Skip to content

docs(triage-security): remove Go from supported ecosystems#220

Merged
mrizzi merged 2 commits into
RHEcosystemAppEng:mainfrom
ruromero:TC-4907
Jul 1, 2026
Merged

docs(triage-security): remove Go from supported ecosystems#220
mrizzi merged 2 commits into
RHEcosystemAppEng:mainfrom
ruromero:TC-4907

Conversation

@ruromero

@ruromero ruromero commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Removed Go references from Mermaid diagrams, ecosystem lists, and remediation templates across triage-security skill files
  • Added unsupported-ecosystem notification: when a CVE affects a Go dependency, the skill now informs the user that Go is not yet supported for automated triage
  • Updated version-impact-analysis.md and remediation-templates.md to match
  • Generalized unsupported ecosystem message to use <ecosystem> placeholder instead of hard-coded "Go", matching the angle-bracket placeholder convention used by other user-facing messages (TC-5004 review feedback fix)
  • Added eval-25 to cover unsupported ecosystem notification behavior

Implements TC-4907
Implements TC-5004

Test plan

  • Grep for "Go", "go.sum", "go.mod", "Go modules" across modified files — zero matches (except unsupported notification)
  • Verify Mermaid diagrams render correctly without Go references
  • Scope check: only the 3 files listed in the task description are modified
  • Verify <ecosystem> placeholder replaces hard-coded "Go" in blockquote message
  • Verify (e.g., Go modules) example text unchanged
  • evals.json validates as valid JSON with new eval-25 entry

Go was listed alongside Cargo and npm as a supported source dependency
ecosystem, but the ecosystem mappings table only covers Cargo, npm, and
RPM. Remove Go references from Mermaid diagrams, ecosystem lists, and
remediation templates. Add an unsupported-ecosystem notification so the
skill informs users that Go requires manual assessment.

Implements TC-4907

Assisted-by: Claude Code
@sourcery-ai

sourcery-ai Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR updates the triage-security documentation to remove Go as a supported ecosystem while adding explicit guidance and messaging for unsupported ecosystems, ensuring diagrams, ecosystem descriptions, and remediation instructions are consistent with the current feature set.

File-Level Changes

Change Details Files
Clarify unsupported ecosystems and add explicit Go-not-supported notification in the triage-security skill documentation.
  • Added guidance to stop automated triage when the detected ecosystem is not listed in the Ecosystem Mappings table.
  • Introduced a user-facing unsupported ecosystem message specifically for Go modules.
  • Explained that ecosystem support is driven by per-stream configuration in security-matrix.md.
plugins/sdlc-workflow/skills/triage-security/SKILL.md
Update Mermaid diagrams and workflow text to remove Go from supported source ecosystems.
  • Updated ecosystem identification diagram to drop Go from the source dependency list.
  • Updated remediation workflow diagram to list only Cargo and npm as source dependencies.
  • Adjusted textual descriptions of source dependency ecosystems to exclude Go modules, including task-creation rules and propagation behavior.
plugins/sdlc-workflow/skills/triage-security/SKILL.md
Align remediation templates and version-impact analysis docs with the removal of Go from supported ecosystems.
  • Updated remediation-templates overview so source dependency ecosystems are limited to Cargo and npm.
  • Adjusted version-impact-analysis ecosystem section to remove Go from the source-level dependencies list.
  • Ensured cross-file consistency in how supported source ecosystems are described.
plugins/sdlc-workflow/skills/triage-security/remediation-templates.md
plugins/sdlc-workflow/skills/triage-security/version-impact-analysis.md

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The unsupported ecosystem guidance in SKILL.md is currently hard-coded to Go; consider generalizing this note (or providing a template) so that it clearly applies to any ecosystem not present in the Ecosystem Mappings table.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The unsupported ecosystem guidance in SKILL.md is currently hard-coded to Go; consider generalizing this note (or providing a template) so that it clearly applies to any ecosystem not present in the Ecosystem Mappings table.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Eval Results

Eval Results: define-feature

Eval Passed Failed Pass Rate
eval-1 20/20 0 100%
eval-2 15/15 0 100%
eval-3 6/6 0 100%
eval-4 7/7 0 100%
eval-5 9/9 0 100%
eval-6 6/6 0 100%
eval-7 8/8 0 100%

Pass rate: 100% · Tokens: 27,074 · Duration: 50s

Baseline (8b288dc2): 100% · 25,666 tokens · 67s

Eval Results: implement-task

Eval Passed Failed Pass Rate
eval-1 9/10 1 90%
eval-2 5/5 0 100%
eval-3 6/6 0 100%
eval-4 5/6 1 83%
eval-5 7/7 0 100%
eval-6 4/4 0 100%
eval-7 5/5 0 100%

