mirror of
https://github.com/cisagov/log4j-affected-db.git
synced 2024-11-23 00:50:48 +00:00
Merge branch 'develop' into improvement/switch_to_yaml_files
This commit is contained in:
commit
11da8a796f
3 changed files with 130 additions and 0 deletions
|
@ -38,6 +38,11 @@ regular contributor, then you will want to set up
|
||||||
do that, the CI checks will run locally before you even write your
|
do that, the CI checks will run locally before you even write your
|
||||||
commit message. This speeds up your development cycle considerably.
|
commit message. This speeds up your development cycle considerably.
|
||||||
|
|
||||||
|
### Creating a pull request ###
|
||||||
|
|
||||||
|
Instructions for creating a pull request using the GitHub Web UI can be found
|
||||||
|
in [`PULL-EXAMPLE.md`](PULL-EXAMPLE.md).
|
||||||
|
|
||||||
### Setting up pre-commit ###
|
### Setting up pre-commit ###
|
||||||
|
|
||||||
There are a few ways to do this, but we prefer to use
|
There are a few ways to do this, but we prefer to use
|
||||||
|
|
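Review bot: The new "Creating a pull request" section in this hunk is spliced into the middle of the pre-commit discussion: it lands right after the sentence ending "commit message. This speeds up your development cycle considerably." and immediately before "### Setting up pre-commit ###", so the explanation of why pre-commit is useful is now separated from the instructions for setting it up. Move the new section so that it sits either before the whole pre-commit section or after its "Setting up pre-commit" subsection, and keep the link to `PULL-EXAMPLE.md` as written.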
115
PULL-EXAMPLE.md
Normal file
|
@ -0,0 +1,115 @@
|
||||||
|
# Pull Request Example #
|
||||||
|
|
||||||
|
Thank you for contributing to CISA's Log4j-affected-db GitHub Repository! Please
|
||||||
|
follow the steps listed below in order to add a product to the public
|
||||||
|
repository. **Note:** To assure the accuracy of data please only include
|
||||||
|
products that have official advisories or alerts that verify the product's
|
||||||
|
vulnerability status to [CVE-2021-4104](https://nvd.nist.gov/vuln/detail/cve-2021-4104),
|
||||||
|
[CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228),
|
||||||
|
[CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046),
|
||||||
|
and/or [CVE-2021-45105](https://nvd.nist.gov/vuln/detail/CVE-2021-45105?s=09).
|
||||||
|
|
||||||
|
**Step 1:** Go to the [cisagov data .yml files](https://github.com/cisagov/log4j-affected-db/tree/develop/data/)
|
||||||
|
and choose the appropriate file to include your updates.
|
||||||
|
The files are separated alphabetically based on the first letter of the
|
||||||
|
vendor name. For example, 'CISA' would be located in
|
||||||
|
[`cisagov_C.yml`](https://github.com/cisagov/log4j-affected-db/blob/develop/data/cisagov_C.yml).
|
||||||
|
|
||||||
|
**Step 2:** Click the file edit button.
|
||||||
|
|
||||||
|
**Step 3:** Add the blank template to the **.yml** file for new entries and fill
|
||||||
|
it out with the correct data.
|
||||||
|
|
||||||
|
Blank template:
|
||||||
|
|
||||||
|
```yml
|
||||||
|
- vendor: ''
|
||||||
|
product: ''
|
||||||
|
cves:
|
||||||
|
cve-2021-4104:
|
||||||
|
investigated: ''
|
||||||
|
affected_versions: []
|
||||||
|
fixed_versions: []
|
||||||
|
unaffected_versions: []
|
||||||
|
cve-2021-44228:
|
||||||
|
investigated: ''
|
||||||
|
affected_versions: []
|
||||||
|
fixed_versions: []
|
||||||
|
unaffected_versions: []
|
||||||
|
cve-2021-45046:
|
||||||
|
investigated: ''
|
||||||
|
affected_versions: []
|
||||||
|
fixed_versions: []
|
||||||
|
unaffected_versions: []
|
||||||
|
cve-2021-45105:
|
||||||
|
investigated: ''
|
||||||
|
affected_versions: []
|
||||||
|
fixed_versions: []
|
||||||
|
unaffected_versions: []
|
||||||
|
vendor_links:
|
||||||
|
- ''
|
||||||
|
notes: ''
|
||||||
|
references:
|
||||||
|
- ''
|
||||||
|
last_updated: ''
|
||||||
|
```
|
||||||
|
|
||||||
|
**Step 4:** Verify the new entry was entered before and/or after the prior and
|
||||||
|
next entries.
|
||||||
|
|
||||||
|
- If you are adding it to the beginning of the file, ensure you are pasting
|
||||||
|
it after `software:` and before the next entry starting with `- vendor:`.
|
||||||
|
- If you are adding it to the end of the file, ensure the entry ends before
|
||||||
|
the file is closed out with `...`.
|
||||||
|
|
||||||
|
**Step 5:** When you add content to the file, remove the `''` or `[]` for fields
|
||||||
|
which are replaced with values (strings `''` or lists `[]` should be replaced as
|
||||||
|
shown in the example below, with list values on the following line(s) starting
|
||||||
|
with hyphen(s) `-`). The symbols should only remain used when fields remain
|
||||||
|
empty. For example, `fixed_versions: []` in our example below remains as is,
|
||||||
|
given there are no patched versions available for this entry.
|
||||||
|
|
||||||
|
**Note:** not all fields have to be updated.
|
||||||
|
|
||||||
|
Entry example:
|
||||||
|
|
||||||
|
```yml
|
||||||
|
- vendor: Example Vendor
|
||||||
|
product: Example Product
|
||||||
|
cves:
|
||||||
|
cve-2021-4104:
|
||||||
|
investigated: false
|
||||||
|
affected_versions: []
|
||||||
|
fixed_versions: []
|
||||||
|
unaffected_versions: []
|
||||||
|
cve-2021-44228:
|
||||||
|
investigated: true
|
||||||
|
affected_versions:
|
||||||
|
- <=8.4.6
|
||||||
|
- <=8.5.3
|
||||||
|
- <=8.6.4
|
||||||
|
fixed_versions: []
|
||||||
|
unaffected_versions: []
|
||||||
|
cve-2021-45046:
|
||||||
|
investigated: ''
|
||||||
|
affected_versions: []
|
||||||
|
fixed_versions: []
|
||||||
|
unaffected_versions: []
|
||||||
|
cve-2021-45105:
|
||||||
|
investigated: ''
|
||||||
|
affected_versions: []
|
||||||
|
fixed_versions: []
|
||||||
|
unaffected_versions: []
|
||||||
|
vendor_links:
|
||||||
|
- https://www.example.org/
|
||||||
|
notes: Contains vulnerable code but not likely to get
|
||||||
|
unauthenticated user input to the log4j component.
|
||||||
|
references:
|
||||||
|
- ''
|
||||||
|
last_updated: '2021-12-14T00:00:00'
|
||||||
|
```
|
||||||
|
|
||||||
|
**Step 6:** Validate that your data follows the appropriate format and proceed
|
||||||
|
with submitting the pull request.
|
||||||
|
|
||||||
|
For any additional questions feel free to [submit an Issue](https://github.com/cisagov/log4j-affected-db/issues).
|
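Review bot: The "Entry example" in this hunk contradicts Step 5 of the same file: it keeps `investigated: ''` for cve-2021-45046 and cve-2021-45105 while using the booleans `false` and `true` for the other two CVEs, and it lists `references:` with a single `- ''` item rather than an empty list, even though Step 5 says the `''` and `[]` placeholders should only remain when a field stays empty. A contributor copying the example verbatim is likely to fail the validation called for in Step 6, so use `investigated: false` (or omit the field, if the schema allows) and `references: []` in the example, and say so explicitly in Step 5. Minor: the CVE-2021-45105 link carries a `?s=09` tracking parameter that the other three NVD links do not; drop it for consistency.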
10
README.md
|
@ -75,6 +75,16 @@ update but may limit agency risk.
|
||||||
For more information regarding CISA recommended mitigation measures please visit
|
For more information regarding CISA recommended mitigation measures please visit
|
||||||
[here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures).
|
[here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures).
|
||||||
|
|
||||||
|
## Contributing ##
|
||||||
|
|
||||||
|
We welcome contributions! Please see [`CONTRIBUTING.md`](CONTRIBUTING.md) for
|
||||||
|
details.
|
||||||
|
|
||||||
|
### Creating a pull request ###
|
||||||
|
|
||||||
|
Instructions for creating a pull request using the GitHub Web UI can be found
|
||||||
|
in [`PULL-EXAMPLE.md`](PULL-EXAMPLE.md).
|
||||||
|
|
||||||
## Software List ##
|
## Software List ##
|
||||||
|
|
||||||
To view the full list of vendors & software [click here](./SOFTWARE-LIST.md).
|
To view the full list of vendors & software [click here](./SOFTWARE-LIST.md).
|
||||||
|
|
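Review bot: This hunk duplicates, word for word, the "Creating a pull request" subsection that the same commit adds to the first file, two lines below a "## Contributing ##" paragraph that already sends readers to `CONTRIBUTING.md` for details. Keeping the same instructions in two places invites drift when one copy is later edited; either drop the subsection here and rely on the existing `CONTRIBUTING.md` link, or reduce it to a single sentence pointing at `PULL-EXAMPLE.md` and keep the full text in one file only.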