diff --git a/evals/triage-security/evals.json b/evals/triage-security/evals.json index 7b33b0460..243b076f5 100644 --- a/evals/triage-security/evals.json +++ b/evals/triage-security/evals.json @@ -109,7 +109,10 @@ "Step 4.3 filters search results by matching PS Component (customfield_10669 = pscomponent:org/rhtpa-ui) and Stream (customfield_10832 = rhtpa-2.2)", "Step 4.3 traverses issuelinks on TC-8008 to find remediation task TC-8009 via the 'Depend' link type", "Step 4.3 compares the remediation task's bump version (1.9.0) against the current CVE's fix threshold (1.8.2) and determines the fix is already covered", - "Triage outcome recommends closing the issue because existing remediation task TC-8009 already bumps axios past the fix threshold — no new remediation task is created" + "Triage outcome recommends closing the issue because existing remediation task TC-8009 already bumps axios past the fix threshold — no new remediation task is created", + "Step 4.3 creates a Related link between the current CVE (TC-8010) and the related CVE (TC-8008) with an idempotency check on existing issuelinks before creating", + "Step 4.3 creates a Depend link from the covering remediation task (TC-8009) to the current CVE (TC-8010) with an idempotency check on existing issuelinks before creating", + "A comment is posted on the current CVE documenting the cross-CVE overlap finding — including the related CVE key (TC-8008), covering task key (TC-8009), library (axios), bump version (1.9.0), and fix threshold (1.8.2)" ] }, { diff --git a/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md b/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md index 555815762..15d6d77c0 100644 --- a/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md +++ b/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md @@ -227,6 +227,71 @@ entirely. If no ProdSec Jira account ID is configured, omit the @mention silently. - **If a covering remediation exists:** + + Create traceability links and post an explanatory comment as soon as the + overlap is confirmed (these record a factual relationship and must not be + deferred to a closure decision): + + a. **Create Related link** between the current CVE and the related CVE + (idempotent — check existing `issuelinks` first, same pattern as + Step 4.2): + + Check the current issue's `issuelinks` array (already fetched in + Step 1) for an existing link where `type.name` is `"Related"` and + `inwardIssue.key` or `outwardIssue.key` matches the related CVE key. + + If a matching link exists, skip and log: + > "Related link to [related-cve-key] already exists — skipping" + + If no matching link exists, create the link: + ``` + jira.create_link( + inwardIssue: , + outwardIssue: , + type: "Related" + ) + ``` + + b. **Create Depend link** from the covering remediation task to the + current CVE (same link type as standard remediation linkage in + `remediation-templates.md`): + + Check the current issue's `issuelinks` array for an existing link + where `type.name` is `"Depend"` and `inwardIssue.key` or + `outwardIssue.key` matches the covering task key. + + If a matching link exists, skip and log: + > "Depend link to [covering-task-key] already exists — skipping" + + If no matching link exists, create the link: + ``` + jira.create_link( + inwardIssue: , + outwardIssue: , + type: "Depend" + ) + ``` + + c. **Post a comment** on the current CVE documenting the cross-CVE + overlap finding. If a ProdSec Jira account ID is configured, include + an @mention before the Comment Footnote: + ``` + Cross-CVE overlap: existing remediation task [covering-task-key] (from + [related-CVE-ID] / [related-cve-key]) already bumps [library] to + [version], which meets or exceeds this CVE's fix threshold + ([fix-version]). + + Links created: + - Related: [current-cve-key] ↔ [related-cve-key] (same upstream component) + - Depend: [current-cve-key] → [covering-task-key] (covering remediation) + + [ProdSec @mention if configured] + [Comment Footnote] + ``` + + MUST include the Comment Footnote (see SKILL.md). + + Then present the finding and recommendation to the engineer: ``` Existing remediation task [task-key] (from [related-CVE-ID]) already bumps [library] to [version], which meets or exceeds this CVE's fix threshold