From d7916ff0371963d5f6b2a263a5dced36faf91f38 Mon Sep 17 00:00:00 2001 From: Ruben Romero Montes Date: Wed, 1 Jul 2026 22:21:28 +0200 Subject: [PATCH 1/2] feat(triage-security): add cross-CVE traceability links and comments to Step 4.3 When Step 4.3 detects a covering remediation from a different CVE, the skill now creates Related and Depend links and posts an explanatory comment after the engineer confirms closure. Both links include idempotency checks following the Step 4.2 pattern. Implements TC-5009 Assisted-by: Claude Code --- evals/triage-security/evals.json | 5 +- .../triage-security/jira-triage-operations.md | 62 +++++++++++++++++++ 2 files changed, 66 insertions(+), 1 deletion(-) diff --git a/evals/triage-security/evals.json b/evals/triage-security/evals.json index 7b33b0460..a3b90f8d1 100644 --- a/evals/triage-security/evals.json +++ b/evals/triage-security/evals.json @@ -109,7 +109,10 @@ "Step 4.3 filters search results by matching PS Component (customfield_10669 = pscomponent:org/rhtpa-ui) and Stream (customfield_10832 = rhtpa-2.2)", "Step 4.3 traverses issuelinks on TC-8008 to find remediation task TC-8009 via the 'Depend' link type", "Step 4.3 compares the remediation task's bump version (1.9.0) against the current CVE's fix threshold (1.8.2) and determines the fix is already covered", - "Triage outcome recommends closing the issue because existing remediation task TC-8009 already bumps axios past the fix threshold — no new remediation task is created" + "Triage outcome recommends closing the issue because existing remediation task TC-8009 already bumps axios past the fix threshold — no new remediation task is created", + "After engineer confirms closure, Step 4.3 creates a Related link between the current CVE (TC-8010) and the related CVE (TC-8008) with an idempotency check on existing issuelinks before creating", + "After engineer confirms closure, Step 4.3 creates a Depend link from the covering remediation task (TC-8009) to the current CVE (TC-8010) with an idempotency check on existing issuelinks before creating", + "A comment is posted on the current CVE documenting the cross-CVE overlap finding — including the related CVE key (TC-8008), covering task key (TC-8009), library (axios), bump version (1.9.0), and fix threshold (1.8.2)" ] }, { diff --git a/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md b/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md index 555815762..738055e3f 100644 --- a/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md +++ b/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md @@ -235,6 +235,68 @@ entirely. Recommendation: Close this issue — the fix is already covered by [task-key]. [ProdSec @mention if configured] ``` + + **After engineer confirms closure**, create traceability links and post an + explanatory comment before transitioning to Closed: + + a. **Create Related link** between the current CVE and the related CVE + (idempotent — check existing `issuelinks` first, same pattern as + Step 4.2): + + Check the current issue's `issuelinks` array (already fetched in + Step 1) for an existing link where `type.name` is `"Related"` and + `inwardIssue.key` or `outwardIssue.key` matches the related CVE key. + + If a matching link exists, skip and log: + > "Related link to [related-cve-key] already exists — skipping" + + If no matching link exists, create the link: + ``` + jira.create_link( + inwardIssue: , + outwardIssue: , + type: "Related" + ) + ``` + + b. **Create Depend link** from the covering remediation task to the + current CVE (same link type as standard remediation linkage in + `remediation-templates.md`): + + Check the current issue's `issuelinks` array for an existing link + where `type.name` is `"Depend"` and `inwardIssue.key` or + `outwardIssue.key` matches the covering task key. + + If a matching link exists, skip and log: + > "Depend link to [covering-task-key] already exists — skipping" + + If no matching link exists, create the link: + ``` + jira.create_link( + inwardIssue: , + outwardIssue: , + type: "Depend" + ) + ``` + + c. **Post a comment** on the current CVE documenting the cross-CVE + overlap finding. If a ProdSec Jira account ID is configured, include + an @mention before the Comment Footnote: + ``` + Cross-CVE overlap: existing remediation task [covering-task-key] (from + [related-CVE-ID] / [related-cve-key]) already bumps [library] to + [version], which meets or exceeds this CVE's fix threshold + ([fix-version]). + + Links created: + - Related: [current-cve-key] ↔ [related-cve-key] (same upstream