potiuk opened a new pull request, #384: URL: https://github.com/apache/airflow-steward/pull/384
## Summary

Per Arnout Engelen's 2026-05-29 review comment on CVE-2026-49298 — when a CVE is an incomplete-fix follow-up to a prior CVE (or otherwise relates to one), the JSON should carry a structured `references[]` entry of type `related` pointing at the prior CVE record so ASF Security's downstream tooling can navigate the cross-CVE relationship.

## Implementation

- `classify_reference` tags `cve.org/CVERecord?id=...` and `nvd.nist.gov/vuln/detail/...` URLs as `["related"]`.
- `extract_related_cve_ids(text, current_cve_id)` — finds distinct `CVE-YYYY-NNNNN` tokens in arbitrary text (typically the summary) with word-boundary matching, excludes the current record's own ID, preserves first-appearance order for deterministic emission.
- `related_cve_url(cve_id)` — emits the canonical `https://www.cve.org/CVERecord?id=<id>` URL.
- `build_cna_container` now accepts `current_cve_id`, extracts related IDs from the description, and appends `cve.org` URLs to the references list.

Gate #3 (incomplete-fix cross-CVE clause, [PR #372](https://github.com/apache/airflow-steward/pull/372)) already pushes prior CVE IDs into the summary text — so this lands automatically the next time the body is regenerated for any incomplete-fix tracker.

## Test plan

- [x] 20 new test cases (classify_reference tagging, edge cases for extraction: substring guard, case-insensitive current-CVE exclusion, dedup, digit-count boundary, URL format)
- [x] Full `generate-cve-json` test suite: 264 / 264 passed
- [ ] Next regen on an incomplete-fix tracker (e.g. #233/CVE-2026-49298 → CVE-2026-27173, #265/CVE-2026-49267 → CVE-2026-41016, #345/CVE-2026-42360 → CVE-2025-68438) emits the related reference automatically

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
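An added sketch of the extraction and reference-emission behaviour the PR describes; it is not the project's code. The names `extract_related_cve_ids` and `related_cve_url` come from the PR text, while the regex, the helper `add_related_references`, and the sample description are assumptions made for illustration.

```python
import re

# CVE ID syntax: "CVE-", a 4-digit year, "-", then 4 or more digits.
# Lookarounds reject matches embedded in longer tokens; the PR's exact
# boundary rules are not on the page, so these are assumptions.
_CVE_RE = re.compile(
    r"(?<![A-Za-z0-9-])CVE-\d{4}-\d{4,}(?![A-Za-z0-9])", re.IGNORECASE
)


def extract_related_cve_ids(text, current_cve_id):
    """Distinct CVE IDs in text, first-appearance order, minus the record's own."""
    current = current_cve_id.upper()
    found = []
    for match in _CVE_RE.finditer(text):
        cve_id = match.group(0).upper()  # normalise so "cve-..." deduplicates
        if cve_id != current and cve_id not in found:
            found.append(cve_id)
    return found


def related_cve_url(cve_id):
    return f"https://www.cve.org/CVERecord?id={cve_id}"


def add_related_references(description, current_cve_id, references):
    """Hypothetical helper: append one 'related' entry per prior CVE."""
    result = list(references)
    known = {ref["url"] for ref in result}
    for cve_id in extract_related_cve_ids(description, current_cve_id):
        url = related_cve_url(cve_id)
        if url not in known:  # keeps repeated regeneration idempotent
            result.append({"url": url, "tags": ["related"]})
            known.add(url)
    return result


# Constructed description text; the two valid CVE IDs are a pair named in the PR.
SAMPLE = (
    "Incomplete fix for CVE-2026-27173 (see cve-2026-27173). "
    "Tracked as CVE-2026-49298; XCVE-2026-11111 and CVE-2026-123 are not IDs."
)

if __name__ == "__main__":
    for ref in add_related_references(SAMPLE, "cve-2026-49298", []):
        print(ref)
```

Checking for an existing URL before appending means a second regeneration over an already-populated references list does not duplicate the `related` entry.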
