Table of Contents generated with DocToc
tools/cve-tool-vulnogram/
Capability: contract:cve-authority
Kind: implementation
Vendor: Vulnogram
Organization: ASF
ASF Vulnogram CVE-allocation client. OAuth-authenticated API that allocates a CVE ID through the ASF’s Vulnogram instance and publishes the CVE record. Consumed by security-cve-allocate. See allocation.md, record.md, and bot-credits-policy.md for the protocol.
Prerequisites
- Runtime: Python 3.11+ run via
uv(thegenerate-cve-jsonandoauth-apihelpers are stdlib-only — no system install needed). - CLIs:
gh(authenticated) —generate-cve-jsonshells out to it for tracker/GitHub access. - Credentials / auth:
gh auth statusmust pass; the Vulnogram API helpers read a session token at~/.config/apache-magpie/vulnogram-session.json(mode0600, created byvulnogram-api-setup). - Network:
cveprocess.apache.org(Vulnogram session API) andapi.github.com(viagh).
Operations
This adapter implements the tools/cve-tool/ CVE-authority contract for
ASF Vulnogram. The operation details live in allocation.md
for CVE ID allocation, record.md for record state changes,
and tool.md for the shared protocol.
Configuration
Adopters select this backend with <project-config>/project.md →
cve_authority.tool: vulnogram. The same block supplies the tenant URLs,
state names, reviewer channel, and publication signal fields documented in
projects/_template/cve-allocation-config.md and
projects/_template/security-intake-config.md.