
Shift triage logic to dependency-based team assignment #3

Merged
janisz merged 1 commit into main from do_not-rely-on-continer
May 5, 2026

Conversation

@janisz
Collaborator

@janisz janisz commented May 5, 2026

Changed vulnerability triage to assign teams based on dependency language and usage location instead of container names.

Key changes:

  • npm/JavaScript dependencies → @stackrox/ui (95% confidence, only team using JS)
  • Go dependencies → based on import path (e.g., scanner/** → @stackrox/scanner)
  • Generic Go deps → use gopls to find where imported
  • Python dependencies → based on usage location (scanner or test infra)
  • PostgreSQL → @stackrox/core-workflows

Updated files:

  • reference/team-mappings.md: Added dependency-to-team mappings
  • reference/vulnerability-decision-tree.md: Step 3 and 6 updated
  • reference/teams.md: Replaced container mapping with dependency reference
  • reference/constants.md: Updated false positive patterns
  • .claude/commands/triage.md: Phase 4b updated for dependency extraction
  • FIELD_REFERENCE.md: Updated vuln_analysis fields
  • templates/triage-report.md: Show language/package instead of container
  • README.md: Updated decision tree description

This aligns with how dependencies are actually distributed in the codebase rather than relying on container names, which can be misleading.

…gnment

Changed vulnerability triage to assign teams based on dependency language
and usage location instead of container names.

Key changes:
- npm/JavaScript dependencies → @stackrox/ui (95% confidence, only team using JS)
- Go dependencies → based on import path (e.g., scanner/** → @stackrox/scanner)
- Generic Go deps → use gopls to find where imported
- Python dependencies → based on usage location (scanner or test infra)
- PostgreSQL → @stackrox/core-workflows

Updated files:
- reference/team-mappings.md: Added dependency-to-team mappings
- reference/vulnerability-decision-tree.md: Step 3 and 6 updated
- reference/teams.md: Replaced container mapping with dependency reference
- reference/constants.md: Updated false positive patterns
- .claude/commands/triage.md: Phase 4b updated for dependency extraction
- FIELD_REFERENCE.md: Updated vuln_analysis fields
- templates/triage-report.md: Show language/package instead of container
- README.md: Updated decision tree description

This aligns with how dependencies are actually distributed in the codebase
rather than relying on container names, which can be misleading.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
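The routing rules in the PR description and commit message above, written out as an added example (not the PR's or the project's own code): a finding is assigned by dependency language and usage location, and the container name is carried along but never consulted. Team handles and the 95% npm confidence come from the page; the scanner-team mapping for Python used by the scanner, the test-infra team placeholder and the `Finding`/`Assignment` shapes are assumptions.

```python
"""Dependency-based team assignment for vulnerability triage (added example)."""
from dataclasses import dataclass
from typing import Optional

# Go first-party import-path prefix -> owning team. Only scanner/** is given on
# the page; further prefixes would come from reference/team-mappings.md.
GO_PATH_TEAMS = {"scanner/": "@stackrox/scanner"}

# Assumption: the page names no team for test infrastructure, so use a placeholder.
TEST_INFRA_TEAM = "@stackrox/TEST-INFRA-TEAM-PLACEHOLDER"


@dataclass
class Finding:
    language: str                       # "javascript", "go", "python", "postgresql"
    package: str                        # vulnerable dependency name
    container: Optional[str] = None     # kept for the report, deliberately ignored here
    import_path: Optional[str] = None   # Go: first-party package importing the dependency
    usage: Optional[str] = None         # Python: "scanner" or "test-infra"


@dataclass
class Assignment:
    team: Optional[str]          # None means "needs a human / tooling lookup"
    confidence: Optional[float]  # only stated on the page for npm; None otherwise
    reason: str


def assign_team(f: Finding) -> Assignment:
    lang = f.language.lower()
    if lang in ("javascript", "npm"):
        # Only one team uses JS, so the usage location does not matter.
        return Assignment("@stackrox/ui", 0.95, "npm dependency; only team using JS")
    if lang == "go":
        for prefix, team in GO_PATH_TEAMS.items():
            if f.import_path and f.import_path.startswith(prefix):
                return Assignment(team, None, f"imported under {prefix}")
        # Generic Go dependency: the importing package must be located with gopls.
        return Assignment(None, None, "generic Go dependency; find importers with gopls")
    if lang == "python":
        if f.usage == "scanner":   # assumption: scanner usage maps to the scanner team
            return Assignment("@stackrox/scanner", None, "used by scanner")
        if f.usage == "test-infra":
            return Assignment(TEST_INFRA_TEAM, None, "used by test infrastructure")
        return Assignment(None, None, "Python dependency with unknown usage location")
    if lang == "postgresql":
        return Assignment("@stackrox/core-workflows", None, "PostgreSQL")
    return Assignment(None, None, f"no rule for language {f.language!r}")
```

A finding whose language has no rule, or whose Go importer is unknown, comes back with `team=None` so the triage step can flag it for the gopls lookup instead of guessing from the container.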
@janisz janisz requested review from mtodor and rhybrillou May 5, 2026 16:17
@janisz janisz merged commit 4cd2fa7 into main May 5, 2026
1 check passed
@janisz janisz deleted the do_not-rely-on-continer branch May 5, 2026 16:23