feat(triage-security): add cross-CVE traceability links and comments to Step 4.3#223
Conversation
…to Step 4.3 When Step 4.3 detects a covering remediation from a different CVE, the skill now creates Related and Depend links and posts an explanatory comment after the engineer confirms closure. Both links include idempotency checks following the Step 4.2 pattern. Implements TC-5009 Assisted-by: Claude Code
Reviewer's GuideExtends the Step 4.3 "covering remediation exists" path in the triage-security Jira operations playbook to create idempotent cross-CVE traceability links (Related and Depend) plus a detailed comment, and updates evals to assert this behavior. Flow diagram for Step_4_3 cross_CVE traceability updatesflowchart TD
A[Engineer confirms closure of current CVE] --> B[Check issuelinks for Related link to related-cve-key]
B -->|Found| C[Log: Related link already exists — skipping]
B -->|Not found| D[Call jira.create_link with type Related between current-cve-key and related-cve-key]
C --> E[Check issuelinks for Depend link to covering-task-key]
D --> E
E -->|Found| F[Log: Depend link already exists — skipping]
E -->|Not found| G[Call jira.create_link with type Depend between current-cve-key and covering-task-key]
F --> H[Post explanatory cross-CVE comment on current CVE]
G --> H
H --> I[Transition current CVE to Closed]
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- In the new Step 4.3 idempotency checks, it might be worth explicitly stating what to do if
issuelinksis absent or not yet fetched (e.g., re-fetch vs. treat as empty) to avoid ambiguity about required preconditions for this step. - The Depend link instructions reference "same link type as standard remediation linkage in
remediation-templates.md" but don’t restate the inward/outward direction semantics; consider clarifying that the example here matches that convention exactly to prevent mismatched link orientation in future updates.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In the new Step 4.3 idempotency checks, it might be worth explicitly stating what to do if `issuelinks` is absent or not yet fetched (e.g., re-fetch vs. treat as empty) to avoid ambiguity about required preconditions for this step.
- The Depend link instructions reference "same link type as standard remediation linkage in `remediation-templates.md`" but don’t restate the inward/outward direction semantics; consider clarifying that the example here matches that convention exactly to prevent mismatched link orientation in future updates.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
There was a problem hiding this comment.
Eval Results
Eval Results: triage-security
| Eval | Passed | Failed | Pass Rate |
|---|---|---|---|
| eval-1 | 10/10 | 0 | 100% |
| eval-10 | 5/5 | 0 | 100% |
| eval-11 | 5/5 | 0 | 100% |
| eval-12 | 5/5 | 0 | 100% |
| eval-13 | 5/5 | 0 | 100% |
| eval-14 | 4/5 | 1 | 80% |
| eval-15 | 5/5 | 0 | 100% |
| eval-16 | 7/7 | 0 | 100% |
| eval-17 | 4/5 | 1 | 80% |
| eval-19 | 5/5 | 0 | 100% |
| eval-2 | 5/5 | 0 | 100% |
| eval-20 | 4/4 | 0 | 100% |
| eval-21 | 4/4 | 0 | 100% |
| eval-22 | 4/4 | 0 | 100% |
| eval-23 | 4/4 | 0 | 100% |
| eval-24 | 4/4 | 0 | 100% |
| eval-25 | 4/4 | 0 | 100% |
| eval-3 | 5/5 | 0 | 100% |
| eval-4 | 4/5 | 1 | 80% |
| eval-5 | 6/6 | 0 | 100% |
| eval-6 | 6/6 | 0 | 100% |
| eval-7 | 5/5 | 0 | 100% |
| eval-8 | 8/8 | 0 | 100% |
| eval-9 | 5/5 | 0 | 100% |
Failed Assertions
eval-14: 1 failing assertion
- Assertion: "The rpms.lock.yaml classification remains the primary signal — the SBOM result supplements but does not override it (Step 2.3.5 non-MVP enhancement)"
Evidence: "In sbom-verification.md, when the two signals disagree, the output sets 'Origin: DISPUTED -- requires manual investigation' rather than defaulting to the rpms.lock.yaml classification ('explicit install'). If rpms.lock.yaml were the primary signal that SBOM supplements but does not override, the origin should remain 'explicit install' with a supplementary note about the SBOM disagreement. Instead, the SBOM result effectively overrides the rpms.lock.yaml classification by changing the origin from 'explicit install' to 'DISPUTED'. The Interpretation section also treats both signals as co-equal, listing remediation paths for both possibilities without giving primacy to the rpms.lock.yaml determination."
