Bot creating duplicated GitHub issues in keycloak-private when receiving e-mails from secalert

abstractj · abstractj · commit 78e1b90b3cb7 · 2026-04-24T17:57:14.000-03:00
Closes #69 Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>
diff --git a/src/main/java/org/keycloak/gh/bot/security/command/SecAlertCommand.java b/src/main/java/org/keycloak/gh/bot/security/command/SecAlertCommand.java
@@ -18,9 +18,10 @@
 import java.util.stream.Collectors;
 
 /**
- * Sends emails to SecAlert. Creates a new thread when no SecAlert-Thread-ID exists, otherwise replies on the existing thread.
+ * Sends emails to SecAlert. Targets secalert.email.to for the initial outreach and secalert.email.reply-to once a
+ * SecAlert-Thread-ID (captured from the reply address) is recorded on the issue.
  */
-@Command(name = "secalert", description = "Sends a new email or reply to SecAlert and tracks the thread ID")
+@Command(name = "secalert", description = "Sends a new email or reply to SecAlert and tracks the reply thread ID")
 public class SecAlertCommand extends CommandParser implements BotCommand {
 
     private static final Logger LOGGER = Logger.getLogger(SecAlertCommand.class);
@@ -30,8 +31,11 @@ public class SecAlertCommand extends CommandParser implements BotCommand {
     @Inject
     MailSender mailSender;
 
-    @ConfigProperty(name = "email.sender.secalert")
-    String secAlertEmail;
+    @ConfigProperty(name = "secalert.email.to")
+    String secAlertTo;
+
+    @ConfigProperty(name = "secalert.email.reply-to")
+    String secAlertReplyTo;
 
     @ConfigProperty(name = "google.group.target")
     String targetGroup;
@@ -59,26 +63,25 @@ private void createNewThread(GHEventPayload.IssueComment payload, String subject
             return;
         }
 
-        LOGGER.infof("Sending new SecAlert email for issue #%d, subject: %s", payload.getIssue().getNumber(), subject);
+        GHIssue issue = payload.getIssue();
+        String taggedSubject = subject + " - " + Constants.GHI_ISSUE_PREFIX + issue.getNumber();
+
+        LOGGER.infof("Sending new SecAlert email for issue #%d, subject: %s", issue.getNumber(), taggedSubject);
 
-        Optional<String> threadId = mailSender.sendNewEmail(secAlertEmail, targetGroup, subject, body);
+        Optional<String> threadId = mailSender.sendNewEmail(secAlertTo, targetGroup, taggedSubject, body);
         if (threadId.isEmpty()) {
             fail(payload, "Failed to send email to SecAlert via Gmail API.");
             return;
         }
 
-        String marker = Constants.SECALERT_THREAD_ID_PREFIX + " " + threadId.get();
-        GHIssue issue = payload.getIssue();
-        issue.comment("SecAlert email sent. " + marker);
-
         Set<String> currentLabels = issue.getLabels().stream().map(GHLabel::getName).collect(Collectors.toSet());
         if (currentLabels.contains(Status.TRIAGE.toLabel())) {
             issue.removeLabels(Status.TRIAGE.toLabel());
         }
         issue.addLabels(Status.CVE_REQUEST.toLabel());
 
         String title = issue.getTitle();
-        if (!title.startsWith(Constants.CVE_TBD_PREFIX)) {
+        if (title != null && !title.startsWith(Constants.CVE_TBD_PREFIX)) {
             issue.setTitle(Constants.CVE_TBD_PREFIX + " " + title);
         }
         success(payload);
@@ -87,7 +90,7 @@ private void createNewThread(GHEventPayload.IssueComment payload, String subject
     private void replyToExistingThread(GHEventPayload.IssueComment payload, String threadId, String body) throws IOException {
         LOGGER.infof("Replying to existing SecAlert thread %s for issue #%d", threadId, payload.getIssue().getNumber());
 
