This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 30a2b36 feat(security-cve-allocate): extend title-strip cascade with
two patterns from session manual cleanups (#402)
30a2b36 is described below
commit 30a2b36f631e95dc29dded349af97f72a29e3335
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sat May 30 21:53:12 2026 +0200
feat(security-cve-allocate): extend title-strip cascade with two patterns
from session manual cleanups (#402)
Per direct observations from the airflow-s 2026-05-29/30 bulk sync —
two recurring title-noise patterns were cleaned manually that the
existing cascade did not catch:
1. Trailing prior-CVE-relationship parentheticals — the cross-CVE
relationship is structurally captured by the Gate #3 cross-CVE
clause in the public summary; embedding the relationship in the
title is noise to downstream advisory consumers. Catches every
shape observed in this session:
- `(CVE-YYYY-NNNNN)`
- `(possible CVE-YYYY-NNNNN variant)` — from #345
- `(incomplete fix for CVE-YYYY-NNNNN)` — from #351
- `(fix-bypass of CVE-YYYY-NNNNN)` — from #352
- and any other `(... CVE-YYYY-NNNNN ...)` shape
2. Trailing reporter-name attribution parentheticals — reporter
attribution lives in the credits field, never in the public
title. Pattern matches `(<name> follow-up)` where `<name>`
matches name-like tokens (word chars, dots, hyphens, single
inline spaces) to avoid over-stripping substantive technical
content. Catches:
- `(Evan Ricafort follow-up)` — from #346
Substantive technical parentheticals stay intact — e.g. the operator-name
list `(GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)` on the GCS
path-traversal tracker is NOT stripped (it lacks a CVE ID and doesn't end
in `follow-up`).
The matching Step 1d signal row in security-issue-sync now enumerates
the two new patterns so the proposal-time detector and the pre-push
Gate #4 stay in lock-step with the cascade.
Validated against 9 cases: 4 session-derived fixes (all pass), 3
synthetic CVE-relationship variants (all pass), 1 substantive
technical parenthetical (preserved correctly), 1 "<word> follow-up"
edge case (stripped as designed — narrow scope acceptable since
"follow-up" titles in airflow-s are exclusively reporter-attribution).
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
.claude/skills/security-cve-allocate/SKILL.md | 16 ++++++++++++++++
.claude/skills/security-issue-sync/SKILL.md | 2 +-
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/.claude/skills/security-cve-allocate/SKILL.md
b/.claude/skills/security-cve-allocate/SKILL.md
index d4889e7..d52b029 100644
--- a/.claude/skills/security-cve-allocate/SKILL.md
+++ b/.claude/skills/security-cve-allocate/SKILL.md
@@ -341,6 +341,22 @@ patterns_trailing = [
# brackets. Extend the alternation per project.
r"[
\t]*(?:\[(?:ZDRES|HUNTR|GHSL)-[\w-]+\]|\((?:ZDRES|HUNTR|GHSL)-[\w-]+\))\.?[
\t]*$",
r"[ \t]*\([^)]*split from #\d+[^)]*\)\.?[ \t]*$",
+ # Trailing parentheticals that mention a prior CVE ID. The cross-
+ # CVE relationship belongs in the public summary (Gate #3
+ # cross-CVE clause), never in the title — the title ships as
+ # `containers.cna.title` and prior-CVE references read as noise
+ # to downstream advisory consumers. Catches every shape observed
+ # in airflow-s manual cleanups: `(CVE-...)`,
+ # `(possible CVE-... variant)`, `(incomplete fix for CVE-...)`,
+ # `(fix-bypass of CVE-...)`, `(CVE-... <anything>)`, etc.
+ r"[ \t]*\([^)]*\bCVE-\d{4}-\d{4,7}\b[^)]*\)\.?[ \t]*$",
+ # Trailing `(<reporter name> follow-up)` parenthetical. Reporter
+ # attribution belongs in the credits field, never in the public
+ # title. The `<name>` part matches name-like tokens (word chars,
+ # dots, hyphens, single inline spaces) to avoid over-stripping
+ # substantive technical parentheticals that happen to contain
+ # the word `follow-up`.
+ r"[ \t]*\([\w.][\w. -]*[ \t]+follow-up\)\.?[ \t]*$",
]
# Leading passes twice — strip order reveals nested tags.
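Review bot: the comment on the new `(<reporter name> follow-up)` pattern says the name part allows "single inline spaces", but the class `[\w. -]*` accepts runs of spaces, dots and hyphens in any position (`(- -   follow-up)` matches), so either tighten it to something like `[\w.-]+(?: [\w.-]+)*` or reword the comment to what the regex actually enforces. The same comment says the pattern avoids over-stripping, yet any single word followed by ` follow-up)` is removed (the commit message concedes `(regression follow-up)` is stripped), so the safety rests on the airflow-s convention that "follow-up" titles are always reporter attribution; that convention should be stated beside the regex rather than implied. Two smaller points: `follow-up` is matched case-sensitively unless the cascade compiles with `re.IGNORECASE` (the flags are not in the hunk), and the prior-CVE pattern's `[^)]*` cannot cross a nested parenthesis, so `(bypass of CVE-YYYY-NNNNN (see #N))` is left in place; worth a line in the comment if that is acceptable.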
diff --git a/.claude/skills/security-issue-sync/SKILL.md
b/.claude/skills/security-issue-sync/SKILL.md
index 5fba16e..9f5b869 100644
--- a/.claude/skills/security-issue-sync/SKILL.md
+++ b/.claude/skills/security-issue-sync/SKILL.md
@@ -849,7 +849,7 @@ update, label change, or next-step recommendation in Step 2:
| The tracker is an **incomplete-fix follow-up to another CVE** — detected by
any of: the rollup or body mentions *"incomplete fix for `CVE-YYYY-NNNNN`"* /
*"follow-up to `CVE-YYYY-NNNNN`"* / *"sibling tracker"*; the title contains a
*"(incomplete fix for `CVE-YYYY-NNNNN`)"* parenthetical; the `affected[]` array
names a different `packageName` than the referenced prior CVE; OR the tracker
was opened as a split from a closed-`announced` tracker whose CVE is already
PUBLISHED — **AND** the [...]
| The *"CWE"* body field is populated with a bare `CWE-NNN` token (no
description text) — e.g. `CWE-22` or `CWE-502` alone, without the canonical
short description that follows in the format `CWE-NNN: <Title>` | Propose
expanding the field to `CWE-NNN: <Canonical Title>` per the MITRE CWE catalog
(e.g. `CWE-22: Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal')`, `CWE-502: Deserialization of Untrusted Data`, `CWE-601:
URL Redirection to Untrusted Site ('Open R [...]
| The tracker's *Security mailing list thread* body field references a
**private scanner product** (declared in
[`<project-config>/scanner-products.md`](../../../<project-config>/scanner-products.md)
— e.g. internal SAST, partner-shared scan, unpublished bug-bounty pipeline)
**AND** the *Reporter credited as* body field names a person rather than
`anonymous` / a public handle, **AND** there is no signal the finder consented
to public credit (no inbound `security@` message from them under [...]
-| The **issue title** contains adopter-specific or internal noise that would
otherwise ship to the public CVE record — leading or trailing project-name
tokens (e.g. ``Apache Airflow:`` / ``in Apache Airflow`` / ``(Apache Airflow
X.Y)``), internal split markers (``(split from #NNN)`` / ``(split for scope
clarity from #NNN)``), report-form classifiers (``[ Security Report ]`` /
``[Security Issue]``), external-tracker IDs in parentheses or brackets
(``[GHSA-xxxx-xxxx-xxxx]``, ``(ZDRES-NNNNN [...]
+| The **issue title** contains adopter-specific or internal noise that would
otherwise ship to the public CVE record — leading or trailing project-name
tokens (e.g. ``Apache Airflow:`` / ``in Apache Airflow`` / ``(Apache Airflow
X.Y)``), internal split markers (``(split from #NNN)`` / ``(split for scope
clarity from #NNN)``), report-form classifiers (``[ Security Report ]`` /
``[Security Issue]``), external-tracker IDs in parentheses or brackets
(``[GHSA-xxxx-xxxx-xxxx]``, ``(ZDRES-NNNNN [...]
| A release carrying the fix has shipped. Detection is **scope-dependent** —
different scope labels on a project can ride different release trains, each
with its own *"is it released?"* signal (which artifact registry to consult,
what to query, how to map a tracker's milestone to that registry,
partial-release edge cases). The per-scope detection recipe lives in
[`<project-config>/scope-labels.md` — *Detecting that a fix release has
shipped*](../../../<project-config>/scope-labels.md#det [...]
| GHSA state transition (opened, accepted, published, rejected) in a
GHSA-forwarded email | If the GHSA is closed as "not accepted" but the security
team accepted the report on `security@`, flag the divergence in the status
comment so it is not lost. |
| Team member saying *"let's also backport to v3-2-test"* / *"please mark X
for backport"* | Note the requested backport label on the public PR as an item
for Step 9 of the `security-issue-fix` workflow. |