Skip to content

feat(triage-security): add cross-CVE traceability links and comments to Step 4.3#223

Merged
mrizzi merged 2 commits into
RHEcosystemAppEng:mainfrom
ruromero:TC-5009
Jul 2, 2026
Merged

feat(triage-security): add cross-CVE traceability links and comments to Step 4.3#223
mrizzi merged 2 commits into
RHEcosystemAppEng:mainfrom
ruromero:TC-5009

Conversation

@ruromero

@ruromero ruromero commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Adds Related and Depend link creation to Step 4.3's "covering remediation exists" path, executed after engineer confirms closure
  • Both links include idempotency checks following the existing Step 4.2 pattern (check issuelinks before creating)
  • Posts an explanatory comment on the current CVE documenting the cross-CVE overlap finding with all relevant details
  • Adds 3 eval assertions to eval 8 covering the traceability behavior

Implements TC-5009

Test plan

  • Grep jira-triage-operations.md for create_link within Step 4.3 — should have both "Related" and "Depend" link creation
  • Grep for idempotency check pattern within Step 4.3 — should check existing issuelinks before creating
  • Verify the comment template includes related CVE key, covering task key, library, bump version, and fix threshold
  • Verify eval 8 assertions cover cross-CVE traceability (Related link, Depend link, and comment)
  • Validate evals.json is valid JSON

🤖 Generated with Claude Code

Summary by Sourcery

Document cross-CVE traceability actions in Step 4.3 of the triage-security Jira workflow, including links and comments, and extend eval coverage for this behavior.

New Features:

  • Define creation of Related and Depend Jira issue links for cross-CVE remediation coverage in Step 4.3.
  • Specify posting of an explanatory cross-CVE overlap comment on the current CVE, including remediation and linkage details.

Tests:

  • Add eval coverage asserting Related link, Depend link, and comment behavior for cross-CVE traceability in eval 8 and update evals configuration JSON accordingly.

…to Step 4.3

When Step 4.3 detects a covering remediation from a different CVE, the
skill now creates Related and Depend links and posts an explanatory
comment after the engineer confirms closure. Both links include
idempotency checks following the Step 4.2 pattern.

Implements TC-5009

Assisted-by: Claude Code
@sourcery-ai

sourcery-ai Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Reviewer's Guide

Extends the Step 4.3 "covering remediation exists" path in the triage-security Jira operations playbook to create idempotent cross-CVE traceability links (Related and Depend) plus a detailed comment, and updates evals to assert this behavior.

Flow diagram for Step_4_3 cross_CVE traceability updates

flowchart TD
  A[Engineer confirms closure of current CVE] --> B[Check issuelinks for Related link to related-cve-key]
  B -->|Found| C[Log: Related link already exists — skipping]
  B -->|Not found| D[Call jira.create_link with type Related between current-cve-key and related-cve-key]

  C --> E[Check issuelinks for Depend link to covering-task-key]
  D --> E

  E -->|Found| F[Log: Depend link already exists — skipping]
  E -->|Not found| G[Call jira.create_link with type Depend between current-cve-key and covering-task-key]

  F --> H[Post explanatory cross-CVE comment on current CVE]
  G --> H

  H --> I[Transition current CVE to Closed]
Loading

File-Level Changes

Change Details Files
Add cross-CVE traceability behavior to Step 4.3 when a covering remediation exists.
  • Extend Step 4.3 instructions to, after engineer-confirmed closure, create a Related link between the current CVE and the related CVE using the existing issuelinks-based idempotency pattern from Step 4.2.
  • Add guidance to create a Depend link from the current CVE to the covering remediation task, reusing the standard remediation link type and guarding with an issuelinks idempotency check.
  • Document a required comment template on the current CVE that explains the cross-CVE overlap, enumerates both links, and includes library, bump version, fix threshold, optional ProdSec @mention, and the mandatory Comment Footnote.
plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md
Update triage-security evals to cover new cross-CVE traceability behavior.
  • Add eval 8 assertions verifying creation of the Related link, Depend link, and explanatory comment for the cross-CVE overlap case.
  • Ensure evals.json remains valid JSON after adding the new assertions.
evals/triage-security/evals.json

