Table of Contents generated with DocToc

Tool: Vulnogram

This directory documents the Vulnogram tool adapter — the set of capabilities the skills use when the adopting project declares Vulnogram as its CVE tool (the CNA-side system for allocating CVE IDs, maintaining CVE 5.x records, and pushing those records to cve.org).

Vulnogram is the ASF's hosted CNA tool at cveprocess.apache.org. Every ASF project reusing this framework will typically declare cve_tool: vulnogram in its manifest; for the currently active project see ../../<project-config>/project.md.

What this tool provides

The skills use Vulnogram for three capabilities plus a CVE-JSON generator. Each has its own reference file in this directory:

CapabilityFileWhat it covers
Allocationallocation.mdPMC-gated allocation URL + form-fill recipe + non-PMC relay flow
Record managementrecord.mdRecord URL template, #source tab paste flow, DRAFTREVIEWPUBLIC state machine, reviewer-comment-via-email signal
CVE-5.x JSON generatorgenerate-cve-json/Python project (uv run-managed) that reads a tracker body and emits a paste-ready CVE-5.x JSON record in the shape Vulnogram expects

The generator is kept here (rather than under .claude/skills/) because its output shape — in particular the CNA_private envelope with the DRAFT / REVIEW / PUBLIC state machine — is a Vulnogram-specific opinionation on top of the standard CVE-5.x schema. A different CNA tool would need a different generator (or a different wrapper around the generic schema builders).

How the generic skills address the CVE tool

The generic sync-security-issue, allocate-cve, and deduplicate-security-issue skills frame their CVE-tool-facing steps in project-tool-agnostic terms — “regenerate the CVE artifact via the project's CVE tool”, “walk the user through the allocation flow”, “capture the reviewer-comment signal”. They then delegate to the project's declared cve_tool:

  • For Airflow (cve_tool: vulnogram), they delegate to the recipes in this directory and to the generator under generate-cve-json/.
  • For a hypothetical project using a different CNA tool (a private Vulnogram instance, an in-house CNA system, a commercial CVE management platform), that project would:
    1. create a sibling tools/<cve-tool-name>/ directory with tool.md / allocation.md / record.md / a generator;
    2. flip cve_tool in its manifest;
    3. keep the generic skill logic unchanged.

Confidentiality

Vulnogram links are internal during the allocation + drafting window:

  • Before an advisory is sent, links to cveprocess.apache.org/cve5/<CVE-ID> must not appear on public surfaces (the public <upstream> PR body, public mailing-list posts, anything else non-security-team-visible) — see the “Confidentiality of the tracker repository” and “Linking CVEs” sections of ../../AGENTS.md.
  • After publication the CVE record is world-readable at cve.org; the Vulnogram URL stays useful as the security team's edit surface but the public-facing link switches to cve.org.

Per-project configuration

Every Vulnogram adapter invocation needs three project-scoped values. For the adopting project these are declared in ../../<project-config>/project.md:

KeyWhat it controls
asf_org_idThe CVE 5.x assignerOrgId (ASF's UUID).
cna_private_ownerThe CNA_private.owner field — identifies the project slug inside the ASF CNA queue.
cna_private_userslistThe advisory-delivery list; lands in CNA_private.userslist.

Vendor/product (for the CVE record‘s vendor / product fields), the package name, and the collection URL come from the project manifest’s Identity section and the generate-cve-json CLI flags.