eval-17: 1 failing assertion
- Assertion: "The embargo warning gate does NOT trigger for Low or Moderate severity CVEs (CVSS < 7.0) — it is skipped silently when severity is below threshold (§1.70)"
Evidence: "The eval scenario only contains a CVSS 7.5 (High) CVE. While embargo-check.md defines the threshold as 'CVSS >= 7.0' and evaluates whether it is met, there is no output demonstrating the behavior for a below-threshold CVE. No evidence exists in any output file that a Low or Moderate severity CVE would be skipped silently — only that the threshold-met case triggers the gate. The negative case (silent skip for CVSS < 7.0) is not demonstrated or explicitly stated."
eval-4: 1 failing assertion
- Assertion: "Cross-stream impact notice is NOT generated because the issue is unscoped — it covers all streams by definition (Step 8 Case B applies only to scoped issues)"
Evidence: "remediation.md line 12: 'No cross-stream impact notice (Case B) is needed because the other stream (2.2.x) is not affected.' The notice is correctly not generated, but the stated reason is wrong. The assertion requires the reason to be that the issue is unscoped (Case B applies only to scoped issues), but the output instead claims it is because the other stream is not affected -- a different and incorrect rationale that misunderstands when Case B applies."
Pass rate: 97% · Tokens: 54,253 · Duration: 138s
Generated by sdlc-workflow/run-evals v0.11.1
|
[sdlc-workflow/verify-pr] Re: @sourcery-ai[bot] review —
|
Verification Report for TC-5009 (commit d7916ff)
Overall: PASSAll checks pass. The PR correctly adds cross-CVE traceability links and comments to Step 4.3 with idempotency checks following the Step 4.2 pattern. Eval-8 expanded from 5 to 8 assertions covering the new behavior, all passing at 100%. This comment was AI-generated by sdlc-workflow/verify-pr v0.11.0. |
…e, not after confirmation The cross-CVE relationship is a factual finding that exists regardless of whether the engineer decides to close the issue. Links and comment are now created as soon as Step 4.3 confirms the overlap, before presenting the recommendation — so the engineer sees the linked issues in Jira while deciding. Implements TC-5009 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Verification Report for TC-5009 (commit d75567b)
Overall: PASSAll functional checks pass. The PR correctly adds cross-CVE traceability links and comments to Step 4.3 with idempotency checks, executing mutations at identification time rather than deferring to closure confirmation. Eval-8 (testing the PR's changes) passes 8/8. Three eval regressions (eval-4, eval-14, eval-17) are in unrelated scenarios — root-cause analysis attributes them to LLM non-determinism in assertion design (rationale-testing, signal hierarchy, negative-case-in-positive-scenario). Root-cause task TC-5017 tracks the fix. This comment was AI-generated by sdlc-workflow/verify-pr v0.11.0. |
Summary
issuelinksbefore creating)Implements TC-5009
Test plan
jira-triage-operations.mdforcreate_linkwithin Step 4.3 — should have both "Related" and "Depend" link creationissuelinksbefore creatingevals.jsonis valid JSON🤖 Generated with Claude Code
Summary by Sourcery
Document cross-CVE traceability actions in Step 4.3 of the triage-security Jira workflow, including links and comments, and extend eval coverage for this behavior.
New Features:
Tests: