MLE-29893: Add security-vulnerability-triage copilot skill #606

Open: abika5 wants to merge 1 commit into develop-11.3 from add-security-vulnerability-triage-skill

abika5 (Contributor) commented May 27, 2026

Jira Ticket: MLE-29893

Type of Change:

  • New feature
  • Bug fix
  • Refactor / code improvement
  • Library upgrade
  • Test additions or updates
  • Documentation updates
  • Build / CI changes

Description:

Adds a new GitHub Copilot CLI skill at .github/copilot/skills/security-vulnerability-triage/SKILL.md that codifies the process for triaging and rescoring security vulnerability tickets (CVE, BDSA, GHSA / Dependabot) on MLCP. Previously this process lived only as ad-hoc personal Copilot instructions; moving it into the repo means anyone working on MLCP with Copilot CLI gets the same discipline, and lessons learned from past rounds (e.g. the Apache Thrift batch MLE-29365 – MLE-29372) are preserved.

Approach / Implementation Notes:

  • Single SKILL.md file with frontmatter (name, description) so Copilot CLI auto-discovers it when the user mentions a CVE/BDSA ID or asks to assess vulnerability impact.
  • Invocation: user supplies a Jira bug ID (MLE-*****). Step 1 validates the ticket is actually a security vulnerability (Component, label, title prefix, advisory ID in description, or CVSS score set) before proceeding.
  • 9-step workflow: validate → fetch advisory → identify component → trace dep chain → reachability (javap -c) → draft comment → user review → post → update ticket (title, Calculated CVSS, priority, transition to In Review).
  • 7 ground rules covering BDSA↔CVE mapping, language-binding exclusion, classpath vs runtime, comment review discipline, Jira field-update verification, and scope (security tickets only).
  • Includes a Jira analysis comment template and 6 case studies (libthrift transitive trap, BDSA-score-vs-scope confusion, eager vs lazy class loading, Jira silent field failures, BDSA bundling multi-year CVEs, review discipline).

References:

Build Validation:

  • Successful compilation (N/A — documentation only)
  • No new compiler warnings introduced (N/A — documentation only)

Tests Covered:

  • Unit tests
  • Regression suite (run locally)
  • End-to-end pipeline test (optional)
  • Manual validation
  • Not applicable (explain why)

The change adds a single documentation artifact (SKILL.md) that Copilot CLI loads at runtime. No code paths, build outputs, or runtime behavior are affected.

Additional Notes:

  • The skill lives under .github/copilot/skills/ so it's co-located with other GitHub-tooling config and travels with the repo.
  • Users get the skill automatically when running Copilot CLI from this repo; no symlink setup needed.

Copilot AI left a comment

Pull request overview

Adds a new GitHub Copilot CLI skill document to standardize how MLCP security vulnerability tickets (CVE/BDSA/GHSA/Dependabot) are triaged and rescored, capturing a repeatable workflow and lessons learned so the process is consistent across engineers.

Changes:

  • Introduces a new Copilot CLI skill (security-vulnerability-triage) with YAML frontmatter for auto-discovery.
  • Documents a 9-step triage/rescore workflow, including dependency-chain tracing and Java reachability analysis guidance.
  • Provides a Jira analysis comment template plus case studies/ground rules to reduce recurring triage errors.

Comment thread .github/copilot/skills/security-vulnerability-triage/SKILL.md Outdated
abika5 force-pushed the add-security-vulnerability-triage-skill branch from a62a34f to 7c84204 on May 27, 2026 00:53

**All you need:** a Jira bug ID (format `MLE-*****`) that references a CVE, BDSA, or GitHub Dependabot alert.

- **CVE ticket:** Just the Jira bug ID (e.g. `MLE-29365`). The skill will ask before fetching the advisory from NVD.
- **BDSA ticket:** Paste the BDSA text along with the Jira bug ID (BDSAs are private and can't be fetched).
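
Review bot: The BDSA bullet asks the user to paste advisory text that the same line describes as private, but nothing here says what the skill may do with that text afterwards. Suggest adding a sentence that pasted BDSA text is used for the analysis only and is not copied verbatim into the Jira comment or written to disk.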

Contributor commented:

This is incorrect; we can set up the connection between Copilot and BD simply by providing the API token. This skill should ask for the BD API token and make sure not to persist it anywhere.


## How to invoke

**All you need:** a Jira bug ID (format `MLE-*****`) that references a CVE, BDSA, or GitHub Dependabot alert.

Contributor commented:

I think instead of repeating the Jira bug ID throughout this section, probably ask the user to provide a Jira ID at first, check whether the necessary info is listed in the Jira ticket, and if not, stop and ask the user.

yunzvanessa (Contributor) commented May 27, 2026

General comments:

I think we need some guidance on rescoring:

  • Copilot should use CVSS 3.1 from FIRST.org.
  • Mapping between calculated CVSS and priority.
  • Ask user to review before changing calculated CVSS and priority.
  • Final check on whether required Jira fields are all filled.
  • The skill is slightly verbose, consider using deduplication to trim it down.

@abika5 Thank you for spending time on this skill! This is very helpful.

If valid, capture: BDSA/CVE/GHSA ID, current CVSS score and severity, affected library + version, project key, component.

### 2. Get the advisory text
Ask the user to paste the Black Duck advisory, or fetch from NVD (`https://nvd.nist.gov/vuln/detail/<CVE-ID>`). **Do not** infer the vulnerable component from the CVE ID alone or from search engine summaries.
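
Review bot: In step 2 the `<CVE-ID>` placeholder in the NVD URL is filled from an ID captured out of ticket text, and nothing here says to check its shape before the URL is built. Suggest stating that the ID must match the `CVE-<year>-<number>` form first, and that the skill stops and asks the user when it does not.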

Contributor commented:

Can the user connect to Black Duck using a token, and can Copilot get the advisory from Black Duck?

### 4. Trace the dependency chain
Find how the vulnerable library enters the product's classpath.
- Check **explicit** deps in `pom.xml` (root and module poms).
- Check **transitive** sources by inspecting direct dependency POMs in the Maven cache (`~/.m2/repository/...`).
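
Review bot: The transitive-sources bullet relies on whatever POMs happen to be in `~/.m2/repository`, which can hold several versions of the same artifact and does not show which one this build resolves. Suggest running `mvn dependency:tree` on the affected module first and using the cache only to read the POM of the version it reports.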

Contributor commented:

Does the user need to keep the cache clean before running this workflow? Or can the user specify a different Maven cache folder?


## The 9-step process

Follow these steps in order. Do not skip steps.

Contributor commented:

Which step recalculates the CVSS score?
