This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 2c40af0 import: distinguish GHSA-relay notifications from tracker-mirror notifications (#151)
2c40af0 is described below
commit 2c40af06e96e115938245ea7965a24c12b674e44
Author: Jarek Potiuk <[email protected]>
AuthorDate: Thu May 14 13:05:23 2026 +0200
import: distinguish GHSA-relay notifications from tracker-mirror
notifications (#151)

Updates security-issue-import Step 1 + the canonical candidate-listing
query template so GHSA-relayed inbound reports (sent from
[email protected] with [<upstream>] ... (GHSA-...) subject form)
are no longer blanket-excluded.

GitHub uses [email protected] for two categories:

1. Tracker-mirror chatter (subject [<tracker-repo>] ...) — these are
   not import candidates; caught at Step 2 threadId dedup against
   existing tracker bodies.
2. GHSA-relayed inbound reports (subject [<upstream>] ...) — these
   ARE valid import candidates and must reach Step 3 classification.

The previous blanket -from:[email protected] exclusion dropped
both categories. The fix is to drop only the dedicated mirror noreply
addresses (per the project's declared <tracker-repo>@noreply.github.com
form) and rely on Step 2 dedup for the remaining mirror chatter.

Motivation: in a 2026-05-14 import sweep against airflow-s/airflow-s,
four GHSA-relayed reports from Lokhesh Ujhoodha ([email protected],
@Lougarou) were missed by the default 14-day candidate query because
the standard exclusion -from:[email protected] dropped them
alongside the tracker mirror notifications. The reporter had been told
by ASF Security to split his consolidated report into separate GHSAs
and complied — but the resulting GHSA-notification threads weren't
surfaced as import candidates.

Adopters must update their project.md mirror-sender declarations to
remove the blanket -from:[email protected] line and keep only
the dedicated <tracker-repo>@noreply.github.com mirror sender.

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
.claude/skills/security-issue-import/SKILL.md | 28 +++++++++++++++++++++++++++
tools/gmail/search-queries.md | 27 +++++++++++++++++++++-----
2 files changed, 50 insertions(+), 5 deletions(-)
diff --git a/.claude/skills/security-issue-import/SKILL.md
b/.claude/skills/security-issue-import/SKILL.md
index 5b58eb4..fd87e5f 100644
--- a/.claude/skills/security-issue-import/SKILL.md
+++ b/.claude/skills/security-issue-import/SKILL.md
@@ -325,6 +325,34 @@ bookkeeping emails are filtered out at Step 3 by subject
pattern
instead — see the `cve-tool-bookkeeping` row of the classification
table.
+**Do not exclude `-from:[email protected]` wholesale.** GitHub
+uses this address for **two distinct categories** of messages:
+
+1. **Tracker-mirror notifications** — when an action lands on a
+ tracker issue (comment, label, close), GitHub emails every
+ subscriber. These arrive with subject `[<tracker-repo>] ...`
+ and are *not* import candidates — they describe an existing
+ tracker.
+2. **GHSA-relayed reports** — when a reporter files a GitHub
+ Security Advisory against `<upstream>`, GitHub emails
+ `[email protected] → security@<project>.apache.org`
+ with subject `[<upstream>] ... (GHSA-...)`. **These are**
+ import candidates.
+
+Filter the mirror notifications at Step 1 only by the project's
+declared dedicated `noreply` mirror addresses (e.g.
+`<tracker-repo>@noreply.github.com`, declared in
+[`<project-config>/project.md`](../../../<project-config>/project.md#gmail-and-ponymail)).
+**Do not blanket-exclude `[email protected]`** — the
+remaining tracker-mirror chatter on `[email protected]` is
+caught at Step 2 (threadId dedup against existing tracker bodies)
+and Step 2-bis (already-answered detection).
+
+The canonical query template in
+[`tools/gmail/search-queries.md`](../../../tools/gmail/search-queries.md#security-issue-import--candidate-listing-query)
+omits the blanket exclusion; project-specific `<project-config>/project.md`
+declarations enumerate dedicated mirror noreply senders only.
+
Adjust the time window per the user's selector (`since:` → `newer_than:`
or `after:`; `import all` → `newer_than:90d`).
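Review bot: the new guidance in this hunk relies on Step 2 threadId dedup to absorb the `[<tracker-repo>] ...` mirror chatter that the relaxed Step 1 filter now lets through, but threadId dedup can only match threads that already have a tracker body on record; a mirror notification for a tracker issue the import has never recorded (one opened directly in the tracker, or whose thread was never linked to a body) will now reach Step 3 as an apparent candidate. Say explicitly how Step 3 classifies a `[<tracker-repo>]`-prefixed subject, or add a subject-pattern row for it next to the `cve-tool-bookkeeping` row that the context lines above already use for the same purpose. Also, the link target `../../../<project-config>/project.md#gmail-and-ponymail` embeds a placeholder inside a Markdown link, so it renders as a dead link in the skill file; either point at a real path or show the placeholder as inline code rather than a link.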
diff --git a/tools/gmail/search-queries.md b/tools/gmail/search-queries.md
index ed39b62..bb91aa7 100644
--- a/tools/gmail/search-queries.md
+++ b/tools/gmail/search-queries.md
@@ -54,8 +54,8 @@ Placeholder convention:
The project's tracker repo mirrors GitHub issue activity onto its
security list, producing a large volume of bot messages that match
-most content searches. Every skill that searches beyond a pure list
-scan excludes the mirror senders up front:
+most content searches. Skills that do **content searches** (not the
+import candidate-listing query) exclude the mirror senders up front:
```text
-from:[email protected]
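Review bot: the rewritten sentence replaces the concrete scope "every skill that searches beyond a pure list scan" with the undefined term "content searches", and the only thing now distinguishing the two classes is the parenthetical that excludes the import candidate-listing query. Keep the old definition alongside the new term, e.g. "Skills that do content searches (anything beyond a pure list scan, i.e. not the import candidate-listing query) exclude ...", so a reader of this file alone can tell which bucket a new skill falls into.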
@@ -64,6 +64,13 @@ scan excludes the mirror senders up front:
-from:[email protected]
```
+**Exception — `security-issue-import` candidate listing.** That
+specific query removes `-from:[email protected]` from the
+exclusion list so GHSA-relayed inbound reports (sent from
+`[email protected]` with `[<upstream>] ... (GHSA-...)`
+subject form) are not dropped along with the tracker-mirror
+chatter. See the `security-issue-import` query template below.
+
For projects that host their tracker elsewhere (or do not mirror to
the list), trim or replace these as needed.
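Review bot: this exception paragraph is the second of three near-identical statements of the same rationale in this commit (SKILL.md at Step 1, here, and again under the candidate-listing template below), and they already disagree on detail: the SKILL.md copy says the leaked mirror chatter is caught at Step 2 and Step 2-bis, while both copies in this file mention only Step 2 threadId dedup. Keep the full explanation in one place (the SKILL.md step, where the behaviour is actually specified) and reduce this paragraph to a one-sentence pointer at it, so the two files cannot drift further apart.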
@@ -72,17 +79,27 @@ the list), trim or replace these as needed.
### `security-issue-import` — candidate-listing query
Inbound threads that might be new reports, minus GitHub-notification
-bots, within a time window:
+mirror-bots, within a time window:
```text
list:<security-list-domain>
- -from:[email protected]
- -from:[email protected]
-from:<tracker-noreply>
+ -from:[email protected]
-from:[email protected]
newer_than:30d
```
+**Do not exclude `-from:[email protected]` in the
+candidate-listing query.** GitHub uses that address for two
+categories: tracker-mirror chatter (subject form `[<tracker-repo>]
+...`) which is what we want to filter, **and** GHSA-relayed inbound
+reports (subject form `[<upstream>] ... (GHSA-...)`) which are
+import candidates. The mirror chatter is caught by Step 2 threadId
+dedup; the GHSA relays are valid candidates and must reach Step 3
+classification. The `<tracker-noreply>` exclusion (e.g.
+`<tracker-repo>@noreply.github.com`) handles the dedicated mirror-
+noreply sender, which is what we actually want to drop.
+
**Do not exclude `-from:[email protected]`.** That address is used
for CVE-tool bookkeeping *and* for ASF-security-team forwarding of
inbound reports *and* for ad-hoc ASF Security discussion.
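Review bot: the template keeps `newer_than:30d` while the commit message describes the sweep that missed the four reports as "the default 14-day candidate query"; state in the template which window is the default, or mark `30d` as an illustrative value, since a reader reconciling the two will not know which one the skill really uses. On wording, the intro line now reads "minus GitHub-notification mirror-bots", which hyphenates two unrelated pairs; "minus GitHub tracker-mirror notifications" matches the terminology the rest of the hunk uses. Finally, the closing sentence says the `<tracker-noreply>` exclusion "handles the dedicated mirror-noreply sender, which is what we actually want to drop" right after saying the mirror chatter on the shared address "is what we want to filter"; tighten to one statement of intent (drop the dedicated sender at Step 1, let Step 2 dedup handle the rest) so the two sentences do not read as contradicting each other.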