diff --git a/bugbot/rules/security_unhide_dups.py b/bugbot/rules/security_unhide_dups.py
new file mode 100644
index 000000000..3f2e35812
--- /dev/null
+++ b/bugbot/rules/security_unhide_dups.py
@@ -0,0 +1,74 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this file,
+# You can obtain one at http://mozilla.org/MPL/2.0/.
+
+from libmozdata.bugzilla import Bugzilla
+
+from bugbot import utils
+from bugbot.bzcleaner import BzCleaner
+
+
+class SecurityUnhideDups(BzCleaner):
+ """Security bugs that could be un-hidden"""
+
+ def description(self):
+ return "Security bugs that are marked as duplicates of already-public bugs"
+
+ def filter_no_nag_keyword(self):
+ return False
+
+ def get_summary(self, bug):
+ # This will prevent the default behavior of hiding the summary of
+ # security bugs.
+ return bug["summary"]
+
+ def handle_bug(self, bug, data):
+ data[str(bug["id"])] = bug
+
+ return bug
+
+ def get_bz_params(self, date):
+ params = {
+ "include_fields": ["dupe_of"],
+ "resolution": "DUPLICATE",
+ "f1": "bug_group",
+ "o1": "substring",
+ "v1": "core-security",
+ }
+
+ return params
+
+ def get_bugs(self, date="today", bug_ids=[], chunk_size=None):
+ bugs = super().get_bugs(date, bug_ids, chunk_size)
+
+ # Filter out bugs that are not marked as duplicates of open security bugs
+ public_sec_bugs = set()
+
+ def bug_handler(bug):
+ if (
+ bug["resolution"] != "---"
+ and not bug["groups"]
+ and any(keyword.startswith("sec-") for keyword in bug["keywords"])
+ ):
+ public_sec_bugs.add(bug["id"])
+
+ bugs_to_query = {bug["dupe_of"] for bug in bugs.values()}
+ Bugzilla(
+ bugs_to_query,
+ include_fields=["id", "resolution", "keywords", "groups"],
+ bughandler=bug_handler,
+ ).wait()
+
+ bugs = {
+ bug_id: bug
+ for bug_id, bug in bugs.items()
+ if bug["dupe_of"] in public_sec_bugs
+ }
+
+ self.query_url = utils.get_bz_search_url({"bug_id": ",".join(bugs.keys())})
+
+ return bugs
+
+
+if __name__ == "__main__":
+ SecurityUnhideDups().run()
diff --git a/configs/rules.json b/configs/rules.json
index c74d38695..e767f3d9c 100644
--- a/configs/rules.json
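Review bot: The comment in `get_bugs`, `# Filter out bugs that are not marked as duplicates of open security bugs`, does not match `bug_handler`, which accepts a duplicate target only when it is resolved (`resolution != "---"`), has no groups, and carries a keyword starting with `sec-`. I would reword it to `# Keep only bugs whose dupe_of target is resolved, public (no groups) and has a sec-* keyword`, so the next reader does not take "open" to mean unresolved. The comment on `get_summary` should also state the consequence of the override: the report then carries the summaries of bugs that are still in a `core-security` group. Something like `# Summaries of still-restricted bugs are included on purpose; every recipient of this report must already have access to them` would record that constraint. Whether the default recipient list satisfies it is not visible in this hunk and should be confirmed against the `additional_receivers` entry added in `configs/rules.json`.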
+++ b/configs/rules.json @@ -440,6 +440,10 @@ ], "additional_receivers": ["fbraun@mozilla.com", "tritter@mozilla.com"] }, + "security_unhide_dups": { + "must_run": ["Mon"], + "additional_receivers": ["dveditz@mozilla.com", "fbraun@mozilla.com"] + }, "close_intermittents": { "must_run": ["Mon", "Wed", "Fri"], "sec": false diff --git a/scripts/cron_run_weekdays.sh b/scripts/cron_run_weekdays.sh index a7e4b6e9d..e6b89c975 100755 --- a/scripts/cron_run_weekdays.sh +++ b/scripts/cron_run_weekdays.sh @@ -175,6 +175,9 @@ python -m bugbot.rules.severity_migration --production # Detect bugs with small crash volume python -m bugbot.rules.crash_small_volume --production +# Send a list with security bugs that could be un-hidden +python -m bugbot.rules.security_unhide_dups --production + # Suggest increasing the severity when duplicate bugs have higher severity python -m bugbot.rules.severity_higher_dups --production diff --git a/templates/security_unhide_dups.html b/templates/security_unhide_dups.html new file mode 100644 index 000000000..29df19cbd --- /dev/null +++ b/templates/security_unhide_dups.html @@ -0,0 +1,21 @@ +

+ The following security {{ plural('bug is', data, pword='bugs are') }} marked as duplicates of already-public {{ plural('bug', data) }}: +

+ + + + + + + + + {% for i, (bugid, summary) in enumerate(data) -%} + + + + + {% endfor -%} + +
BugSummary
+ {{ bugid }} + {{ summary | e }}