Currently this bot can automatically assign CVE IDs to GHSAs through the CVE API. However, sometimes a GHSA report is rejected by core developers or withdrawn by the reporter. In this case we need a way for the bot to be instructed to "withdraw" a CVE ID. Today that's done manually, exclusively by CVE admins.
To enable any collaborators to reject a CVE ID (which is a

- Create a phrase that instructs the bot to reject the CVE ID (`@psrt-ghsa-bot reject <CVE ID>`?)
- Anyone in the collaborators list (`python/psrt` and `collaborating_users`, and `_teams`) can use the above phrase to trigger a CVE ID rejection.
- Must not work if the CVE ID has been published or if the GHSA is still open.

This requires the bot to be able to get a list of comments in a GHSA to take commands.
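As an added illustration (not the bot's own code), here is one way the command parsing and the three guard conditions above could be implemented: scan the advisory's comments for the proposed phrase, check the commenter against the collaborator lists, and refuse when the GHSA is still open or the CVE record is already public. The `Advisory`/`Collaborators` shapes, the state names and the sample GHSA/CVE identifiers are assumptions constructed for this example.

```python
"""Hypothetical handler for a `@psrt-ghsa-bot reject <CVE ID>` comment command.

Data structures, state names and the collaborator-list layout are assumptions
made for this example; they are not the real bot's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Proposed command phrase. Anchored so the comment must be addressed to the bot and
# must name exactly one well-formed CVE ID (CVE-YYYY-NNNN...), nothing else.
REJECT_RE = re.compile(
    r"^\s*@psrt-ghsa-bot\s+reject\s+(CVE-\d{4}-\d{4,})\s*$",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass(frozen=True)
class Advisory:
    """Minimal view of a GHSA as the bot would fetch it (assumed shape)."""
    ghsa_id: str
    state: str            # assumed values: "open", "closed", "withdrawn"
    cve_id: str | None    # CVE ID the bot reserved for this GHSA, if any
    cve_published: bool   # True once the CVE record is public


@dataclass(frozen=True)
class Collaborators:
    """Who may drive the bot: python/psrt plus collaborating users/teams (assumed layout)."""
    team_members: frozenset[str]         # members of python/psrt and collaborating teams, resolved upstream
    collaborating_users: frozenset[str]  # individually listed collaborating users


def parse_reject_command(comment_body: str) -> str | None:
    """Return the CVE ID named in a reject command, or None if the comment is not one."""
    m = REJECT_RE.search(comment_body)
    return m.group(1).upper() if m else None


def is_collaborator(login: str, collab: Collaborators) -> bool:
    """True if the login is on either collaborator list."""
    return login in collab.team_members or login in collab.collaborating_users


def decide_rejection(author: str, comment_body: str,
                     advisory: Advisory, collab: Collaborators) -> tuple[bool, str]:
    """Decide whether a single comment may trigger a CVE rejection.

    Returns (allowed, reason). Every refusal carries a reason so the bot can
    reply on the GHSA instead of failing silently.
    """
    cve = parse_reject_command(comment_body)
    if cve is None:
        return False, "no reject command in comment"
    if not is_collaborator(author, collab):
        return False, f"{author} is not a collaborator"
    # Defensive extra: only the CVE actually reserved for this GHSA may be rejected here.
    if advisory.cve_id != cve:
        return False, f"{cve} is not the CVE reserved for {advisory.ghsa_id}"
    if advisory.state == "open":
        return False, f"{advisory.ghsa_id} is still open"
    if advisory.cve_published:
        return False, f"{cve} has already been published and cannot be rejected"
    return True, f"reject {cve} for {advisory.ghsa_id}"


def scan_comments(comments: list[tuple[str, str]], advisory: Advisory,
                  collab: Collaborators) -> list[tuple[str, bool, str]]:
    """Evaluate every (author, body) comment on the GHSA and return (author, allowed, reason)
    for each comment that looked like a reject command."""
    results = []
    for author, body in comments:
        if parse_reject_command(body) is None:
            continue
        allowed, reason = decide_rejection(author, body, advisory, collab)
        results.append((author, allowed, reason))
    return results


if __name__ == "__main__":
    # Constructed sample data: placeholder GHSA and CVE identifiers, fictional logins.
    collab = Collaborators(team_members=frozenset({"alice"}),
                           collaborating_users=frozenset({"bob"}))
    advisory = Advisory("GHSA-xxxx-xxxx-xxxx", "closed", "CVE-2024-0001", False)
    comments = [
        ("mallory", "@psrt-ghsa-bot reject CVE-2024-0001"),   # not a collaborator
        ("bob", "can we drop this one? @psrt-ghsa-bot reject CVE-2024-0001"),  # not the whole line
        ("alice", "@psrt-ghsa-bot reject CVE-2024-0001"),     # allowed
    ]
    for author, allowed, reason in scan_comments(comments, advisory, collab):
        print(f"{author}: {'OK' if allowed else 'refused'} ({reason})")
```

The phrase match is deliberately strict (whole comment, one CVE ID) so that quoting someone else's command or mentioning a CVE in passing never triggers a rejection; the author check runs before any state check so a non-collaborator learns nothing about the CVE's status from the refusal reason.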