This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git


The following commit(s) were added to refs/heads/main by this push:
     new 7e04a8ef feat(project-agnosticism): add cve-allocation-config.md 
capability-flag vocabulary (#562)
7e04a8ef is described below

commit 7e04a8ef3ce1b8a43ca5e4ceb7be5d4251f5925f
Author: Justin Mclean <[email protected]>
AuthorDate: Sat Jun 27 06:15:03 2026 +1000

    feat(project-agnosticism): add cve-allocation-config.md capability-flag 
vocabulary (#562)
    
    Documents the three workflow-diverging capability flags for the
    security-cve-allocate skill: cve_authority.tool (vulnogram /
    mitre-form / cve-org-direct / ghsa / none), governance.cve_allocation_gate
    (pmc-member / security-team-member / maintainer / none), and
    cve_authority.reviewer_channel (mailing-list / github-pr / none).
    
    Closes the third and final gap in project-agnosticism.md Known Gaps
    ("capability-flag vocabulary is defined only for release-management"):
    capability-flags-committer-intake and capability-flags-security-intake
    cover the other two gaps; this branch covers CVE allocation.
    
    Generated-by: Claude (Opus 4.7)
---
 projects/_template/cve-allocation-config.md | 197 ++++++++++++++++++++++++++++
 1 file changed, 197 insertions(+)

diff --git a/projects/_template/cve-allocation-config.md 
b/projects/_template/cve-allocation-config.md
new file mode 100644
index 00000000..282519f3
--- /dev/null
+++ b/projects/_template/cve-allocation-config.md
@@ -0,0 +1,197 @@
+<!-- START doctoc generated TOC please keep comment here to allow auto update 
-->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+**Table of Contents**  *generated with 
[DocToc](https://github.com/thlorenz/doctoc)*
+
+- [CVE allocation — capability-flag 
vocabulary](#cve-allocation--capability-flag-vocabulary)
+  - [Overview](#overview)
+  - [Capability flags](#capability-flags)
+    - [`cve_authority.tool`](#cve_authoritytool)
+    - [`governance.cve_allocation_gate`](#governancecve_allocation_gate)
+    - [`cve_authority.reviewer_channel`](#cve_authorityreviewer_channel)
+  - [Configuring the flags](#configuring-the-flags)
+  - [Non-ASF adopter quick-start](#non-asf-adopter-quick-start)
+  - [Cross-references](#cross-references)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+<!-- SPDX-License-Identifier: Apache-2.0
+     https://www.apache.org/licenses/LICENSE-2.0 -->
+
+# CVE allocation — capability-flag vocabulary
+
+This file is the **standalone vocabulary reference** for the three
+workflow-diverging capability flags that the `security-cve-allocate`
+skill branches on. It is the CVE-allocation counterpart to the
+[`release-management-config.md`](release-management-config.md) Backends
+section, which documents the equivalent flags for the release-management
+family.
+
+The flag *values* are declared in `<project-config>/project.md` under
+the `cve_authority:` and `governance:` YAML blocks (see
+[§ CVE authority](project.md#cve-authority) and
+[§ Governance](project.md#governance)). This file explains the full
+allowed-value set for each flag, the workflow implications of each choice,
+and the non-ASF adoption paths.
+
+## Overview
+
+The `security-cve-allocate` skill is the allocation-step gate in the
+security-issue lifecycle. It diverges at three decision points that differ
+by ecosystem:
+
+1. **Which CNA tool** allocates the CVE record (`cve_authority.tool`).
+2. **Who is authorised** to trigger allocation 
(`governance.cve_allocation_gate`).
+3. **Where the draft record is reviewed** before publication
+   (`cve_authority.reviewer_channel`).
+
+All three are capability flags: an ASF TLP adopter leaves them at their
+defaults and the skill behaves identically to how it runs today in
+`airflow-s/airflow-s`. A non-ASF adopter overrides one or more flags to
+match their CNA program, and the skill emits backend-appropriate recipes
+without any skill-body edits.
+
+## Capability flags
+
+| Flag | ASF default | Location in `project.md` |
+|---|---|---|
+| `cve_authority.tool` | `vulnogram` | `### CVE authority` → `tool:` |
+| `governance.cve_allocation_gate` | `pmc-member` | `### Governance` → 
`cve_allocation_gate:` |
+| `cve_authority.reviewer_channel` | `mailing-list` | `### CVE authority` → 
`reviewer_channel:` |
+
+### `cve_authority.tool`
+
+Selects the CNA tool adapter the skill uses to allocate and manage CVE
+records.
+
+| Value | Description | When to use |
+|---|---|---|
+| `vulnogram` | ASF-hosted [Vulnogram](https://cveprocess.apache.org/) 
instance. The skill prints the allocation URL (`cve_authority.allocate_url`), 
the user pastes the stripped title, and Vulnogram auto-emails the assigner list 
on submission. The adapter lives under `tools/cve-tool-vulnogram/`. | ASF TLP 
default. Any project whose CNA is the ASF CNA 
(`f0158376-9dc2-43b6-827c-5f631a4d8d09`). Also valid for projects on any other 
Vulnogram tenant — override `allocate_url`, `record_url_temp [...]
+| `mitre-form` | MITRE CNA web form (`https://cveform.mitre.org/`). The skill 
produces a paste-ready MITRE submission body the operator submits manually. No 
API; the form is the allocation surface. | Projects that are sub-CNAs of 
MITRE's root CNA and do not have their own Vulnogram instance. Typically 
research groups or small foundations not yet running their own CNA program. |
+| `cve-org-direct` | CVE.org CVE Services REST API 
(`https://cveawg.mitre.org/api/`). The skill calls the API with the adopter's 
org ID and API key (stored in `.apache-magpie-overrides/user.md` → 
`cve_api_key`). The allocation and record-update steps are fully automated — no 
copy-paste. | Projects that have their own CNA org registered with MITRE and 
hold CVE Services API credentials. Non-ASF foundations with an active CNA 
programme. |
+| `ghsa` | GitHub Security Advisory (GHSA) only. The skill opens or updates a 
GHSA on the upstream repo via `gh api` without allocating a separate CVE ID. 
The GHSA slug (`GHSA-xxxx-yyyy-zzzz`) is the canonical public identifier; MITRE 
may later assign a CVE ID from the GHSA, but that is outside the skill's scope. 
| Projects that opt out of CNA participation in favour of GHSA-only disclosure. 
Common for small GitHub-hosted projects where GitHub's CVE-review programme 
covers the disclosure [...]
+| `none` | No formal CVE allocation. The skill skips the allocation step and 
produces only a disclosure advisory (milestone notification, advisory text). 
Nothing is submitted to any CNA. | Projects that do not participate in any CNA 
programme and whose security policy does not require CVE IDs. Typically very 
early-stage projects or internal tooling. |
+
+**ASF TLP constraint**: ASF top-level projects are sub-CNAs under the
+ASF CNA. Switching `cve_authority.tool` away from `vulnogram` requires
+approval from the ASF Security team. Apache Incubator podlings may use
+`none` or `ghsa` during incubation and switch to `vulnogram` at
+graduation.
+
+### `governance.cve_allocation_gate`
+
+Controls which operators are authorised to trigger the CVE allocation
+step (Step 3 of `security-cve-allocate`). The skill checks this gate
+against the running user's `role_flags` in
+`.apache-magpie-overrides/user.md` and against the roster source declared
+in `governance.roster_url`. Users who do not pass the gate receive a
+**relay message** to forward to an authorised member instead of a
+self-service allocation recipe.
+
+| Value | Description | When to use |
+|---|---|---|
+| `pmc-member` | ASF PMC membership, verified via ASF OAuth into Vulnogram. 
