tools(generate-cve-json): port project-agnostic Python implementation into framework#2

Merged: potiuk merged 1 commit into main from port-generate-cve-json, Apr 28, 2026

@potiuk (Member) commented Apr 28, 2026

Summary

PR 2 of 3 in the generate-cve-json refactor. PR 1 (in airflow-s/airflow-s) refactored the tool to load all project-specific values from a TOML config; this PR ports the now-project-agnostic Python implementation into the framework so the framework ships both the SKILL.md description and the implementation.

Files added

  • tools/vulnogram/generate-cve-json/pyproject.toml
  • tools/vulnogram/generate-cve-json/src/generate_cve_json/{cve_json,__init__,__main__}.py — config-driven implementation; resolves config from --config CLI flag → $CVE_JSON_CONFIG env var → <cwd>/.apache-steward/tools/vulnogram/cve-json-config.toml (default, when adopter is the cwd).
  • tools/vulnogram/generate-cve-json/tests/{__init__,conftest,test_generate_cve_json}.py — full 100-test suite. Conftest points at the fixture config in tests/fixtures/.
  • tools/vulnogram/generate-cve-json/tests/fixtures/cve-json-config.toml — TEST FIXTURE config (clearly labeled as such). Mirrors one adopter's setup so the existing tests' assertions pass without rewriting; NOT shipped as a default for adopters.
  • tools/vulnogram/generate-cve-json/uv.lock — uv lockfile.

Files updated

  • .pre-commit-config.yaml — added the four generate-cve-json hooks (ruff-check, ruff-format, mypy, pytest), restored from the airflow-s pre-commit config.
  • tools/vulnogram/generate-cve-json/SKILL.md — preamble note clarifying that examples in the body use Airflow's config as a running illustration; the tool itself is config-driven and emits CVE records against any adopter's product taxonomy.

Test plan

  • ✅ All 100 tests pass against the test-fixture config.
  • ✅ All four pre-commit hooks pass (ruff-check, ruff-format, mypy, pytest) plus the standard repo hooks.

Known follow-ups (deliberately not in this PR)

  • SKILL.md prose polish. The body still has substantial Airflow-flavoured prose (apache-airflow-providers-... package names, provider directory examples, etc.). The preamble note flags this; tightening passes can rephrase example-by-example without changing the contract.
  • Synthetic test fixture. The fixture config is Airflow-shaped because the tests were written against that taxonomy. A future PR could replace it with a synthetic ("Acme Project") fixture and rewrite assertions to match.

Coordination

PR 3 (against airflow-s) will delete the local Python implementation (it lives in the framework now via submodule) and update skill references to invoke the framework copy. PR 3 is gated on this PR landing.

🤖 Generated with Claude Code

… into framework

PR 2 of 3 in the generate-cve-json refactor (PR 1 landed at
airflow-s/airflow-s — refactored the tool to load all project-specific
values from a TOML config). This commit ports the now-project-agnostic
Python implementation into the apache/airflow-steward framework so the
framework can ship the implementation alongside the SKILL.md description.

Files added:

- tools/vulnogram/generate-cve-json/pyproject.toml — Python package metadata.
- tools/vulnogram/generate-cve-json/src/generate_cve_json/{cve_json,__init__,__main__}.py
  — the project-agnostic implementation. Loads config at startup
  from --config CLI flag → $CVE_JSON_CONFIG → <cwd>/.apache-steward/tools/vulnogram/cve-json-config.toml.
- tools/vulnogram/generate-cve-json/tests/{__init__,conftest,test_generate_cve_json}.py
  — full test suite (100 tests). Conftest points at a fixture
  config in tests/fixtures/.
- tools/vulnogram/generate-cve-json/tests/fixtures/cve-json-config.toml
  — TEST FIXTURE config (clearly labeled as such). Mirrors one
  adopter's setup so the existing tests' assertions pass without
  rewriting; NOT shipped as a default for adopters.
- tools/vulnogram/generate-cve-json/uv.lock — uv lockfile.

Files updated:

- .pre-commit-config.yaml — added the four generate-cve-json hooks
  (ruff-check, ruff-format, mypy, pytest) restored from the airflow-s
  pre-commit config.
- tools/vulnogram/generate-cve-json/SKILL.md — preamble note
  clarifying that examples use Airflow's config as illustration; the
  tool itself is config-driven and emits CVE records against any
  adopter's product taxonomy.

Test plan:

- All 100 tests pass against the test-fixture config.
- All four pre-commit hooks pass (ruff/mypy/pytest + the standard set).

Known follow-ups:

- The SKILL.md still has substantial Airflow-flavoured prose in the
  body (provider directory examples, `apache-airflow-providers-...`
  package names, etc.). The preamble note flags this; tightening
  passes can rephrase example-by-example without changing the
  contract.
- The test fixture config is Airflow-shaped because the tests were
  written against that taxonomy. A future PR could replace it with a
  synthetic ("Acme Project") fixture and rewrite assertions to match.

PR 3 (against airflow-s) will delete the local Python implementation
(it lives in the framework now via submodule) and update skill
references to invoke the framework copy.

Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@potiuk merged commit cff3af6 into main on Apr 28, 2026

@andreahlert added the label "mode:Triage Agentic Triage — spot, classify, route, surface duplicates" on May 7, 2026