid=686424&callback=OrangeFactor.getOrangeCount

It uses JSONP (callback=OrangeFactor.getOrangeCount) to allow the Bugzilla bug page to access the brasstacks server. Otherwise you get the cross domain restriction.

* Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.

No. The BMO extension will use normal Bugzilla accounts. The information on the Orange Factor server is based on public bugs and does not require any login.

* What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)

Worst case is the external system is inaccessible and the statistics data does not display properly on the bug page. The client's browser eventually times out trying to access the data. Since it is happening in the background it should not significantly impact use of the bug page. Even without contacting the server, it is still useful as it displays a convenient link for the user to get to the Orange Factor server to see the information related to the bug id.

* Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?

NA

* This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

Not extremely urgent.
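Added example to make the JSONP trust relationship described in the request concrete; this is not code from the OrangeFactor extension or the brasstacks API. The parameter names (startday, endday, bugid, callback) are taken from the sample query above; the payload fields, function names and the server-side validation are assumptions about what a JSONP endpoint and its consumer should do, not a description of what brasstacks does.

```javascript
// Added example, not code from the OrangeFactor extension. Parameter names
// (startday, endday, bugid, callback) come from the sample query above; the
// payload fields and function names are hypothetical.

const API_BASE = "https://brasstacks.mozilla.com/orangefactor/api/";

// A JSONP callback is spliced into executable JavaScript, so restrict it to a
// dotted identifier such as "OrangeFactor.getOrangeCount". Anything else
// (parentheses, quotes, slashes, whitespace) is rejected outright.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isSafeCallbackName(name) {
  return typeof name === "string" &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// Client side (Bugzilla page): build the count URL from validated inputs so
// that a malformed bug field cannot smuggle extra query parameters.
function buildCountUrl(bugId, startday, endday, callback) {
  const dateRe = /^\d{4}-\d{2}-\d{2}$/;
  if (!Number.isInteger(bugId) || bugId <= 0) {
    throw new TypeError("bugid must be a positive integer");
  }
  if (!dateRe.test(startday) || !dateRe.test(endday)) {
    throw new TypeError("startday/endday must be YYYY-MM-DD");
  }
  if (!isSafeCallbackName(callback)) {
    throw new TypeError("callback must be a dotted identifier");
  }
  const params = new URLSearchParams({
    startday, endday, bugid: String(bugId), callback,
  });
  return API_BASE + "count?" + params.toString();
}

// Client side: this is all JSONP is. The browser fetches the URL as a
// <script>, and whatever the remote host returns runs with the bug page's
// origin. (DOM only; not exercised offline.)
function injectJsonp(doc, url) {
  const script = doc.createElement("script");
  script.src = url;
  doc.head.appendChild(script);
  return script;
}

// Server side (what a JSONP endpoint should do before echoing the callback):
// refuse unsafe names, escape U+2028/U+2029, which are legal inside JSON
// strings but were line terminators in pre-ES2019 JavaScript, and prefix
// "/**/" so the response body never begins with caller-chosen bytes.
function renderJsonp(callback, payload) {
  if (!isSafeCallbackName(callback)) {
    throw new Error("refusing to echo unsafe callback name");
  }
  const body = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "/**/ " + callback + "(" + body + ");";
}

// Defensive consumer: instead of letting the response execute, fetch it as
// text, check that the wrapper is exactly the callback that was requested,
// and JSON.parse the payload. This removes the script-execution trust
// relationship, but it needs CORS on the server, which plain JSONP does not.
function parseJsonpResponse(text, expectedCallback) {
  const prefix = expectedCallback + "(";
  const t = text.trim().replace(/^\/\*\*\/\s*/, "");
  if (!t.startsWith(prefix) || !t.endsWith(");")) {
    throw new Error("unexpected JSONP wrapper");
  }
  return JSON.parse(t.slice(prefix.length, -2));
}
```

The point a reviewer would check here: with JSONP, the response from brasstacks is executed as script in the bugzilla.mozilla.org origin, so brasstacks sits inside BMO's trust boundary and a compromise of it (or of the DNS/TLS path to it) is a compromise of the bug page. On the brasstacks side, the callback parameter is reflected into a JavaScript response, so it has to be restricted to an identifier (as isSafeCallbackName does), served with a script content type and X-Content-Type-Options: nosniff. On the BMO side, the bug id and date range that are interpolated into the query should be validated before the script element is created.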
Whiteboard: [pending secreview]
We're focusing on Q4 goal related reviews. Since you indicated this is not extremely urgent I'd like to schedule this for a Q1 review.
Group: websites-security
Whiteboard: [pending secreview] → [pending secreview][target Q1]
Group: websites-security
assigned to yvan to work with adamm
Whiteboard: [pending secreview][target Q1] → [target Q1][secr:yvan][secr:adamm]
QA Contact: mcoates → jstevensen
Q1 is almost over. Will this take priority for Q2?

dkl
Component: Security Assurance: Applications → Security Assurance: Review Needed
Assignee: security-assurance → nobody
Assignee: nobody → yboily
CC'ing Yvan, even though this was assigned to Yvan, he may not have gotten bugmail because he was not on the cc list.
QA Contact: jstevensen → security-assurance
Whiteboard: [target Q1][secr:yvan][secr:adamm] → [target Q1][co-review:adamm]
Whiteboard: [target Q1][co-review:adamm] → [target Q1][co-review:adamm][start mm/dd/yyyy][target mm/dd/yyy]
Whiteboard: [target Q1][co-review:adamm][start mm/dd/yyyy][target mm/dd/yyy] → [target Q1][co-review:adamm][start mm/dd/yyyy][target mm/dd/yyyy]
Ping. Any idea when the review for this might take place?

dkl
Well, Yvan is on PTO till next week, and given our workload with B2G, Kilimanjaro and basecamp this may have to wait for Q3 unless you have some reasoning we should prioritize it higher.
The only reason I would argue that it should be prioritized higher is that this bug is over 6 months old. The extension is not terribly complicated and has minimal security impact, and OrangeFactor itself has already had a security review.
:mcote - our current working priorities look like this:
    Incident
    Mozilla Initiative (k9o / basecamp)
    Overall Mozilla Quarterly Goal (includes ongoing goals like "keep Firefox safe")
    Other Team's Quarterly Goal
    Reviews that have been waiting for a long time
    Other 

We know this bug is old and we want to do what we can but given our priority set and available expertise to review this there is a storm of non-availability at the moment.
Those that have the expertise are currently tied up in items 2-4. 

I will bring this up in our weekly triage (this coming Wed) again and see if anything has changed or if Yvan has available bandwidth (he is coming off of a 3 week PTO) to see what we can do if anything.

You mentioned that a review was done of OrangeFactor, but I have no record of that (could be before my time of managing that stuff). Do you have a link to that review information?
Also, if you want to see what our current work load looks like there is a nice graph that is live updated here

https://wiki.mozilla.org/Security/Radar

Click the show next to review stats
Priority: -- → P4
Whiteboard: [target Q1][co-review:adamm][start mm/dd/yyyy][target mm/dd/yyyy] → [target Q3-2012?][co-review:adamm][start mm/dd/yyyy][target mm/dd/yyyy]
In an email exchange a couple weeks ago, mcoates mentioned that within a week someone would look at this and gauge whether a security review was even necessary. And if not then we could go ahead and move forward with getting this live. Has anyone had a chance to do a look over to see if this is the case? I would like to get this out if a review is not really necessary.

Thanks
dkl
I will continue some additional testing around this, but based on a review of the code and the demo page, it seems pretty good! Very happy to see this completed!
Strike previous comment. I opened this tab to report that I will work this review on Monday. The previous comment was for a secreview I completed today.
Ping. Any more progress on this?

Thanks
dkl
This security review is complete; I wasn't able to find any issues in the round of testing I completed in July, but failed to mark this as complete.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Flags: sec-review+
Whiteboard: [target Q3-2012?][co-review:adamm][start mm/dd/yyyy][target mm/dd/yyyy]
Status: RESOLVED → VERIFIED