The CVE tool's allocation button is disabled for non-PMC users; the relay 
message targets currently-authorised PMC members listed at 
`governance.roster_url`. | ASF TLP default. Any project whose CNA program 
restricts allocation to a governance committee. |
+| `security-team-member` | Any member of the security team, as declared in 
`roster.source`. Broader than `pmc-member` — suitable when the full triage team 
holds allocation rights. The relay message targets the security team on 
`<security-list>`. | Non-ASF adopters whose CNA does not restrict allocation to 
a formal governance committee. Common for projects where the security team and 
the governance body largely overlap, or where the CNA simply requires "an 
authorised team member". |
+| `maintainer` | Any project committer (anyone with write access to 
`<upstream>`). No formal authority gate — the skill issues a self-service 
recipe to any operator with tracker access. The relay path is not used. | Small 
projects where the distinction between security-team member and committer is 
not maintained, or projects whose CNA programme has no allocation gate at all. |
+| `none` | No gate. The skill does not check authority and produces a 
self-service recipe for every operator. | Projects using `cve_authority.tool: 
ghsa` (GitHub handles authority natively) or `tool: none` (no CNA submission). 
Inappropriate for any project that actually submits to a CNA. |
+
+### `cve_authority.reviewer_channel`
+
+Where the draft CVE record — after allocation but before publication — is
+reviewed by the security team. This is the "human-review gate" before
+the CNA publishes the record publicly.
+
+| Value | Description | When to use |
+|---|---|---|
+| `mailing-list` | Review discussion happens on 
`governance.private_governance_list` (for ASF: `private@<project>.apache.org`). 
The skill drafts an email to that list containing the CVE JSON link and the 
record's current state. | ASF TLP default. Any project with a private mailing 
list for governance discussions. Preserves a thread-based audit trail. |
+| `github-pr` | Review happens as a draft PR on the tracker repo. The skill 
opens or updates a PR with the CVE JSON diff for team members to approve. | 
Adopters who prefer PR-based review workflows (approvals, inline comments) over 
mailing-list threads. Requires the tracker repo to be readable by all 
reviewers. |
+| `none` | No formal review gate between allocation and publication. The skill 
proceeds directly to the "push record to CNA tool" step. | Projects using 
`cve_authority.tool: ghsa` (GitHub's advisory review is the gate) or `tool: 
none`. Also appropriate for `cve-org-direct` adopters whose CNA programme 
permits immediate publication without a separate review window. |
+
+## Configuring the flags
+
+The flag values live in `<project-config>/project.md`. To adopt:
+
+1. Copy `projects/_template/project.md` → `<project-config>/project.md`
+   if you have not already done so.
+2. In the `### CVE authority` YAML block, set `cve_authority.tool` to
+   the value matching your CNA programme.
+3. In the `### Governance` YAML block, set `governance.cve_allocation_gate`
+   to the value matching your authority model.
+4. In the `### CVE authority` YAML block, set
+   `cve_authority.reviewer_channel` to the value matching your review
+   workflow.
+5. Update the remaining `cve_authority.*` URL fields
+   (`allocate_url`, `record_url_template`, `source_tab_url_template`,
+   `email_preview_url_template`) to point at your CNA tool's endpoints, or
+   leave them blank / `null` if the chosen `tool` value does not use those
+   fields (e.g. `ghsa` and `none` need no URL config).
+
+ASF default (no changes needed for a fresh ASF TLP adopter):
+
+```yaml
+cve_authority:
+  tool: vulnogram
+  reviewer_channel: mailing-list
+  # ... URL fields already filled in with ASF Vulnogram endpoints
+
+governance:
+  cve_allocation_gate: pmc-member
+```
+
+Non-ASF example (GHSA-only, no formal gate):
+
+```yaml
+cve_authority:
+  tool: ghsa
+  reviewer_channel: none
+  allocate_url: null
+  record_url_template: 
https://github.com/<upstream>/security/advisories/<GHSA-ID>
+  source_tab_url_template: null
+  email_preview_url_template: null
+
+governance:
+  cve_allocation_gate: maintainer
+```
+
+Non-ASF example (own CNA, CVE.org direct API, PR-based review):
+
+```yaml
+cve_authority:
+  tool: cve-org-direct
+  reviewer_channel: github-pr
+  allocate_url: https://cveawg.mitre.org/api/cve-id
+  record_url_template: https://cveawg.mitre.org/api/cve/<CVE-ID>
+  source_tab_url_template: null
+  email_preview_url_template: null
+
+governance:
+  cve_allocation_gate: security-team-member
+```
+
+## Non-ASF adopter quick-start
+
+Pick the row matching your situation:
+
+| Situation | `cve_authority.tool` | `governance.cve_allocation_gate` | 
`cve_authority.reviewer_channel` |
+|---|---|---|---|
+| ASF TLP | `vulnogram` | `pmc-member` | `mailing-list` |
+| ASF podling (pre-graduation) | `none` or `ghsa` | `maintainer` | `none` |
+| Non-ASF, own CNA (Vulnogram tenant) | `vulnogram` (override URLs) | 
`security-team-member` | `mailing-list` |
+| Non-ASF, own CNA (CVE.org API) | `cve-org-direct` | `security-team-member` | 
`github-pr` or `mailing-list` |
+| Non-ASF, MITRE sub-CNA (no tool) | `mitre-form` | `security-team-member` | 
`mailing-list` |
+| Non-ASF, GHSA only | `ghsa` | `maintainer` | `none` |
+| No formal CVE programme | `none` | `none` | `none` |
+
+## Cross-references
+
+- [`project.md`](project.md) — the `cve_authority:` and `governance:`
+  YAML blocks where the flag values are declared and stored.
+- [`security-model.md`](security-model.md) — project security policy URL
+  and the disclosure timeline the CVE workflow enforces.
+- `tools/cve-tool-vulnogram/` — ASF default CNA tool adapter (Vulnogram).
+- `tools/cve-org/` — CVE.org / CVE Services API helpers (for
+  `cve-org-direct`).
+- `security-cve-allocate` skill — the skill that reads and branches on
+  these flags at run time.
+- [`release-management-config.md`](release-management-config.md) — the
+  parallel backend-flag vocabulary for the release-management family,
+  which established the pattern this file follows.

Reply via email to