feat(triage-security): add decision logic for dev-only and feature-gated deps#233
Conversation
…ted deps Add explicit decision tree to Step 2.3.5 for dependency scope handling: - Dev-only/build-only deps get `dev-dependency` label and Normal priority - Feature-gated optional deps prompt user with VEX justification option - Update Important Rule RHEcosystemAppEng#8 and remediation templates accordingly Add two eval scenarios (26, 27) with fixture files for dev-only and feature-gated dependency CVE triages. Implements TC-4906 Assisted-by: Claude Code
Reviewer's GuideAdds explicit dependency-scope decision logic for triage-security (dev-only/build-only vs feature-gated optional dependencies), wires that guidance into SKILL and remediation templates, and introduces two new eval scenarios with mock data to exercise the new behavior. Sequence diagram for feature-gated optional dependency VEX justification flowsequenceDiagram
participant TriageSecuritySkill
actor User
participant RemediationTaskSystem
participant VEXSystem
TriageSecuritySkill->User: present VEX justification option
User->TriageSecuritySkill: choose 1 (skip remediation)
alt user chooses 1
TriageSecuritySkill->VEXSystem: close version as not affected with justification Vulnerable_Code_not_in_Execute_Path
else user chooses 2
User->TriageSecuritySkill: choose 2 (proceed with remediation)
TriageSecuritySkill->RemediationTaskSystem: create standard remediation tasks
end
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Eval Results
Eval Results: triage-security
| Eval | Passed | Failed | Pass Rate |
|---|---|---|---|
| eval-1 | 11/11 | 0 | 100% |
| eval-10 | 5/5 | 0 | 100% |
| eval-11 | 5/5 | 0 | 100% |
| eval-12 | 5/5 | 0 | 100% |
| eval-13 | 5/5 | 0 | 100% |
| eval-14 | 5/5 | 0 | 100% |
| eval-15 | 5/5 | 0 | 100% |
| eval-16 | 7/7 | 0 | 100% |
| eval-17 | 5/5 | 0 | 100% |
| eval-18 | 5/5 | 0 | 100% |
| eval-19 | 5/5 | 0 | 100% |
| eval-2 | 5/5 | 0 | 100% |
| eval-20 | 4/4 | 0 | 100% |
| eval-21 | 4/4 | 0 | 100% |
| eval-22 | 4/4 | 0 | 100% |
| eval-23 | 4/4 | 0 | 100% |
| eval-24 | 4/4 | 0 | 100% |
| eval-25 | 4/4 | 0 | 100% |
| eval-26 | 5/5 | 0 | 100% |
| eval-27 | 5/5 | 0 | 100% |
| eval-3 | 5/5 | 0 | 100% |
| eval-4 | 5/5 | 0 | 100% |
| eval-5 | 6/6 | 0 | 100% |
| eval-6 | 6/6 | 0 | 100% |
| eval-7 | 5/5 | 0 | 100% |
| eval-8 | 8/8 | 0 | 100% |
| eval-9 | 5/5 | 0 | 100% |
Pass rate: 100% · Tokens: 0 · Duration: 0s
Baseline (7b46435b): 98% · 56,030 tokens · 134s
Generated by sdlc-workflow/run-evals v0.12.2
Verification Report for TC-4906 (commit 779be4c)
Overall: WARNScope Containment is WARN because 4 eval files ( This comment was AI-generated by sdlc-workflow/verify-pr v0.12.2. |
Summary
version-impact-analysis.mdcovering dev-only/build-only and feature-gated optional dependenciesdev-dependencylabel and Normal priority for non-production depsremediation-templates.mdImplementation Notes with dev-dependency handling guidanceImplements TC-4906
Test plan
dev-dependencylabel and Normal priority in remediation output🤖 Generated with Claude Code
Summary by Sourcery
Document and enforce triage rules for dev-only and feature-gated dependencies, and add evaluation scenarios to validate the updated security workflow behavior.
New Features:
Enhancements:
Documentation:
Tests: