potiuk opened a new pull request, #362: URL: https://github.com/apache/airflow-steward/pull/362
## Summary

Two surgical input-sanitization fixes for the CVE-JSON generator, both arising from Arnout Engelen's 2026-05-28 review pass on the Apache Airflow CVE records ([`CVE-2026-46763`](https://cveprocess.apache.org/cve5/CVE-2026-46763), [`CVE-2026-33264`](https://cveprocess.apache.org/cve5/CVE-2026-33264)).

## Changes

### `parse_cwe`: strip outer parens / brackets from the title

Reviewers' CWE pickers commonly serialise to `CWE-285 (Improper Authorization)`. The previous concat path then emitted `"CWE-285: (Improper Authorization)"` — both a colon *and* parens — which the reviewer flagged as cluttered. The fix strips a single outer wrapper layer when the entire title is wrapped (`(Foo)` / `[Bar]`); inner parens and unbalanced wrappers are left intact.

### `parse_affected_versions`: fail loud on unparsable input

The previous fall-through path emitted `{"version": <raw string>}` — invalid per CVE 5.x schema (`version` must be a literal version, never a range expression). Real inputs like `>= 3.0.0 (reporter verified against 3.2.1)` silently shipped as malformed JSON. Now raises `ValueError`; `main` catches it and exits 2 with a clean error.

### `parse_affected_versions`: warn on bare lower bound without sentinel

`>= 2.0.0` alone emits `{version: "2.0.0"}` with no `lessThan`, which CVE 5.x readers interpret as "this version alone is affected" — almost always misleading. Warns to stderr unless the documented `< NEXT VERSION` sentinel was used.

## Test plan

- [x] 242 unit tests pass (`uv run pytest`).
- [x] Coverage added for: CWE paren-strip, bracket-strip, inner-parens-not-stripped, mismatched-wrappers-not-stripped, `ValueError` on unparsable input, message contains the value, warning on bare lower bound, no warning when `< NEXT VERSION` sentinel is present, `main()` returns 2 on `ValueError` with a clean error message.
- [x] Updated previously-naive tests that relied on the fall-through path.
## Related

- Follow-up to #360 (`generate-cve-json`: gate DRAFT → REVIEW on active release vote) and #361 (sync-skill `[VOTE]` detection) — same diagnostic session, distinct failure mode. This PR ships only the **input-sanitization** half; the **`vulnogram-api-record-update` merge-mode** half (state-downgrade guard, reference merge, product-change warn) lands as a separate PR against the `oauth-api` package.
- Arnout's review comments on the affected CVE records prompted the fixes; the records themselves were patched out-of-band before this PR.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
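The three behaviours the PR describes (outer-wrapper stripping in `parse_cwe`, a loud `ValueError` on range expressions that cannot be parsed, and the bare-lower-bound warning in `parse_affected_versions`), written out as an added, self-contained Python example. This is not the apache/airflow-steward implementation; it reuses the PR's function names but the input grammar it accepts is an assumption: a single range expression per call, bounds separated by commas (`>= 2.0.0, < 2.5.3`), the sentinel spelled exactly `NEXT VERSION`, an open-ended upper bound serialised as `lessThan: "*"`, and a missing lower bound serialised as `version: "0"`. The `main()` wrapper and the CWE/version sample inputs are constructed for illustration.

```python
"""Added example: CVE 5.x input sanitizers of the kind the PR describes.
Not the project's code; grammar, sentinel spelling and the "*"/"0" bound
encodings are assumptions made for this example."""
import json
import re
import sys

NEXT_VERSION_SENTINEL = "NEXT VERSION"  # assumed spelling of the documented sentinel

_WRAPPERS = {"(": ")", "[": "]"}
_CWE_RE = re.compile(r"\s*(CWE-\d+)\s*:?\s*(.*?)\s*")
_VERSION = r"\d+(?:\.\d+)*(?:[A-Za-z0-9.+-]+)?"
_BOUND_RE = re.compile(
    rf"\s*(>=|<|=)?\s*({_VERSION}|{re.escape(NEXT_VERSION_SENTINEL)})\s*"
)


def _wraps_whole(title: str) -> bool:
    """True only when one balanced '(...)' or '[...]' layer encloses the whole title.

    "(Foo)" -> True; "(Foo) and (Bar)" -> False (outer pair closes early);
    "(Foo]" -> False (mismatched); "Foo (Bar)" -> False (not at the start).
    """
    if len(title) < 2 or title[0] not in _WRAPPERS:
        return False
    open_, close = title[0], _WRAPPERS[title[0]]
    if title[-1] != close:
        return False
    depth = 0
    for i, ch in enumerate(title):
        if ch == open_:
            depth += 1
        elif ch == close:
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(title) - 1):
                return False
    return depth == 0


def parse_cwe(raw: str) -> str:
    """'CWE-285 (Improper Authorization)' -> 'CWE-285: Improper Authorization'."""
    m = _CWE_RE.fullmatch(raw)
    if not m:
        raise ValueError(f"unparsable CWE entry: {raw!r}")
    cwe_id, title = m.group(1), m.group(2)
    if _wraps_whole(title):          # strip exactly one outer layer, never inner parens
        title = title[1:-1].strip()
    return f"{cwe_id}: {title}" if title else cwe_id


def parse_affected_versions(raw: str, warn=None) -> dict:
    """Turn one range expression into a CVE 5.x `versions[]` entry, or raise ValueError.

    `warn` receives the bare-lower-bound message (default: stderr) so callers can test it.
    """
    warn = warn or (lambda msg: print(f"warning: {msg}", file=sys.stderr))
    lower = upper = exact = None
    parts = [p for p in raw.split(",") if p.strip()]
    if not parts:
        raise ValueError(f"unparsable affected-version expression {raw!r}: empty")
    for part in parts:
        m = _BOUND_RE.fullmatch(part)
        if not m:   # e.g. ">= 3.0.0 (reporter verified against 3.2.1)" -> never emitted as JSON
            raise ValueError(
                f"unparsable affected-version expression {raw!r}: cannot parse {part.strip()!r}"
            )
        op, ver = m.group(1), m.group(2)
        if ver == NEXT_VERSION_SENTINEL and op != "<":
            raise ValueError(f"unparsable affected-version expression {raw!r}: sentinel needs '<'")
        if op == ">=":
            lower = ver
        elif op == "<":
            upper = "*" if ver == NEXT_VERSION_SENTINEL else ver  # assumption: "*" = all later versions
        else:                       # bare "2.5.3" or "= 2.5.3": a single literal version
            exact = ver
    if exact is not None and (lower or upper):
        raise ValueError(f"unparsable affected-version expression {raw!r}: exact version mixed with bounds")
    entry = {"status": "affected", "versionType": "semver"}
    if exact is not None:
        entry["version"] = exact
    elif lower and upper:
        entry.update(version=lower, lessThan=upper)
    elif lower:                     # CVE 5.x readers take this as "only 2.0.0 is affected"
        warn(f"bare lower bound {raw!r}: emitted without lessThan, so readers treat it as a "
             f"single affected version; use '< {NEXT_VERSION_SENTINEL}' for an open-ended range")
        entry["version"] = lower
    else:
        entry.update(version="0", lessThan=upper)   # assumption: "0" as the implicit lower bound
    return entry


def main(cwe_raw: str, versions_raw: str) -> int:
    """Print the generated fragment; on a sanitization failure print a clean error and return 2."""
    try:
        record = {
            "problemTypes": [{"descriptions": [{"lang": "en", "description": parse_cwe(cwe_raw)}]}],
            "versions": [parse_affected_versions(versions_raw)],
        }
    except ValueError as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 2
    print(json.dumps(record, indent=2))
    return 0


if __name__ == "__main__":   # constructed sample inputs
    sys.exit(main("CWE-285 (Improper Authorization)", ">= 2.0.0, < 2.5.3"))
```

The wrapper check walks the string so that `(Foo) and (Bar)` is left alone even though it both starts with `(` and ends with `)`; a naive first/last-character test would strip it to `Foo) and (Bar`. Routing the warning through an injectable `warn` callable keeps the stderr behaviour for the CLI while letting tests assert on the message instead of capturing output.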
