
Condense vulnerability remediation PR body#8

Merged
ulziibay-kernel merged 1 commit into
mainfrom
ulzii/socket-rank-simple-candidates
Jun 1, 2026

Conversation

@ulziibay-kernel ulziibay-kernel commented Jun 1, 2026

Summary

  • Summarize batch-limited advisories as counts instead of listing every deferred Socket candidate.
  • Keep a capped details section for non-batch deferrals and unconfirmed attempted fixes.
  • Add a regression test so generated remediation PRs remain reviewable.

Test plan

  • python3 -m unittest scripts.test_vuln_remediation
  • Parsed reusable workflow YAML
  • git diff --check

Made with Cursor


Note

Low Risk
Only changes markdown PR body formatting in render_pr_body; triage, fixes, and confirmation logic are unchanged.

Overview
Remediation PR descriptions are shorter and easier to scan. The generated body no longer lists every batch-limited deferred advisory in a table; those are rolled into a Deferred by batch limit count under a new Not Included section, alongside counts for other deferred findings and unconfirmed fixes.

Other deferrals and unconfirmed fixes still appear in a collapsible Deferred details block, capped at 10 rows with a note pointing reviewers to workflow artifacts when more exist. A unit test locks in that batch-limited items stay out of the detailed table while non-batch deferrals (e.g. non-CVE) remain visible in the details section.

Reviewed by Cursor Bugbot for commit 8aafa3b.

Summarize batch-limited advisories instead of listing every deferred Socket candidate so generated PRs stay reviewable.

Co-authored-by: Cursor <cursoragent@cursor.com>
@ulziibay-kernel ulziibay-kernel merged commit 4c02e28 into main Jun 1, 2026
3 checks passed

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


lines.append("| (none) | | | | | | |")

deferred = triage.get("deferred") or fix_result.get("reverted") or []
unconfirmed = fix_result.get("reverted") or []

Reverted items double-counted when triage has no deferred

Medium Severity

When triage.get("deferred") is falsy, the or fallback causes deferred to equal fix_result.get("reverted"), which is the same value assigned to unconfirmed. This means other_deferred and unconfirmed contain identical items, causing them to be double-counted in the summary bullets and duplicated in the (other_deferred + unconfirmed)[:10] details table. The test only covers reverted: [], so this path is untested.

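The Overview above describes the new Not Included section with its count bullets and the capped Deferred details block, and Bugbot's comment shows how the expression deferred = triage.get("deferred") or fix_result.get("reverted") or [] makes deferred and unconfirmed the same list whenever triage has no deferrals. The block below is an added Python example, not the repository's render_pr_body, that renders a minimal version of that section with the two sources kept separate and the details rows deduplicated. The finding field names (id, package, reason), the reason strings, the bullet labels other than "Deferred by batch limit", and the sample findings are assumptions constructed for the example.

```python
# Added example, not the repository's render_pr_body: a minimal rendering of the
# "Not Included" section described in this PR that avoids the double counting
# Bugbot flagged. Field names (id, package, reason), reason strings and the
# sample findings below are assumptions constructed for illustration.

DETAIL_CAP = 10  # rows shown in the collapsible details block, per the PR


def split_findings_buggy(triage, fix_result):
    """The expression Bugbot flagged: when triage has no "deferred" entry (or it
    is empty), `or` falls through to the reverted list, so deferred and
    unconfirmed become the same list and every reverted fix is counted twice."""
    deferred = triage.get("deferred") or fix_result.get("reverted") or []
    unconfirmed = fix_result.get("reverted") or []
    return deferred, unconfirmed


def split_findings(triage, fix_result):
    """Keep the two sources separate; an empty triage simply means no deferrals."""
    deferred = triage.get("deferred") or []
    unconfirmed = fix_result.get("reverted") or []
    batch_limited = [d for d in deferred if d.get("reason") == "batch-limit"]
    other_deferred = [d for d in deferred if d.get("reason") != "batch-limit"]
    return batch_limited, other_deferred, unconfirmed


def dedupe(items):
    """Drop repeats by advisory id and package so a finding that appears both as
    a deferral and as an unconfirmed fix occupies a single details row."""
    seen, out = set(), []
    for item in items:
        key = (item.get("id"), item.get("package"))
        if key not in seen:
            seen.add(key)
            out.append(item)
    return out


def render_not_included(triage, fix_result, cap=DETAIL_CAP):
    """Render the count bullets plus a capped <details> table as Markdown."""
    batch_limited, other_deferred, unconfirmed = split_findings(triage, fix_result)
    lines = [
        "## Not Included",
        "",
        f"- Deferred by batch limit: {len(batch_limited)}",
        f"- Deferred for other reasons: {len(other_deferred)}",
        f"- Attempted fixes not confirmed: {len(unconfirmed)}",
    ]
    # Batch-limited items are summarised only; everything else gets a row.
    rows = dedupe(other_deferred + unconfirmed)
    if rows:
        lines += [
            "",
            "<details>",
            "<summary>Deferred details</summary>",
            "",
            "| CVE/GHSA | Package | Reason |",
            "| --- | --- | --- |",
        ]
        for item in rows[:cap]:
            lines.append(f"| {item['id']} | {item['package']} | {item['reason']} |")
        if len(rows) > cap:
            lines.append("")
            lines.append(f"{len(rows) - cap} more not shown; see the workflow artifacts.")
        lines.append("</details>")
    return "\n".join(lines)


# Constructed sample input: triage deferred nothing, two attempted fixes were
# reverted. Advisory ids are placeholders, not real identifiers.
SAMPLE_TRIAGE = {"deferred": []}
SAMPLE_FIX_RESULT = {
    "reverted": [
        {"id": "CVE-0000-00001", "package": "pkg-a", "reason": "tests failed after bump"},
        {"id": "CVE-0000-00002", "package": "pkg-b", "reason": "tests failed after bump"},
    ]
}

if __name__ == "__main__":
    buggy_deferred, buggy_unconfirmed = split_findings_buggy(SAMPLE_TRIAGE, SAMPLE_FIX_RESULT)
    print("buggy: deferred is the reverted list ->", buggy_deferred is buggy_unconfirmed)
    print(render_not_included(SAMPLE_TRIAGE, SAMPLE_FIX_RESULT))
```

Running the block on the constructed input shows the buggy split returning the reverted list as both deferred and unconfirmed, while the corrected rendering reports zero other deferrals, two unconfirmed fixes and a two-row details table. A regression test for this path needs a fixture with an empty or missing triage "deferred" list and a non-empty "reverted" list, which is exactly the case the PR's test (reverted: []) does not cover.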

@firetiger-agent

Created a monitoring plan for this PR.

What this PR does: Improves the automated vulnerability remediation workflow: direct-dependency version bumps are now prioritized over transitive-only fixes, and generated remediation PR bodies summarize batch-deferred advisories by count instead of listing every row.

Intended effect:

  • Vulnerability Remediation Self-Test: baseline 100% success (13/13 runs on May 28 and Jun 1); confirmed if conclusion = 'success' continues on main post-merge (already confirmed at 2026-06-01T21:40:49Z).
  • Next remediation PR body format: baseline was a flat Markdown table of all deferred CVEs; confirmed if the next security/vuln-remediation PR body contains "Not Included" with count bullets and a <details> block instead of a raw table.

Risks:

  • Self-Test failure: Vulnerability Remediation Self-Test workflow conclusion, alert if any failure on kernel/security-workflows within 24h of merge (baseline: 0 failures in 13 runs).
  • Malformed PR body: next security/vuln-remediation PR body, alert if it still contains | CVE/GHSA | Package | Reason | table rows for batch-limited items instead of the summarized count bullets.
  • Fix ordering regression: reverted count in fix-result.json artifacts, alert if >2 reverted fixes per remediation run (baseline: 0–1).

Status updates will be posted automatically on this PR as monitoring progresses.