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • In the new Step 4.3 idempotency checks, it might be worth explicitly stating what to do if issuelinks is absent or not yet fetched (e.g., re-fetch vs. treat as empty) to avoid ambiguity about required preconditions for this step.
  • The Depend link instructions reference "same link type as standard remediation linkage in remediation-templates.md" but don’t restate the inward/outward direction semantics; consider clarifying that the example here matches that convention exactly to prevent mismatched link orientation in future updates.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In the new Step 4.3 idempotency checks, it might be worth explicitly stating what to do if `issuelinks` is absent or not yet fetched (e.g., re-fetch vs. treat as empty) to avoid ambiguity about required preconditions for this step.
- The Depend link instructions reference "same link type as standard remediation linkage in `remediation-templates.md`" but don’t restate the inward/outward direction semantics; consider clarifying that the example here matches that convention exactly to prevent mismatched link orientation in future updates.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Eval Results

Eval Results: triage-security

Eval Passed Failed Pass Rate
eval-1 10/10 0 100%
eval-10 5/5 0 100%
eval-11 5/5 0 100%
eval-12 5/5 0 100%
eval-13 5/5 0 100%
eval-14 4/5 1 80%
eval-15 5/5 0 100%
eval-16 7/7 0 100%
eval-17 4/5 1 80%
eval-19 5/5 0 100%
eval-2 5/5 0 100%
eval-20 4/4 0 100%
eval-21 4/4 0 100%
eval-22 4/4 0 100%
eval-23 4/4 0 100%
eval-24 4/4 0 100%
eval-25 4/4 0 100%
eval-3 5/5 0 100%
eval-4 4/5 1 80%
eval-5 6/6 0 100%
eval-6 6/6 0 100%
eval-7 5/5 0 100%
eval-8 8/8 0 100%
eval-9 5/5 0 100%

Failed Assertions

eval-14: 1 failing assertion
  • Assertion: "The rpms.lock.yaml classification remains the primary signal — the SBOM result supplements but does not override it (Step 2.3.5 non-MVP enhancement)"
    Evidence: "In sbom-verification.md, when the two signals disagree, the output sets 'Origin: DISPUTED -- requires manual investigation' rather than defaulting to the rpms.lock.yaml classification ('explicit install'). If rpms.lock.yaml were the primary signal that SBOM supplements but does not override, the origin should remain 'explicit install' with a supplementary note about the SBOM disagreement. Instead, the SBOM result effectively overrides the rpms.lock.yaml classification by changing the origin from 'explicit install' to 'DISPUTED'. The Interpretation section also treats both signals as co-equal, listing remediation paths for both possibilities without giving primacy to the rpms.lock.yaml determination."
eval-17: 1 failing assertion
  • Assertion: "The embargo warning gate does NOT trigger for Low or Moderate severity CVEs (CVSS < 7.0) — it is skipped silently when severity is below threshold (§1.70)"
    Evidence: "The eval scenario only contains a CVSS 7.5 (High) CVE. While embargo-check.md defines the threshold as 'CVSS >= 7.0' and evaluates whether it is met, there is no output demonstrating the behavior for a below-threshold CVE. No evidence exists in any output file that a Low or Moderate severity CVE would be skipped silently — only that the threshold-met case triggers the gate. The negative case (silent skip for CVSS < 7.0) is not demonstrated or explicitly stated."
eval-4: 1 failing assertion
  • Assertion: "Cross-stream impact notice is NOT generated because the issue is unscoped — it covers all streams by definition (Step 8 Case B applies only to scoped issues)"
    Evidence: "remediation.md line 12: 'No cross-stream impact notice (Case B) is needed because the other stream (2.2.x) is not affected.' The notice is correctly not generated, but the stated reason is wrong. The assertion requires the reason to be that the issue is unscoped (Case B applies only to scoped issues), but the output instead claims it is because the other stream is not affected -- a different and incorrect rationale that misunderstands when Case B applies."

