Table of Contents generated with DocToc
<Project Name> — CVE title normalisationThe CVE record's title field is scoped to the product by the CNA container (e.g. Apache <Project>, Apache <Project> <Component> Provider), so the title pasted into the CVE-tool allocation form should be the bare description — no project prefix, no redundant version suffix, no reporter-added tag like [ Security Report ].
The security-cve-allocate skill reads this file for the exact strip cascade to apply to the tracker title before pasting it into the allocation form.
If this project's titles are already normalised (reporters don't prepend <Project>: or add bracketed tags), you can leave this file with a note to that effect and the skill will skip the stripping step. Otherwise, list the regex cascade below.
TODO: one rule per bullet, applied in order. Typical patterns:
security / important tag — ^[ \t]*(?:\[[^\]]*\b(?:Security|Important)\b[^\]]*\]|\([^)]*\b(?:Security|Important)\b[^)]*\))[ \t:|\-–—]* Matches any square- or round-bracketed leading tag whose body contains the word security or important (case-insensitive) — e.g. [Security Report], (Security Issue), [ Security Vulnerability ], [IMPORTANT], (Important — please read). Followed by an optional separator. Apply with re.IGNORECASE.^[ \t]*Security (Report|Issue|Vulnerability|Bug)[ \t:|\-–—]+<Project Name> (optional version, optional separator) — TODOSecurity Issue | tag.in <Project Name> — TODO[ \t]*\(GHSA-[\w-]+\)\.?[ \t]*$[ \t]*(?:\[(?:ZDRES|HUNTR|GHSL)-[\w-]+\]|\((?:ZDRES|HUNTR|GHSL)-[\w-]+\))\.?[ \t]*$ Strips trailing IDs from known external trackers — (ZDRES-223), [HUNTR-456], (GHSL-2024-001) — in either bracket style. Extend the alternation per project when a new reporter brand surfaces (e.g. SNYK-…, BDSA-…, internal bug-bounty platforms).[ \t]*\([^)]*split from #\d+[^)]*\)\.?[ \t]*$., collapse internal whitespace.TODO: keep the transform inline in the skill, do not create a separate Python project. A typical cascade looks like:
[ Security Report ] or similar harness prefix.<vendor>: <product>: (e.g. the project's own “Apache Foo:” prefix that the CVE tool re-applies).(<= 1.2.3).Re: if the original report came in by email and was retitled with the reply prefix.The result is the bare vulnerability description that goes into the CVE record's title field. Document the cascade your project uses in this file once you settle on it.
Show the stripped title and the original title side by side in the security-cve-allocate proposal so the user can spot any over-stripping before pasting into the CVE tool. If the strip collapses the title to fewer than 3 words, surface that as a warning and propose a manual override — over-stripping is worse than leaving one redundant word in.