LCORE-2118: Add Claude Code skill for Dependabot CVE triage #1740
Walkthrough

This PR adds a command guide for end-to-end Dependabot CVE triage and Jira ticket filing, including alert fetch, severity summary, Jira cross-reference, gap verification, user-driven parameters, ticket drafting, optional epic linking, and ticket creation.

Changes: Dependabot CVE Filing Workflow
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.claude/commands/file-dependabot-cves.md:
- Around line 12-14: The markdown fenced code blocks containing the gh api
commands (the blocks starting with the command gh api
"repos/$repo/dependabot/alerts" --paginate --jq '...' and gh api
"repos/$repo/dependabot/alerts/$alert_number" --jq '...') are missing language
identifiers; update those fenced blocks to use "bash" (i.e., replace the opening
``` with ```bash) for both occurrences so MD040 is satisfied and shell syntax
highlighting/tooling works correctly.
- Line 91: The doc hardcodes a CVE label in the `additional_fields` example
which can be invalid for GHSA-only advisories; update the example for
`additional_fields` so `labels` is built conditionally—include the CVE label
only when a CVE identifier exists, otherwise include the GHSA identifier (or
just "Security")—and show a template that demonstrates this conditional choice
(referencing the `additional_fields` key and the `labels` array in the example).
- Line 47: The guidance that tells reviewers to "cross-reference in JIRA
(full-text search by CVE ID) and GitHub" should be extended to handle GHSA-only
advisories: when the CVE is `N/A` and the advisory has a GHSA identifier, also
perform a full-text JIRA search using the GHSA ID and confirm the GitHub alert
state by GHSA ID; update the sentence that begins "For each gap,
cross-reference..." to explicitly instruct searching JIRA by CVE or GHSA ID (use
GHSA when CVE=`N/A`) and verifying GitHub alerts by GHSA ID to avoid
misclassifying GHSA-only gaps as missing.
🧰 Additional context used
🪛 markdownlint-cli2 (0.22.1)
.claude/commands/file-dependabot-cves.md
[warning] 6-6: First line in a file should be a top-level heading (MD041, first-line-heading, first-line-h1)
[warning] 12-12: Fenced code blocks should have a language specified (MD040, fenced-code-language)
[warning] 61-61: Fenced code blocks should have a language specified (MD040, fenced-code-language)
| ``` | ||
| gh api "repos/$repo/dependabot/alerts" --paginate --jq '.[] | select(.state == "open") | {number, state, severity: .security_vulnerability.severity, package: .security_vulnerability.package.name, ecosystem: .security_vulnerability.package.ecosystem, summary: .security_advisory.summary, cve: (.security_advisory.cve_id // "N/A"), ghsa: .security_advisory.ghsa_id, created: .created_at, fixed_version: (.security_vulnerability.first_patched_version.identifier // "N/A")}' | ||
| ``` |
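Review bot: The `select(.state == "open")` filter here runs client-side after `--paginate` has already fetched every alert, including fixed and dismissed ones. The Dependabot alerts endpoint accepts a `state` query parameter, so requesting `"repos/$repo/dependabot/alerts?state=open"` fetches only what the guide needs and leaves the jq filter as a safety net. The guide should also say where `$repo` is set, since the description names `lightspeed-core/lightspeed-stack` as the default target but the command block assumes the variable already exists.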
Add language identifiers to fenced command blocks.
Lines 12 and 61 use unlabeled fenced blocks, which triggers markdownlint MD040 and reduces readability/tooling support.
Suggested doc fix
-```
+```bash
gh api "repos/$repo/dependabot/alerts" --paginate --jq '.[] | select(.state == "open") | {number, state, severity: .security_vulnerability.severity, package: .security_vulnerability.package.name, ecosystem: .security_vulnerability.package.ecosystem, summary: .security_advisory.summary, cve: (.security_advisory.cve_id // "N/A"), ghsa: .security_advisory.ghsa_id, created: .created_at, fixed_version: (.security_vulnerability.first_patched_version.identifier // "N/A")}'@@
- +bash
gh api "repos/$repo/dependabot/alerts/$alert_number" --jq '{summary: .security_advisory.summary, description: .security_advisory.description, cve: (.security_advisory.cve_id // "N/A"), remediation: (.security_vulnerability.first_patched_version.identifier // "No fix available"), vulnerable_range: .security_vulnerability.vulnerable_version_range}'
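Review bot: The two commands use different sentinels for the same "no patched version" case: the list query emits `fixed_version: "N/A"` while the per-alert query emits `remediation: "No fix available"`. Pick one string (or leave the value null) so a later step that wants to flag alerts with no available fix does not have to special-case both.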
Also applies to: 61-63
|
|
||
| ## Step 5: Verify gaps | ||
|
|
||
| For each gap, cross-reference in JIRA (full-text search by CVE ID) and GitHub (confirm alert is still open) to verify it is a real missing issue. Drop false positives (e.g., already-closed tickets, stale alerts). |
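Review bot: "stale alerts" in the false-positive list is ambiguous. An alert that is no longer open is either fixed or dismissed, and a dismissed alert is a recorded risk-acceptance decision rather than noise; the step should say to record the alert's state and dismissal reason next to the dropped gap so the triage output shows why no ticket was filed for it.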
Handle GHSA-only alerts during gap verification.
Line 47 says to verify gaps via CVE full-text Jira search, but GHSA-only advisories are in scope (Line 16). This can misclassify real gaps as “not found” and lead to duplicate filings later. Add GHSA-based Jira verification when CVE is N/A.
Suggested doc fix
-For each gap, cross-reference in JIRA (full-text search by CVE ID) and GitHub (confirm alert is still open) to verify it is a real missing issue.
+For each gap, cross-reference in JIRA (full-text search by CVE ID, or GHSA ID when CVE is `N/A`) and GitHub (confirm alert is still open) to verify it is a real missing issue.🤖 Prompt for AI Agents
| - `summary`: the GitHub advisory title | ||
| - `description`: as structured above | ||
| - `components`: user's chosen component | ||
| - `additional_fields`: `{"fixVersions": [{"id": "<version_id>"}], "labels": ["<CVE-ID>", "Security"], "parent": "<EPIC_KEY>"}` |
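Review bot: The template always carries `"parent": "<EPIC_KEY>"`, but the walkthrough describes epic linking as optional. State that the `parent` key is omitted entirely when the user chooses no epic; a ticket created with the placeholder left in would be rejected by Jira as an unknown parent issue.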
Do not always include <CVE-ID> in labels.
Line 91 hardcodes "<CVE-ID>" in labels, which conflicts with GHSA-only advisories and can create empty/invalid labels. Build labels conditionally: use CVE when present, otherwise GHSA.
Suggested doc fix
-- `additional_fields`: `{"fixVersions": [{"id": "<version_id>"}], "labels": ["<CVE-ID>", "Security"], "parent": "<EPIC_KEY>"}`
+- `additional_fields`: `{"fixVersions": [{"id": "<version_id>"}], "labels": ["<CVE-OR-GHSA-ID>", "Security"], "parent": "<EPIC_KEY>"}`📝 Committable suggestion
Description

Adds a Claude Code slash command (/file-dependabot-cves) that automates Dependabot CVE triage: fetches open alerts, cross-references against LCORE Jira tickets, identifies coverage gaps, and files new tickets for uncovered vulnerabilities. Uses GHSA ID as a fallback dedup key when CVE ID is null/N/A, preventing distinct GHSA-only advisories from being collapsed.

Identical to lightspeed-core/lightspeed-providers#120, adapted for this repo (default repo target changed to lightspeed-core/lightspeed-stack, epic search adjusted accordingly).
Testing

/file-dependabot-cves in Claude Code against the repo
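The GHSA-fallback dedup key, the Jira gap check and the conditional label rule that the description and the three review comments discuss, as an added Python example; it is not the PR's own slash command (which drives `gh` and Jira directly). Alert records follow the shape of the `--jq` output quoted in the review, and the alerts, Jira summaries and ticket keys are constructed here; the gap check searches Jira by both CVE and GHSA ID, slightly more than the guide's CVE-only wording.

```python
"""Dependabot triage helpers: GHSA fallback key, Jira gap check, ticket labels.

Added example, not the project's own code. Inputs are constructed in the shape
of the `gh api ... --jq` output from the review: `cve` is "N/A" when the
advisory has no CVE identifier, `ghsa` is always present.
"""
from typing import Iterable

# Constructed sample alerts (placeholder IDs, not real advisories).
ALERTS = [
    {"number": 1, "state": "open", "severity": "high", "package": "foo",
     "cve": "CVE-0000-0001", "ghsa": "GHSA-aaaa-bbbb-cccc"},
    {"number": 2, "state": "open", "severity": "high", "package": "foo",
     "cve": "CVE-0000-0001", "ghsa": "GHSA-aaaa-bbbb-cccc"},  # same advisory, second manifest
    {"number": 3, "state": "open", "severity": "moderate", "package": "bar",
     "cve": "N/A", "ghsa": "GHSA-dddd-eeee-ffff"},            # GHSA-only advisory
    {"number": 4, "state": "open", "severity": "moderate", "package": "baz",
     "cve": "N/A", "ghsa": "GHSA-gggg-hhhh-iiii"},            # GHSA-only, distinct
    {"number": 5, "state": "dismissed", "severity": "low", "package": "qux",
     "cve": "CVE-0000-0005", "ghsa": "GHSA-jjjj-kkkk-llll"},  # not open: out of scope
]
# Constructed Jira tickets (placeholder keys): summary text used for full-text search.
JIRA = {"LCORE-1": "Bump foo for CVE-0000-0001",
        "LCORE-2": "Address GHSA-dddd-eeee-ffff in bar"}


def dedup_key(alert: dict) -> str:
    """CVE ID when present, otherwise the GHSA ID, so GHSA-only advisories stay distinct."""
    cve = alert.get("cve")
    return cve if cve and cve != "N/A" else alert["ghsa"]


def dedupe_open(alerts: Iterable[dict]) -> dict[str, dict]:
    """One open alert per advisory, keyed by dedup_key; alerts 1 and 2 collapse, 3 and 4 do not."""
    seen: dict[str, dict] = {}
    for alert in alerts:
        if alert["state"] == "open":
            seen.setdefault(dedup_key(alert), alert)
    return seen


def find_gaps(alerts: Iterable[dict], jira: dict[str, str]) -> dict[str, dict]:
    """Advisories with no Jira ticket whose summary mentions either the CVE or the GHSA ID."""
    gaps = {}
    for key, alert in dedupe_open(alerts).items():
        ids = {key, alert["ghsa"]}
        if not any(i in summary for summary in jira.values() for i in ids):
            gaps[key] = alert
    return gaps


def jira_labels(alert: dict) -> list[str]:
    """Labels for additional_fields: the CVE or GHSA ID plus "Security", never a literal "N/A"."""
    return [dedup_key(alert), "Security"]
```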