This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 0cbb242 chore(skills): drop leftover "not CVE worthy" mentions in security skills (#185)
0cbb242 is described below
commit 0cbb24284143da0c0655fc92b6716774b280f131
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sat May 16 19:59:54 2026 +0200
chore(skills): drop leftover "not CVE worthy" mentions in security skills (#185)
The closing-disposition convention is `invalid` (not `not CVE worthy`).
The two skills mostly already reflect that, but five list-style references
to the old name lingered:
- security-issue-invalidate/SKILL.md (1× — quoted disposition strings in the Step 5/6 "closing-comment language" examples)
- security-issue-sync/SKILL.md (4× — disposition enumerations in Step 1d's closed-bucket scan condition, Step 2b's "all earlier closes" rule, Step 4's archive-from-board rationale, and Step 5's "when to skip regeneration" rule)
Dropping these eliminates the residual ambiguity. The `not CVE worthy` label
itself is deprecated on the airflow-s/airflow-s tracker (re-labeled to
`invalid` on every historical issue + deleted from the repo).
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
.claude/skills/security-issue-invalidate/SKILL.md | 2 +-
.claude/skills/security-issue-sync/SKILL.md | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.claude/skills/security-issue-invalidate/SKILL.md
b/.claude/skills/security-issue-invalidate/SKILL.md
index d9dcdc5..085ed61 100644
--- a/.claude/skills/security-issue-invalidate/SKILL.md
+++ b/.claude/skills/security-issue-invalidate/SKILL.md
@@ -330,7 +330,7 @@ is not a security issue. Strong signals:
(full URL, anchor links, paraphrases).
- Phrases like *"this is by design"*, *"out of scope"*,
*"documented behavior"*, *"requires X privileges already"*,
- *"not a CVE"*, *"not CVE worthy"*, *"won't fix"*, *"working as
+ *"not a CVE"*, *"won't fix"*, *"working as
intended"*.
- Pointers to existing CVEs that already addressed the broader
class (e.g. *"already covered by CVE-2023-37379"*).
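Review bot: dropping *"not CVE worthy"* from the "Strong signals" phrase list (the `-`/`+` pair) removes a free-text match, not a label: this list is used to recognise maintainer comments saying something is not a security issue, and historical comments that used the old wording will no longer register as a strong signal. Consider keeping the phrase here, since it was the tracker label, not the wording in comments, that was deprecated, or state explicitly that matching on old comments is being narrowed on purpose. Also reflow the now-short `+` line so *"working as intended"* is not split across two lines.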
diff --git a/.claude/skills/security-issue-sync/SKILL.md
b/.claude/skills/security-issue-sync/SKILL.md
index 63aff78..ceb5283 100644
--- a/.claude/skills/security-issue-sync/SKILL.md
+++ b/.claude/skills/security-issue-sync/SKILL.md
@@ -982,7 +982,7 @@ are in scope, run the checks in parallel via the subagent
fanout
**When the tracker has no CVE ID.** Closed trackers without a
`CVE-YYYY-NNNNN` in the *CVE tool link* body field are closing
-dispositions (`invalid` / `not CVE worthy` / `duplicate` /
+dispositions (`invalid` / `duplicate` /
`wontfix`) — skip the cve.org check entirely and drop the tracker
from the closed-bucket sweep.
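Review bot: the rule in this hunk infers "closing disposition" purely from the absence of a `CVE-YYYY-NNNNN` in the *CVE tool link* field and then drops the tracker from the closed-bucket sweep entirely, so a closed tracker whose CVE ID was simply never filled in is silently treated like `invalid` / `duplicate` / `wontfix` and skips the cve.org check. Suggest having the skip path list the dropped trackers in the recap so a missing ID is visible rather than swallowed.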
@@ -1201,7 +1201,7 @@ will change and *why*. Group them by category:
When it has, propose closing the issue (do not update labels).
This is the only place sync proposes closing an advisory-flow
issue; all earlier closes are only for closing dispositions
- (`invalid` / `not CVE worthy` / `duplicate` / `wontfix`) at
+ (`invalid` / `duplicate` / `wontfix`) at
Steps 5–6.
See the "CVE references must never point at non-public mailing-list
@@ -1936,7 +1936,7 @@ before moving on to the next item. Use:
field still points at, and historical board sweeps still see the
item. Apply the archive for every close, regardless of the close
reason (terminal-Step-15 or non-terminal disposition like
- `invalid` / `duplicate` / `not CVE worthy` / `wontfix`); the
+ `invalid` / `duplicate` / `wontfix`); the
mutation is idempotent and a no-op on already-archived items.
- **Project-board column:** apply via the `updateProjectV2ItemFieldValue`
GraphQL recipe in
@@ -2039,7 +2039,7 @@ it out explicitly in the Step 6 recap:
Remind the user to allocate a CVE via
<https://cveprocess.apache.org/allocatecve> and mention that the next
sync run will embed the JSON automatically once a CVE is set.
-- **The tracking issue was closed as `invalid` / `not CVE worthy` /
+- **The tracking issue was closed as `invalid` /
`duplicate`** and there is nothing to attach.
In every other case — including already-published CVEs — regenerate.
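Review bot: the skip condition on the `+` line now reads `invalid` / `duplicate`, while the disposition enumerations in the other hunks of this file list `invalid` / `duplicate` / `wontfix`. Either `wontfix` belongs here as well, or the text should say why a `wontfix` close falls under "In every other case ... regenerate" when there is no CVE JSON to attach for it.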