potiuk opened a new pull request, #385: URL: https://github.com/apache/airflow-steward/pull/385
## Summary

Per Arnout Engelen's 2026-05-29 review on CVE-2026-40913: a record may only reach PUBLIC after the advisory has actually shipped to users@ / announce@ and the archived users-list URL has been added to `references[]`. The generator's `compute_cna_private_state` already enforces this on the emit side; this PR adds the symmetric guard on the push side so the merge-mode guards refuse any `vulnogram-api-record-update` push that carries `state=PUBLIC` without a vendor-advisory-tagged reference.

### Why

Without this guard, an operator who hand-edits the JSON file (or pastes via Vulnogram's `#source` tab and then re-pushes) can flip the state to PUBLIC ahead of the actual advisory send. That's the exact failure mode Arnout flagged on CVE-2026-40913.

### Behavior

- The check runs **after the references merge**, so an idempotent re-push of an already-PUBLIC record (where the new JSON dropped the advisory ref for some reason) passes: the merge restores the ref.
- The guard fires only when **neither** the new doc nor the merged-from-current refs include vendor-advisory.
- There is intentionally **no `--allow-state-upgrade` override**: the sanctioned path to PUBLIC is `vulnogram-api-record-publish`, which fires on the archive-URL signal and inserts the vendor-advisory reference at the same time.

## Test plan

- [x] New `TestStateUpgradeToPublicGuard` class with 6 cases (without-advisory refused; with-advisory allowed; merged-from-current restores ref; replace-references drops ref and refuses; REVIEW pushes unaffected; error message names the sanctioned path)
- [x] Two existing references-merge tests adjusted to use `state=REVIEW` since they test references behavior, not state; scoping noted in docstrings
- [x] Full oauth-api suite: 92 / 92 passed

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
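The guard behavior described in the PR above, as an added example written for this page rather than code from apache/airflow-steward. It assumes a simplified record shape (a dict with a top-level `state` and a `references` list of `{"url", "tags"}` entries, with the advisory identified by the CVE JSON 5 reference tag `vendor-advisory`); the names `merge_references`, `guard_record_update`, `refusal_message`, `run_scenarios` and the sample records are constructed for the example, and `replace=True` stands in for a replace-references push. The point it shows is ordering: because the merge runs before the check, a re-push of an already-PUBLIC record that lost the advisory ref passes, while a replace-references push that drops it is refused.

```python
"""Push-side guard for state=PUBLIC, as a constructed example (not airflow-steward code).

Assumptions: a record is a dict with a top-level "state" string and a
"references" list of {"url": ..., "tags": [...]} entries; the vendor advisory is
identified by the CVE JSON 5 reference tag "vendor-advisory".
"""
from __future__ import annotations

VENDOR_ADVISORY_TAG = "vendor-advisory"
SANCTIONED_PATH = "vulnogram-api-record-publish"  # the only path that should move a record to PUBLIC


class StateUpgradeRefused(ValueError):
    """Raised when a push would leave a record PUBLIC with no vendor-advisory reference."""


def merge_references(current_refs: list[dict], new_refs: list[dict], replace: bool = False) -> list[dict]:
    """Merge references by URL; entries in the new doc override same-URL entries from current.

    With replace=True the current references are discarded entirely (the
    replace-references behaviour), which is exactly the case that can drop the advisory.
    """
    if replace:
        return [dict(r) for r in new_refs]
    merged = {r["url"]: dict(r) for r in current_refs}
    for r in new_refs:
        merged[r["url"]] = dict(r)
    return list(merged.values())


def has_vendor_advisory(refs: list[dict]) -> bool:
    """True if any reference carries the vendor-advisory tag."""
    return any(VENDOR_ADVISORY_TAG in r.get("tags", []) for r in refs)


def guard_record_update(current: dict, new: dict, replace_references: bool = False) -> dict:
    """Return the document that would be pushed, or raise StateUpgradeRefused.

    The merge runs before the check, so a re-push of an already-PUBLIC record whose
    JSON lost the advisory ref still passes: the merge brings the ref back from current.
    There is deliberately no override flag; the error names the sanctioned path instead.
    """
    merged = dict(new)
    merged["references"] = merge_references(
        current.get("references", []), new.get("references", []), replace=replace_references
    )
    if merged.get("state") == "PUBLIC" and not has_vendor_advisory(merged["references"]):
        raise StateUpgradeRefused(
            f"refusing push with state=PUBLIC: no reference tagged {VENDOR_ADVISORY_TAG!r}; "
            f"use {SANCTIONED_PATH}, which inserts the advisory reference once the archive URL exists"
        )
    return merged


def refusal_message(current: dict, new: dict, replace_references: bool = False) -> str | None:
    """Convenience wrapper: the refusal text, or None when the push is allowed."""
    try:
        guard_record_update(current, new, replace_references=replace_references)
    except StateUpgradeRefused as exc:
        return str(exc)
    return None


# Constructed sample records (not real CVE data).
THIRD_PARTY_REF = {"url": "https://example.org/third-party-advisory", "tags": ["third-party-advisory"]}
ADVISORY_REF = {"url": "https://lists.example.org/thread/users-announcement", "tags": [VENDOR_ADVISORY_TAG]}
CURRENT_PUBLIC = {"state": "PUBLIC", "references": [THIRD_PARTY_REF, ADVISORY_REF]}
CURRENT_REVIEW = {"state": "REVIEW", "references": [THIRD_PARTY_REF]}


def run_scenarios() -> dict[str, str]:
    """Exercise the cases from the PR's test plan; returns case -> 'allowed' | 'refused'."""
    cases = {
        "public_without_advisory": (CURRENT_REVIEW, {"state": "PUBLIC", "references": [THIRD_PARTY_REF]}, False),
        "public_with_advisory": (CURRENT_REVIEW, {"state": "PUBLIC", "references": [THIRD_PARTY_REF, ADVISORY_REF]}, False),
        "merge_restores_ref": (CURRENT_PUBLIC, {"state": "PUBLIC", "references": [THIRD_PARTY_REF]}, False),
        "replace_drops_ref": (CURRENT_PUBLIC, {"state": "PUBLIC", "references": [THIRD_PARTY_REF]}, True),
        "review_unaffected": (CURRENT_REVIEW, {"state": "REVIEW", "references": []}, True),
    }
    return {
        name: ("refused" if refusal_message(cur, new, replace_references=rep) else "allowed")
        for name, (cur, new, rep) in cases.items()
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running the module prints one line per scenario; the only two refusals are the fresh PUBLIC push with no advisory and the replace-references push that throws the advisory away, which is the asymmetry the PR relies on.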
