Table of Contents generated with DocToc
This directory documents the Vulnogram tool adapter — the set of capabilities the skills use when the adopting project declares Vulnogram as its CVE tool (the CNA-side system for allocating CVE IDs, maintaining CVE 5.x records, and pushing those records to cve.org).
Vulnogram is the ASF's hosted CNA tool at cveprocess.apache.org. Every ASF project reusing this framework will typically declare cve_tool: vulnogram in its manifest; for the currently active project see ../../<project-config>/project.md.
The skills use Vulnogram for three capabilities plus a CVE-JSON generator. Each has its own reference file in this directory:
| Capability | File | What it covers |
|---|---|---|
| Allocation | allocation.md | PMC-gated allocation URL + form-fill recipe + non-PMC relay flow |
| Record management | record.md | Record URL template, #source tab paste flow, DRAFT → REVIEW → PUBLIC state machine, reviewer-comment-via-email signal |
| CVE-5.x JSON generator | generate-cve-json/ | Python project (uv run-managed) that reads a tracker body and emits a paste-ready CVE-5.x JSON record in the shape Vulnogram expects |
The generator is kept here (rather than under .claude/skills/) because its output shape — in particular the CNA_private envelope with the DRAFT / REVIEW / PUBLIC state machine — is a Vulnogram-specific opinionation on top of the standard CVE-5.x schema. A different CNA tool would need a different generator (or a different wrapper around the generic schema builders).
The generic sync-security-issue, allocate-cve, and deduplicate-security-issue skills frame their CVE-tool-facing steps in project-tool-agnostic terms — “regenerate the CVE artifact via the project's CVE tool”, “walk the user through the allocation flow”, “capture the reviewer-comment signal”. They then delegate to the project's declared cve_tool:
cve_tool: vulnogram), they delegate to the recipes in this directory and to the generator under generate-cve-json/.tools/<cve-tool-name>/ directory with tool.md / allocation.md / record.md / a generator;cve_tool in its manifest;Vulnogram links are internal during the allocation + drafting window:
cveprocess.apache.org/cve5/<CVE-ID> must not appear on public surfaces (the public <upstream> PR body, public mailing-list posts, anything else non-security-team-visible) — see the “Confidentiality of the tracker repository” and “Linking CVEs” sections of ../../AGENTS.md.cve.org; the Vulnogram URL stays useful as the security team's edit surface but the public-facing link switches to cve.org.Every Vulnogram adapter invocation needs three project-scoped values. For the adopting project these are declared in ../../<project-config>/project.md:
| Key | What it controls |
|---|---|
asf_org_id | The CVE 5.x assignerOrgId (ASF's UUID). |
cna_private_owner | The CNA_private.owner field — identifies the project slug inside the ASF CNA queue. |
cna_private_userslist | The advisory-delivery list; lands in CNA_private.userslist. |
Vendor/product (for the CVE record‘s vendor / product fields), the package name, and the collection URL come from the project manifest’s Identity section and the generate-cve-json CLI flags.