Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .claude/skills/allocate-cve/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ description: |
Walk a security team member through allocating a CVE for an
<tracker> tracking issue. Prints the ASF Vulnogram
allocation URL and a CVE-ready title (the issue title stripped of
redundant `Apache Airflow:`, `[ Security Report ]`, trailing
redundant `<vendor>: <product>:` (e.g. `Apache Airflow:`), `[ Security Report ]`, trailing
version parens and similar noise), waits for the allocated CVE ID
(allocation is PMC-gated — non-PMC triagers relay to a PMC
member), and then updates the tracker in place: fills in the
Expand Down
2 changes: 1 addition & 1 deletion .claude/skills/import-security-issue-from-pr/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -277,7 +277,7 @@ Start from `pr.title`. Strip:
- `[skip ci]`, `[ci-skip]`, `[skip-ci]` markers.
- Trailing `(#NNNN)` and `[#NNNN]`.

Do **not** add `Apache Airflow:` prefix — that lives in the CVE
Do **not** add `<vendor>: <product>:` (e.g. `Apache Airflow:`) prefix — that lives in the CVE
title, not the tracker title (the
[`allocate-cve`](../allocate-cve/SKILL.md) skill normalises for
the CVE record). Tracker titles in `<tracker>` are
Expand Down
4 changes: 2 additions & 2 deletions .claude/skills/import-security-issue/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -191,7 +191,7 @@ report:
Use the canonical candidate-listing query template from
[`tools/gmail/search-queries.md`](../../../tools/gmail/search-queries.md#import-security-issue--candidate-listing-query);
substitute the adopting project's `<security-list-domain>` (Airflow:
`security.airflow.apache.org`) and the project's GitHub-notification
`<security-list-domain>`) and the project's GitHub-notification
exclusions — both declared in
[`<project-config>/project.md`](../../../<project-config>/project.md#gmail-and-ponymail).

Expand Down Expand Up @@ -427,7 +427,7 @@ fuzzy-match search against existing issues on three orthogonal keys:
some other tracker already discusses the same code surface — often
a partial overlap, possibly a duplicate.
3. **Subject root-cause keywords**: strip `[SECURITY]`, `[Security
Report]`, `Re:`, `Fwd:`, `FW:`, `Airflow:` / `Apache Airflow:`
Report]`, `Re:`, `Fwd:`, `FW:`, `Airflow:` / `<vendor>: <product>:` (e.g. `Apache Airflow:`)
prefixes from the root message's subject, then take the remaining
3–5 noun-phrase tokens (for example
`"RCE BaseSerialization.deserialize next_kwargs"`) and search:
Expand Down
2 changes: 1 addition & 1 deletion .claude/skills/invalidate-security-issue/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ Scan `tracker.comments[]` for posts that argue **why** the report
is not a security issue. Strong signals:

