potiuk opened a new pull request, #202:
URL: https://github.com/apache/airflow-steward/pull/202
## Summary
The `pr merged → fix released` transition (Step 12 of the security handling
process) hands ownership of a tracker from the remediation developer to the
release manager. The release manager needs every CVE body field populated to
send the advisory at Step 13, but `security-issue-sync` previously proposed
the hand-off on the release-shipped signal alone — leaving the release
manager to chase down missing fields themselves.
This PR:
1. **Adds a six-field gate to the hand-off.** If *CWE*, *Affected versions*,
   *Severity*, *Reporter credited as*, *Short public summary for publish*, or
   *PR with the fix* is empty / `_No response_`, the sync no longer proposes
   the label flip or assignee swap. It proposes a tracker comment
   `@`-mentioning the *Remediation developer* (read from the body field)
   listing exactly which fields are missing. A subsequent sync run detects
   the gate is clear and proceeds.
2. **Allow-lists CWE and Affected versions for proactive agent auto-proposal
   in earlier syncs**, so the gate is more often already clear by the time
   the release ships:
   - **CWE** — map the patch to a CWE class. Only when unambiguous; must
     cite file/lines.
   - **Affected versions** — derive from the upstream PR's milestone mapped
     to the project's per-scope convention. Only when the milestone uniquely
     determines the range.

   All other mandatory fields stay on the external-signal path — no guessing.
3. **Content guideline for *Short public summary for publish*** — the field
   powers the published CVE description end users read, so it must tell them
   what to do (fixed version, mitigations, CWE class is allowed). Propose a
   rewrite when the field is technically accurate but missing the
   user-facing action.
## Test plan
- [ ] Run `/security-issue-sync` against a tracker that has the
      release-shipped signal but `_No response_` in (say) *Short public summary
      for publish*. Confirm the sync proposes a tracker comment `@`-mentioning
      the remediation developer, **not** the `fix released` label swap or the
      assignee swap.
- [ ] Run a second sync after the field is filled. Confirm the gate is now
      clear and the original hand-off proposal fires.
- [ ] Run sync on a tracker where CWE is `_No response_` and the PR is
      unambiguous (e.g. clear missing-auth-check fix). Confirm the proposal
      includes a CWE-287 value with file/line citation.
- [ ] Run sync on a tracker with an ambiguous patch (multiple plausible
      CWEs). Confirm the proposal flags the ambiguity rather than guessing.
- [ ] Run sync on a tracker whose *Short public summary for publish* states
      only the vulnerability but no upgrade / mitigation text. Confirm the
      proposal includes a rewrite that adds the user-facing instructions.
Generated-by: Claude Code (Opus 4.7)
--
This is an automated message from the Apache Git Service.
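As an added example (not code from apache/airflow-steward or from this PR), here is the six-field hand-off gate described in the Summary, written in Python. It assumes the tracker body uses GitHub issue-form markdown (`### Field` headings followed by the value, `_No response_` for an unfilled field) and takes the release manager's handle as a parameter, since the PR does not say where the sync reads it; the sample body is constructed.

```python
import re

# The six fields the release manager needs before sending the advisory (Step 13).
GATE_FIELDS = (
    "CWE", "Affected versions", "Severity", "Reporter credited as",
    "Short public summary for publish", "PR with the fix",
)
EMPTY_MARKERS = {"", "_No response_"}


def parse_issue_form(body: str) -> dict[str, str]:
    """Split an issue-form body into {heading: value}; each '### Heading' starts a field."""
    pattern = re.compile(r"^### (.+?)\n(.*?)(?=^### |\Z)", re.M | re.S)
    return {m.group(1).strip(): m.group(2).strip() for m in pattern.finditer(body)}


def missing_gate_fields(fields: dict[str, str]) -> list[str]:
    """Gate fields that are absent, empty or still the `_No response_` placeholder."""
    return [f for f in GATE_FIELDS if fields.get(f, "") in EMPTY_MARKERS]


def propose_handoff(body: str, release_shipped: bool, release_manager: str) -> dict:
    """What the sync should propose once the release-shipped signal is present.

    `release_manager` is an assumed parameter: the PR does not say where the
    sync reads the release manager's handle from.
    """
    if not release_shipped:
        return {"action": "none"}
    fields = parse_issue_form(body)
    missing = missing_gate_fields(fields)
    if missing:
        # Gate not clear: propose a comment to the remediation developer instead of the hand-off.
        dev = fields.get("Remediation developer", "") or "<unknown remediation developer>"
        return {"action": "comment",
                "text": f"@{dev} hand-off to the release manager is blocked; "
                        f"please fill: {', '.join(missing)}"}
    # Gate clear: propose the label flip and the assignee swap.
    return {"action": "handoff", "label": "fix released", "assignee": release_manager}


# Constructed sample tracker body (not taken from any real issue).
SAMPLE_BODY = (
    "### CWE\n\nCWE-287\n\n"
    "### Affected versions\n\n_No response_\n\n"
    "### Severity\n\nHigh\n\n"
    "### Reporter credited as\n\nJane Doe\n\n"
    "### Short public summary for publish\n\n_No response_\n\n"
    "### PR with the fix\n\nhttps://github.com/example/example/pull/1\n\n"
    "### Remediation developer\n\ndev-alice\n"
)

if __name__ == "__main__":
    print(propose_handoff(SAMPLE_BODY, release_shipped=True, release_manager="rm-bob"))
```

Running it on the sample proposes the `@dev-alice` comment naming the two empty fields; once those are filled, a second call returns the `fix released` hand-off instead.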