| <!-- SPDX-License-Identifier: Apache-2.0 |
| https://www.apache.org/licenses/LICENSE-2.0 --> |
| |
| <!-- START doctoc generated TOC please keep comment here to allow auto update --> |
| <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> |
| **Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)* |
| |
| - [CVE allocation — capability-flag vocabulary](#cve-allocation--capability-flag-vocabulary) |
| - [Overview](#overview) |
| - [Capability flags](#capability-flags) |
| - [`cve_authority.tool`](#cve_authoritytool) |
| - [`governance.cve_allocation_gate`](#governancecve_allocation_gate) |
| - [`cve_authority.reviewer_channel`](#cve_authorityreviewer_channel) |
| - [Configuring the flags](#configuring-the-flags) |
| - [Non-ASF adopter quick-start](#non-asf-adopter-quick-start) |
| - [Cross-references](#cross-references) |
| |
| <!-- END doctoc generated TOC please keep comment here to allow auto update --> |
| |
| <!-- SPDX-License-Identifier: Apache-2.0 |
| https://www.apache.org/licenses/LICENSE-2.0 --> |
| |
| # CVE allocation — capability-flag vocabulary |
| |
| This file is the **standalone vocabulary reference** for the three |
| workflow-diverging capability flags that the `security-cve-allocate` |
| skill branches on. It is the CVE-allocation counterpart to the |
| [`release-management-config.md`](release-management-config.md) Backends |
| section, which documents the equivalent flags for the release-management |
| family. |
| |
| The flag *values* are declared in `<project-config>/project.md` under |
| the `cve_authority:` and `governance:` YAML blocks (see |
| [§ CVE authority](project.md#cve-authority) and |
| [§ Governance](project.md#governance)). This file explains the full |
| allowed-value set for each flag, the workflow implications of each choice, |
| and the non-ASF adoption paths. |
| |
| ## Overview |
| |
| The `security-cve-allocate` skill is the allocation-step gate in the |
| security-issue lifecycle. It diverges at three decision points that differ |
| by ecosystem: |
| |
| 1. **Which CNA tool** allocates the CVE record (`cve_authority.tool`). |
| 2. **Who is authorised** to trigger allocation (`governance.cve_allocation_gate`). |
| 3. **Where the draft record is reviewed** before publication |
| (`cve_authority.reviewer_channel`). |
| |
| All three are capability flags: an ASF TLP adopter leaves them at their |
| defaults and the skill behaves identically to how it runs in the reference |
| `<org>/<repo>` adopter. A non-ASF adopter overrides one or more flags to |
| match their CNA program, and the skill emits backend-appropriate recipes |
| without any skill-body edits. |
| |
| ## Capability flags |
| |
| | Flag | ASF default | Location in `project.md` | |
| |---|---|---| |
| | `cve_authority.tool` | `vulnogram` | `### CVE authority` → `tool:` | |
| | `governance.cve_allocation_gate` | `pmc-member` | `### Governance` → `cve_allocation_gate:` | |
| | `cve_authority.reviewer_channel` | `mailing-list` | `### CVE authority` → `reviewer_channel:` | |
| |
| ### `cve_authority.tool` |
| |
| Selects the CNA tool adapter the skill uses to allocate and manage CVE |
| records. |
| |
| | Value | Description | When to use | |
| |---|---|---| |
| | `vulnogram` | ASF-hosted [Vulnogram](https://cveprocess.apache.org/) instance. The skill prints the allocation URL (`cve_authority.allocate_url`), the user pastes the stripped title, and Vulnogram auto-emails the assigner list on submission. The adapter lives under `tools/cve-tool-vulnogram/`. | ASF TLP default. Any project whose CNA is the ASF CNA (`f0158376-9dc2-43b6-827c-5f631a4d8d09`). Also valid for projects on any other Vulnogram tenant — override `allocate_url`, `record_url_template`, and `source_tab_url_template` in `project.md` to point at the tenant's URLs. | |
| | `mitre-form` | MITRE CNA web form (`https://cveform.mitre.org/`). The skill produces a paste-ready MITRE submission body the operator submits manually. No API; the form is the allocation surface. | Projects that are sub-CNAs of MITRE's root CNA and do not have their own Vulnogram instance. Typically research groups or small foundations not yet running their own CNA program. | |