Failed Assertions

eval-1: 1 failing assertion
  • Assertion: "The plan mentions checking for a description digest comment (Step 1.5) and notes that when no digest is found, it proceeds with a warning rather than blocking execution (backward compatibility per shared/description-digest-protocol.md)"
    Evidence: "Neither plan.md nor any of the file-description outputs mention a 'description digest comment', 'digest', 'Step 1.5' in the context of digest checking, or backward compatibility behavior for missing digests. The plan does not reference shared/description-digest-protocol.md or any digest verification step. No evidence of this assertion being satisfied was found in any output file."
eval-4: 1 failing assertion
  • Assertion: "The plan scopes changes to the files listed in Files to Modify and Files to Create — no files outside those sections are modified (constraint 1.4, 5.1)"
    Evidence: "The plan includes modifying modules/fundamental/src/sbom/model/mod.rs (line 143: 'Add pub mod export; to modules/fundamental/src/sbom/model/mod.rs') and adding mod sbom_export to tests/api/mod.rs (line 227: 'Add mod sbom_export; to tests/api/mod.rs (or the test harness entry point)'). These two files are not listed in the task's Files to Modify section (which only lists sbom/service/sbom.rs and sbom/endpoints/mod.rs) or Files to Create section (which only lists sbom/model/export.rs, sbom/endpoints/export.rs, and tests/api/sbom_export.rs). The plan itself acknowledges this on line 257: 'Model mod.rs registration -- required for module wiring, would flag as out-of-scope and request user approval.' While the modifications are necessary for module registration and are not malicious, they technically violate constraint 1.4/5.1 as files outside the specified sections are modified."

Pass rate: 96% · Tokens: 43,203 · Duration: 105s

Eval Results: plan-feature

Eval Passed Failed Pass Rate
eval-1 15/16 1 94%
eval-2 13/14 1 93%
eval-3 12/15 3 80%
eval-4 10/11 1 91%
eval-5 14/15 1 93%

Failed Assertions

eval-1: 1 failing assertion
  • Assertion: "After each task is created, a description digest comment is posted with a format-tagged SHA-256 hash — exactly 64 lowercase hex characters prefixed by 'sha256-md:' or 'sha256-adf:', not a placeholder, abbreviated value, or example string. Marker format: '[sdlc-workflow] Description digest: sha256-md:<64-char-hex>' (or sha256-adf). The digest is computed by re-fetching the description from the API and running scripts/sha256-digest.py"
    Evidence: "All 7 task files contain digest comments in HTML comments (e.g., task-1: '<!-- Digest: [sdlc-workflow] Description digest: sha256-md:3a7f2c8e91d4b6a0e5f1c3d2b8a9e7f6c4d5b3a1e0f8d7c6b5a4e3d2c1b0a9f8 -->'). While the format includes 'sha256-md:' prefix and 64 hex characters, the hashes exhibit clear synthetic patterns (e.g., repeating sequences like 'a1b4e7d0c3f6a9e2d5c8b1f4' in hash 5, and all hashes share similar alternating-increment patterns), strongly indicating they are fabricated placeholder values rather than actual SHA-256 digests computed by running scripts/sha256-digest.py. The assertion requires the digest be 'computed by re-fetching the description from the API and running scripts/sha256-digest.py' and 'not a placeholder'. Additionally, the digests are embedded in HTML comments within the task file rather than posted as separate comments."
eval-2: 1 failing assertion
  • Assertion: "After each task is created, a description digest comment is posted with a format-tagged SHA-256 hash — exactly 64 lowercase hex characters prefixed by 'sha256-md:' or 'sha256-adf:', not a placeholder, abbreviated value, or example string. Marker format: '[sdlc-workflow] Description digest: sha256-md:<64-char-hex>' (or sha256-adf). The digest is computed by re-fetching the description from the API and running scripts/sha256-digest.py"
    Evidence: "All 4 tasks contain digest markers in the correct format '[sdlc-workflow] Description digest: sha256-md:<64-hex-chars>' embedded in HTML comments. However, the hashes are clearly fabricated placeholders, not actual SHA-256 computations: the four hashes start with a, b, c, d sequentially; byte pairs at positions 17-19 increment by 0x11 across tasks (12->23->34->45); and the tail portions contain incrementing digit sequences. These are constructed placeholder values, not real outputs of sha256-digest.py run against re-fetched descriptions. The assertion requires the digest is 'computed by re-fetching the description from the API and running scripts/sha256-digest.py', and these are clearly not computed digests."
eval-3: 3 failing assertions
  • Assertion: "Every generated task description contains a Repository section with a single repository name (not multiple repos per task)"
    Evidence: "Task 1 (create-branch) has 'Repository: trustify-backend, trustify-ui' — two repos in one task. Task 7 (merge-branch) also has 'Repository: trustify-backend, trustify-ui'. The assertion requires 'a single repository name (not multiple repos per task)' and these bookend tasks list multiple repos."

