blob: 1df69ab2233d287405beee208518deaf3ec62866 [file] [view]
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [Vulnogram — CVE allocation](#vulnogram--cve-allocation)
- [Allocation URL](#allocation-url)
- [PMC-gated access](#pmc-gated-access)
- [Form fields and where the skill sources them](#form-fields-and-where-the-skill-sources-them)
- [After the CVE is allocated](#after-the-cve-is-allocated)
- [Fatal mis-allocation — wrong product](#fatal-mis-allocation--wrong-product)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
# Vulnogram — CVE allocation
The Vulnogram-side mechanics of CVE allocation (step 6 of the generic
handling process in [`../../README.md`](../../README.md)). The generic
flow of *"walk the triager through an allocation, capture the ID,
wire it into the tracker"* lives in the
[`allocate-cve`](../../.claude/skills/allocate-cve/SKILL.md) skill;
this file documents the **Vulnogram-specific** parts that skill reads.
Per-project configuration (allocation URL, record URL template, org
ID) lives in
[`../../<project-config>/project.md`](../../<project-config>/project.md#cve-tooling).
## Allocation URL
```
https://cveprocess.apache.org/allocatecve
```
Opens an ASF-OAuth-protected form. The CVE ID is minted immediately
on successful submission and written back onto Vulnogram's
`cveprocess.apache.org/cve5/<CVE-ID>` record page with the state
`DRAFT`.
## PMC-gated access
The submit button on the Vulnogram allocation form is **PMC-gated on
the server side**: the form loads for any ASF-authenticated user,
but submission is rejected unless the user is a PMC member of the
project the allocation is against. This is not something the skill
can work around — a non-PMC user who clicks *Allocate* sees the
button grey out.
**Practical consequence.** The `allocate-cve` skill asks up front
*"are you a PMC member?"*:
- **PMC** — recipe is self-service: click the URL, paste the title,
fill the form, hit *Allocate*, paste the `CVE-YYYY-NNNNN` back.
- **Non-PMC** — recipe becomes a **relay message** the user posts as
a comment on the tracker (`@`-mentioning a PMC member) or sends
on the project's `security_list`. The PMC member reads the relay,
clicks through, allocates, and posts the ID back. The original
triager (or the PMC member) can then re-invoke `allocate-cve` with
the CVE ID as an override to resume from the wire-back step.
Concrete PMC-member handles live in the project's roster file (for
Airflow, `<project-config>/release-trains.md`); the canonical live
source is the ASF project page,
`https://projects.apache.org/committee.html?<project>`.
## Form fields and where the skill sources them
| Vulnogram form field | Source in the tracker |
|---|---|
| **Title** | Tracker title, passed through the project's title-normalisation cascade (for Airflow, `<project-config>/title-normalization.md`). The CNA container already scopes the title to the product, so any project prefix (`<vendor>: <product>:` (e.g. `Apache Airflow:`) etc.) must be stripped before pasting. |
| **Product** | Derived from the tracker's scope label via the per-project scope → product mapping (for Airflow, `<project-config>/scope-labels.md`). |
| **CWE** | Tracker body's *cwe* field (role-name — `<project-config>/project.md` declares the concrete GitHub heading for this project). `_No response_` → the allocator fills it at form time. |
| **Affected versions** | Tracker body's *affected-versions* field. |
| **Summary** | Tracker body's *public-summary* field. |
| **Reporter credits** | Tracker body's *reporter-credit* field. |
The `allocate-cve` skill renders this mapping as a numbered recipe
the user copy-pastes into the form in one pass.
## After the CVE is allocated
Once the PMC member has reported the `CVE-YYYY-NNNNN` back, the
`allocate-cve` skill wires it into the tracker in one coordinated
pass — the generic steps (populate the *cve-tool-link* body field,
add the `cve allocated` label, post a status-change comment,
regenerate the CVE JSON attachment, draft a reporter status update)
are tool-agnostic; the Vulnogram-specific output is:
- The *cve-tool-link* body field gets the concrete URL built from
the project manifest's `cve_tool_record_url_template` —
`https://cveprocess.apache.org/cve5/<CVE-ID>` for ASF projects.
- The regenerated CVE JSON attachment carries the allocated CVE ID
inside a `CNA_private` envelope with `state: "DRAFT"`; the
subsequent release-manager workflow (see [`record.md`](record.md))
moves it through `REVIEW` → `PUBLIC`.
## Fatal mis-allocation — wrong product
Allocating a CVE against the wrong product (e.g. `apache-airflow`
when the fix actually lives in `apache-airflow-providers-smtp`) is a
multi-hour cleanup involving Vulnogram support and the release
manager. The `allocate-cve` skill's Step 1 blocker checks refuse to
proceed without a scope label precisely because of this — see the
skill file for the hard-check details.