justinmclean opened a new issue, #179: URL: https://github.com/apache/airflow-steward/issues/179
## Summary

The ASF `security_committers` policy (https://www.apache.org/security/committers.html) states:

> `[email protected]` can help determine if a report requires
> multiple CVE IDs or if multiple reports should be merged under
> a single CVE ID.

The `security-issue-deduplicate` skill correctly handles the case where one tracker has a CVE and the other does not (keep the one with the CVE). However, when **both** trackers already have a CVE allocated, the skill's rollup comment template reads:

> CVE: [CVE-N-M] stays allocated here; [#drop] being closed as
> duplicate.

The skill silently picks one CVE to keep and closes the other tracker — with no instruction to deprecate or reject the dropped CVE ID via the ASF Security Team. Abandoned RESERVED CVE IDs left on `cveprocess.apache.org` without being explicitly rejected create noise in the CNA queue and may confuse downstream consumers.

## What should happen

When both trackers carry a `cve allocated` label, the skill should:

1. **Hard-stop before the merge proposal** and surface an explicit blocker: "Both trackers have CVE IDs allocated — contact `[email protected]` before merging to determine which ID to keep and which to reject."
2. Only proceed with the merge after the user confirms that `[email protected]` has been consulted and one ID has been designated for rejection.
3. After the merge lands, include a checklist item: "Reject the dropped CVE ID (`CVE-YYYY-NNNNN`) in Vulnogram and confirm with `[email protected]`."

## Required change

In `security-issue-deduplicate`, Step 2 (kept/dropped selection): add a guard that checks whether *both* trackers carry the `cve allocated` label or a populated *CVE tool link* body field, and if so surfaces the blocker above before building the merge proposal.

## Policy reference

- https://www.apache.org/security/committers.html — "CVE IDs" section

## Notes

The single-CVE case (one tracker has it, the other doesn't) is already handled correctly and needs no change.
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
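One way to implement the Step 2 guard the issue asks for, written here as an added example; it is not code from apache/airflow-steward and the skill itself is not shown on this page. The example assumes a tracker is represented as a dict with `number`, `labels` and `body`, that the "CVE tool link" body field is written as `CVE tool link: <url>` (optionally bolded), and that when neither tracker has a CVE the older (lower-numbered) tracker is kept; all three are assumptions made for the example. It covers the three cases the issue distinguishes: one CVE (keep that tracker), both CVEs before consultation (hard-stop blocker), and both CVEs after the Security Team has designated an ID for rejection (merge plus the Vulnogram rejection checklist item).

```python
"""Kept/dropped selection guard for a two-tracker deduplication (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Label name taken from the issue text.
CVE_LABEL = "cve allocated"

# Body field holding the cveprocess link. The exact markdown form of the field
# ("CVE tool link: <url>", optionally bolded) is an assumption for this example.
CVE_TOOL_LINK_RE = re.compile(
    r"^[ \t]*\*{0,2}CVE tool link\*{0,2}[ \t]*:[ \t]*(?P<url>https?://\S+)",
    re.IGNORECASE | re.MULTILINE,
)
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Decision:
    kind: str                      # "merge" or "blocker"
    keep: int | None = None        # tracker number that stays open
    drop: int | None = None        # tracker number closed as duplicate
    message: str = ""
    checklist: list[str] = field(default_factory=list)


def cve_tool_link(body: str | None) -> str | None:
    """Return the URL of a populated 'CVE tool link' field, or None when absent or empty."""
    m = CVE_TOOL_LINK_RE.search(body or "")
    return m.group("url") if m else None


def cve_id(tracker: dict) -> str | None:
    """Best-effort CVE ID for a tracker: the first CVE-YYYY-NNNNN in its body (tool link included)."""
    m = CVE_ID_RE.search(tracker.get("body") or "")
    return m.group(0) if m else None


def has_cve(tracker: dict) -> bool:
    """Either signal counts: the `cve allocated` label, or a populated CVE tool link field."""
    labels = {str(lbl).lower() for lbl in tracker.get("labels", [])}
    return CVE_LABEL in labels or cve_tool_link(tracker.get("body")) is not None


def _merge(keep: dict, drop: dict, checklist: list[str] | None = None) -> Decision:
    shown = cve_id(keep) or "[CVE-N-M]"
    return Decision(
        kind="merge", keep=keep["number"], drop=drop["number"],
        message=f"CVE: {shown} stays allocated on #{keep['number']}; #{drop['number']} being closed as duplicate.",
        checklist=checklist or [],
    )


def select_kept_dropped(a: dict, b: dict, *, security_consulted: bool = False,
                        reject_id: str | None = None) -> Decision:
    """Step 2 guard: pick kept/dropped, or hard-stop when both trackers carry a CVE."""
    a_cve, b_cve = has_cve(a), has_cve(b)

    if a_cve and b_cve:
        if not security_consulted or reject_id is None:
            return Decision(kind="blocker", message=(
                f"Both trackers (#{a['number']}, #{b['number']}) have CVE IDs allocated; contact the "
                "ASF Security Team before merging to determine which ID to keep and which to reject."))
        # Consultation done: drop the tracker whose ID was designated for rejection.
        if cve_id(a) == reject_id:
            keep, drop = b, a
        elif cve_id(b) == reject_id:
            keep, drop = a, b
        else:
            return Decision(kind="blocker", message=(
                f"{reject_id} matches neither tracker's CVE ID; re-check with the ASF Security Team."))
        return _merge(keep, drop, [
            f"Reject the dropped CVE ID ({reject_id}) in Vulnogram and confirm with the ASF Security Team."])

    if a_cve != b_cve:
        # Exactly one tracker has a CVE: keep that one (the already-correct behaviour).
        keep, drop = (a, b) if a_cve else (b, a)
        return _merge(keep, drop)

    # Neither has a CVE: keep the older tracker (assumption: lower number is older).
    keep, drop = sorted((a, b), key=lambda t: t["number"])
    return _merge(keep, drop)


# Constructed sample trackers for the example; not real issues.
TRACKER_ONE = {"number": 101, "labels": ["cve allocated"],
               "body": "Report A\n\n**CVE tool link**: https://cveprocess.apache.org/cve5/CVE-2025-00001\n"}
TRACKER_TWO = {"number": 102, "labels": [],
               "body": "Report B\n\nCVE tool link: https://cveprocess.apache.org/cve5/CVE-2025-00002\n"}
TRACKER_THREE = {"number": 103, "labels": [], "body": "Report C\n\nCVE tool link:\n"}

if __name__ == "__main__":
    print(select_kept_dropped(TRACKER_ONE, TRACKER_TWO))
    print(select_kept_dropped(TRACKER_ONE, TRACKER_TWO, security_consulted=True, reject_id="CVE-2025-00002"))
    print(select_kept_dropped(TRACKER_ONE, TRACKER_THREE))
```

`TRACKER_TWO` has no label but a populated tool link, so it still counts as carrying a CVE, which is why the first call hard-stops; `TRACKER_THREE` has the field name with nothing after the colon and is treated as having no CVE.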