-        if (mailSender.sendThreadedEmail(threadId, secAlertEmail, targetGroup, body)) {
+        if (mailSender.sendThreadedEmail(threadId, secAlertReplyTo, targetGroup, body)) {
             success(payload);
         } else {
             fail(payload, "Failed to send reply to SecAlert thread " + threadId + ".");
diff --git a/src/main/java/org/keycloak/gh/bot/security/common/Constants.java b/src/main/java/org/keycloak/gh/bot/security/common/Constants.java
@@ -6,6 +6,9 @@ public final class Constants {
 
     public static final Pattern CVE_PATTERN = Pattern.compile("CVE-\\d{4}-\\d+");
 
+    public static final String GHI_ISSUE_PREFIX = "#GHI-";
+    public static final Pattern GHI_ISSUE_PATTERN = Pattern.compile("#GHI-(\\d{1,9})");
+
     public static final String GMAIL_THREAD_ID_PREFIX = "**Gmail-Thread-ID:**";
     public static final String SECALERT_THREAD_ID_PREFIX = "**SecAlert-Thread-ID:**";
     public static final String CVE_TBD_PREFIX = "[CVE-TBD]";
diff --git a/src/main/java/org/keycloak/gh/bot/security/email/MailProcessor.java b/src/main/java/org/keycloak/gh/bot/security/email/MailProcessor.java
@@ -14,6 +14,7 @@
 import org.keycloak.gh.bot.security.common.Constants;
 import org.keycloak.gh.bot.utils.Labels;
 import org.kohsuke.github.GHIssue;
+import org.kohsuke.github.GHIssueComment;
 import org.kohsuke.github.GHIssueState;
 import org.kohsuke.github.GHLabel;
 import org.kohsuke.github.GHRepository;
@@ -23,9 +24,11 @@
 import java.time.Duration;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Stream;
 
 @ApplicationScoped
 public class MailProcessor {
@@ -43,8 +46,8 @@ public class MailProcessor {
     @ConfigProperty(name = "repository.privateRepository")
     String repositoryName;
 
-    @ConfigProperty(name = "email.sender.secalert")
-    String secAlertEmail;
+    @ConfigProperty(name = "secalert.email.reply-to")
+    String secAlertReplyTo;
 
     @Inject
     GmailAdapter gmail;
@@ -62,6 +65,11 @@ public class MailProcessor {
             .expireAfterWrite(Duration.ofDays(7))
             .build();
 
+    private final Cache<Integer, Boolean> secAlertThreadIdCache = Caffeine.newBuilder()
+            .maximumSize(500)
+            .expireAfterWrite(Duration.ofDays(7))
+            .build();
+
     @PostConstruct
     void init() {
         this.targetGroup = TargetGroup.from(targetGroupEmail);
@@ -100,15 +108,19 @@ private void processSingleMessage(Message msgSummary, GitHub github, GHRepositor
             var msg = gmail.getMessage(msgSummary.getId());
             var headers = gmail.getHeadersMap(msg);
             var from = headers.getOrDefault("From", "");
+            var replyTo = headers.getOrDefault("Reply-To", "");
 
-            if (isFromBot(from) || !isValidGroupMessage(headers)) {
+            boolean fromSecAlert = isFromSecAlert(from, replyTo);
+
+            if (isFromBot(from) || (!fromSecAlert && !isValidGroupMessage(headers))) {
                 gmail.markAsRead(msgSummary.getId());
                 return;
             }
 
             var threadId = msg.getThreadId();
             var messageId = headers.getOrDefault("Message-ID", "").replaceAll("^<|>$", "");
-            var subject = normalizeSubject(headers.getOrDefault("Subject", "(No Subject)").trim());
+            var rawSubject = headers.getOrDefault("Subject", "(No Subject)").trim();
+            var subject = normalizeSubject(rawSubject);
 
             var body = bodySanitizer.sanitize(gmail.getBody(msg)).orElse("(No content)");
             var attachments = gmail.getAttachments(msg);
@@ -117,8 +129,10 @@ private void processSingleMessage(Message msgSummary, GitHub github, GHRepositor
 
             var issueOpt = resolveIssue(github, repository, threadId);
 
