Add kind/cve label after receiving the CVE ID

Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>

Author: abstractj

src/main/java/org/keycloak/gh/bot/labels/Kind.java

@@ -2,7 +2,8 @@
 
 public enum Kind {
 
-    BUG;
+    BUG,
+    CVE;
 
     @Override
     public String toString() {

src/main/java/org/keycloak/gh/bot/security/email/MailProcessor.java

@@ -9,6 +9,7 @@
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 import org.jboss.logging.Logger;
 import org.keycloak.gh.bot.GitHubInstallationProvider;
+import org.keycloak.gh.bot.labels.Kind;
 import org.keycloak.gh.bot.labels.Status;
 import org.keycloak.gh.bot.security.common.Constants;
 import org.keycloak.gh.bot.utils.Labels;
@@ -249,13 +250,19 @@ void applyCveIdFromSecAlert(GHIssue issue, String subject, String body) throws I
             issue.setTitle(newTitle);
             LOGGER.infof("Replaced %s with [%s] in issue #%d", Constants.CVE_TBD_PREFIX, cveId, issue.getNumber());
 
-            boolean hasCveRequestLabel = issue.getLabels().stream()
+            var labelNames = issue.getLabels().stream()
                     .map(GHLabel::getName)
-                    .anyMatch(Status.CVE_REQUEST.toLabel()::equals);
-            if (hasCveRequestLabel) {
+                    .toList();
+
+            if (labelNames.contains(Status.CVE_REQUEST.toLabel())) {
                 issue.removeLabels(Status.CVE_REQUEST.toLabel());
                 LOGGER.infof("Removed %s label from issue #%d", Status.CVE_REQUEST.toLabel(), issue.getNumber());
             }
+
+            if (!labelNames.contains(Kind.CVE.toLabel())) {
+                issue.addLabels(Kind.CVE.toLabel());
+                LOGGER.infof("Added %s label to issue #%d", Kind.CVE.toLabel(), issue.getNumber());
+            }
         }
     }
 

src/test/java/org/keycloak/gh/bot/security/email/MailProcessorTest.java

@@ -3,6 +3,7 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
+import org.keycloak.gh.bot.labels.Kind;
 import org.keycloak.gh.bot.labels.Status;
 import org.kohsuke.github.GHIssue;
 import org.kohsuke.github.GHLabel;
@@ -102,6 +103,7 @@ void applyCveIdFromSecAlert_replacesTitleAndRemovesCveRequestLabel() throws Exce
 
         verify(issue).setTitle("[CVE-2026-9999] XSS in admin console");
         verify(issue).removeLabels(Status.CVE_REQUEST.toLabel());
+        verify(issue).addLabels(Kind.CVE.toLabel());
     }
 
     @Test
@@ -116,6 +118,7 @@ void applyCveIdFromSecAlert_doesNotRemoveLabelWhenNotPresent() throws Exception
 
         verify(issue).setTitle("[CVE-2026-9999] XSS in admin console");
         verify(issue, never()).removeLabels(Status.CVE_REQUEST.toLabel());
+        verify(issue).addLabels(Kind.CVE.toLabel());
     }
 
     @Test
@@ -128,6 +131,7 @@ void applyCveIdFromSecAlert_noOpWhenTitleDoesNotStartWithCveTbd() throws Excepti
 
         verify(issue, never()).setTitle(org.mockito.ArgumentMatchers.anyString());
         verify(issue, never()).removeLabels(org.mockito.ArgumentMatchers.any(String[].class));
+        verify(issue, never()).addLabels(org.mockito.ArgumentMatchers.any(String[].class));
     }
 
     @Test
@@ -145,5 +149,23 @@ void applyCveIdFromSecAlert_extractsCveFromBodyWhenNotInSubject() throws Excepti
 
         verify(issue).setTitle("[CVE-2026-5555] SSRF vulnerability");
         verify(issue).removeLabels(Status.CVE_REQUEST.toLabel());
+        verify(issue).addLabels(Kind.CVE.toLabel());
+    }
+
+    @Test
+    void applyCveIdFromSecAlert_doesNotAddCveKindWhenAlreadyPresent() throws Exception {
+        GHIssue issue = mock(GHIssue.class);
+        when(issue.getTitle()).thenReturn("[CVE-TBD] OIDC token leak");
+        when(issue.getNumber()).thenReturn(77);
+
+        GHLabel cveKindLabel = mock(GHLabel.class);
+        when(cveKindLabel.getName()).thenReturn(Kind.CVE.toLabel());
+        when(issue.getLabels()).thenReturn(List.of(cveKindLabel));
+
+        MailProcessor processor = new MailProcessor();
+        processor.applyCveIdFromSecAlert(issue, "CVE-2026-8888 OIDC token leak", "body");
+
+        verify(issue).setTitle("[CVE-2026-8888] OIDC token leak");
+        verify(issue, never()).addLabels(Kind.CVE.toLabel());
     }
 }