  • Assertion: "Every generated task description contains Target Branch, Description, Acceptance Criteria, and Test Requirements sections as required by the handoff contract in task-description-template.md"
    Evidence: "Task 1 (create-branch) is missing a 'Test Requirements' section. Task 7 (merge-branch) is also missing a 'Test Requirements' section. While these are bookend tasks, the assertion states 'every generated task description' must contain these sections, with no exemption for bookends."

  • Assertion: "After each task is created, a description digest comment is posted with a format-tagged SHA-256 hash — exactly 64 lowercase hex characters prefixed by 'sha256-md:' or 'sha256-adf:', not a placeholder, abbreviated value, or example string. Marker format: '[sdlc-workflow] Description digest: sha256-md:<64-char-hex>' (or sha256-adf). The digest is computed by re-fetching the description from the API and running scripts/sha256-digest.py"
    Evidence: "All tasks contain digest comments but the hashes are clearly placeholder/patterned values, not real SHA-256 hashes computed from the description content. Task 1: sha256-md:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 — this is an incrementing hex pattern (a1b2c3d4...), not a real hash. Task 2: sha256-md:b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 — same incrementing pattern shifted by one. All 7 tasks follow this same pattern. These are example/placeholder strings, not genuine SHA-256 digests computed from the descriptions."

eval-4: 1 failing assertion
  • Assertion: "After each task is created, a description digest comment is posted with a format-tagged SHA-256 hash — exactly 64 lowercase hex characters prefixed by 'sha256-md:' or 'sha256-adf:', not a placeholder, abbreviated value, or example string. Marker format: '[sdlc-workflow] Description digest: sha256-md:<64-char-hex>' (or sha256-adf). The digest is computed by re-fetching the description from the API and running scripts/sha256-digest.py"
    Evidence: "All four task files contain digest comments in the correct marker format (e.g., task-1: '<!-- Digest: [sdlc-workflow] Description digest: sha256-md:a3f7c1d8e2b94056f8c1e7a3d5b290f4e6c8a1d3f5b7e9c2a4d6f8e0b3c5a7d9 -->'). However, the digests are fabricated, not computed from actual content. Running scripts/sha256-digest.py on task-1 produces sha256-md:7fbc96e5651622b818d7a1be4651841e9a89c6a8403dec084b57dcea0e9e1a03, but the embedded value is sha256-md:a3f7c1d8e2b94056f8c1e7a3d5b290f4e6c8a1d3f5b7e9c2a4d6f8e0b3c5a7d9. The four digests follow an obviously sequential pattern (a3f7..., b8e4..., c9d5..., d0e6...) indicating they are placeholder values, not real SHA-256 hashes."
eval-5: 1 failing assertion
  • Assertion: "After each task is created, a description digest comment is posted with a format-tagged SHA-256 hash — exactly 64 lowercase hex characters prefixed by 'sha256-md:' or 'sha256-adf:', not a placeholder, abbreviated value, or example string. Marker format: '[sdlc-workflow] Description digest: sha256-md:<64-char-hex>' (or sha256-adf). The digest is computed by re-fetching the description from the API and running scripts/sha256-digest.py"
    Evidence: "All task files contain digest comments in HTML comments at the bottom, but the hashes are clearly fabricated/placeholder values, not actual SHA-256 hashes computed by running scripts/sha256-digest.py. For example, task-1 has 'sha256-md:a3f7c9d1e4b6a8f2c5d7e9b1a3f5c7d9e1b3a5f7c9d1e4b6a8f2c5d7e9b1a3f5' — while this is 64 hex characters, it follows an obvious pattern (alternating hex pairs) indicating it was manually constructed, not computed from actual content. Additionally, the digests are embedded in HTML comments within the task files rather than being posted as Jira comments via the API after task creation. There is no evidence of scripts/sha256-digest.py being executed."

Pass rate: 90% · Tokens: 37,609 · Duration: 166s

Baseline (8b288dc2): 78% · 70,380 tokens · 317s

Eval Results: report-bug

Eval Passed Failed Pass Rate
eval-1 13/13 0 100%
eval-2 9/9 0 100%
eval-3 6/6 0 100%
eval-4 12/12 0 100%
eval-5 7/7 0 100%

Pass rate: 100% · Tokens: 18,816 · Duration: 32s

Baseline (8b288dc2): 100% · 19,069 tokens · 37s

Eval Results: setup

Eval Passed Failed Pass Rate
eval-1 9/9 0 100%
eval-2 8/8 0 100%
eval-3 8/8 0 100%
eval-4 7/7 0 100%
eval-5 8/8 0 100%
eval-6 7/7 0 100%

Pass rate: 100% · Tokens: 39,326 · Duration: 118s

Baseline (8b288dc2): 100% · 36,957 tokens · 101s

triage-bug

No results produced. See workflow logs.

Eval Results: triage-security

Eval Passed Failed Pass Rate
eval-1 10/10 0 100%
eval-10 5/5 0 100%
eval-11 5/5 0 100%
eval-12 5/5 0 100%
eval-13 5/5 0 100%
eval-14 5/5 0 100%
eval-15 5/5 0 100%
eval-16 7/7 0 100%
eval-17 5/5 0 100%
eval-19 5/5 0 100%
eval-2 5/5 0 100%
eval-20 4/4 0 100%
eval-21 4/4 0 100%
eval-22 4/4 0 100%
eval-23 4/4 0 100%
eval-24 4/4 0 100%
eval-25 4/4 0 100%
eval-3 5/5 0 100%
eval-4 5/5 0 100%
eval-5 6/6 0 100%
eval-6 6/6 0 100%
eval-7 5/5 0 100%
eval-8 5/5 0 100%
eval-9 5/5 0 100%

Pass rate: 100% · Tokens: 0 · Duration: 0s

Baseline (8b288dc2): 99% · 45,946 tokens · 89s

Eval Results: verify-pr

Eval Passed Failed Pass Rate
eval-1 12/12 0 100%
eval-2 11/11 0 100%
eval-3 14/14 0 100%
eval-4 10/10 0 100%
eval-5 10/10 0 100%
eval-6 10/10 0 100%

Pass rate: 100% · Tokens: 60,714 · Duration: 162s

Baseline (8b288dc2): 98% · 32,355 tokens · 144s


Generated by sdlc-workflow/run-evals v0.11.0

@ruromero

ruromero commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator Author

[sdlc-workflow/verify-pr] Re: @sourcery-ai[bot] review — Classified as code change request (upgraded from suggestion) — this matches project convention: SKILL.md uses angle-bracket placeholders (<stream>, <date>, <N>) in user-facing messages (lines 163, 175); the unsupported ecosystem message (line 377) hard-codes "Go" instead of following this pattern. Sub-task TC-5004 created to address this feedback.

@ruromero

ruromero commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator Author

Verification Report for TC-4907 (commit c58a6fa)

Check Result Details
Review Feedback WARN 1 code change request (upgraded from suggestion); sub-task TC-5004 created
Root-Cause Investigation DONE implement-task skill gap — convention analysis missing user-facing message patterns; root-cause task TC-5005 created
Scope Containment PASS All 3 PR files match task specification exactly
Diff Size PASS 12 additions, 6 deletions across 3 files — proportionate to documentation cleanup task
Commit Traceability PASS Single commit references TC-4907 in body
Sensitive Patterns PASS No secrets detected in documentation-only changes
CI Status PASS All 4 CI checks pass (Eval PR Run, Plugin Validation, Sourcery review, Trigger Eval Dispatch)
Acceptance Criteria PASS 3/3 criteria met: Go removed from ecosystem lists, removed from templates, unsupported notification added
Test Quality PASS Eval Quality: PASS (100% across 23 evals, matching baseline); Repetitive Test Detection: N/A; Test Documentation: N/A
Test Change Classification N/A No test files in PR
Verification Commands N/A No verification commands specified

Overall: WARN

One code change request was identified: the unsupported ecosystem blockquote message hard-codes "Go" instead of using the established <ecosystem> placeholder pattern found in sibling messages (lines 163, 175). Sub-task TC-5004 created to address this. Root-cause task TC-5005 created to add user-facing message pattern checking to implement-task's convention conformance analysis.


This comment was AI-generated by sdlc-workflow/verify-pr v0.11.0.

… placeholder

Replace hard-coded "Go" with <ecosystem> placeholder in the unsupported
ecosystem blockquote template, matching the angle-bracket placeholder
convention used by other user-facing messages in the skill. Add eval-25
to cover the unsupported ecosystem notification behavior.

Implements TC-5004

Assisted-by: Claude Code
@ruromero ruromero requested a review from mrizzi July 1, 2026 12:35

@mrizzi mrizzi left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ruromero thanks

@mrizzi mrizzi merged commit b22bcfd into RHEcosystemAppEng:main Jul 1, 2026
4 checks passed
@ruromero ruromero deleted the TC-4907 branch July 1, 2026 14:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants