keycloak
diff --git a/‎src/main/java/org/keycloak/gh/bot/labels/Status.java‎
Lines changed: 2 additions & 1 deletion b/‎src/main/java/org/keycloak/gh/bot/labels/Status.java‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/main/java/org/keycloak/gh/bot/security/command/CommandParser.java‎
Lines changed: 62 additions & 10 deletions b/‎src/main/java/org/keycloak/gh/bot/security/command/CommandParser.java‎
Lines changed: 62 additions & 10 deletions
diff --git a/‎src/main/java/org/keycloak/gh/bot/security/command/MailingListCommand.java‎
Lines changed: 4 additions & 23 deletions b/‎src/main/java/org/keycloak/gh/bot/security/command/MailingListCommand.java‎
Lines changed: 4 additions & 23 deletions
diff --git a/‎src/main/java/org/keycloak/gh/bot/security/command/SecAlertCommand.java‎
Lines changed: 75 additions & 8 deletions b/‎src/main/java/org/keycloak/gh/bot/security/command/SecAlertCommand.java‎
Lines changed: 75 additions & 8 deletions
diff --git a/‎src/main/java/org/keycloak/gh/bot/security/common/Constants.java‎
Lines changed: 6 additions & 0 deletions b/‎src/main/java/org/keycloak/gh/bot/security/common/Constants.java‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/main/java/org/keycloak/gh/bot/security/email/MailProcessor.java‎
Lines changed: 52 additions & 0 deletions b/‎src/main/java/org/keycloak/gh/bot/security/email/MailProcessor.java‎
Lines changed: 52 additions & 0 deletions
@@ -8,7 +8,8 @@ public enum Status {
     MISSING_INFORMATION,
     BUMPED_BY_BOT,
     TRIAGE,
-    REOPENED;
+    REOPENED,
+    CVE_REQUEST;
 
     @Override
     public String toString() {
 
@@ -4,27 +4,54 @@
 import org.eclipse.microprofile.config.ConfigProvider;
 import org.jboss.logging.Logger;
 import org.kohsuke.github.GHEventPayload;
+import org.kohsuke.github.GHIssueComment;
 import org.kohsuke.github.ReactionContent;
 
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 public abstract class CommandParser implements BotCommand {
 
     private static final Logger LOGGER = Logger.getLogger(CommandParser.class);
+    private static final Set<String> ACTIVE_COMMANDS = ConcurrentHashMap.newKeySet();
 
     // Absorbs all invalid trailing text to prevent parser crashes
     @Arguments
     protected List<String> unparsedArgs = new ArrayList<>();
 
     @Override
     public final void run(GHEventPayload.IssueComment issueCommentPayload) throws IOException {
-        if (isAuthorizedRepository(issueCommentPayload)) {
+        if (!isAuthorizedRepository(issueCommentPayload)) {
+            return;
+        }
+
+        String commandKey = buildCommandKey(issueCommentPayload);
+        if (!ACTIVE_COMMANDS.add(commandKey)) {
+            LOGGER.infof("Duplicate webhook detected for %s. Skipping.", commandKey);
+            return;
+        }
+
+        try {
             execute(issueCommentPayload);
+        } finally {
+            ACTIVE_COMMANDS.remove(commandKey);
         }
     }
 
+    private String buildCommandKey(GHEventPayload.IssueComment payload) {
+        String body = payload.getComment().getBody();
+        int bodyHash = body != null ? body.hashCode() : 0;
+        return getClass().getSimpleName()
+                + ":" + payload.getIssue().getNumber()
+                + ":" + bodyHash;
+    }
+
     private boolean isAuthorizedRepository(GHEventPayload.IssueComment payload) {
         String allowedRepository = ConfigProvider.getConfig()
                 .getOptionalValue("repository.privateRepository", String.class)
@@ -54,17 +81,42 @@ protected void fail(GHEventPayload.IssueComment payload, String reason) throws I
     /**
      * Ensure that a body exists and is placed on a new line.
      */
-    protected ParsedMessage extractMessage(GHEventPayload.IssueComment payload) throws IOException {
-        String[] parts = payload.getComment().getBody().trim().split("[\\r\\n]+", 2);
-
-        if (parts.length < 2 || parts[1].trim().isEmpty()) {
-            fail(payload, parts.length < 2
-                    ? "Invalid formatting. The message body MUST be placed on a new line below the command."
-                    : "Empty message body provided.");
-            return null;
+    protected Optional<ParsedMessage> extractMessage(GHEventPayload.IssueComment payload) throws IOException {
+        String commentBody = payload.getComment().getBody();
+        if (commentBody == null || commentBody.isBlank()) {
+            fail(payload, "Empty comment body.");
+            return Optional.empty();
+        }
+
+        int newlineIndex = commentBody.indexOf('\n');
+        if (newlineIndex == -1) {
+            fail(payload, "Invalid formatting. The message body MUST be placed on a new line below the command.");
+            return Optional.empty();
         }
 