| | `cve-org-direct` | CVE.org CVE Services REST API (`https://cveawg.mitre.org/api/`). The skill calls the API with the adopter's org ID and API key (stored in `.apache-magpie-overrides/user.md` → `cve_api_key`). The allocation and record-update steps are fully automated — no copy-paste. | Projects that have their own CNA org registered with MITRE and hold CVE Services API credentials. Non-ASF foundations with an active CNA programme. | |
| | `ghsa` | GitHub Security Advisory (GHSA) only. The skill opens or updates a GHSA on the upstream repo via `gh api` without allocating a separate CVE ID. The GHSA slug (`GHSA-xxxx-yyyy-zzzz`) is the canonical public identifier; MITRE may later assign a CVE ID from the GHSA, but that is outside the skill's scope. | Projects that opt out of CNA participation in favour of GHSA-only disclosure. Common for small GitHub-hosted projects where GitHub's CVE-review programme covers the disclosure channel. | |
| | `none` | No formal CVE allocation. The skill skips the allocation step and produces only a disclosure advisory (milestone notification, advisory text). Nothing is submitted to any CNA. | Projects that do not participate in any CNA programme and whose security policy does not require CVE IDs. Typically very early-stage projects or internal tooling. | |
| |
| **ASF TLP constraint**: ASF top-level projects are sub-CNAs under the |
| ASF CNA. Switching `cve_authority.tool` away from `vulnogram` requires |
| approval from the ASF Security team. Apache Incubator podlings may use |
| `none` or `ghsa` during incubation and switch to `vulnogram` at |
| graduation. |
| |
| ### `governance.cve_allocation_gate` |
| |
| Controls which operators are authorised to trigger the CVE allocation |
| step (Step 3 of `security-cve-allocate`). The skill checks this gate |
| against the running user's `role_flags` in |
| `.apache-magpie-overrides/user.md` and against the roster source declared |
| in `governance.roster_url`. Users who do not pass the gate receive a |
| **relay message** to forward to an authorised member instead of a |
| self-service allocation recipe. |
| |
| | Value | Description | When to use | |
| |---|---|---| |
| | `pmc-member` | ASF PMC membership, verified via ASF OAuth into Vulnogram. The CVE tool's allocation button is disabled for non-PMC users; the relay message targets currently-authorised PMC members listed at `governance.roster_url`. | ASF TLP default. Any project whose CNA program restricts allocation to a governance committee. | |
| | `security-team-member` | Any member of the security team, as declared in `roster.source`. Broader than `pmc-member` — suitable when the full triage team holds allocation rights. The relay message targets the security team on `<security-list>`. | Non-ASF adopters whose CNA does not restrict allocation to a formal governance committee. Common for projects where the security team and the governance body largely overlap, or where the CNA simply requires "an authorised team member". | |
| | `maintainer` | Any project committer (anyone with write access to `<upstream>`). No formal authority gate — the skill issues a self-service recipe to any operator with tracker access. The relay path is not used. | Small projects where the distinction between security-team member and committer is not maintained, or projects whose CNA programme has no allocation gate at all. | |
| | `none` | No gate. The skill does not check authority and produces a self-service recipe for every operator. | Projects using `cve_authority.tool: ghsa` (GitHub handles authority natively) or `tool: none` (no CNA submission). Inappropriate for any project that actually submits to a CNA. | |
| |
| ### `cve_authority.reviewer_channel` |
| |
| Where the draft CVE record — after allocation but before publication — is |
| reviewed by the security team. This is the "human-review gate" before |
| the CNA publishes the record publicly. |
| |
| | Value | Description | When to use | |
| |---|---|---| |
| | `mailing-list` | Review discussion happens on `governance.private_governance_list` (for ASF: `private@<project>.apache.org`). The skill drafts an email to that list containing the CVE JSON link and the record's current state. | ASF TLP default. Any project with a private mailing list for governance discussions. Preserves a thread-based audit trail. | |
