
feat(title-normalization): broader leading bracket + external-ID strip#273

Merged: potiuk merged 1 commit into apache:main from potiuk:feat/title-norm-generic-patterns on May 25, 2026

Conversation

potiuk commented May 25, 2026
Summary

  • Pattern #1 (leading bracketed tag) broadened. Old form matched only [Security Report|Issue|Vulnerability|Bug] with square brackets. New form matches any [...] or (...) leading tag whose body contains the word security or important, applied case-insensitive. Catches (Security Issue), [ Security Vulnerability ], [IMPORTANT], (Important — please read), etc.
  • Pattern #9 (new) — trailing external-tracker IDs. Strips trailing IDs from common public-disclosure tracker brands — (ZDRES-…), [HUNTR-…], (GHSL-…) — in either square- or round-bracket form. Documented as a per-project-extensible alternation (SNYK-…, BDSA-…, internal bug-bounty platforms).
  • Both changes land in two places kept in sync: the adopter-facing template projects/_template/title-normalization.md and the example cascade in .claude/skills/security-cve-allocate/SKILL.md.

Motivation

Real airflow-s tracker subject: [ Security Report ] LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token (ZDRES-223). The leading [ Security Report ] did match the old pattern, but no pattern covered the trailing (ZDRES-223) — the cleaned CVE title still carried the reporter-internal tracker ID. The broader leading regex also future-proofs the cascade against (...)-style and [IMPORTANT]-style reporter prefixes, which the old form silently skipped.

Verified locally — the new cascade collapses the example to LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token.

Test plan

🤖 Generated with Claude Code

Generalise the leading bracketed-tag regex in the template (and the
matching example cascade in security-cve-allocate/SKILL.md) so it
catches any square- or round-bracketed leading tag whose body
contains the word "security" or "important", case-insensitive —
e.g. (Security Issue), [ Security Vulnerability ], [IMPORTANT],
(Important - please read), in addition to the existing four
[Security X] forms.

Add a new pattern apache#9 to strip trailing IDs from known external
bug-bounty / disclosure trackers — (ZDRES-NNN), [HUNTR-NNN],
(GHSL-YYYY-NNN) — in either bracket style. Extend the alternation
per project as new reporter brands surface (SNYK-, BDSA-, etc.).

Real motivating example: an airflow-s tracker whose subject was
"[ Security Report ] LDAP Filter Injection in FAB Auth Manager
_search_ldap reachable via /auth/token (ZDRES-223)" — the leading
prefix matched the old pattern but no pattern covered the trailing
(ZDRES-223). Verified the new cascade collapses this to "LDAP Filter
Injection in FAB Auth Manager _search_ldap reachable via /auth/token".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
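The two-step cascade described in the PR body and commit message above, as an added example that is not the project's code. The regexes are my own reconstruction from the description (the project's real patterns live in projects/_template/title-normalization.md and are not reproduced on this page), and the default brand tuple is an assumption seeded only with the brands the PR names. The point a reviewer cares about is that the trailing-ID pattern is anchored to the end of the title and restricted to known brands, so an ordinary parenthetical such as "(CVE pending)" survives while a reporter-internal ID like (ZDRES-223) does not leak into the public CVE title.

```python
import re

# Added example (not the project's code): a minimal reconstruction of the
# two title-normalization patterns the PR describes. The regexes and the
# brand list are assumptions; the project's real patterns live in
# projects/_template/title-normalization.md and are not shown on this page.

# Pattern #1 (broadened): any leading [...] or (...) tag whose body contains
# the whole word "security" or "important", case-insensitive. The bracket
# body may not cross its own closing bracket, so a "(security)" that appears
# later in the title is left alone.
LEADING_TAG = re.compile(
    r"^\s*(?:"
    r"\[[^\]]*\b(?:security|important)\b[^\]]*\]"
    r"|\([^)]*\b(?:security|important)\b[^)]*\)"
    r")\s*",
    re.IGNORECASE,
)

# Pattern #9 (new): trailing external-tracker ID in either bracket style.
# The brand alternation is per-project extensible, so it is built from a
# tuple rather than hard-coded. Only the brands named in the PR are seeded.
DEFAULT_TRACKER_BRANDS = ("ZDRES", "HUNTR", "GHSL")


def trailing_tracker_re(brands=DEFAULT_TRACKER_BRANDS):
    """Build the trailing-ID regex for a project's brand list (assumed shape)."""
    alt = "|".join(re.escape(b) for b in brands)
    ident = rf"(?:{alt})-[A-Za-z0-9-]+"  # e.g. ZDRES-223, GHSL-2026-001
    return re.compile(
        rf"\s*(?:\[\s*{ident}\s*\]|\(\s*{ident}\s*\))\s*$",
        re.IGNORECASE,
    )


def normalize_title(subject, brands=DEFAULT_TRACKER_BRANDS):
    """Run the cascade: each pattern strips its match at most once and the
    next pattern runs on the result, mirroring the ordered template cascade."""
    cascade = (LEADING_TAG, trailing_tracker_re(brands))
    cleaned = subject
    for pattern in cascade:
        cleaned = pattern.sub("", cleaned, count=1)
    return cleaned.strip()


if __name__ == "__main__":
    # Constructed inputs; the first is the PR's own motivating example.
    samples = [
        "[ Security Report ] LDAP Filter Injection in FAB Auth Manager "
        "_search_ldap reachable via /auth/token (ZDRES-223)",
        "(Security Issue) Open redirect in login callback [HUNTR-1-2345]",
        "[IMPORTANT] Please rotate the signing key",
        "Heap overflow in parser (CVE pending)",  # not a tracker ID: kept
    ]
    for s in samples:
        print(f"{s!r}\n  -> {normalize_title(s)!r}")
```

Extending the alternation per project is a matter of passing a longer brand tuple (for example adding SNYK or BDSA), which is what the PR means by a per-project-extensible pattern; a brand not in the tuple is deliberately left in place rather than guessed at.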
@potiuk potiuk merged commit 6b609b7 into apache:main May 25, 2026
13 checks passed