This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new ff38bc2 feat(security-issue-sync): gate fix-released hand-off on
mandatory CVE fields (#202)
ff38bc2 is described below
commit ff38bc25435fc71abcdbc306ce3dd7152eb8905b
Author: Jarek Potiuk <[email protected]>
AuthorDate: Mon May 18 01:29:43 2026 +0200
feat(security-issue-sync): gate fix-released hand-off on mandatory CVE
fields (#202)
The pr merged → fix released transition (Step 12) hands ownership
of a tracker from the remediation developer to the release
manager. The release manager needs every CVE body field populated
to send the advisory at Step 13, but the sync previously proposed
the hand-off on the release-shipped signal alone — leaving the
release manager to chase down missing CWE / Affected versions /
Severity / Reporter credit / Short public summary / PR-with-fix
entries themselves.
What changed:
- Step 2b table row for the fix-released transition gains a
precondition: if any of the six mandatory body fields is empty
or _No response_, the sync proposes a tracker comment
@-mentioning the Remediation developer listing exactly which
fields are missing, instead of the label flip and the assignee
swap. A later sync detects the gate is clear and proceeds.
- Description-fields paragraph in Step 2b adds an explicit
allow-list of two fields the agent may proactively auto-propose
during earlier syncs:
- CWE — derived from the patch (auth-bypass → CWE-287, SQL
injection → CWE-89, path traversal → CWE-22, …). Only when
unambiguous; must cite the file/line range that drove the
mapping. Ambiguity is flagged, never guessed.
- Affected versions — derived from the upstream PR's milestone
mapped to the project's per-scope convention. Only when the
milestone uniquely determines the range.
All other mandatory fields stay on the external-signal path.
- New content guideline for the Short public summary for publish
field: it powers the published CVE description end users read,
so it must tell them what to do (fixed version, mitigations,
CWE class is allowed). The agent proposes a rewrite when the
field is technically accurate but missing the user-facing
action.
Generated-by: Claude Code (Opus 4.7)
---
.claude/skills/security-issue-sync/SKILL.md | 42 +++++++++++++++++++++++++++--
1 file changed, 40 insertions(+), 2 deletions(-)
diff --git a/.claude/skills/security-issue-sync/SKILL.md
b/.claude/skills/security-issue-sync/SKILL.md
index ceb5283..393f16d 100644
--- a/.claude/skills/security-issue-sync/SKILL.md
+++ b/.claude/skills/security-issue-sync/SKILL.md
@@ -706,7 +706,7 @@ update, label change, or next-step recommendation in Step 2:
| The *"PR with the fix"* body field has at least one PR URL **and** the
*"Remediation developer"* body field is missing the PR author's name (or is
`_No response_`) | Propose appending the PR author's display name (`gh pr view
<N> --repo <upstream> --json author --jq '.author.name // .author.login'`) to
the *"Remediation developer"* body field. **Append, never overwrite** — manual
edits (co-authors added by the triager, name spelling corrections, "Anonymous"
overrides) must survive subs [...]
| The *"Affected versions"* body field is missing, holds a pre-convention
shape, or carries the project's pre-release sentinel, and the tracker is
**not** at `fix released` yet | Propose populating / refining *"Affected
versions"* per the project's convention. The per-scope shape, the pre-release
sentinel (if any), and the lifecycle live in
[`<project-config>/scope-labels.md` — *Affected versions convention by
scope*](../../../<project-config>/scope-labels.md#affected-versions-convention
[...]
| A tracker is transitioning to `fix released` (per the row below) and
*"Affected versions"* still carries the project's pre-release sentinel |
Propose replacing the sentinel with the concrete released version per the
project's convention; see [`<project-config>/scope-labels.md` — *Affected
versions convention by
scope*](../../../<project-config>/scope-labels.md#affected-versions-convention-by-scope)
for the recipe. After the body update, regenerate the CVE JSON attachment so
`versions[] [...]
-| A release carrying the fix has shipped. Detection is **scope-dependent** —
different scope labels on a project can ride different release trains, each
with its own *"is it released?"* signal (which artifact registry to consult,
what to query, how to map a tracker's milestone to that registry,
partial-release edge cases). The per-scope detection recipe lives in
[`<project-config>/scope-labels.md` — *Detecting that a fix release has
shipped*](../../../<project-config>/scope-labels.md#det [...]
+| A release carrying the fix has shipped. Detection is **scope-dependent** —
different scope labels on a project can ride different release trains, each
with its own *"is it released?"* signal (which artifact registry to consult,
what to query, how to map a tracker's milestone to that registry,
partial-release edge cases). The per-scope detection recipe lives in
[`<project-config>/scope-labels.md` — *Detecting that a fix release has
shipped*](../../../<project-config>/scope-labels.md#det [...]
| GHSA state transition (opened, accepted, published, rejected) in a
GHSA-forwarded email | If the GHSA is closed as "not accepted" but the security
team accepted the report on `security@`, flag the divergence in the status
comment so it is not lost. |
| Team member saying *"let's also backport to v3-2-test"* / *"please mark X
for backport"* | Note the requested backport label on the public PR as an item
for Step 9 of the `security-issue-fix` workflow. |
| Reporter flagging a second distinct vulnerability on the same thread |
Surface as an explicit question to the user — it may warrant a separate
tracking issue. |
@@ -1127,7 +1127,45 @@ will change and *why*. Group them by category:
as *"still `_No response_` — needs \<what\> before it can be filled"*.
Do not silently leave fields empty across multiple sync runs — the
release manager at Step 13 needs **every** field filled in to send the
- advisory.
+ advisory, and the `pr merged → fix released` transition is gated on
+ the six mandatory fields per the table row in Step 2b above.
+
+ **Agent-derivable fields — propose high-confidence values proactively.**
+ Two of the mandatory fields can be derived by the agent itself with
+ high confidence from artefacts already in the sync's evidence pool,
+ rather than waiting for a human to fill them in. Treat the following
+ as the allow-listed set for active auto-proposal whenever the field
+ is empty or `_No response_`:
+
+ - **CWE** — map the patch to a CWE class (e.g., a missing-auth-check
+ fix → CWE-287, untrusted-input-into-SQL fix → CWE-89, path-traversal
+ guard fix → CWE-22). **Propose only when the patch is unambiguous**
+ — when multiple plausible CWE classes fit, flag the ambiguity
+ instead of guessing. Cite the file path(s) and line range(s) that
+ drove the mapping so the user can sanity-check before confirming.
+
+ - **Affected versions** — derive from the `<upstream>` PR's milestone
+ / fix-version metadata mapped to the project's per-scope convention
+ (see [`<project-config>/scope-labels.md` — *Affected versions
+ convention by
scope*](../../../<project-config>/scope-labels.md#affected-versions-convention-by-scope)).
+ Propose only when the milestone uniquely determines the affected
+ range; flag ambiguity (e.g. multiple backport milestones with
+ partial coverage) rather than guessing.
+
+ All other mandatory fields stay on the *external-signal* path:
+ propose values only when the discussion, mail thread, PR, or GHSA
+ provides enough information — never guess them.
+
+ **"Short public summary for publish" must include user-facing
+ instructions.** This field powers the published CVE description that
+ end users read in the advisory. Beyond stating the vulnerability in
+ one or two sentences, the summary must tell users **what to do**:
+ the fixed version to upgrade to, the mitigations available for users
+ who cannot upgrade immediately, and the CWE class (allowed and
+ useful — CWE is not embargoed information once the advisory ships).
+ When the field is technically accurate but missing the action a user
+ should take, propose a rewrite — even when the rest of the gate at
+ the `pr merged → fix released` transition is otherwise clear.
**Special case for the "Security mailing list thread" field — leave
it alone.** This field holds the internal navigation reference to