- Citations of the
[Apache Airflow Security Model](https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html)
[Apache Airflow Security Model](<security-model-url>)
(full URL, anchor links, paraphrases).
- Phrases like *"this is by design"*, *"out of scope"*,
*"documented behavior"*, *"requires X privileges already"*,
Expand Down
8 changes: 4 additions & 4 deletions .claude/skills/sync-security-issue/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -701,7 +701,7 @@ before the archive indexes it.
**Search recipe.** Use the CVE-review-comment query templates in
[`tools/gmail/search-queries.md`](../../../tools/gmail/search-queries.md#sync-security-issue--cve-review-comment-search);
substitute the adopting project's `<security-list-domain>` (Airflow:
`security.airflow.apache.org`, declared in
`<security-list-domain>`, declared in
[`<project-config>/project.md`](../../../<project-config>/project.md#gmail-and-ponymail))
and run via `search_threads` per
[`tools/gmail/operations.md`](../../../tools/gmail/operations.md#search-threads).
Expand Down Expand Up @@ -1480,7 +1480,7 @@ the actual person, in this order:
```
mcp__ponymail__search_list(
list: "dev",
domain: "airflow.apache.org",
domain: "<project-domain>",
subject: "[RESULT][VOTE]",
query: "<version-or-wave-token>",
timespan: "lte=14d"
Expand Down Expand Up @@ -1517,7 +1517,7 @@ line so the handoff is unambiguous:
> Allocate a CVE via the [`allocate-cve`](../allocate-cve/SKILL.md)
> skill. It opens the ASF Vulnogram form at
> <https://cveprocess.apache.org/allocatecve>, pre-computes a CVE-ready
> title (stripped of `Apache Airflow:` / `[ Security Report ]` / version
> title (stripped of `<vendor>: <product>:` (e.g. `Apache Airflow:`) / `[ Security Report ]` / version
> noise), and — once you paste back the allocated `CVE-YYYY-NNNNN` ID —
> wires it into the tracker (body field, label, status comment, CVE
> JSON embed).
Expand Down Expand Up @@ -1849,7 +1849,7 @@ finalising the recap.
[`AGENTS.md`](../../../AGENTS.md) for the full rationale.
- **Never paraphrase the Security Model** in the draft email. Link to the
relevant chapter on
`https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html`
`<security-model-url>`
instead, following the editorial guidance in [`AGENTS.md`](../../../AGENTS.md).
- **Never name or describe other ASF projects' vulnerabilities** in any
tracker-destined surface — rollup entry bodies, status comments, issue
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -1067,7 +1067,7 @@ for the `<PROJECT>` placeholder used throughout the framework (see

| Project | Directory | Index | Manifest |
|---|---|---|---|
| [Apache Airflow](https://airflow.apache.org/) | [`projects/airflow/`](projects/airflow/) | [`<project-config>/README.md`](<project-config>/README.md) | [`<project-config>/project.md`](<project-config>/project.md) |
| [Apache Airflow](<project-website>/) | [`projects/airflow/`](projects/airflow/) | [`<project-config>/README.md`](<project-config>/README.md) | [`<project-config>/project.md`](<project-config>/project.md) |

Add a new project by copying
[`projects/_template/`](projects/_template/) into
Expand Down
2 changes: 1 addition & 1 deletion tools/gmail/operations.md
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ mcp__claude_ai_Gmail__search_threads(
Substitute the `<security-list-domain>` with the domain suffix of the
project manifest's `security_list` (for
`<security-list>`, the value is
`security.airflow.apache.org`).
`<security-list-domain>`).

A non-empty result means Gmail is connected and indexed; an empty
result means either the account does not subscribe, or the MCP is
Expand Down
4 changes: 2 additions & 2 deletions tools/gmail/ponymail-archive.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ Placeholder convention:
*Mailing lists* section).
- `<list-domain>` — the list's domain component (for
`<security-list>`, the value is
`security.airflow.apache.org`); used inside the URL's query
`<security-list-domain>`); used inside the URL's query
string.

## URL shapes
Expand Down Expand Up @@ -75,7 +75,7 @@ https://lists.apache.org/api/thread.lua?list=<list-local>&domain=<list-domain>&q
```

Where `<list-local>` is the portion before the `@` (e.g. `users`)
and `<list-domain>` is the portion after (e.g. `airflow.apache.org`).
and `<list-domain>` is the portion after (e.g. `<project-domain>`).

Request via `gh api <url>` (authenticates as the user — helpful for
private lists if they ever open up) or plain `curl -s <url>` for
Expand Down
4 changes: 2 additions & 2 deletions tools/gmail/search-queries.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ Placeholder convention:
[`../../<project-config>/project.md`](../../<project-config>/project.md#mailing-lists)).
- `<security-list-domain>` — the domain suffix of that list (for
`<security-list>`, the value is
`security.airflow.apache.org`). Gmail's `list:` operator uses the
`<security-list-domain>`). Gmail's `list:` operator uses the
domain form, not the plain address.
- `<dev-list>` — the project's public release-vote list (for Airflow,
`<dev-list>`).
Expand All @@ -41,7 +41,7 @@ Placeholder convention:

| Operator | Purpose |
|---|---|
| `list:<domain>` | Match messages sent to a mailing list. Domain form — `list:security.airflow.apache.org`, not `list:<security-list>`. |
| `list:<domain>` | Match messages sent to a mailing list. Domain form — `list:<security-list-domain>`, not `list:<security-list>`. |
| `from:<addr>` / `-from:<addr>` | Match (or exclude) a sender. |
| `to:<addr>` / `cc:<addr>` | Match a recipient / copy-recipient. |
| `subject:"<substring>"` | Match a substring in the subject line (quoted for multi-word). |
Expand Down
12 changes: 6 additions & 6 deletions tools/ponymail/operations.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,12 +39,12 @@ Placeholder convention used below:

