Closed Bug 882309 Opened 7 years ago Closed 5 years ago

When plugincheck declares a plugin vulnerable, it should link to the advisory

Categories

(Plugin Check :: UI, enhancement)

enhancement
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jb-mozilla, Assigned: espressive)

Details

(Keywords: regression, Whiteboard: [kb=1822917])

Attachments

(1 file)

When the PluginCheck service tells the user an installed plugin version is vulnerable, it should link to the advisory (either CVE or vendor) that convinced the PluginCheck team that the reportedly installed version is vulnerable.

In practice this means the backend data should have an advisory URL associated with the data indicating which version is the most recent non-vulnerable one.  No such link is needed for the data item listing which version is the most recent one (as this only triggers the "outdated" end user message).

Of course for plugins with multiple stable and secure public branches, such links are obviously needed for the safe version data point in each non-contiguous version range. For instance if plugin X versions 0.0 through 1.9.543 are vulnerable, as are 2.0 through 2.0.123, while both 1.9.544 and 2.0.124 are up to date, then separate URL items are needed for users running 1.x.x before 1.9.544 and for users running 2.0.x before 2.0.124 (even if those two URLs are sometimes the same if both updates were released together using a joint security advisory, since this may not be true for the next security update).
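
The data layout requested above, sketched as an added example (not code from bedrock or the PluginCheck backend): each non-contiguous version range carries its own safe version and advisory URL, and only the "vulnerable" result returns a link. The field names, the `checkPlugin` helper and the advisories.example URLs are assumptions made for illustration.

```javascript
// Constructed sample data for the "plugin X" case in the report. Field names
// and the advisories.example URLs are hypothetical placeholders.
const pluginX = [
  { from: '0.0', safe: '1.9.544', latest: '1.9.544',
    advisoryUrl: 'https://advisories.example/plugin-x/1.9.544' },
  { from: '2.0', safe: '2.0.124', latest: '2.0.124',
    advisoryUrl: 'https://advisories.example/plugin-x/2.0.124' },
];

// Compare dotted numeric versions; missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return Math.sign(diff);
  }
  return 0;
}

// Pick the branch with the highest starting version not above the installed one.
function findBranch(installed, branches) {
  return branches
    .filter((b) => compareVersions(installed, b.from) >= 0)
    .sort((x, y) => compareVersions(y.from, x.from))[0];
}

// Classify an installed version. Only "vulnerable" carries an advisory link;
// "outdated" needs none, as the report notes.
function checkPlugin(installed, branches) {
  const branch = findBranch(installed, branches);
  if (!branch) return { status: 'unknown' };
  if (compareVersions(installed, branch.safe) < 0) {
    return { status: 'vulnerable', advisoryUrl: branch.advisoryUrl };
  }
  if (compareVersions(installed, branch.latest) < 0) {
    return { status: 'outdated' };
  }
  return { status: 'current' };
}
```
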
Severity: normal → enhancement
OS: Windows Server 2003 → Windows XP
Oh, seems this is a regression in the new design; the old one had the "more information" link (Schalk, that's pulled also from plugins.m.o) with the link to the advisories. The new design has not (Flash is a good test case here).

Schalk could you take a look?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression
Assignee: nobody → sneethling
Blocks: 990857
Blocks: 1121456
No longer blocks: 990857
Status: NEW → ASSIGNED
Component: plugins.mozilla.org → UI
Product: Websites → Plugin Check
QA Contact: cbook
No longer blocks: 1121456
Status: ASSIGNED → NEW
OS: Windows XP → All
Hardware: x86_64 → All
Status: NEW → ASSIGNED
Whiteboard: [kb=1822917]
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/e73f8e1660319a0282b6519e89d88c481563f6b9
Fix Bug 882309, provide link to advisory when plugin is vulnerable

https://github.com/mozilla/bedrock/commit/ae3282228f23c12d16a969b8eda002c184d3558d
Merge pull request #3209 from schalkneethling/bug882309-provide-link-to-advisory

Fix Bug 882309, provide link to advisory when plugin is vulnerable
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED