potiuk opened a new pull request, #388:
URL: https://github.com/apache/airflow-steward/pull/388

   ## Summary
   
   Fourth of 5 PRs converting the security skill family from
   Airflow/ASF-coupled to a generic framework with ASF as the
   default-configured option. **This is the biggest skill-side PR.**
   
   Two commits in this PR (kept separate for reviewability):
   
   1. **`chore`** — mechanical rename `tools/vulnogram/` →
      `tools/cve-tool-vulnogram/`. 40 files updated via search-and-
      replace + docs row repositioned + stale venvs cleaned.
      No behaviour change.
   
   2. **`feat`** — substantive content lift. 4 skills + 2 docs
      rewritten to read the `cve_authority` config block + speak
      in tool-agnostic state verbs (`allocated` → `review-ready`
      → `publish-ready` → `public`).
   
   **Byte-equivalent for the airflow-s adopter.** `cve_authority.tool:
   vulnogram` (the ASF default) resolves `<cve-tool>` to
   `cve-tool-vulnogram`. Vulnogram-native `DRAFT`/`REVIEW`/`READY`/
   `PUBLIC` states are preserved as named-example asides. Every
   Vulnogram CLI (`vulnogram-api-setup`, `vulnogram-api-check`,
   `vulnogram-api-record-update`, `vulnogram-api-record-fetch`) is
   still named where the operator's command-line invocation actually
   fires.
   
   ## Per-target lifts
   
   | Target | Lines | Highlights |
   |---|---|---|
   | `security-cve-allocate` | +222/-137 | Frontmatter speaks of `governance.cve_allocation_gate` + configured `<cve-tool>` allocation URL. Body reads `cve_authority.allocate_url` / `.record_url_template` / `.source_tab_url_template` / `.emits_allocation_email`. PMC-only golden rule → `governance.cve_allocation_gate` + `governance.roster_url`. Rollup template uses `<record-url>`/`<source-tab-url>` tokens. |
   | `security-issue-sync` Steps 5b/5c | +139/-91 | **Largest single section.** Step 5b reframes push as `push_update(cve_id, fields, state_transition=None)`; replaces `DRAFT`/`REVIEW`/`READY`/`PUBLIC` with state verbs. `publish()` called via `cve_authority.publication_propagation`. Step 5c generalises variant-template table to `tools/<cve-tool>/...` paths. |
   | `security-issue-invalidate` Step 0 | +29/-1 | Hard-stop CVE-state check lifts from `DRAFT`/`REVIEW`/`REJECTED` to generic state verbs. Retract flow → adapter's `retract()` method. |
   | `security-issue-deduplicate` | +54/-6 | Dedup-when-both-have-CVE branch speaks state verbs. Merge-of-credits → `<cve-tool>`'s `push_update()`. |
   | `docs/security/process.md` Steps 12-14 | +96/-53 | Allocate / update / publish steps reference `cve_authority.*` + `<cve-tool>` methods + state verbs. |
   | `docs/security/roles.md` | +50/-27 | Role descriptions lift Vulnogram-specific OAuth + state-machine references; PMC → governance-authorisation. |
   
   **Aggregate**: 6 files in the content commit, +590/-315 lines.
   Plus the mechanical rename touching 40 files.
   
   ## The contract
   
   `tools/cve-tool/README.md` (landed in
   [#381](https://github.com/apache/airflow-steward/pull/381)) is
   now the canonical contract: every skill body references
   `push_update`, `fetch_current_state`, `publish`, `retract`,
   `allocate`. The Vulnogram adapter at
   `tools/cve-tool-vulnogram/` is one implementation; alternative
   adapters (CVE.org direct, MITRE form, GHSA-only) plug in via
   `cve_authority.tool` without skill-body changes.
   
   ## What is *not* in this PR
   
   PR5 picks up:
   
   - `docs/security/threat-model.md`
   - `docs/security/forwarder-routing-policy.md`
   - `docs/security/how-to-fix-a-security-issue.md`
   - `docs/security/new-members-onboarding.md`
   - Final scrub: any remaining literal `@potiuk` / `@raboof` /
     `Apache Airflow` / `airflow | providers | chart` in skill
     bodies and templates.
   
   ## Test plan
   
   - [x] `uv run --project tools/skill-and-tool-validator skill-and-tool-validate`
     clean (5 advisory soft warnings, none hard, all on files
     outside PR4 scope).
   - [x] `pytest` clean for the validator (218 tests).
   - [x] All pre-commit hooks pass.
   - [ ] Spot-read the rendered `security-cve-allocate` and
     `security-issue-sync` Step 5b/5c on GitHub to confirm the
     contract-layer prose reads correctly and the Vulnogram
     named-example asides land where they should.
   - [ ] Confirm the airflow-s adopter, with
     `cve_authority.tool: vulnogram` (the ASF default), still
     resolves to the same behaviour as today
     (byte-equivalence invariant).
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.