Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion evals/triage-security/evals.json
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,10 @@
"Step 4.3 filters search results by matching PS Component (customfield_10669 = pscomponent:org/rhtpa-ui) and Stream (customfield_10832 = rhtpa-2.2)",
"Step 4.3 traverses issuelinks on TC-8008 to find remediation task TC-8009 via the 'Depend' link type",
"Step 4.3 compares the remediation task's bump version (1.9.0) against the current CVE's fix threshold (1.8.2) and determines the fix is already covered",
"Triage outcome recommends closing the issue because existing remediation task TC-8009 already bumps axios past the fix threshold — no new remediation task is created"
"Triage outcome recommends closing the issue because existing remediation task TC-8009 already bumps axios past the fix threshold — no new remediation task is created",
"Step 4.3 creates a Related link between the current CVE (TC-8010) and the related CVE (TC-8008) with an idempotency check on existing issuelinks before creating",
"Step 4.3 creates a Depend link from the covering remediation task (TC-8009) to the current CVE (TC-8010) with an idempotency check on existing issuelinks before creating",
"A comment is posted on the current CVE documenting the cross-CVE overlap finding — including the related CVE key (TC-8008), covering task key (TC-8009), library (axios), bump version (1.9.0), and fix threshold (1.8.2)"
]
},
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -227,6 +227,71 @@ entirely.
If no ProdSec Jira account ID is configured, omit the @mention silently.

- **If a covering remediation exists:**

Create traceability links and post an explanatory comment as soon as the
overlap is confirmed (these record a factual relationship and must not be
deferred to a closure decision):

a. **Create Related link** between the current CVE and the related CVE
(idempotent — check existing `issuelinks` first, same pattern as
Step 4.2):

Check the current issue's `issuelinks` array (already fetched in
Step 1) for an existing link where `type.name` is `"Related"` and
`inwardIssue.key` or `outwardIssue.key` matches the related CVE key.

If a matching link exists, skip and log:
> "Related link to [related-cve-key] already exists — skipping"

If no matching link exists, create the link:
```
jira.create_link(
inwardIssue: <current-cve-key>,
outwardIssue: <related-cve-key>,
type: "Related"
)
```

b. **Create Depend link** from the covering remediation task to the
current CVE (same link type as standard remediation linkage in
`remediation-templates.md`):

Check the current issue's `issuelinks` array for an existing link
where `type.name` is `"Depend"` and `inwardIssue.key` or
`outwardIssue.key` matches the covering task key.

If a matching link exists, skip and log:
> "Depend link to [covering-task-key] already exists — skipping"

If no matching link exists, create the link:
```
jira.create_link(
inwardIssue: <current-cve-key>,
outwardIssue: <covering-task-key>,
type: "Depend"
)
```

c. **Post a comment** on the current CVE documenting the cross-CVE
overlap finding. If a ProdSec Jira account ID is configured, include
an @mention before the Comment Footnote:
```
Cross-CVE overlap: existing remediation task [covering-task-key] (from
[related-CVE-ID] / [related-cve-key]) already bumps [library] to
[version], which meets or exceeds this CVE's fix threshold
([fix-version]).

Links created:
- Related: [current-cve-key] ↔ [related-cve-key] (same upstream component)
- Depend: [current-cve-key] → [covering-task-key] (covering remediation)

[ProdSec @mention if configured]
[Comment Footnote]
```

MUST include the Comment Footnote (see SKILL.md).

Then present the finding and recommendation to the engineer:
```
Existing remediation task [task-key] (from [related-CVE-ID]) already bumps
[library] to [version], which meets or exceeds this CVE's fix threshold
Expand Down
Loading