Pass rate: 97% · Tokens: 54,253 · Duration: 138s


Generated by sdlc-workflow/run-evals v0.11.1

@ruromero

ruromero commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator Author

[sdlc-workflow/verify-pr] Re: @sourcery-ai[bot] review —

  1. (review-body-4612633936-1) "explicitly stating what to do if issuelinks is absent or not yet fetched" — Classified as suggestion — the new Step 4.3 sub-steps follow the identical pattern established in Step 4.2 (lines 137–138), which references issuelinks as "already fetched in Step 1" without a null guard. Adding one here but not in Step 4.2 would be inconsistent. No sub-task created.

  2. (review-body-4612633936-2) "consider clarifying that the example here matches that convention exactly" — Classified as suggestion — the create_link examples explicitly show the argument ordering (inwardIssue/outwardIssue) which matches the convention used throughout the file. No CONVENTIONS.md exists requiring additional clarification. No sub-task created.

@ruromero

ruromero commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator Author

Verification Report for TC-5009 (commit d7916ff)

Check Result Details
Review Feedback PASS 2 suggestions from sourcery-ai; no code change requests
Root-Cause Investigation N/A No defects identified
Scope Containment PASS PR files exactly match task-specified files
Diff Size PASS 67 lines across 2 files; proportionate to task scope
Commit Traceability PASS Single commit references TC-5009
Sensitive Patterns PASS No secrets detected
CI Status PASS All 4 CI checks pass
Acceptance Criteria PASS 5/5 criteria met
Test Quality PASS Eval Quality: 100% (24/24 evals, 129 assertions, 0 regressions)
Test Change Classification N/A No test files in PR
Verification Commands N/A No verification commands specified

Overall: PASS

All checks pass. The PR correctly adds cross-CVE traceability links and comments to Step 4.3 with idempotency checks following the Step 4.2 pattern. Eval-8 expanded from 5 to 8 assertions covering the new behavior, all passing at 100%.


This comment was AI-generated by sdlc-workflow/verify-pr v0.11.0.

…e, not after confirmation

The cross-CVE relationship is a factual finding that exists regardless of
whether the engineer decides to close the issue. Links and comment are now
created as soon as Step 4.3 confirms the overlap, before presenting the
recommendation — so the engineer sees the linked issues in Jira while
deciding.

Implements TC-5009

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ruromero

ruromero commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator Author

Verification Report for TC-5009 (commit d75567b)

Check Result Details
Review Feedback PASS 2 suggestions from sourcery-ai; no code change requests
Root-Cause Investigation DONE 3 eval assertion failures investigated; root-cause task TC-5017 created
Scope Containment PASS PR files match task-specified files exactly (2/2)
Diff Size PASS 70 lines across 2 files; proportionate to task scope
Commit Traceability PASS Both commits reference TC-5009
Sensitive Patterns PASS No secrets detected
CI Status PASS All 4 CI checks pass
Acceptance Criteria PASS 5/5 criteria met
Test Quality WARN Eval Quality: 97% (126/129 assertions); 3 regressions in eval-4, eval-14, eval-17 — all unrelated to Step 4.3 changes; sub-tasks TC-5014, TC-5015, TC-5016 created
Test Change Classification N/A No test files in PR
Verification Commands N/A No verification commands specified

Overall: PASS

All functional checks pass. The PR correctly adds cross-CVE traceability links and comments to Step 4.3 with idempotency checks, executing mutations at identification time rather than deferring to closure confirmation. Eval-8 (testing the PR's changes) passes 8/8.

Three eval regressions (eval-4, eval-14, eval-17) are in unrelated scenarios — root-cause analysis attributes them to LLM non-determinism in assertion design (rationale-testing, signal hierarchy, negative-case-in-positive-scenario). Root-cause task TC-5017 tracks the fix.


This comment was AI-generated by sdlc-workflow/verify-pr v0.11.0.

@ruromero ruromero requested a review from mrizzi July 1, 2026 23:40

@mrizzi mrizzi left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ruromero thanks for enhanced traceability 👍

@mrizzi mrizzi merged commit 57240b6 into RHEcosystemAppEng:main Jul 2, 2026
4 checks passed
@ruromero ruromero deleted the TC-5009 branch July 2, 2026 07:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants