1
0
Fork 0
mirror of https://github.com/cisagov/log4j-affected-db.git synced 2024-11-23 00:50:48 +00:00
log4j-affected-db/PULL-EXAMPLE.md

116 lines
3.8 KiB
Markdown
Raw Normal View History

2022-01-10 18:11:44 +00:00
# Pull Request Example #
2022-01-05 20:02:50 +00:00
Thank you for contributing to CISA's Log4j-affected-db GitHub Repository! Please
2022-01-10 18:10:45 +00:00
follow the steps listed below in order to add a product to the public
repository. **Note:** To assure the accuracy of data please only include
products that have official advisories or alerts that verify the product's
vulnerability status to [CVE-2021-4104](https://nvd.nist.gov/vuln/detail/cve-2021-4104),
[CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228),
[CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046),
2022-01-10 18:02:34 +00:00
and/or [CVE-2021-45105](https://nvd.nist.gov/vuln/detail/CVE-2021-45105?s=09).
2022-01-05 17:16:44 +00:00
**Step 1:** Go to the [cisagov data .yml files](https://github.com/cisagov/log4j-affected-db/tree/develop/data/)
and choose the appropriate file to include your updates.
The files are separated alphabetically based on the first letter of the
vendor name. For example, 'CISA' would be located in
[`cisagov_C.yml`](https://github.com/cisagov/log4j-affected-db/blob/develop/data/cisagov_C.yml).
2022-01-05 17:16:44 +00:00
2022-01-05 17:39:50 +00:00
**Step 2:** Click the file edit button.
2022-01-05 17:16:44 +00:00
**Step 3:** Add the blank template to the **.yml** file for new entries and fill
2022-01-10 18:10:45 +00:00
it out with the correct data.
2022-01-05 17:16:44 +00:00
Blank template:
2022-01-10 17:55:58 +00:00
```yml
2022-01-10 20:43:15 +00:00
- vendor: ''
product: ''
cves:
cve-2021-4104:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
cve-2021-44228:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
cve-2021-45046:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
cve-2021-45105:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
vendor_links:
- ''
notes: ''
references:
- ''
last_updated: ''
2022-01-05 17:39:50 +00:00
```
2022-01-05 17:54:44 +00:00
2022-01-10 18:10:45 +00:00
**Step 4:** Verify the new entry was entered before and/or after the prior and
next entries.
2022-01-10 18:07:38 +00:00
2022-01-10 18:10:45 +00:00
- If you are adding it to the beginning of the file, ensure you are pasting
2022-01-10 18:02:34 +00:00
it after `software:` and before the next entry starting with `- vendor:`.
2022-01-10 18:10:45 +00:00
- If you are adding it to the end of the file, ensure the entry ends before
2022-01-10 18:02:34 +00:00
the file is closed out with `...`.
2022-01-10 18:02:34 +00:00
**Step 5:** When you add content to the file, remove the `''` or `[]` for fields
which are replaced with values (strings `''` or lists `[]` should be replaced as
2022-01-10 18:10:45 +00:00
shown in the example below, with list values on the following line(s) starting
with hyphen(s) `-`). The symbols should only remain used when fields remain
empty. For example, `fixed_versions: []` in our example below remains as is,
given there are no patched versions available for this entry.
2022-01-05 17:16:44 +00:00
2022-01-05 20:02:50 +00:00
**Note:** not all fields have to be updated.
2022-01-05 17:16:44 +00:00
Entry example:
2022-01-10 17:55:58 +00:00
```yml
2022-01-10 20:43:15 +00:00
- vendor: Example Vendor
product: Example Product
cves:
cve-2021-4104:
investigated: false
affected_versions: []
fixed_versions: []
unaffected_versions: []
cve-2021-44228:
investigated: true
affected_versions:
- <=8.4.6
- <=8.5.3
- <=8.6.4
2022-01-10 20:43:15 +00:00
fixed_versions: []
unaffected_versions: []
cve-2021-45046:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
cve-2021-45105:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
vendor_links:
- https://www.example.org/
2022-01-10 20:45:14 +00:00
notes: Contains vulnerable code but not likely to get
unauthenticated user input to the log4j component.
2022-01-10 20:43:15 +00:00
references:
- ''
last_updated: '2021-12-14T00:00:00'
2022-01-05 17:39:50 +00:00
```
2022-01-10 18:10:45 +00:00
**Step 6:** Validate that your data follows the appropriate format and proceed
with submitting the pull request.
2022-01-05 17:16:44 +00:00
For any additional questions feel free to [submit an Issue](https://github.com/cisagov/log4j-affected-db/issues).