| | `github-pr` | Review happens as a draft PR on the tracker repo. The skill opens or updates a PR with the CVE JSON diff for team members to approve. | Adopters who prefer PR-based review workflows (approvals, inline comments) over mailing-list threads. Requires the tracker repo to be readable by all reviewers. | |
| | `none` | No formal review gate between allocation and publication. The skill proceeds directly to the "push record to CNA tool" step. | Projects using `cve_authority.tool: ghsa` (GitHub's advisory review is the gate) or `tool: none`. Also appropriate for `cve-org-direct` adopters whose CNA programme permits immediate publication without a separate review window. | |
| |
| ## Configuring the flags |
| |
| The flag values live in `<project-config>/project.md`. To adopt: |
| |
| 1. Copy `projects/_template/project.md` → `<project-config>/project.md` |
| if you have not already done so. |
| 2. In the `### CVE authority` YAML block, set `cve_authority.tool` to |
| the value matching your CNA programme. |
| 3. In the `### Governance` YAML block, set `governance.cve_allocation_gate` |
| to the value matching your authority model. |
| 4. In the `### CVE authority` YAML block, set |
| `cve_authority.reviewer_channel` to the value matching your review |
| workflow. |
| 5. Update the remaining `cve_authority.*` URL fields |
| (`allocate_url`, `record_url_template`, `source_tab_url_template`, |
| `email_preview_url_template`) to point at your CNA tool's endpoints, or |
| leave them blank / `null` if the chosen `tool` value does not use those |
| fields (e.g. `ghsa` and `none` need no URL config). |
| |
| ASF default (no changes needed for a fresh ASF TLP adopter): |
| |
| ```yaml |
| cve_authority: |
| tool: vulnogram |
| reviewer_channel: mailing-list |
| # ... URL fields already filled in with ASF Vulnogram endpoints |
| |
| governance: |
| cve_allocation_gate: pmc-member |
| ``` |
| |
| Non-ASF example (GHSA-only, no formal gate): |
| |
| ```yaml |
| cve_authority: |
| tool: ghsa |
| reviewer_channel: none |
| allocate_url: null |
| record_url_template: https://github.com/<upstream>/security/advisories/<GHSA-ID> |
| source_tab_url_template: null |
| email_preview_url_template: null |
| |
| governance: |
| cve_allocation_gate: maintainer |
| ``` |
| |
| Non-ASF example (own CNA, CVE.org direct API, PR-based review): |
| |
| ```yaml |
| cve_authority: |
| tool: cve-org-direct |
| reviewer_channel: github-pr |
| allocate_url: https://cveawg.mitre.org/api/cve-id |
| record_url_template: https://cveawg.mitre.org/api/cve/<CVE-ID> |
| source_tab_url_template: null |
| email_preview_url_template: null |
| |
| governance: |
| cve_allocation_gate: security-team-member |
| ``` |
| |
| ## Non-ASF adopter quick-start |
| |
| Pick the row matching your situation: |
| |
| | Situation | `cve_authority.tool` | `governance.cve_allocation_gate` | `cve_authority.reviewer_channel` | |
| |---|---|---|---| |
| | ASF TLP | `vulnogram` | `pmc-member` | `mailing-list` | |
| | ASF podling (pre-graduation) | `none` or `ghsa` | `maintainer` | `none` | |
| | Non-ASF, own CNA (Vulnogram tenant) | `vulnogram` (override URLs) | `security-team-member` | `mailing-list` | |
| | Non-ASF, own CNA (CVE.org API) | `cve-org-direct` | `security-team-member` | `github-pr` or `mailing-list` | |
| | Non-ASF, MITRE sub-CNA (no tool) | `mitre-form` | `security-team-member` | `mailing-list` | |
| | Non-ASF, GHSA only | `ghsa` | `maintainer` | `none` | |
| | No formal CVE programme | `none` | `none` | `none` | |
| |
| ## Cross-references |
| |
| - [`project.md`](project.md) — the `cve_authority:` and `governance:` |
| YAML blocks where the flag values are declared and stored. |
| - [`security-model.md`](security-model.md) — project security policy URL |
| and the disclosure timeline the CVE workflow enforces. |
| - `tools/cve-tool-vulnogram/` — ASF default CNA tool adapter (Vulnogram). |
| - `tools/cve-org/` — CVE.org / CVE Services API helpers (for |
| `cve-org-direct`). |
| - `security-cve-allocate` skill — the skill that reads and branches on |
| these flags at run time. |
| - [`release-management-config.md`](release-management-config.md) — the |
| parallel backend-flag vocabulary for the release-management family, |
| which established the pattern this file follows. |