component) + - Depend: [current-cve-key] → [covering-task-key] (covering remediation) + + [ProdSec @mention if configured] + [Comment Footnote] + ``` + + MUST include the Comment Footnote (see SKILL.md). - **If related CVEs exist but no covering remediation:** ``` Related CVE Jiras found for [component] in the same stream: From d75567b4d7a1b815454b6fc23005cce5831d2546 Mon Sep 17 00:00:00 2001 From: Ruben Romero Montes Date: Wed, 1 Jul 2026 23:38:40 +0200 Subject: [PATCH 2/2] fix(triage-security): create traceability links at identification time, not after confirmation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The cross-CVE relationship is a factual finding that exists regardless of whether the engineer decides to close the issue. Links and comment are now created as soon as Step 4.3 confirms the overlap, before presenting the recommendation — so the engineer sees the linked issues in Jira while deciding. Implements TC-5009 Co-Authored-By: Claude Opus 4.6 --- evals/triage-security/evals.json | 4 ++-- .../triage-security/jira-triage-operations.md | 23 +++++++++++-------- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/evals/triage-security/evals.json b/evals/triage-security/evals.json index a3b90f8d1..243b076f5 100644 --- a/evals/triage-security/evals.json +++ b/evals/triage-security/evals.json @@ -110,8 +110,8 @@ "Step 4.3 traverses issuelinks on TC-8008 to find remediation task TC-8009 via the 'Depend' link type", "Step 4.3 compares the remediation task's bump version (1.9.0) against the current CVE's fix threshold (1.8.2) and determines the fix is already covered", "Triage outcome recommends closing the issue because existing remediation task TC-8009 already bumps axios past the fix threshold — no new remediation task is created", - "After engineer confirms closure, Step 4.3 creates a Related link between the current CVE (TC-8010) and the related CVE (TC-8008) with an idempotency check on existing issuelinks before creating", - "After engineer confirms closure, Step 4.3 creates a Depend link from the covering remediation task (TC-8009) to the current CVE (TC-8010) with an idempotency check on existing issuelinks before creating", + "Step 4.3 creates a Related link between the current CVE (TC-8010) and the related CVE (TC-8008) with an idempotency check on existing issuelinks before creating", + "Step 4.3 creates a Depend link from the covering remediation task (TC-8009) to the current CVE (TC-8010) with an idempotency check on existing issuelinks before creating", "A comment is posted on the current CVE documenting the cross-CVE overlap finding — including the related CVE key (TC-8008), covering task key (TC-8009), library (axios), bump version (1.9.0), and fix threshold (1.8.2)" ] }, diff --git a/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md b/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md index 738055e3f..15d6d77c0 100644 --- a/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md +++ b/plugins/sdlc-workflow/skills/triage-security/jira-triage-operations.md @@ -227,17 +227,10 @@ entirely. If no ProdSec Jira account ID is configured, omit the @mention silently. - **If a covering remediation exists:** - ``` - Existing remediation task [task-key] (from [related-CVE-ID]) already bumps - [library] to [version], which meets or exceeds this CVE's fix threshold - ([fix-version]). No new remediation task needed. - Recommendation: Close this issue — the fix is already covered by [task-key]. - [ProdSec @mention if configured] - ``` - - **After engineer confirms closure**, create traceability links and post an - explanatory comment before transitioning to Closed: + Create traceability links and post an explanatory comment as soon as the + overlap is confirmed (these record a factual relationship and must not be + deferred to a closure decision): a. **Create Related link** between the current CVE and the related CVE (idempotent — check existing `issuelinks` first, same pattern as @@ -297,6 +290,16 @@ entirely. ``` MUST include the Comment Footnote (see SKILL.md). + + Then present the finding and recommendation to the engineer: + ``` + Existing remediation task [task-key] (from [related-CVE-ID]) already bumps + [library] to [version], which meets or exceeds this CVE's fix threshold + ([fix-version]). No new remediation task needed. + + Recommendation: Close this issue — the fix is already covered by [task-key]. + [ProdSec @mention if configured] + ``` - **If related CVEs exist but no covering remediation:** ``` Related CVE Jiras found for [component] in the same stream: