Merged
6 changes: 3 additions & 3 deletions .claude/skills/allocate-cve/SKILL.md
Expand Up @@ -369,7 +369,7 @@ user to confirm. Numbered items:
4. **Regenerate the CVE JSON attachment** in the tracker body by
running
```bash
uv run --project tools/vulnogram/generate-cve-json generate-cve-json <N> --attach
uv run --project <framework>/tools/vulnogram/generate-cve-json generate-cve-json <N> --attach
```
This is how the CVE record first gets seeded with the allocated
ID. The remediation-developer credit (if any) comes from the
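Review bot: the `<framework>` placeholder, as the new AGENTS.md row in this PR defines it, resolves to a path that is relative to the tracker repo root (`<project-config>/apache-steward/` or `.`), so the `uv run` command in step 4 is only valid when the agent's cwd is the `<tracker>` clone root, and the step does not say so. Suggest stating the working directory here, as the sync-security-issue skill does with "from the `<tracker>` clone root".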
Expand Down Expand Up @@ -440,7 +440,7 @@ spaces inside the block, one blank line after

Allocated via the ASF Vulnogram form at <https://cveprocess.apache.org/allocatecve>; the CVE ID is now the canonical reference in every downstream artifact (CVE JSON, advisory email, credit lines, cross-links). Scope `<scope label>` → product `<product>` → `packageName` `<packageName>`.

Vulnogram paste-ready JSON was regenerated from the current body state (CWE `<CWE>`, severity `<severity>`, affected `<affected versions>`, `<N>` credits, `<N>` references) and embedded in the issue body. Re-run `uv run --project tools/vulnogram/generate-cve-json generate-cve-json <N> --attach` after any body change to keep the JSON in sync.
Vulnogram paste-ready JSON was regenerated from the current body state (CWE `<CWE>`, severity `<severity>`, affected `<affected versions>`, `<N>` credits, `<N>` references) and embedded in the issue body. Re-run `uv run --project <framework>/tools/vulnogram/generate-cve-json generate-cve-json <N> --attach` after any body change to keep the JSON in sync.

</details>
```
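Review bot: the re-run hint in this rollup template ends up in a comment posted to the tracking issue, where `<framework>` means nothing to a human reading the issue later. Either state that the placeholder is substituted before posting (like `<CWE>`, `<severity>` and `<N>` in the same template) or keep the posted command generic and say it is run from the framework root.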
Expand Down Expand Up @@ -488,7 +488,7 @@ partial failures stay legible:
repos/<tracker>/issues/comments/<id> --input …`), or create
the rollup (`gh issue comment <N> --repo <tracker>
--body-file <tmp>`) if none exists yet.
4. `uv run --project tools/vulnogram/generate-cve-json generate-cve-json <N> --attach`
4. `uv run --project <framework>/tools/vulnogram/generate-cve-json generate-cve-json <N> --attach`
— embeds the CVE JSON in the body.
5. Create draft on the original thread (reporter notification, if
applicable) via the project's configured drafting backend — see
2 changes: 1 addition & 1 deletion .claude/skills/deduplicate-security-issue/SKILL.md
Expand Up @@ -396,7 +396,7 @@ After confirmation, apply **sequentially** (never in parallel):
(GitHub's `duplicate` close-reason is not exposed by `gh` on
all versions; `not planned` combined with the `duplicate` label
carries the same signal)
6. `uv run --project tools/vulnogram/generate-cve-json generate-cve-json <keep> --attach`
6. `uv run --project <framework>/tools/vulnogram/generate-cve-json generate-cve-json <keep> --attach`
— the *Remediation developer* body field is the source of truth
for remediation-developer credits (populated by the
`sync-security-issue` skill from the linked PR's author); no CLI
4 changes: 2 additions & 2 deletions .claude/skills/sync-security-issue/SKILL.md
Expand Up @@ -1709,7 +1709,7 @@ In every other case — including already-published CVEs — regenerate.
The minimum command, from the `<tracker>` clone root:

```bash
uv run --project tools/vulnogram/generate-cve-json generate-cve-json <N> --attach
uv run --project <framework>/tools/vulnogram/generate-cve-json generate-cve-json <N> --attach
```

That alone is enough. The script reads every template field from the
Expand Down Expand Up @@ -1757,7 +1757,7 @@ reason; the same scoping rule applies if you ever need to resolve
the author by hand.

```bash
uv run --project tools/vulnogram/generate-cve-json generate-cve-json <N> --attach
uv run --project <framework>/tools/vulnogram/generate-cve-json generate-cve-json <N> --attach
```

If the *"Remediation developer"* field is empty at regeneration time
1 change: 1 addition & 0 deletions AGENTS.md
Expand Up @@ -286,6 +286,7 @@ the active configuration before executing any command:
| Placeholder | Resolves to | Source |
|---|---|---|
| `<project-config>` | The adopting project's `.apache-steward/` directory in its tracker repo. | Filesystem convention. |
| `<framework>` | The framework's root — i.e. this repository. In adopting projects, `<project-config>/apache-steward/` (the submodule path); in framework standalone, `.` (the repository root). Used in `uv run` and other invocations that need to address the framework's `tools/<name>/` subtrees from a path the agent can resolve at the agent's current `cwd`. | Filesystem convention. |
| `<tracker>` | The GitHub slug of the tracker repo (example: `airflow-s/airflow-s` for the Apache Airflow security team). | `<project-config>/project.md` → `tracker_repo` |
| `<upstream>` | The GitHub slug of the upstream codebase the fixes land in (example: `apache/airflow`). | `<project-config>/project.md` → `upstream_repo` |
| `<security-list>` | The project's security mailing list (example: `security@airflow.apache.org`). | `<project-config>/project.md` → `mailing_lists.security` |
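Review bot: the new `<framework>` row says the path is one "the agent can resolve at the agent's current `cwd`", but both resolutions it gives (`<project-config>/apache-steward/` and `.`) are relative paths that only resolve from the tracker repo root; once the agent has changed directory (the README's "from inside the project dir" form does exactly that with `cd <framework>/tools/vulnogram/generate-cve-json`), the same placeholder no longer resolves. Suggest pinning the definition to "relative to the `<tracker>` clone root" (or to an absolute path derived from `<project-config>`) rather than to the current `cwd`.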
20 changes: 17 additions & 3 deletions tools/vulnogram/generate-cve-json/README.md
Expand Up @@ -38,20 +38,34 @@ workflow for the project itself.

## Run

From the repository root:
From the framework's root (this repository when running standalone;
the `.apache-steward/apache-steward/` submodule path inside an
adopting tracker repo):

```bash
uv run --project tools/vulnogram/generate-cve-json generate-cve-json <ISSUE-NUMBER> [options]
```

Skill files reference the same invocation via the `<framework>`
placeholder so the path resolves in either context:

```bash
uv run --project <framework>/tools/vulnogram/generate-cve-json generate-cve-json <ISSUE-NUMBER>
```

`<framework>` substitutes to `.apache-steward/apache-steward` in
adopting projects and to `.` (the repository root) in framework
standalone — see the placeholder convention in
[`AGENTS.md`](../../../AGENTS.md#placeholder-convention-used-in-skill-files).

Equivalent forms:

```bash
# as a module
uv run --project tools/vulnogram/generate-cve-json python -m generate_cve_json <ISSUE-NUMBER>
uv run --project <framework>/tools/vulnogram/generate-cve-json python -m generate_cve_json <ISSUE-NUMBER>

# from inside the project dir
cd tools/vulnogram/generate-cve-json
cd <framework>/tools/vulnogram/generate-cve-json
uv run generate-cve-json <ISSUE-NUMBER>
```
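Review bot: the sentence "`<framework>` substitutes to `.apache-steward/apache-steward` in adopting projects" describes the same resolution as the AGENTS.md row added in this PR but in different words (`<project-config>/apache-steward/`); they agree only because `<project-config>` is `.apache-steward/`, so consider using the AGENTS.md wording, or pointing at `<project-config>`, to avoid the two drifting apart. Also verify that the fragment `#placeholder-convention-used-in-skill-files` matches the actual heading in `AGENTS.md`, since a wrong anchor fails silently; and since the first Run block keeps the bare `tools/...` form while the next uses `<framework>/tools/...`, say which one a reader is expected to copy.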

6 changes: 3 additions & 3 deletions tools/vulnogram/generate-cve-json/SKILL.md
Expand Up @@ -259,7 +259,7 @@ prepares the (cached) virtualenv on first use and reuses it on later
runs:

```bash
uv run --project tools/vulnogram/generate-cve-json generate-cve-json <N> \
uv run --project <framework>/tools/vulnogram/generate-cve-json generate-cve-json <N> \
--output /tmp/<CVE-ID>.json \
--version-start <earliest-affected-version>
```
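Review bot: `--output /tmp/<CVE-ID>.json` writes to a predictable filename in a shared temporary directory, which on multi-user hosts is the classic pre-created-file or symlink hazard and also silently clobbers the JSON from a previous run for the same CVE. Suggest the example create a private directory first (e.g. `out=$(mktemp -d)` followed by `--output "$out/<CVE-ID>.json"`) or write under the tracker clone instead of `/tmp`.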
Expand All @@ -273,7 +273,7 @@ needed in the normal flow. For a fix that landed in `3.2.2` and was
first introduced in `3.0.0`, for example:

```bash
uv run --project tools/vulnogram/generate-cve-json generate-cve-json 232 \
uv run --project <framework>/tools/vulnogram/generate-cve-json generate-cve-json 232 \
--output /tmp/CVE-2026-40913.json \
--version-start 3.0.0
```
Expand Down Expand Up @@ -375,7 +375,7 @@ If the user also wants the JSON *attached* to the tracking issue itself
add `--attach` to the invocation:

```bash
uv run --project tools/vulnogram/generate-cve-json generate-cve-json 232 \
uv run --project <framework>/tools/vulnogram/generate-cve-json generate-cve-json 232 \
--output /tmp/CVE-2026-40913.json \
--version-start 3.0.0 \
--attach