File: cve_id_request.md

package info (click to toggle)
gitlab 17.6.5-19
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 629,368 kB
  • sloc: ruby: 1,915,304; javascript: 557,307; sql: 60,639; xml: 6,509; sh: 4,567; makefile: 1,239; python: 406
file content (70 lines) | stat: -rw-r--r-- 2,576 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
 
---
stage: Govern
group: Threat Insights
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
---

# CVE ID request

DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com

For any public project, you can request a CVE identifier (ID).

A [CVE](https://cve.mitre.org/index.html) identifier is assigned to a publicly-disclosed software
vulnerability. GitLab is a [CVE Numbering Authority](https://about.gitlab.com/security/cve/)
([CNA](https://cve.mitre.org/cve/cna.html)).

Assigning a CVE ID to a vulnerability in your project helps your users stay secure and informed. For
example, [dependency scanning tools](../application_security/dependency_scanning/index.md) can
detect when vulnerable versions of your project are used as a dependency.

A common vulnerability workflow is:

1. Request a CVE for a vulnerability.
1. Reference the assigned CVE identifier in release notes.
1. Publish the vulnerability's details after the fix is released.

## Prerequisites

To [submit a CVE ID Request](#submit-a-cve-id-request) the following prerequisites must be met:

- The project is hosted on GitLab.com.
- The project is public.
- You are a maintainer of the project.
- The vulnerability's issue is [confidential](../project/issues/confidential_issues.md).

## Submit a CVE ID request

To submit a CVE ID request:

1. Go to the vulnerability's issue and select **Create CVE ID Request**. The new issue page of
   the [GitLab CVE project](https://gitlab.com/gitlab-org/cves) opens.

   ![CVE ID request button](img/cve_id_request_button_v13_4.png)

1. In the **Title** box, enter a brief description of the vulnerability.

1. In the **Description** box, enter the following details:

   - A detailed description of the vulnerability
   - The project's vendor and name
   - Impacted versions
   - Fixed versions
   - The vulnerability class (a [CWE](https://cwe.mitre.org/data/index.html) identifier)
   - A [CVSS v3 vector](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)

   ![New CVE ID request issue](img/new_cve_request_issue_v14_4.png)

GitLab updates your CVE ID request issue when:

- Your submission is assigned a CVE.
- Your CVE is published.
- MITRE is notified that your CVE is published.
- MITRE has added your CVE in the NVD feed.

## CVE assignment

After a CVE identifier is assigned, you can reference it as required. Details of the vulnerability
submitted in the CVE ID request are published according to your schedule.