diff --git a/.claude/skills/allocate-cve/SKILL.md b/.claude/skills/allocate-cve/SKILL.md index b6c6c6db..402188a3 100644 --- a/.claude/skills/allocate-cve/SKILL.md +++ b/.claude/skills/allocate-cve/SKILL.md @@ -369,7 +369,7 @@ user to confirm. Numbered items: 4. **Regenerate the CVE JSON attachment** in the tracker body by running ```bash - uv run --project tools/vulnogram/generate-cve-json generate-cve-json --attach + uv run --project /tools/vulnogram/generate-cve-json generate-cve-json --attach ``` This is how the CVE record first gets seeded with the allocated ID. The remediation-developer credit (if any) comes from the @@ -440,7 +440,7 @@ spaces inside the block, one blank line after Allocated via the ASF Vulnogram form at ; the CVE ID is now the canonical reference in every downstream artifact (CVE JSON, advisory email, credit lines, cross-links). Scope `` → product `` → `packageName` ``. -Vulnogram paste-ready JSON was regenerated from the current body state (CWE ``, severity ``, affected ``, `` credits, `` references) and embedded in the issue body. Re-run `uv run --project tools/vulnogram/generate-cve-json generate-cve-json --attach` after any body change to keep the JSON in sync. +Vulnogram paste-ready JSON was regenerated from the current body state (CWE ``, severity ``, affected ``, `` credits, `` references) and embedded in the issue body. Re-run `uv run --project /tools/vulnogram/generate-cve-json generate-cve-json --attach` after any body change to keep the JSON in sync. ``` 
@@ -488,7 +488,7 @@ partial failures stay legible: repos//issues/comments/ --input …`), or create the rollup (`gh issue comment --repo --body-file `) if none exists yet. -4. `uv run --project tools/vulnogram/generate-cve-json generate-cve-json --attach` +4. `uv run --project /tools/vulnogram/generate-cve-json generate-cve-json --attach` — embeds the CVE JSON in the body. 5. Create draft on the original thread (reporter notification, if applicable) via the project's configured drafting backend — see diff --git a/.claude/skills/deduplicate-security-issue/SKILL.md b/.claude/skills/deduplicate-security-issue/SKILL.md index bce58ecd..8fea8865 100644 --- a/.claude/skills/deduplicate-security-issue/SKILL.md +++ b/.claude/skills/deduplicate-security-issue/SKILL.md @@ -396,7 +396,7 @@ After confirmation, apply **sequentially** (never in parallel): (GitHub's `duplicate` close-reason is not exposed by `gh` on all versions; `not planned` combined with the `duplicate` label carries the same signal) -6. `uv run --project tools/vulnogram/generate-cve-json generate-cve-json --attach` +6. `uv run --project /tools/vulnogram/generate-cve-json generate-cve-json --attach` — the *Remediation developer* body field is the source of truth for remediation-developer credits (populated by the `sync-security-issue` skill from the linked PR's author); no CLI diff --git a/.claude/skills/sync-security-issue/SKILL.md b/.claude/skills/sync-security-issue/SKILL.md index b2e1cfb5..3c3b9d0e 100644 --- a/.claude/skills/sync-security-issue/SKILL.md +++ b/.claude/skills/sync-security-issue/SKILL.md @@ -1709,7 +1709,7 @@ In every other case — including already-published CVEs — regenerate. The minimum command, from the `` clone root: ```bash -uv run --project tools/vulnogram/generate-cve-json generate-cve-json --attach +uv run --project /tools/vulnogram/generate-cve-json generate-cve-json --attach ``` That alone is enough. The script reads every template field from the 
@@ -1757,7 +1757,7 @@ reason; the same scoping rule applies if you ever need to resolve the author by hand. ```bash -uv run --project tools/vulnogram/generate-cve-json generate-cve-json --attach +uv run --project /tools/vulnogram/generate-cve-json generate-cve-json --attach ``` If the *"Remediation developer"* field is empty at regeneration time diff --git a/AGENTS.md b/AGENTS.md index d4d92597..22c9b1c4 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -286,6 +286,7 @@ the active configuration before executing any command: | Placeholder | Resolves to | Source | |---|---|---| | `` | The adopting project's `.apache-steward/` directory in its tracker repo. | Filesystem convention. | +| `` | The framework's root — i.e. this repository. In adopting projects, `/apache-steward/` (the submodule path); in framework standalone, `.` (the repository root). Used in `uv run` and other invocations that need to address the framework's `tools//` subtrees from a path the agent can resolve at the agent's current `cwd`. | Filesystem convention. | | `` | The GitHub slug of the tracker repo (example: `airflow-s/airflow-s` for the Apache Airflow security team). | `/project.md` → `tracker_repo` | | `` | The GitHub slug of the upstream codebase the fixes land in (example: `apache/airflow`). | `/project.md` → `upstream_repo` | | `` | The project's security mailing list (example: `security@airflow.apache.org`). | `/project.md` → `mailing_lists.security` | diff --git a/tools/vulnogram/generate-cve-json/README.md b/tools/vulnogram/generate-cve-json/README.md index 7376d666..cd030d02 100644 --- a/tools/vulnogram/generate-cve-json/README.md +++ b/tools/vulnogram/generate-cve-json/README.md 
@@ -38,20 +38,34 @@ workflow for the project itself. ## Run -From the repository root: +From the framework's root (this repository when running standalone; +the `.apache-steward/apache-steward/` submodule path inside an +adopting tracker repo): ```bash uv run --project tools/vulnogram/generate-cve-json generate-cve-json [options] ``` +Skill files reference the same invocation via the `` +placeholder so the path resolves in either context: + +```bash +uv run --project /tools/vulnogram/generate-cve-json generate-cve-json +``` + +`` substitutes to `.apache-steward/apache-steward` in +adopting projects and to `.` (the repository root) in framework +standalone — see the placeholder convention in +[`AGENTS.md`](../../../AGENTS.md#placeholder-convention-used-in-skill-files). + Equivalent forms: ```bash # as a module -uv run --project tools/vulnogram/generate-cve-json python -m generate_cve_json +uv run --project /tools/vulnogram/generate-cve-json python -m generate_cve_json # from inside the project dir -cd tools/vulnogram/generate-cve-json +cd /tools/vulnogram/generate-cve-json uv run generate-cve-json ``` diff --git a/tools/vulnogram/generate-cve-json/SKILL.md b/tools/vulnogram/generate-cve-json/SKILL.md index c2765dde..cbc8275b 100644 --- a/tools/vulnogram/generate-cve-json/SKILL.md +++ b/tools/vulnogram/generate-cve-json/SKILL.md @@ -259,7 +259,7 @@ prepares the (cached) virtualenv on first use and reuses it on later runs: ```bash -uv run --project tools/vulnogram/generate-cve-json generate-cve-json \ +uv run --project /tools/vulnogram/generate-cve-json generate-cve-json \ --output /tmp/.json \ --version-start ``` @@ -273,7 +273,7 @@ needed in the normal flow. For a fix that landed in `3.2.2` and was first introduced in `3.0.0`, for example: ```bash -uv run --project tools/vulnogram/generate-cve-json generate-cve-json 232 \ +uv run --project /tools/vulnogram/generate-cve-json generate-cve-json 232 \ --output /tmp/CVE-2026-40913.json \ --version-start 3.0.0 ``` 
@@ -375,7 +375,7 @@ If the user also wants the JSON *attached* to the tracking issue itself add `--attach` to the invocation: ```bash -uv run --project tools/vulnogram/generate-cve-json generate-cve-json 232 \ +uv run --project /tools/vulnogram/generate-cve-json generate-cve-json 232 \ --output /tmp/CVE-2026-40913.json \ --version-start 3.0.0 \ --attach
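Review bot: the AGENTS.md placeholder row writes the adopting-project value with a trailing slash (`/apache-steward/`), while every call site appends `/tools/vulnogram/generate-cve-json` to the placeholder, which yields a double slash after substitution; the standalone value `.` and the README's `.apache-steward/apache-steward` both omit it. Define the value without the trailing slash. The same row should also say which working directory the value is relative to: `.` is the repository root only when the agent's cwd is already that root, and the submodule path only resolves from the tracker repo root, so "a path the agent can resolve at the agent's current `cwd`" leaves the assumed cwd unstated.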
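Review bot: the README "Run" section now mixes conventions inside one hunk: the primary command keeps the bare `tools/vulnogram/generate-cve-json` path, but the "Equivalent forms" block under it was rewritten to the placeholder form, so the two are no longer literally equivalent. Either leave the equivalent forms in bare-path form (the section is documented as run from the framework root) or switch the primary command as well. The intro paragraph also spells the submodule path `.apache-steward/apache-steward/` while the later paragraph has `.apache-steward/apache-steward`; pick one spelling.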
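Review bot: in the allocate-cve rollup template (the "Allocated via the ASF Vulnogram form" block that is embedded in the issue body), the "Re-run `uv run --project /tools/vulnogram/generate-cve-json generate-cve-json --attach`" sentence now carries the placeholder inside text that is posted verbatim to the tracker. Unless the skill substitutes it before posting, the comment will show the unresolved placeholder; either add an explicit substitution step or keep the human-readable bare path in posted text, since that sentence is read by maintainers rather than executed by the agent.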
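Review bot: in the sync-security-issue hunk, the sentence "The minimum command, from the `` clone root:" still pins the invocation to a specific clone root, but the command below it now depends on what the placeholder resolves to from the agent's cwd. Update the sentence so the stated working directory matches the placeholder's resolution rule (framework root when standalone, tracker repo root in adopting projects) rather than contradicting it.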