Closed Bug 882309 Opened 7 years ago Closed 5 years ago
When plugincheck declares a plugin vulnerable, it should link to the advisory
When the PluginCheck service tells the user an installed plugin version is vulnerable, it should link to the advisory (either CVE or vendor) that convinced the PluginCheck team that the reportedly installed version is vulnerable.

In practice this means the backend data should have an advisory URL associated with the data indicating which version is the most recent non-vulnerable one. No such link is needed for the data item listing which version is the most recent one (as this only triggers the "outdated" end user message).

Of course for plugins with multiple stable and secure public branches, such links are obviously needed for the safe version data point in each non-contiguous version range. For instance if plugin X version 0.0 through 1.9.543 are vulnerable, as are 2.0 through 2.0.123, while both 1.9.544 and 2.0.124 are up to date, then separate URL items are needed for users running 1.x.x before 1.9.544 and for users running 2.0.x before 2.0.124 (even if those two URLs are sometimes the same if both updates were released together using a joint security advisory, since this may not be true for the next security update).
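The per-branch data model requested above, sketched as an added example that is not part of the bug report or of the PluginCheck/bedrock code. The `Branch` fields, the `check` function and the `advisories.example` URLs are hypothetical; the version numbers are the "plugin X" ones from the report.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

def parse(text: str) -> Version:
    """Turn '1.9.543' into (1, 9, 543); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.split("."))

@dataclass(frozen=True)
class Branch:
    first: Version      # lowest version that belongs to this branch
    safe: Version       # most recent non-vulnerable version of the branch
    latest: Version     # most recent version (only drives the "outdated" message)
    advisory_url: str   # advisory (CVE or vendor) justifying the `safe` value

# Constructed data for the "plugin X" example; URLs are placeholders.
PLUGIN_X: List[Branch] = [
    Branch(parse("0.0"), parse("1.9.544"), parse("1.9.544"),
           "https://advisories.example/plugin-x/1.9.544"),
    Branch(parse("2.0"), parse("2.0.124"), parse("2.0.124"),
           "https://advisories.example/plugin-x/2.0.124"),
]

def check(installed: str, branches: List[Branch] = PLUGIN_X) -> Tuple[str, Optional[str]]:
    """Return (status, advisory_url); the URL is set only for 'vulnerable'."""
    try:
        version = parse(installed)
    except ValueError:
        return ("unknown", None)   # unparseable version string: make no claim
    # The installed version belongs to the branch with the highest start <= version.
    owning = [b for b in branches if b.first <= version]
    if not owning:
        return ("unknown", None)
    branch = max(owning, key=lambda b: b.first)
    if version < branch.safe:
        # Link the advisory of *this* branch, not that of another range.
        return ("vulnerable", branch.advisory_url)
    if version < branch.latest:
        return ("outdated", None)  # no advisory link needed for this message
    return ("up to date", None)
```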
Oh, seems this is a regression in the new design; the old one had the "more information" link (Schalk, that's pulled also from plugins.m.o) with the link to the advisories. The new design has not (Flash is a good test case here). Schalk, could you take a look?
Status: UNCONFIRMED → NEW
Ever confirmed: true
No longer blocks: 1121456
Status: ASSIGNED → NEW
OS: Windows XP → All
Hardware: x86_64 → All
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/e73f8e1660319a0282b6519e89d88c481563f6b9
Fix Bug 882309, provide link to advisory when plugin is vulnerable

https://github.com/mozilla/bedrock/commit/ae3282228f23c12d16a969b8eda002c184d3558d
Merge pull request #3209 from schalkneethling/bug882309-provide-link-to-advisory

Fix Bug 882309, provide link to advisory when plugin is vulnerable
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED