potiuk opened a new pull request, #161:
URL: https://github.com/apache/airflow-steward/pull/161

   ## Summary
   - `generate_cve_json._product_for_package` anchored its subpackage
     lookup on `PROJECT_PREFIX = f"{TOP_LEVEL_NAME}-project-"` — a
     hardcoded `-project-` substring. Projects whose subpackages live
     under a different prefix (Apache Airflow ships
     `apache-airflow-providers-<dir>` on PyPI) saw `startswith(...)`
     fail and the function fall through to returning the raw PyPI
     package name as the CVE `product`. The configured
     `project_display_map` and `project_product_template` were silently
     ignored even when the `<project>` named group in
     `package_pattern` correctly captured the subpackage directory.
   - Fix: read the `project` named group from the configured
     `package_pattern` regex via `PACKAGE_RE.fullmatch(package_name)`,
     then look up the display map / fall through to title-cased
     fallback. The prefix becomes a project-level concern encoded in
     the regex (`-project-`, `-providers-`, anything else), not a
     generator constant. `PROJECT_PREFIX` is removed; no other reader
     exists.
   - Adds a `-providers-`-style fixture
     (`tests/fixtures/cve-json-config-providers.toml`) and a
     `TestProductForPackageProvidersStyle` class that exercises the
     new lookup path. The existing `-project-` test suite continues
     to pass unchanged — the regex captures the `project` group for
     both conventions.
   
   Real-world consequence: when this PR lands in the
   `airflow-s/airflow-s` adopter checkout, the next
   `generate_cve_json` invocation against an issue whose *Affected
   versions* line names `apache-airflow-providers-<dir>` will emit
   `product: "Apache Airflow Providers <Display>"` (matching the
   display map) instead of the raw PyPI package name. The first
   beneficiary is CVE-2026-27173.
   
   ## Test plan
   - [x] `uv run pytest tests/test_generate_cve_json.py -q` — 108
         passed (4 new regression tests in
         `TestProductForPackageProvidersStyle`)
   - [x] `prek run --files <changed files>` — ruff, mypy, pytest, and
         the rest pass
   - [ ] End-to-end: regenerate CVE-2026-27173 JSON from the tracker
         issue body and confirm `product` resolves via the display map
         instead of falling through to the raw package name


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

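The lookup the PR describes, written out as an added example that is not airflow-steward's own code: the pre-fix `_product_for_package` anchored on a hardcoded `<top>-project-` prefix beside the post-fix version that reads the `<project>` named group from the configured `package_pattern` via `fullmatch`. The field names `package_pattern`, `project_display_map` and `project_product_template` come from the PR text; the `CveJsonConfig` dataclass, the `{top}`/`{project}` template placeholders, the `display_for` and `compare` helpers, and the two constructed configs (`PROVIDERS_STYLE`, `PROJECT_STYLE`) are assumptions made for this example and do not reflect the real config schema.

```python
"""Added example, not airflow-steward's code: the package -> CVE ``product``
lookup before and after the fix described in PR #161. The config field names
(package_pattern, project_display_map, project_product_template) come from the
PR text; the config object, the ``{top}``/``{project}`` template placeholders
and the title-casing rule are assumptions made for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class CveJsonConfig:
    """Assumed in-memory shape of a cve-json-config (not the real schema)."""
    top_level_name: str            # PyPI name of the top-level package
    top_level_display: str         # human-readable name substituted for ``{top}``
    package_pattern: str           # regex that must define a ``project`` named group
    project_product_template: str = "{top} {project}"
    project_display_map: dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.package_re = re.compile(self.package_pattern)
        if "project" not in self.package_re.groupindex:
            raise ValueError("package_pattern must define a (?P<project>...) group")

    def display_for(self, subpackage: str) -> str:
        # Display map first, then the title-cased fallback the PR mentions.
        return self.project_display_map.get(
            subpackage, subpackage.replace("-", " ").title()
        )


def product_for_package_before(cfg: CveJsonConfig, package_name: str) -> str:
    """Pre-fix behaviour: anchored on a hardcoded '<top>-project-' prefix."""
    if package_name == cfg.top_level_name:
        return cfg.top_level_display
    prefix = f"{cfg.top_level_name}-project-"  # the removed PROJECT_PREFIX constant
    if package_name.startswith(prefix):
        project = cfg.display_for(package_name[len(prefix):])
        return cfg.project_product_template.format(
            top=cfg.top_level_display, project=project
        )
    # Any other convention (e.g. '-providers-') lands here: the raw PyPI name
    # leaks into the CVE record and the display map is silently ignored.
    return package_name


def product_for_package_after(cfg: CveJsonConfig, package_name: str) -> str:
    """Post-fix behaviour: the prefix lives in package_pattern, not the generator."""
    match = cfg.package_re.fullmatch(package_name)
    if match is None:
        return package_name  # not a package this project publishes: keep raw name
    subpackage = match.group("project")
    if subpackage is None:
        return cfg.top_level_display  # matched the top-level package itself
    return cfg.project_product_template.format(
        top=cfg.top_level_display, project=cfg.display_for(subpackage)
    )


# Constructed configs for the two naming conventions the PR mentions.
PROVIDERS_STYLE = CveJsonConfig(
    top_level_name="apache-airflow",
    top_level_display="Apache Airflow",
    package_pattern=r"apache-airflow(?:-providers-(?P<project>[a-z0-9-]+))?",
    project_product_template="{top} Providers {project}",
    project_display_map={"cncf-kubernetes": "CNCF Kubernetes"},
)

PROJECT_STYLE = CveJsonConfig(
    top_level_name="example",
    top_level_display="Example",
    package_pattern=r"example(?:-project-(?P<project>[a-z0-9-]+))?",
    project_display_map={"web-ui": "Web UI"},
)


def compare(cfg: CveJsonConfig, package_name: str) -> tuple[str, str]:
    """Return the (before, after) product strings for one PyPI package name."""
    return (
        product_for_package_before(cfg, package_name),
        product_for_package_after(cfg, package_name),
    )


if __name__ == "__main__":
    for cfg, name in [
        (PROVIDERS_STYLE, "apache-airflow-providers-cncf-kubernetes"),
        (PROVIDERS_STYLE, "apache-airflow-providers-amazon"),
        (PROVIDERS_STYLE, "apache-airflow"),
        (PROJECT_STYLE, "example-project-web-ui"),
        (PROJECT_STYLE, "requests"),
    ]:
        before, after = compare(cfg, name)
        print(f"{name:42} before={before!r:44} after={after!r}")
```

Running the block shows the regression the PR fixes: under `PROVIDERS_STYLE` the old code returns the raw `apache-airflow-providers-...` name, the new code returns `Apache Airflow Providers CNCF Kubernetes` from the display map (or a title-cased fallback such as `Apache Airflow Providers Amazon` for an unmapped directory), while under `PROJECT_STYLE` both versions agree, which is why the existing `-project-` tests keep passing.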