Table of Contents generated with DocToc

tools/cve-tool-vulnogram/

Capability: contract:cve-authority

Kind: implementation

Vendor: Vulnogram

Organization: ASF

ASF Vulnogram CVE-allocation client. OAuth-authenticated API that allocates a CVE ID through the ASF’s Vulnogram instance and publishes the CVE record. Consumed by security-cve-allocate. See allocation.md, record.md, and bot-credits-policy.md for the protocol.

Prerequisites

  • Runtime: Python 3.11+ run via uv (the generate-cve-json and oauth-api helpers are stdlib-only — no system install needed).
  • CLIs: gh (authenticated) — generate-cve-json shells out to it for tracker/GitHub access.
  • Credentials / auth: gh auth status must pass; the Vulnogram API helpers read a session token at ~/.config/apache-magpie/vulnogram-session.json (mode 0600, created by vulnogram-api-setup).
  • Network: cveprocess.apache.org (Vulnogram session API) and api.github.com (via gh).

Operations

This adapter implements the tools/cve-tool/ CVE-authority contract for ASF Vulnogram. The operation details live in allocation.md for CVE ID allocation, record.md for record state changes, and tool.md for the shared protocol.

Configuration

Adopters select this backend with <project-config>/project.mdcve_authority.tool: vulnogram. The same block supplies the tenant URLs, state names, reviewer channel, and publication signal fields documented in projects/_template/cve-allocation-config.md and projects/_template/security-intake-config.md.

Suggest a change