-        return new ParsedMessage(parts[0].trim().replaceAll("\\s+", " ").toLowerCase(), parts[1].trim());
+        String rawCommand = commentBody.substring(0, newlineIndex);
+        String commandLine = rawCommand.trim().replaceAll("\\s+", " ");
+        String body = commentBody.substring(newlineIndex + 1).trim();
+
+        if (body.isEmpty()) {
+            fail(payload, "Empty message body provided.");
+            return Optional.empty();
+        }
+
+        return Optional.of(new ParsedMessage(commandLine, body));
+    }
+
+    protected Optional<String> findThreadId(GHEventPayload.IssueComment payload, Pattern pattern) throws IOException {
+        for (GHIssueComment comment : payload.getIssue().queryComments().list()) {
+            String body = comment.getBody();
+            if (body == null) continue;
+
+            Matcher matcher = pattern.matcher(body);
+            if (matcher.find()) {
+                return Optional.of(matcher.group(1));
+            }
+        }
+        return Optional.empty();
     }
 
     protected record ParsedMessage(String commandLine, String body) {
 
@@ -7,11 +7,9 @@
 import org.keycloak.gh.bot.security.common.Constants;
 import org.keycloak.gh.bot.security.email.MailSender;
 import org.kohsuke.github.GHEventPayload;
-import org.kohsuke.github.GHIssueComment;
 
 import java.io.IOException;
 import java.util.Optional;
-import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
@@ -32,39 +30,22 @@ public class MailingListCommand extends CommandParser implements BotCommand {
 
     @Override
     protected void execute(GHEventPayload.IssueComment payload) throws IOException {
-        ParsedMessage msg = extractMessage(payload);
-        if (msg == null) return;
+        Optional<ParsedMessage> msg = extractMessage(payload);
+        if (msg.isEmpty()) return;
 
-        if (!msg.commandLine().equals("@security reply")) {
-            fail(payload, "Invalid command signature. Extra text found on the command line.");
-            return;
-        }
-
-        Optional<String> threadId = findGmailThreadId(payload);
+        Optional<String> threadId = findThreadId(payload, THREAD_ID_PATTERN);
         if (threadId.isEmpty()) {
             fail(payload, "Gmail Thread ID not found in issue comments. Cannot reply without a linked email thread.");
             return;
         }
 
         LOGGER.infof("Sending reply to Gmail thread %s for issue #%d", threadId.get(), payload.getIssue().getNumber());
 
-        if (mailSender.sendReply(threadId.get(), msg.body(), targetGroup)) {
+        if (mailSender.sendReply(threadId.get(), msg.get().body(), targetGroup)) {
             success(payload);
         } else {
             fail(payload, "Failed to send reply via Gmail API.");
         }
     }
 
-    private Optional<String> findGmailThreadId(GHEventPayload.IssueComment payload) throws IOException {
-        for (GHIssueComment comment : payload.getIssue().queryComments().list()) {
-            String body = comment.getBody();
-            if (body == null) continue;
-
-            Matcher matcher = THREAD_ID_PATTERN.matcher(body);
-            if (matcher.find()) {
-                return Optional.of(matcher.group(1));
-            }
-        }
-        return Optional.empty();
-    }
 }
@@ -1,26 +1,93 @@
 package org.keycloak.gh.bot.security.command;
 
 import com.github.rvesse.airline.annotations.Command;
+import jakarta.inject.Inject;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
 import org.jboss.logging.Logger;
+import org.keycloak.gh.bot.labels.Status;
+import org.keycloak.gh.bot.security.common.Constants;
+import org.keycloak.gh.bot.security.email.MailSender;
 import org.kohsuke.github.GHEventPayload;
+import org.kohsuke.github.GHIssue;
+import org.kohsuke.github.GHLabel;
 
