blob: ce2ec1e4aca21e05b184748c5f3b22f75916e6c0 [file] [view]
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [Tool: Vulnogram](#tool-vulnogram)
- [What this tool provides](#what-this-tool-provides)
- [How the generic skills address the CVE tool](#how-the-generic-skills-address-the-cve-tool)
- [Confidentiality](#confidentiality)
- [Per-project configuration](#per-project-configuration)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
# Tool: Vulnogram
This directory documents the **Vulnogram** tool adapter — the set of
capabilities the skills use when the adopting project declares Vulnogram
as its **CVE tool** (the CNA-side system for allocating CVE IDs,
maintaining CVE 5.x records, and pushing those records to `cve.org`).
Vulnogram is the ASF's hosted CNA tool at
[`cveprocess.apache.org`](https://cveprocess.apache.org/). Every ASF
project reusing this framework will typically declare
`cve_tool: vulnogram` in its manifest; for the currently active
project see
[`../../<project-config>/project.md`](../../<project-config>/project.md#cve-tooling).
## What this tool provides
The skills use Vulnogram for three capabilities plus a CVE-JSON
generator. Each has its own reference file in this directory:
| Capability | File | What it covers |
|---|---|---|
| Allocation | [`allocation.md`](allocation.md) | PMC-gated allocation URL + form-fill recipe + non-PMC relay flow |
| Record management | [`record.md`](record.md) | Record URL template, `#source` tab paste flow, `DRAFT` → `REVIEW` → `PUBLIC` state machine, reviewer-comment-via-email signal |
| CVE-5.x JSON generator | [`generate-cve-json/`](generate-cve-json/) | Python project (`uv run`-managed) that reads a tracker body and emits a paste-ready CVE-5.x JSON record in the shape Vulnogram expects |
The generator is kept here (rather than under `.claude/skills/`)
because its output shape — in particular the `CNA_private` envelope
with the `DRAFT` / `REVIEW` / `PUBLIC` state machine — is a
Vulnogram-specific opinionation on top of the standard CVE-5.x schema.
A different CNA tool would need a different generator (or a different
wrapper around the generic schema builders).
## How the generic skills address the CVE tool
The generic `sync-security-issue`, `allocate-cve`, and
`deduplicate-security-issue` skills frame their CVE-tool-facing steps
in project-tool-agnostic terms — *"regenerate the CVE artifact via
the project's CVE tool"*, *"walk the user through the allocation
flow"*, *"capture the reviewer-comment signal"*. They then delegate
to the project's declared `cve_tool`:
- For Airflow (`cve_tool: vulnogram`), they delegate to the recipes in
this directory and to the generator under `generate-cve-json/`.
- For a hypothetical project using a different CNA tool (a private
Vulnogram instance, an in-house CNA system, a commercial CVE
management platform), that project would:
1. create a sibling `tools/<cve-tool-name>/` directory with
`tool.md` / `allocation.md` / `record.md` / a generator;
2. flip `cve_tool` in its manifest;
3. keep the generic skill logic unchanged.
## Confidentiality
Vulnogram links are internal during the allocation + drafting window:
- Before an advisory is sent, links to
`cveprocess.apache.org/cve5/<CVE-ID>` **must not** appear on public
surfaces (the public `<upstream>` PR body, public mailing-list
posts, anything else non-security-team-visible) — see the
*"Confidentiality of the tracker repository"* and *"Linking CVEs"*
sections of [`../../AGENTS.md`](../../AGENTS.md).
- After publication the CVE record is world-readable at
[`cve.org`](https://cve.org); the Vulnogram URL stays useful as the
security team's edit surface but the public-facing link switches to
`cve.org`.
## Per-project configuration
Every Vulnogram adapter invocation needs three project-scoped values.
For the adopting project these are declared in
[`../../<project-config>/project.md`](../../<project-config>/project.md#cve-tooling):
| Key | What it controls |
|---|---|
| `asf_org_id` | The CVE 5.x `assignerOrgId` (ASF's UUID). |
| `cna_private_owner` | The `CNA_private.owner` field — identifies the project slug inside the ASF CNA queue. |
| `cna_private_userslist` | The advisory-delivery list; lands in `CNA_private.userslist`. |
Vendor/product (for the CVE record's `vendor` / `product` fields),
the package name, and the collection URL come from the project
manifest's *Identity* section and the `generate-cve-json` CLI flags.