1
0
Fork 0
mirror of https://github.com/cisagov/log4j-affected-db.git synced 2024-11-22 16:40:48 +00:00

Merge pull request #425 from cisagov/contributing-adjustments

Contributing adjustments
This commit is contained in:
Nick 2022-01-12 15:47:35 -05:00 committed by GitHub
commit 404dec8aa2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 130 additions and 0 deletions

View file

@ -38,6 +38,11 @@ regular contributor, then you will want to set up
do that, the CI checks will run locally before you even write your do that, the CI checks will run locally before you even write your
commit message. This speeds up your development cycle considerably. commit message. This speeds up your development cycle considerably.
### Creating a pull request ###
Instructions for creating a pull request using the GitHub Web UI can be found
in [`PULL-EXAMPLE.md`](PULL-EXAMPLE.md).
### Setting up pre-commit ### ### Setting up pre-commit ###
There are a few ways to do this, but we prefer to use There are a few ways to do this, but we prefer to use

115
PULL-EXAMPLE.md Normal file
View file

@ -0,0 +1,115 @@
# Pull Request Example #
Thank you for contributing to CISA's Log4j-affected-db GitHub Repository! Please
follow the steps listed below in order to add a product to the public
repository. **Note:** To assure the accuracy of data please only include
products that have official advisories or alerts that verify the product's
vulnerability status to [CVE-2021-4104](https://nvd.nist.gov/vuln/detail/cve-2021-4104),
[CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228),
[CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046),
and/or [CVE-2021-45105](https://nvd.nist.gov/vuln/detail/CVE-2021-45105?s=09).
**Step 1:** Go to the [cisagov data .yml files](https://github.com/cisagov/log4j-affected-db/tree/develop/data/)
and choose the appropriate file to include your updates.
The files are separated alphabetically based on the first letter of the
vendor name. For example, 'CISA' would be located in
[`cisagov_C.yml`](https://github.com/cisagov/log4j-affected-db/blob/develop/data/cisagov_C.yml).
**Step 2:** Click the file edit button.
**Step 3:** Add the blank template to the **.yml** file for new entries and fill
it out with the correct data.
Blank template:
```yml
- vendor: ''
product: ''
cves:
cve-2021-4104:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
cve-2021-44228:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
cve-2021-45046:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
cve-2021-45105:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
vendor_links:
- ''
notes: ''
references:
- ''
last_updated: ''
```
**Step 4:** Verify the new entry was entered before and/or after the prior and
next entries.
- If you are adding it to the beginning of the file, ensure you are pasting
it after `software:` and before the next entry starting with `- vendor:`.
- If you are adding it to the end of the file, ensure the entry ends before
the file is closed out with `...`.
**Step 5:** When you add content to the file, remove the `''` or `[]` for fields
which are replaced with values (strings `''` or lists `[]` should be replaced as
shown in the example below, with list values on the following line(s) starting
with hyphen(s) `-`). The symbols should only remain used when fields remain
empty. For example, `fixed_versions: []` in our example below remains as is,
given there are no patched versions available for this entry.
**Note:** not all fields have to be updated.
Entry example:
```yml
- vendor: Example Vendor
product: Example Product
cves:
cve-2021-4104:
investigated: false
affected_versions: []
fixed_versions: []
unaffected_versions: []
cve-2021-44228:
investigated: true
affected_versions:
- <=8.4.6
- <=8.5.3
- <=8.6.4
fixed_versions: []
unaffected_versions: []
cve-2021-45046:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
cve-2021-45105:
investigated: ''
affected_versions: []
fixed_versions: []
unaffected_versions: []
vendor_links:
- https://www.example.org/
notes: Contains vulnerable code but not likely to get
unauthenticated user input to the log4j component.
references:
- ''
last_updated: '2021-12-14T00:00:00'
```
**Step 6:** Validate that your data follows the appropriate format and proceed
with submitting the pull request.
For any additional questions feel free to [submit an Issue](https://github.com/cisagov/log4j-affected-db/issues).

View file

@ -75,6 +75,16 @@ update but may limit agency risk.
For more information regarding CISA recommended mitigation measures please visit For more information regarding CISA recommended mitigation measures please visit
[here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures). [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures).
## Contributing ##
We welcome contributions! Please see [`CONTRIBUTING.md`](CONTRIBUTING.md) for
details.
### Creating a pull request ###
Instructions for creating a pull request using the GitHub Web UI can be found
in [`PULL-EXAMPLE.md`](PULL-EXAMPLE.md).
## Software List ## ## Software List ##
To view the full list of vendors & software [click here](./SOFTWARE-LIST.md). To view the full list of vendors & software [click here](./SOFTWARE-LIST.md).