 import java.io.IOException;
+import java.util.Optional;
+import java.util.Set;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 
-@Command(name = "secalert", description = "Handles security alerts and multiline replies")
-public class SecAlertCommand extends CommandParser implements BotCommand { //Required due to a bug on Airline
+/**
+ * Sends emails to SecAlert. Creates a new thread when no SecAlert-Thread-ID exists, otherwise replies on the existing thread.
+ */
+@Command(name = "secalert", description = "Sends a new email or reply to SecAlert and tracks the thread ID")
+public class SecAlertCommand extends CommandParser implements BotCommand {
 
     private static final Logger LOGGER = Logger.getLogger(SecAlertCommand.class);
+    private static final Pattern SECALERT_THREAD_ID_PATTERN = Pattern.compile(
+            Pattern.quote(Constants.SECALERT_THREAD_ID_PREFIX) + "\\s*([a-f0-9]+)");
+
+    @Inject
+    MailSender mailSender;
+
+    @ConfigProperty(name = "email.sender.secalert")
+    String secAlertEmail;
+
+    @ConfigProperty(name = "google.group.target")
+    String targetGroup;
 
     @Override
     protected void execute(GHEventPayload.IssueComment payload) throws IOException {
-        ParsedMessage msg = extractMessage(payload);
-        if (msg == null) return;
+        Optional<ParsedMessage> msg = extractMessage(payload);
+        if (msg.isEmpty()) return;
+
+        String subject = String.join(" ", unparsedArgs);
+        String body = msg.get().body();
+
+        Optional<String> existingThreadId = findThreadId(payload, SECALERT_THREAD_ID_PATTERN);
+
+        if (existingThreadId.isPresent()) {
+            replyToExistingThread(payload, existingThreadId.get(), body);
+        } else {
+            createNewThread(payload, subject, body);
+        }
+    }
+
+    private void createNewThread(GHEventPayload.IssueComment payload, String subject, String body) throws IOException {
+        if (subject.isEmpty()) {
+            fail(payload, "Subject is required for the first SecAlert email. Usage: @security secalert <subject>");
+            return;
+        }
+
+        LOGGER.infof("Sending new SecAlert email for issue #%d, subject: %s", payload.getIssue().getNumber(), subject);
+
+        Optional<String> threadId = mailSender.sendNewEmail(secAlertEmail, targetGroup, subject, body);
+        if (threadId.isEmpty()) {
+            fail(payload, "Failed to send email to SecAlert via Gmail API.");
+            return;
+        }
+
+        String marker = Constants.SECALERT_THREAD_ID_PREFIX + " " + threadId.get();
+        GHIssue issue = payload.getIssue();
+        issue.comment("SecAlert email sent. " + marker);
+
+        Set<String> currentLabels = issue.getLabels().stream().map(GHLabel::getName).collect(Collectors.toSet());
+        if (currentLabels.contains(Status.TRIAGE.toLabel())) {
+            issue.removeLabels(Status.TRIAGE.toLabel());
+        }
+        issue.addLabels(Status.CVE_REQUEST.toLabel());
+
+        issue.setTitle(Constants.CVE_TBD_PREFIX + " " + issue.getTitle());
+        success(payload);
+    }
+
+    private void replyToExistingThread(GHEventPayload.IssueComment payload, String threadId, String body) throws IOException {
+        LOGGER.infof("Replying to existing SecAlert thread %s for issue #%d", threadId, payload.getIssue().getNumber());
 
-        if (msg.commandLine().equals("@security secalert")) {
-            LOGGER.infof("New Message to secalert:\n%s", msg.body());
+        if (mailSender.sendThreadedEmail(threadId, secAlertEmail, targetGroup, body)) {
             success(payload);
         } else {
-            fail(payload, "Invalid command. Extra text found on the command line.");
+            fail(payload, "Failed to send reply to SecAlert thread " + threadId + ".");
         }
     }
-}
+}
@@ -1,8 +1,14 @@
 package org.keycloak.gh.bot.security.common;
 
+import java.util.regex.Pattern;
+
 public final class Constants {
 
+    public static final Pattern CVE_PATTERN = Pattern.compile("CVE-\\d{4}-\\d+");
+
     public static final String GMAIL_THREAD_ID_PREFIX = "**Gmail-Thread-ID:**";
+    public static final String SECALERT_THREAD_ID_PREFIX = "**SecAlert-Thread-ID:**";
+    public static final String CVE_TBD_PREFIX = "[CVE-TBD]";
     public static final String ISSUE_DESCRIPTION_TEMPLATE = "_Thread originally started in the keycloak-security mailing list. Replace the content here with a proper CVE description._";
     public static final String ATTACHMENTS_FOOTER = "\n_Attachments are not uploaded for security reasons. [View them in Google Groups](%s)_";
 
 
@@ -21,6 +21,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 @ApplicationScoped
@@ -39,6 +40,9 @@ public class MailProcessor {
     @ConfigProperty(name = "repository.privateRepository")
     String repositoryName;
 
+    @ConfigProperty(name = "email.sender.secalert")
+    String secAlertEmail;
+
     @Inject
     GmailAdapter gmail;
 
@@ -110,13 +114,21 @@ private void processSingleMessage(Message msgSummary, GitHub github, GHRepositor
 
             var issueOpt = resolveIssue(github, repository, threadId);
 
+            if (issueOpt.isEmpty() && isFromSecAlert(from)) {
+                issueOpt = resolveIssueBySecAlertThread(github, repository, threadId);
+            }
+
             if (issueOpt.isPresent()) {
                 var issue = issueOpt.get();
                 if (issue.getState() == GHIssueState.CLOSED) {
                     issue.reopen();
                     LOGGER.infof("Reopened existing closed issue #%d for thread %s", issue.getNumber(), threadId);
                 }
                 appendComment(issue, from, body, attachmentSection);
+
+                if (isFromSecAlert(from)) {
+                    applyCveIdFromSecAlert(issue, subject, body);
+                }
             } else {
                 var newIssue = createNewIssue(repository, threadId, subject, from, body, attachmentSection);
                 issueCache.put(threadId, newIssue.getNumber());
@@ -203,6 +215,46 @@ private boolean isFromBot(String from) {
         return from != null && from.toLowerCase().contains(botEmail.toLowerCase());
     }
 
+    private boolean isFromSecAlert(String from) {
+        return from != null && from.toLowerCase().contains(secAlertEmail.toLowerCase());
+    }
+
+    private Optional<GHIssue> resolveIssueBySecAlertThread(GitHub github, GHRepository repository, String threadId) {
+        try {
+            var query = "repo:%s \"%s %s\" is:issue in:comments".formatted(
+                    repositoryName, Constants.SECALERT_THREAD_ID_PREFIX, threadId);
+            var iterator = github.searchIssues().q(query).list().iterator();
+            if (iterator.hasNext()) {
+                int issueNumber = iterator.next().getNumber();
+                return Optional.ofNullable(repository.getIssue(issueNumber));
+            }
+        } catch (Exception e) {
+            LOGGER.warnf(e, "GitHub search failed for SecAlert thread %s", threadId);
+        }
+        return Optional.empty();
+    }
+
+    private void applyCveIdFromSecAlert(GHIssue issue, String subject, String body) throws IOException {
+        String cveId = extractCveId(subject);
+        if (cveId == null) {
+            cveId = extractCveId(body);
+        }
+        if (cveId == null) return;
+
+        String title = issue.getTitle();
+        if (title != null && title.startsWith(Constants.CVE_TBD_PREFIX)) {
+            String newTitle = title.replace(Constants.CVE_TBD_PREFIX, "[" + cveId + "]");
+            issue.setTitle(newTitle);
+            LOGGER.infof("Replaced %s with [%s] in issue #%d", Constants.CVE_TBD_PREFIX, cveId, issue.getNumber());
+        }
+    }
+
+    static String extractCveId(String text) {
+        if (text == null) return null;
+        Matcher matcher = Constants.CVE_PATTERN.matcher(text);
+        return matcher.find() ? matcher.group() : null;
+    }
+
     private boolean isValidGroupMessage(Map<String, String> headers) {
         if (targetGroup.matchesListId(headers.get("List-ID"))) {
             return true;