Skip to content

feat(security-issue-sync): gate fix-released hand-off on mandatory CVE fields#202

Merged
potiuk merged 1 commit into
apache:mainfrom
potiuk:security-sync-cve-gate
May 17, 2026
Merged

feat(security-issue-sync): gate fix-released hand-off on mandatory CVE fields#202
potiuk merged 1 commit into
apache:mainfrom
potiuk:security-sync-cve-gate

Conversation

@potiuk
Copy link
Copy Markdown
Member

@potiuk potiuk commented May 17, 2026

Summary

The pr merged → fix released transition (Step 12 of the security handling
process) hands ownership of a tracker from the remediation developer to the
release manager. The release manager needs every CVE body field populated to
send the advisory at Step 13, but security-issue-sync previously proposed
the hand-off on the release-shipped signal alone — leaving the release
manager to chase down missing fields themselves.

This PR:

  1. Adds a six-field gate to the hand-off. If CWE, Affected versions,
    Severity, Reporter credited as, Short public summary for publish, or
    PR with the fix is empty / _No response_, the sync no longer proposes
    the label flip or assignee swap. It proposes a tracker comment
    @-mentioning the Remediation developer (read from the body field)
    listing exactly which fields are missing. A subsequent sync run detects
    the gate is clear and proceeds.

  2. Allow-lists CWE and Affected versions for proactive agent auto-proposal
    in earlier syncs    , so the gate is more often already clear by the time
    the release ships:

    • CWE — map the patch to a CWE class. Only when unambiguous; must
      cite file/lines.
    • Affected versions — derive from the upstream PR's milestone mapped
      to the project's per-scope convention. Only when the milestone uniquely
      determines the range.

    All other mandatory fields stay on the external-signal path — no guessing.

  3. Content guideline for Short public summary for publish — the field
    powers the published CVE description end users read, so it must tell them
    what to do (fixed version, mitigations, CWE class is allowed). Propose a
    rewrite when the field is technically accurate but missing the
    user-facing action.

Test plan

  • Run /security-issue-sync against a tracker that has the
    release-shipped signal but _No response_ in (say) Short public summary
    for publish    . Confirm the sync proposes a tracker comment @-mentioning
    the remediation developer, not the fix released label swap or the
    assignee swap.
  • Run a second sync after the field is filled. Confirm the gate is now
    clear and the original hand-off proposal fires.
  • Run sync on a tracker where CWE is _No response_ and the PR is
    unambiguous (e.g. clear missing-auth-check fix). Confirm the proposal
    includes a CWE-287 value with file/line citation.
  • Run sync on a tracker with an ambiguous patch (multiple plausible
    CWEs). Confirm the proposal flags the ambiguity rather than guessing.
  • Run sync on a tracker whose Short public summary for publish states
    only the vulnerability but no upgrade / mitigation text. Confirm the
    proposal includes a rewrite that adds the user-facing instructions.

Generated-by: Claude Code (Opus 4.7)

@potiuk
feat(security-issue-sync): gate fix-released hand-off on mandatory CV…
b354851 
…E fields

The pr merged → fix released transition (Step 12) hands ownership
of a tracker from the remediation developer to the release
manager. The release manager needs every CVE body field populated
to send the advisory at Step 13, but the sync previously proposed
the hand-off on the release-shipped signal alone — leaving the
release manager to chase down missing CWE / Affected versions /
Severity / Reporter credit / Short public summary / PR-with-fix
entries themselves.

What changed:

- Step 2b table row for the fix-released transition gains a
  precondition: if any of the six mandatory body fields is empty
  or _No response_, the sync proposes a tracker comment
  @-mentioning the Remediation developer listing exactly which
  fields are missing, instead of the label flip and the assignee
  swap. A later sync detects the gate is clear and proceeds.

- Description-fields paragraph in Step 2b adds an explicit
  allow-list of two fields the agent may proactively auto-propose
  during earlier syncs:

  - CWE — derived from the patch (auth-bypass → CWE-287, SQL
    injection → CWE-89, path traversal → CWE-22, …). Only when
    unambiguous; must cite the file/line range that drove the
    mapping. Ambiguity is flagged, never guessed.

  - Affected versions — derived from the upstream PR's milestone
    mapped to the project's per-scope convention. Only when the
    milestone uniquely determines the range.

  All other mandatory fields stay on the external-signal path.

- New content guideline for the Short public summary for publish
  field: it powers the published CVE description end users read,
  so it must tell them what to do (fixed version, mitigations,
  CWE class is allowed). The agent proposes a rewrite when the
  field is technically accurate but missing the user-facing
  action.

Generated-by: Claude Code (Opus 4.7)
@potiuk potiuk merged commit ff38bc2 into apache:main May 17, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@potiuk