- `<list>` — list prefix without the `@` (e.g. `security`, `dev`,
`users`, `announce`, `private`).
- `<domain>` — list domain (e.g. `airflow.apache.org`,
`security.airflow.apache.org`). The PonyMail API treats
- `<domain>` — list domain (e.g. `<project-domain>`,
`<security-list-domain>`). The PonyMail API treats
`<security-list>` as `list: "security"` + `domain:
"airflow.apache.org"`; a few private lists use a dedicated
subdomain (`security.airflow.apache.org`), in which case `list:
"security"` + `domain: "security.airflow.apache.org"` is the
"<project-domain>"`; a few private lists use a dedicated
subdomain (`<security-list-domain>`), in which case `list:
"security"` + `domain: "<security-list-domain>"` is the
right split.
- `<tid>` — opaque PonyMail thread identifier, returned by
`search_list` and `get_email`.
Expand Down Expand Up @@ -121,7 +121,7 @@ Returns the full `{ domain → { list → message_count } }` map the
MCP can see with the current session. Use cases:

- **Sanity-check** that the session sees the private lists the
project relies on (e.g. `security.airflow.apache.org` →
project relies on (e.g. `<security-list-domain>` →
`security`). If an expected list is missing, the session's LDAP
groups do not include membership for that list and downstream
queries will return empty.
Expand Down
2 changes: 1 addition & 1 deletion tools/ponymail/tool.md
Original file line number Diff line number Diff line change
Expand Up @@ -183,7 +183,7 @@ mcp__ponymail__list_lists()

The result is a `{ domain → { list → message_count } }` map. For an
Airflow security-team triager, you should see
`security.airflow.apache.org` → `{ security: <count> }` — proof that
`<security-list-domain>` → `{ security: <count> }` — proof that
the session has PMC-level LDAP access. If you only see public lists
(`dev`, `users`, `announce`), the LDAP group membership is not being
recognised; contact ASF Infra.
Expand Down
2 changes: 1 addition & 1 deletion tools/vulnogram/allocation.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ source is the ASF project page,

| Vulnogram form field | Source in the tracker |
|---|---|
| **Title** | Tracker title, passed through the project's title-normalisation cascade (for Airflow, `<project-config>/title-normalization.md`). The CNA container already scopes the title to the product, so any project prefix (`Apache Airflow:` etc.) must be stripped before pasting. |
| **Title** | Tracker title, passed through the project's title-normalisation cascade (for Airflow, `<project-config>/title-normalization.md`). The CNA container already scopes the title to the product, so any project prefix (`<vendor>: <product>:` (e.g. `Apache Airflow:`) etc.) must be stripped before pasting. |
| **Product** | Derived from the tracker's scope label via the per-project scope → product mapping (for Airflow, `<project-config>/scope-labels.md`). |
| **CWE** | Tracker body's *cwe* field (role-name — `<project-config>/project.md` declares the concrete GitHub heading for this project). `_No response_` → the allocator fills it at form time. |
| **Affected versions** | Tracker body's *affected-versions* field. |
Expand Down
2 changes: 1 addition & 1 deletion tools/vulnogram/generate-cve-json/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ diff the two to see what the tool has added / what you changed by hand.
`CVE tool link` field has not yet been filled in, or retarget the
JSON to a different CVE ID.
- `--title "Apache Airflow: …"` — override the CVE title. Default is
the GitHub issue title with an `Apache Airflow: ` prefix when it
the GitHub issue title with an `<vendor>: <product>:` (e.g. `Apache Airflow:`) prefix when it
does not already start with that phrase.
- `--version-start X.Y.Z` — override the start of the affected version
range (the `affected[].versions[].version` field). Default is the
Expand Down