feat(security-issue-sync): auto-propose backtick-wrap for Affected versions field#367
Merged
potiuk merged 1 commit intoMay 28, 2026
Conversation
…rsions field
The ``Affected versions`` body field on tracker issues holds version
expressions like ``>= 3.0.0, < 3.2.2``. Without backticks the leading
``>`` is interpreted by GitHub as a markdown blockquote, so the
rendered field shows as a quoted single line. Maintainers editing via
the issue-form UI then see the visible (un-quoted) text and "fix" it
by removing the ``>=`` prefix, silently turning a bounded range into a
misleading single-version entry like ``3.2.1`` — and the CVE record
that follows publishes with the wrong affected range.
Surface the un-wrapped state as a Step 1d signal so the sync proposes
the wrap on every run that encounters one, and reinforce on the
auto-derived ``Affected versions`` value (Step 2b) that the emitter
must wrap. The generate-cve-json parser already strips backticks at
parse time (``cleaned = value.strip().strip("\`").strip()``), so this
is a pure-cosmetic + edit-resilience fix with no semantic change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
Affected versionsbody field on tracker issues holds version expressions like>= 3.0.0, < 3.2.2. Without surrounding backticks the leading>is interpreted by GitHub as a markdown blockquote, so the rendered field shows as a quoted single line. Maintainers editing via the issue-form UI then see the visible (un-quoted) text and "fix" it by removing the>=prefix, silently turning a bounded range into a misleading single-version entry like3.2.1— and the CVE record that follows publishes with the wrong affected range.This was observed in the wild during the 2026-05-28 bulk sync against
airflow-s/airflow-s: multiple trackers had theirAffected versionsfield re-rendered as a blockquote, then edited down to a bare single version, then regenerated into CVE JSON with{ "version": "3.2.1" }— instead of{ "lessThan": "3.2.2", "version": "3.0.0", "versionType": "semver" }.Changes
Two complementary additions to
security-issue-sync:Step 1d signal table — add a row for "Affected versions field has a value but it is not backtick-wrapped" so sync surfaces and auto-proposes the wrap on every run that finds one, even when no other body update is being proposed for the tracker.
Step 2b body-field emitter — add a sentence to the "Affected versions" derivation rule reminding the emitter to wrap the proposed value in backticks, with a cross-reference to the new signal row for the underlying reason.
The
generate-cve-jsonparser already strips backticks at parse time (cleaned = value.strip().strip("\").strip()—cve_json.py:651`), so this is a pure-cosmetic + edit-resilience fix with no semantic change to existing trackers or CVE JSON output. The fail-loud parser introduced in #362 continues to refuse genuinely un-parseable input; this PR makes the input less likely to drift into that state.Test plan
skill-and-tool-validateis the only relevant hook)./security-issue-syncinvocation against a tracker with an un-wrappedAffected versionsvalue should surface the wrap as a proposed body-field change (verified out-of-band when this lands).Follow-up
The issue template (
.github/ISSUE_TEMPLATE/...) lives in the adopter repo, not inairflow-steward. A companion PR againstairflow-s/airflow-swill update the template's placeholder example and add an inline note to the field description so reporters and triagers start the value in the right shape.Was generative AI tooling used to co-author this PR?