tools(generate-cve-json): port project-agnostic Python implementation into framework#2
Merged
… into framework
PR 2 of 3 in the generate-cve-json refactor (PR 1 landed at
airflow-s/airflow-s — refactored the tool to load all project-specific
values from a TOML config). This commit ports the now-project-agnostic
Python implementation into the apache/airflow-steward framework so the
framework can ship the implementation alongside the SKILL.md description.
Files added:
- tools/vulnogram/generate-cve-json/pyproject.toml — Python package metadata.
- tools/vulnogram/generate-cve-json/src/generate_cve_json/{cve_json,__init__,__main__}.py
— the project-agnostic implementation. Loads config at startup
from --config CLI flag → $CVE_JSON_CONFIG → <cwd>/.apache-steward/tools/vulnogram/cve-json-config.toml.
- tools/vulnogram/generate-cve-json/tests/{__init__,conftest,test_generate_cve_json}.py
— full test suite (100 tests). Conftest points at a fixture
config in tests/fixtures/.
- tools/vulnogram/generate-cve-json/tests/fixtures/cve-json-config.toml
— TEST FIXTURE config (clearly labeled as such). Mirrors one
adopter's setup so the existing tests' assertions pass without
rewriting; NOT shipped as a default for adopters.
- tools/vulnogram/generate-cve-json/uv.lock — uv lockfile.
Files updated:
- .pre-commit-config.yaml — added the four generate-cve-json hooks
(ruff-check, ruff-format, mypy, pytest) restored from the airflow-s
pre-commit config.
- tools/vulnogram/generate-cve-json/SKILL.md — preamble note
clarifying that examples use Airflow's config as illustration; the
tool itself is config-driven and emits CVE records against any
adopter's product taxonomy.
Test plan:
- All 100 tests pass against the test-fixture config.
- All four pre-commit hooks pass (ruff/mypy/pytest + the standard set).
Known follow-ups:
- The SKILL.md still has substantial Airflow-flavoured prose in the
body (provider directory examples, `apache-airflow-providers-...`
package names, etc.). The preamble note flags this; tightening
passes can rephrase example-by-example without changing the
contract.
- The test fixture config is Airflow-shaped because the tests were
written against that taxonomy. A future PR could replace it with a
synthetic ("Acme Project") fixture and rewrite assertions to match.
PR 3 (against airflow-s) will delete the local Python implementation
(it lives in the framework now via submodule) and update skill
references to invoke the framework copy.
Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
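The commit message above describes a three-step config lookup: an explicit --config flag, then the CVE_JSON_CONFIG environment variable, then a fixed path under the current working directory. The block below is an added illustration of that precedence, written for this page and not taken from the generate-cve-json implementation or the airflow-steward repository. It assumes a hypothetical schema with two required top-level TOML tables, project and products, invents the sample TOML it writes into a temporary tree, and labels each resolution outcome with the source that won. It fails closed on a missing, malformed or incomplete file rather than proceeding with a partial config, and it treats an empty environment variable as unset so that an empty string cannot quietly select the working directory's file.

```python
"""Config resolution as described in the commit message above:
--config flag, then $CVE_JSON_CONFIG, then
<cwd>/.apache-steward/tools/vulnogram/cve-json-config.toml.

Added illustration, not the generate-cve-json implementation. The required
top-level tables ("project", "products") are an assumed schema.
"""
from __future__ import annotations

import argparse
import os
import tempfile
from pathlib import Path

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore[no-redef]

ENV_VAR = "CVE_JSON_CONFIG"
DEFAULT_REL_PATH = Path(".apache-steward/tools/vulnogram/cve-json-config.toml")
REQUIRED_TABLES = ("project", "products")  # assumption, not the real schema


class ConfigError(RuntimeError):
    """Raised when no usable config can be found or parsed."""


def resolve_config_path(cli_value: str | None,
                        env: dict[str, str] | None = None,
                        cwd: str | Path | None = None) -> tuple[Path, str]:
    """Return (path, source) following the documented precedence.

    `env` and `cwd` are injectable so the order can be tested without
    touching the real process environment. An empty env var is treated
    as unset, so it cannot silently select the current directory's file.
    """
    env = dict(os.environ) if env is None else env
    cwd = Path.cwd() if cwd is None else Path(cwd)
    if cli_value:
        return Path(cli_value), "--config"
    env_value = env.get(ENV_VAR, "")
    if env_value:
        return Path(env_value), f"${ENV_VAR}"
    return cwd / DEFAULT_REL_PATH, "cwd default"


def load_config(path: Path) -> dict:
    """Parse the TOML at `path`, failing closed on absence, bad syntax or a
    missing required table rather than emitting records from a partial config."""
    if not path.is_file():
        raise ConfigError(f"config not found: {path}")
    with path.open("rb") as fh:
        try:
            data = tomllib.load(fh)
        except tomllib.TOMLDecodeError as exc:
            raise ConfigError(f"malformed TOML in {path}: {exc}") from exc
    missing = [t for t in REQUIRED_TABLES if t not in data]
    if missing:
        raise ConfigError(f"{path} is missing required table(s): {', '.join(missing)}")
    return data


def demo() -> dict[str, str]:
    """Exercise the precedence against a constructed temp tree and report which
    source won and whether it loaded. The TOML written here is made up."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        cwd = Path(tmp)
        default_path = cwd / DEFAULT_REL_PATH
        default_path.parent.mkdir(parents=True)
        default_path.write_text(
            '[project]\nname = "Acme Project"\n\n[products]\ncore = "acme-core"\n',
            encoding="utf-8")
        (cwd / "bad.toml").write_text("[project\nname = ", encoding="utf-8")
        (cwd / "partial.toml").write_text('[project]\nname = "Acme Project"\n',
                                          encoding="utf-8")
        (cwd / "empty").mkdir()

        cases = {
            # nothing set: falls through to the cwd default, which loads cleanly
            "default": (None, {}, cwd),
            # env var beats the cwd default, even though it points at malformed TOML
            "env_malformed": (None, {ENV_VAR: str(cwd / "bad.toml")}, cwd),
            # --config beats the env var; a file lacking [products] is rejected
            "cli_partial": (str(cwd / "partial.toml"), {ENV_VAR: str(default_path)}, cwd),
            # no flag, no env var, no file under cwd: fail closed
            "none": (None, {}, cwd / "empty"),
        }
        for name, (cli, env, where) in cases.items():
            path, source = resolve_config_path(cli, env=env, cwd=where)
            try:
                project = load_config(path)["project"]["name"]
                results[name] = f"{source}:loaded:{project}"
            except ConfigError:
                results[name] = f"{source}:rejected"
    return results


def main() -> None:
    parser = argparse.ArgumentParser(description="show which config would be used")
    parser.add_argument("--config", help="explicit path to cve-json-config.toml")
    args = parser.parse_args()
    path, source = resolve_config_path(args.config)
    print(f"{source} -> {path}")
    print(load_config(path))


if __name__ == "__main__":
    main()
```

The cwd fallback is the step to keep in mind when wiring this into a skill: whatever TOML sits under the directory the tool is invoked from is what it will trust, so an adopter running the tool from an unexpected checkout should see the winning source printed, as main() does here, rather than only the generated output.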
Summary
PR 2 of 3 in the generate-cve-json refactor. PR 1 (in airflow-s/airflow-s) refactored the tool to load all project-specific values from a TOML config; this PR ports the now-project-agnostic Python implementation into the framework so the framework ships both the SKILL.md description and the implementation.

Files added

- tools/vulnogram/generate-cve-json/pyproject.toml
- tools/vulnogram/generate-cve-json/src/generate_cve_json/{cve_json,__init__,__main__}.py — config-driven implementation; resolves config from --config CLI flag → $CVE_JSON_CONFIG env var → <cwd>/.apache-steward/tools/vulnogram/cve-json-config.toml (default, when adopter is the cwd).
- tools/vulnogram/generate-cve-json/tests/{__init__,conftest,test_generate_cve_json}.py — full 100-test suite. Conftest points at the fixture config in tests/fixtures/.
- tools/vulnogram/generate-cve-json/tests/fixtures/cve-json-config.toml — TEST FIXTURE config (clearly labeled as such). Mirrors one adopter's setup so the existing tests' assertions pass without rewriting; NOT shipped as a default for adopters.
- tools/vulnogram/generate-cve-json/uv.lock — uv lockfile.

Files updated

- .pre-commit-config.yaml — added the four generate-cve-json hooks (ruff-check, ruff-format, mypy, pytest), restored from the airflow-s pre-commit config.
- tools/vulnogram/generate-cve-json/SKILL.md — preamble note clarifying that examples in the body use Airflow's config as a running illustration; the tool itself is config-driven and emits CVE records against any adopter's product taxonomy.

Test plan

Known follow-ups (deliberately not in this PR)

- apache-airflow-providers-... package names, provider directory examples, etc.). The preamble note flags this; tightening passes can rephrase example-by-example without changing the contract.

Coordination

PR 3 (against airflow-s) will delete the local Python implementation (it lives in the framework now via submodule) and update skill references to invoke the framework copy. PR 3 is gated on this PR landing.
🤖 Generated with Claude Code