-            if (issueOpt.isEmpty() && isFromSecAlert(from)) {
-                issueOpt = resolveIssueBySecAlertThread(github, repository, threadId);
+            if (issueOpt.isEmpty() && fromSecAlert) {
+                issueOpt = resolveIssueByGhiTag(repository, rawSubject)
+                        .or(() -> resolveIssueBySecAlertThreadId(github, repository, threadId));
+                issueOpt.ifPresent(issue -> issueCache.put(threadId, issue.getNumber()));
             }
 
             if (issueOpt.isPresent()) {
@@ -129,8 +143,9 @@ private void processSingleMessage(Message msgSummary, GitHub github, GHRepositor
                 }
                 appendComment(issue, from, body, attachmentSection);
 
-                if (isFromSecAlert(from)) {
+                if (fromSecAlert) {
                     applyCveIdFromSecAlert(issue, subject, body);
+                    recordSecAlertThreadIdIfMissing(issue, threadId);
                 }
             } else {
                 var newIssue = createNewIssue(repository, threadId, subject, from, body, attachmentSection);
@@ -218,25 +233,76 @@ private boolean isFromBot(String from) {
         return from != null && from.toLowerCase().contains(botEmail.toLowerCase());
     }
 
-    private boolean isFromSecAlert(String from) {
-        return from != null && from.toLowerCase().contains(secAlertEmail.toLowerCase());
+    private boolean isFromSecAlert(String from, String replyTo) {
+        String needle = secAlertReplyTo.toLowerCase();
+        return Stream.of(from, replyTo)
+                .filter(Objects::nonNull)
+                .anyMatch(header -> header.toLowerCase().contains(needle));
     }
 
-    private Optional<GHIssue> resolveIssueBySecAlertThread(GitHub github, GHRepository repository, String threadId) {
+    private Optional<GHIssue> resolveIssueBySecAlertThreadId(GitHub github, GHRepository repository, String threadId) {
         try {
-            var query = "repo:%s \"%s %s\" is:issue in:comments".formatted(
-                    repositoryName, Constants.SECALERT_THREAD_ID_PREFIX, threadId);
+            var expectedMarker = Constants.SECALERT_THREAD_ID_PREFIX + " " + threadId;
+            var query = "repo:%s \"%s\" is:issue in:comments".formatted(repositoryName, expectedMarker);
             var iterator = github.searchIssues().q(query).list().iterator();
-            if (iterator.hasNext()) {
+            while (iterator.hasNext()) {
                 int issueNumber = iterator.next().getNumber();
-                return Optional.ofNullable(repository.getIssue(issueNumber));
+                var issue = repository.getIssue(issueNumber);
+                if (hasExactSecAlertThreadId(issue, expectedMarker)) {
+                    issueCache.put(threadId, issueNumber);
+                    return Optional.of(issue);
+                }
             }
         } catch (Exception e) {
-            LOGGER.warnf(e, "GitHub search failed for SecAlert thread %s", threadId);
+            LOGGER.warnf(e, "GitHub search by SecAlert-Thread-ID failed for thread %s", threadId);
         }
         return Optional.empty();
     }
 
+    private boolean hasExactSecAlertThreadId(GHIssue issue, String expectedMarker) throws IOException {
+        for (GHIssueComment c : issue.queryComments().list()) {
+            String body = c.getBody();
+            if (body != null && body.trim().equals(expectedMarker)) {
+                secAlertThreadIdCache.put(issue.getNumber(), Boolean.TRUE);
+                return true;
+            }
+        }
+        return false;
+    }
+
+    Optional<GHIssue> resolveIssueByGhiTag(GHRepository repository, String subject) {
+        if (subject == null) return Optional.empty();
+        Matcher matcher = Constants.GHI_ISSUE_PATTERN.matcher(subject);
+        if (!matcher.find()) {
+            return Optional.empty();
+        }
+        int issueNumber = Integer.parseInt(matcher.group(1));
+        try {
+            return Optional.ofNullable(repository.getIssue(issueNumber));
+        } catch (IOException e) {
+            LOGGER.warnf(e, "Failed to fetch issue #%d referenced by SecAlert subject tag", issueNumber);
+            return Optional.empty();
+        }
+    }
+
+    void recordSecAlertThreadIdIfMissing(GHIssue issue, String threadId) throws IOException {
+        if (threadId == null || threadId.isBlank()) return;
+        int issueNumber = issue.getNumber();
+        if (Boolean.TRUE.equals(secAlertThreadIdCache.getIfPresent(issueNumber))) {
+            return;
+        }
+        for (GHIssueComment c : issue.queryComments().list()) {
+            String body = c.getBody();
+            if (body != null && body.contains(Constants.SECALERT_THREAD_ID_PREFIX)) {
+                secAlertThreadIdCache.put(issueNumber, Boolean.TRUE);
+                return;
+            }
+        }
+        issue.comment(Constants.SECALERT_THREAD_ID_PREFIX + " " + threadId);
+        secAlertThreadIdCache.put(issueNumber, Boolean.TRUE);
+        LOGGER.infof("Recorded %s %s on issue #%d", Constants.SECALERT_THREAD_ID_PREFIX, threadId, issueNumber);
+    }
+
     void applyCveIdFromSecAlert(GHIssue issue, String subject, String body) throws IOException {
         String cveId = extractCveId(subject);
         if (cveId == null) {
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -46,7 +46,8 @@ google.group.target=keycloak-security@googlegroups.com
 # --- Google Group Target ---
 #Sync interval for checking e-mails
 bot.email.sync.interval=10m
-email.sender.secalert=secalert@redhat.com
+secalert.email.to=secalert@redhat.com
+secalert.email.reply-to=secalert@redhat.atlassian.net
 
 repository.mainRepository=keycloak/keycloak
 # For sensitive data the bot will only process emails and commands if installed on this repository
diff --git a/src/test/java/org/keycloak/gh/bot/security/command/SecAlertCommandTest.java b/src/test/java/org/keycloak/gh/bot/security/command/SecAlertCommandTest.java
@@ -23,6 +23,7 @@
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
 
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.mockito.ArgumentMatchers.*;
 import static org.mockito.Mockito.*;
 
@@ -40,7 +41,8 @@ void setUp() throws Exception {
         command = new SecAlertCommand();
 
         setField(command, "mailSender", mailSender);
-        setField(command, "secAlertEmail", "secalert@redhat.com");
+        setField(command, "secAlertTo", "secalert@redhat.com");
+        setField(command, "secAlertReplyTo", "secalert@redhat.atlassian.net");
         setField(command, "targetGroup", "keycloak-security@googlegroups.com");
 
         payload = mock(GHEventPayload.IssueComment.class);
@@ -59,21 +61,21 @@ void setUp() throws Exception {
     // --- New thread (no existing SecAlert-Thread-ID) ---
 
     @Test
-    void newThread_sendsEmailWithSubjectAndPostsThreadId() throws Exception {
+    void newThread_sendsEmailWithGhiTaggedSubject() throws Exception {
         when(comment.getBody()).thenReturn("@security secalert CVE-2026-1234 XSS in admin console\n\nPlease triage this vulnerability.");
         setupSubject("CVE-2026-1234", "XSS", "in", "admin", "console");
         setupIssueComments("Some unrelated comment");
         setupIssueLabels(Status.TRIAGE.toLabel());
         when(issue.getTitle()).thenReturn("Wildcard Redirect URI vulnerability");
         when(mailSender.sendNewEmail("secalert@redhat.com", "keycloak-security@googlegroups.com",
-                "CVE-2026-1234 XSS in admin console", "Please triage this vulnerability."))
+                "CVE-2026-1234 XSS in admin console - #GHI-42", "Please triage this vulnerability."))
                 .thenReturn(Optional.of("19c48d1ecb33de98"));
 
         command.run(payload);
 
         verify(mailSender).sendNewEmail("secalert@redhat.com", "keycloak-security@googlegroups.com",
-                "CVE-2026-1234 XSS in admin console", "Please triage this vulnerability.");
-        verify(issue).comment("SecAlert email sent. " + Constants.SECALERT_THREAD_ID_PREFIX + " 19c48d1ecb33de98");
+                "CVE-2026-1234 XSS in admin console - #GHI-42", "Please triage this vulnerability.");
+        verify(issue, never()).comment(anyString());
         verify(issue).removeLabels(Status.TRIAGE.toLabel());
         verify(issue).addLabels(Status.CVE_REQUEST.toLabel());
         verify(issue).setTitle("[CVE-TBD] Wildcard Redirect URI vulnerability");
@@ -120,6 +122,7 @@ void newThread_blocksDuplicateWebhookViaInMemoryGuard() throws Exception {
         setupSubject("Race", "Condition");
         setupIssueComments();
         setupIssueLabels(Status.TRIAGE.toLabel());
+        when(issue.getTitle()).thenReturn("Some title");
 
