This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 5f86430c fix(cve-tool): lower-case ASF qualitative severity words
(moderate/important) (#478)
5f86430c is described below
commit 5f86430c160dc99d103d268b35aeff2d44aa3586
Author: Jarek Potiuk <[email protected]>
AuthorDate: Thu Jun 11 10:24:02 2026 +0200
fix(cve-tool): lower-case ASF qualitative severity words
(moderate/important) (#478)
normalise_severity only lower-cased the CVSS set
{none,low,medium,high,critical},
so the ASF qualitative words 'Moderate' and 'Important' fell through
unchanged and
landed capitalized in the CVE record's metrics[] 'Textual description of
severity'.
Add moderate/important to the set so the full ASF rating set
(low/moderate/important/critical) is emitted lower-case, matching the ASF
severity-rating convention.
---
.../generate-cve-json/src/generate_cve_json/cve_json.py | 5 +++--
.../generate-cve-json/tests/test_generate_cve_json.py | 4 +++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git
a/tools/cve-tool-vulnogram/generate-cve-json/src/generate_cve_json/cve_json.py
b/tools/cve-tool-vulnogram/generate-cve-json/src/generate_cve_json/cve_json.py
index ce91bd68..a0f52e1e 100644
---
a/tools/cve-tool-vulnogram/generate-cve-json/src/generate_cve_json/cve_json.py
+++
b/tools/cve-tool-vulnogram/generate-cve-json/src/generate_cve_json/cve_json.py
@@ -774,10 +774,11 @@ def parse_affected_versions(value: str,
version_start_override: str | None) -> l
def normalise_severity(value: str) -> str:
"""Return the severity as a lower-case word
- (``none`` / ``low`` / ``medium`` / ``high`` / ``critical``) or the
+ (``none`` / ``low`` / ``moderate`` / ``medium`` / ``high`` / ``important``
/
+ ``critical``) or the
original text if it doesn't match the standard set."""
lowered = value.strip().lower()
- if lowered in {"none", "low", "medium", "high", "critical"}:
+ if lowered in {"none", "low", "moderate", "medium", "high", "important",
"critical"}:
return lowered
return value.strip()
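Review bot: The accepted set on the `if lowered in {...}` line now mixes two vocabularies, the CVSS qualitative ratings (`medium`) and the ASF ratings (`moderate`, `important`), but nothing in the function records that this is deliberate, and the same seven words are repeated in the docstring just above. Hoisting them to a module-level `_KNOWN_SEVERITIES = frozenset({"none", "low", "moderate", "medium", "high", "important", "critical"})` with the comment `# CVSS qualitative ratings plus the ASF ratings (moderate/important); both are accepted.` gives one source of truth and lets the docstring say "one of the ASF or CVSS qualitative ratings" instead of enumerating them. Any other word still leaves on `return value.strip()` with its original capitalisation, so a caller that needs a guaranteed lower-case value in the CVE record's textual severity description must still check the result against the set; the docstring should state that with `Any other text is returned stripped but otherwise unchanged, including its case.`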
diff --git
a/tools/cve-tool-vulnogram/generate-cve-json/tests/test_generate_cve_json.py
b/tools/cve-tool-vulnogram/generate-cve-json/tests/test_generate_cve_json.py
index b9d4b6d9..a8308f34 100644
--- a/tools/cve-tool-vulnogram/generate-cve-json/tests/test_generate_cve_json.py
+++ b/tools/cve-tool-vulnogram/generate-cve-json/tests/test_generate_cve_json.py
@@ -1416,7 +1416,7 @@ class TestCombineRemediationDevelopers:
class TestNormaliseSeverity:
def test_known_values_are_lowercased(self):
- for raw in ("None", "Low", "Medium", "High", "Critical"):
+ for raw in ("None", "Low", "Moderate", "Medium", "High", "Important",
"Critical"):
assert normalise_severity(raw) == raw.lower()
def test_already_lowercase_known_value_passes_through(self):
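Review bot: The `for raw in (...)` loop in test_known_values_are_lowercased stops at the first failing word and reports only that one, and it repeats the accepted set as a tuple literal that must be kept in step with the source by hand. A `@pytest.mark.parametrize("raw", [...])` over the same words yields one case per rating and names the failing value; if cve_json exposes the set as a module constant, parametrize over that instead. The hunk also shows no assertion that a capitalised word outside the set (a constructed `"Severe"`, say) comes back with its case intact, which is the pass-through path the commit message describes as the original symptom; if that is not covered elsewhere in the class it is worth adding. The remaining methods of TestNormaliseSeverity continue outside this hunk.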
@@ -1428,6 +1428,8 @@ class TestNormaliseSeverity:
def test_mixed_case_known_value_normalised(self):
assert normalise_severity("HIGH") == "high"
assert normalise_severity("CRITICAL") == "critical"
+ assert normalise_severity("MODERATE") == "moderate"
+ assert normalise_severity("Important") == "important"
# ---------------------------------------------------------------------------