Description
When the team requests a CVE to secalert (via a comment containing the secalert email template), the bot should parse the CVSS score from the comment and automatically assign the corresponding severity/* label to the issue. This closes the gap where issues get a CVE requested but the severity label is never applied.
Value Proposition
The team consistently includes a CVSS score in secalert request emails. Secalert almost always adopts the team's score. Despite this, severity labels are frequently forgotten, leaving triaged issues without proper severity classification. Automating this removes a manual step that is easy to forget and ensures every CVE request results in a correctly labeled issue.
Goals
- Detect when a comment contains a secalert email template (look for the `* **CVSS:**` field or a CVSS:3.1 vector string)
- Parse the CVSS score and severity from the vector string or the parenthetical (e.g., `4.3 Medium`, `9.1 Critical`)
- Map the severity to the corresponding label:
  - Critical (9.0-10.0) → `severity/critical`
  - High (7.0-8.9) → `severity/high`
  - Medium (4.0-6.9) → `severity/medium`
  - Low (0.1-3.9) → `severity/low`
- Apply the label automatically to the issue
- If a `severity/*` label is already present, do not override it (the existing label was set intentionally)
- Automatically apply the label `status/embargoed`
Non-Goals
- Validating the CVSS vector or recalculating the score — trust the score as written
- Assigning severity based on non-secalert comments
- Removing or changing existing severity labels
Discussion
No response
Notes
- The secalert email template always contains a line like:
  `* **CVSS:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3 Medium)`
- A regex matching `CVSS:3\.1/[A-Z/:]+\s*\((\d+\.\d+)\s+(Critical|High|Medium|Low)\)` should reliably extract both score and severity
- The bot should also handle plain-text variants without bold formatting (e.g., `* CVSS:` without `**`) since the template is sometimes pasted as plain text
- Consider also applying the `kind/cve` label if not already present, since requesting a CVE to secalert implies CVE classification
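A worked example of the parsing and labeling logic described in the goals and notes above. This is added illustration code, not the bot's own implementation: it extends the regex from the notes to accept the plain-text `* CVSS:` variant and an optional severity word (falling back to the score band when the word is missing), never overrides an existing `severity/*` label, and includes the suggested `kind/cve` label. The sample comment is constructed.

```python
import re
from typing import Optional, Set, Tuple

# Matches the template's CVSS line with or without the markdown bold markers:
#   * **CVSS:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3 Medium)
#   * CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3 Medium)
# The severity word is optional (assumed extension); the score is required.
CVSS_LINE = re.compile(
    r"\*\s*(?:\*\*)?CVSS:(?:\*\*)?\s*"
    r"(CVSS:3\.1/[A-Z/:]+)\s*"
    r"\((\d+\.\d+)(?:\s+(Critical|High|Medium|Low))?\)"
)

# Qualitative rating bands from the issue; a 0.0 score gets no severity label.
SCORE_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]


def severity_from_score(score: float) -> Optional[str]:
    for floor, name in SCORE_BANDS:
        if score >= floor:
            return name
    return None


def parse_cvss_line(comment: str) -> Optional[Tuple[str, float, Optional[str]]]:
    """Return (vector, score, severity) for the first CVSS line, or None."""
    m = CVSS_LINE.search(comment)
    if not m:
        return None
    vector, score, word = m.group(1), float(m.group(2)), m.group(3)
    severity = word.lower() if word else severity_from_score(score)
    return vector, score, severity


def labels_to_add(comment: str, existing: Set[str]) -> Set[str]:
    """Labels the bot should add; an existing severity/* label is kept as-is."""
    parsed = parse_cvss_line(comment)
    if parsed is None:
        return set()  # not a secalert request: leave the issue untouched
    severity = parsed[2]
    new = {"status/embargoed", "kind/cve"}
    if severity and not any(l.startswith("severity/") for l in existing):
        new.add(f"severity/{severity}")
    return new - existing


# Constructed sample comment in the template's bold form.
SAMPLE = "Subject: CVE request\n\n* **CVSS:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3 Medium)\n"

if __name__ == "__main__":
    print(labels_to_add(SAMPLE, set()))  # {'severity/medium', 'status/embargoed', 'kind/cve'}
```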
Discussion
No response
Motivation
No response
Details
No response