         CountDownLatch emailBlocked = new CountDownLatch(1);
         CountDownLatch secondCallDone = new CountDownLatch(1);
@@ -133,11 +136,13 @@ void newThread_blocksDuplicateWebhookViaInMemoryGuard() throws Exception {
         SecAlertCommand secondCommand = new SecAlertCommand();
         secondCommand.unparsedArgs = new ArrayList<>(List.of("Race", "Condition"));
         setField(secondCommand, "mailSender", mailSender);
-        setField(secondCommand, "secAlertEmail", "secalert@redhat.com");
+        setField(secondCommand, "secAlertTo", "secalert@redhat.com");
+        setField(secondCommand, "secAlertReplyTo", "secalert@redhat.atlassian.net");
         setField(secondCommand, "targetGroup", "keycloak-security@googlegroups.com");
 
+        var firstThreadError = new java.util.concurrent.atomic.AtomicReference<Throwable>();
         Thread firstThread = new Thread(() -> {
-            try { command.run(payload); } catch (IOException e) { throw new RuntimeException(e); }
+            try { command.run(payload); } catch (Exception e) { firstThreadError.set(e); }
         });
         firstThread.start();
 
@@ -146,6 +151,7 @@ void newThread_blocksDuplicateWebhookViaInMemoryGuard() throws Exception {
         secondCallDone.countDown();
         firstThread.join(5000);
 
+        assertNull(firstThreadError.get(), "First thread threw an exception");
         verify(mailSender, times(1)).sendNewEmail(anyString(), anyString(), anyString(), anyString());
     }
 
@@ -176,16 +182,16 @@ void newThread_reactsWithThumbsDownWhenSubjectMissing() throws Exception {
     // --- Reply on existing thread (SecAlert-Thread-ID found) ---
 
     @Test
-    void existingThread_repliesWithoutSubject() throws Exception {
+    void existingThread_repliesToSecAlertReplyToAddress() throws Exception {
         when(comment.getBody()).thenReturn("@security secalert\n\nThis is a follow-up reply.");
-        setupIssueComments("SecAlert email sent. " + Constants.SECALERT_THREAD_ID_PREFIX + " abc123def456");
-        when(mailSender.sendThreadedEmail("abc123def456", "secalert@redhat.com",
+        setupIssueComments(Constants.SECALERT_THREAD_ID_PREFIX + " abc123def456");
+        when(mailSender.sendThreadedEmail("abc123def456", "secalert@redhat.atlassian.net",
                 "keycloak-security@googlegroups.com", "This is a follow-up reply."))
                 .thenReturn(true);
 
         command.run(payload);
 
-        verify(mailSender).sendThreadedEmail("abc123def456", "secalert@redhat.com",
+        verify(mailSender).sendThreadedEmail("abc123def456", "secalert@redhat.atlassian.net",
                 "keycloak-security@googlegroups.com", "This is a follow-up reply.");
         verify(mailSender, never()).sendNewEmail(anyString(), anyString(), anyString(), anyString());
         verify(issue, never()).removeLabels(any(String[].class));
@@ -196,7 +202,7 @@ void existingThread_repliesWithoutSubject() throws Exception {
     @Test
     void existingThread_reactsWithThumbsDownWhenReplyFails() throws Exception {
         when(comment.getBody()).thenReturn("@security secalert\n\nFailed reply.");
-        setupIssueComments("SecAlert email sent. " + Constants.SECALERT_THREAD_ID_PREFIX + " abc123");
+        setupIssueComments(Constants.SECALERT_THREAD_ID_PREFIX + " abc123");
         when(mailSender.sendThreadedEmail(anyString(), anyString(), anyString(), anyString())).thenReturn(false);
 
         command.run(payload);
diff --git a/src/test/java/org/keycloak/gh/bot/security/email/MailProcessorTest.java b/src/test/java/org/keycloak/gh/bot/security/email/MailProcessorTest.java
