blob: 48010064d156cd199453465c17a6999c18d7b56d [file] [view]
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [TODO: `<Project Name>` — scope labels](#todo-project-name--scope-labels)
- [Scope → CVE product / package-name table](#scope-%E2%86%92-cve-product--package-name-table)
- [Default `packageName` and vendor](#default-packagename-and-vendor)
- [Closing dispositions (not scope labels)](#closing-dispositions-not-scope-labels)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
# TODO: `<Project Name>` — scope labels
Every tracker gets **exactly one** scope label at Step 5 of the
handling process (valid/invalid consensus landed). The scope:
- pins the tracker to one product the CVE will be allocated against;
- drives the release train the fix backports to (see
[`release-trains.md`](release-trains.md));
- determines the milestone format (see
[`milestones.md`](milestones.md));
- maps to the `product` / `packageName` of the CVE record (see the
table below).
TODO: list the project's scope labels, one row per label. If a report
affects more than one scope, the `sync-security-issue` skill surfaces
this as a blocker and the triager splits the report into per-scope
trackers.
## Scope → CVE product / package-name table
| Tracker scope label | CVE product | CVE container `packageName` | Collection URL |
|---|---|---|---|
| TODO: e.g. `foo` | TODO: e.g. `Apache Foo` | TODO: e.g. `apache-foo` | TODO: e.g. `https://pypi.python.org` |
## Default `packageName` and vendor
- `vendor`: TODO — usually from the `project.md → Identity` block.
- Default `packageName` for untagged / uncertain reports: TODO.
These defaults are declared in [`project.md`](project.md) under
*Identity* and *CVE tooling*; the CVE-JSON generator reads them from
there.
## Closing dispositions (not scope labels)
`invalid`, `not CVE worthy`, `duplicate`, and `wontfix` are **closing
dispositions**, not scope labels. They are set at Step 5 or Step 6
of the process when the tracker leaves the flow without a CVE. They
do not imply a product and never end up in the CVE-tool product
field. These are part of the generic lifecycle — see
[`../../tools/github/labels.md`](../../tools/github/labels.md).