Skip to content

feat(triage-security): add decision logic for dev-only and feature-gated deps#233

Merged
mrizzi merged 1 commit into
RHEcosystemAppEng:mainfrom
ruromero:TC-4906
Jul 6, 2026
Merged

feat(triage-security): add decision logic for dev-only and feature-gated deps#233
mrizzi merged 1 commit into
RHEcosystemAppEng:mainfrom
ruromero:TC-4906

Conversation

@ruromero

@ruromero ruromero commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Add explicit dependency scope decision tree to Step 2.3.5 in version-impact-analysis.md covering dev-only/build-only and feature-gated optional dependencies
  • Update SKILL.md Important Rule fix(implement-task): remove hardcoded Git Pull Request custom field ID #8 to reference dev-dependency label and Normal priority for non-production deps
  • Expand remediation-templates.md Implementation Notes with dev-dependency handling guidance
  • Add two eval scenarios (26, 27) with fixture files for dev-only and feature-gated dependency CVE triages

Implements TC-4906

Test plan

  • Run eval scenario 26 (dev-only dependency CVE) — verify dev-dependency label and Normal priority in remediation output
  • Run eval scenario 27 (feature-gated dependency CVE) — verify VEX justification prompt with skip/proceed options
  • Verify evals.json is valid JSON
  • Verify existing eval scenarios still pass (no regressions from updated files)

🤖 Generated with Claude Code

Summary by Sourcery

Document and enforce triage rules for dev-only and feature-gated dependencies, and add evaluation scenarios to validate the updated security workflow behavior.

New Features:

  • Introduce a dependency scope decision tree for handling dev-only/build-only and feature-gated optional dependencies in security triage.
  • Add evaluation scenarios and mock data files for dev-only and feature-gated dependency CVE triage cases.

Enhancements:

  • Clarify remediation guidance and task creation rules for non-production dependencies, including standardized labels and priority handling.
  • Extend the security matrix mock data with version mappings for additional Rust dependencies used in evals.

Documentation:

  • Update triage-security documentation (version-impact analysis, SKILL rules, remediation templates) to describe handling of dev-only and feature-gated dependencies in vulnerability remediation.

Tests:

  • Add new triage-security eval scenarios and fixtures to exercise dev-only and feature-gated dependency vulnerability handling.

…ted deps

Add explicit decision tree to Step 2.3.5 for dependency scope handling:
- Dev-only/build-only deps get `dev-dependency` label and Normal priority
- Feature-gated optional deps prompt user with VEX justification option
- Update Important Rule RHEcosystemAppEng#8 and remediation templates accordingly

Add two eval scenarios (26, 27) with fixture files for dev-only and
feature-gated dependency CVE triages.

Implements TC-4906

Assisted-by: Claude Code
@sourcery-ai

sourcery-ai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Reviewer's Guide

Adds explicit dependency-scope decision logic for triage-security (dev-only/build-only vs feature-gated optional dependencies), wires that guidance into SKILL and remediation templates, and introduces two new eval scenarios with mock data to exercise the new behavior.

Sequence diagram for feature-gated optional dependency VEX justification flow

sequenceDiagram
  participant TriageSecuritySkill
  actor User
  participant RemediationTaskSystem
  participant VEXSystem

  TriageSecuritySkill->User: present VEX justification option
  User->TriageSecuritySkill: choose 1 (skip remediation)
  alt user chooses 1
    TriageSecuritySkill->VEXSystem: close version as not affected with justification Vulnerable_Code_not_in_Execute_Path
  else user chooses 2
    User->TriageSecuritySkill: choose 2 (proceed with remediation)
    TriageSecuritySkill->RemediationTaskSystem: create standard remediation tasks
  end
Loading

File-Level Changes

Change Details Files
Introduce a dependency scope decision tree to guide remediation handling for dev-only/build-only and feature-gated optional dependencies in version impact analysis.
  • Extend Step 2.3.5 guidance so that non-production dependency scope affects both risk assessment and remediation handling.
  • Define handling rules for dev-only and build-only dependencies, including dev-dependency labeling, Normal priority, and supply-chain-risk-only notes.
  • Define handling rules for feature-gated optional dependencies, including an interactive VEX justification prompt with skip/proceed options and corresponding remediation or closure behavior.
plugins/sdlc-workflow/skills/triage-security/version-impact-analysis.md
Align SKILL rules and remediation templates with the new dev-only/build-only dependency handling. plugins/sdlc-workflow/skills/triage-security/SKILL.md
plugins/sdlc-workflow/skills/triage-security/remediation-templates.md
Add eval fixtures and matrix data to test dev-only and feature-gated dependency CVE triage behavior.
  • Extend the security-matrix mock with criterion and rustls version data by product tag to support the new scenarios.
  • Add synthetic Jira vulnerability issues and manifest evidence for a feature-gated rustls dependency and a dev-only criterion dependency.
  • Update triage-security evals configuration to register the new scenarios and ensure JSON validity.
evals/triage-security/files/security-matrix-mock.md
evals/triage-security/files/vuln-issue-feature-gated.md
evals/triage-security/files/vuln-issue-dev-dependency.md
evals/triage-security/evals.json

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Eval Results

Eval Results: triage-security

Eval Passed Failed Pass Rate
eval-1 11/11 0 100%
eval-10 5/5 0 100%
eval-11 5/5 0 100%
eval-12 5/5 0 100%
eval-13 5/5 0 100%
eval-14 5/5 0 100%
eval-15 5/5 0 100%
eval-16 7/7 0 100%
eval-17 5/5 0 100%
eval-18 5/5 0 100%
eval-19 5/5 0 100%
eval-2 5/5 0 100%
eval-20 4/4 0 100%
eval-21 4/4 0 100%
eval-22 4/4 0 100%
eval-23 4/4 0 100%
eval-24 4/4 0 100%
eval-25 4/4 0 100%
eval-26 5/5 0 100%
eval-27 5/5 0 100%
eval-3 5/5 0 100%
eval-4 5/5 0 100%
eval-5 6/6 0 100%
eval-6 6/6 0 100%
eval-7 5/5 0 100%
eval-8 8/8 0 100%
eval-9 5/5 0 100%

Pass rate: 100% · Tokens: 0 · Duration: 0s

Baseline (7b46435b): 98% · 56,030 tokens · 134s


Generated by sdlc-workflow/run-evals v0.12.2

@ruromero

ruromero commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator Author

Verification Report for TC-4906 (commit 779be4c)

Check Result Details
Review Feedback N/A No review feedback on PR
Root-Cause Investigation N/A No sub-tasks created
Scope Containment WARN 4 eval files out of task spec scope (justified by Test Requirements)
Diff Size PASS 192 lines across 7 files, proportionate to task scope
Commit Traceability PASS Single commit references TC-4906
Sensitive Patterns PASS No secrets detected
CI Status PASS All 5 CI checks pass
Acceptance Criteria PASS All 3 acceptance criteria and 2 test requirements satisfied
Test Quality PASS Eval Quality: 100% (27/27 evals, baseline 98%)
Test Change Classification N/A No test files in PR (documentation-only repository)
Verification Commands N/A No verification commands specified

Overall: WARN

Scope Containment is WARN because 4 eval files (evals.json, security-matrix-mock.md, vuln-issue-dev-dependency.md, vuln-issue-feature-gated.md) are not listed in the task's Files to Modify/Create sections. These files are justified by the task's Test Requirements which explicitly request eval scenarios for dev-only and feature-gated dependency CVEs.


This comment was AI-generated by sdlc-workflow/verify-pr v0.12.2.

@mrizzi mrizzi left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ruromero it looks like you have a "treble": eval 100%, sourcery happy and skillsaw lint green 👏

@mrizzi mrizzi merged commit eda40c5 into RHEcosystemAppEng:main Jul 6, 2026
5 checks passed
@ruromero ruromero deleted the TC-4906 branch July 6, 2026 09:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants