feat(title-normalization): broader leading bracket + external-ID strip#273
Merged
Generalise the leading bracketed-tag regex in the template (and the matching example cascade in security-cve-allocate/SKILL.md) so it catches any square- or round-bracketed leading tag whose body contains the word "security" or "important", case-insensitive — e.g. (Security Issue), [ Security Vulnerability ], [IMPORTANT], (Important - please read), in addition to the existing four [Security X] forms. Add a new pattern #9 to strip trailing IDs from known external bug-bounty / disclosure trackers — (ZDRES-NNN), [HUNTR-NNN], (GHSL-YYYY-NNN) — in either bracket style. Extend the alternation per project as new reporter brands surface (SNYK-, BDSA-, etc.).

Real motivating example: an airflow-s tracker whose subject was "[ Security Report ] LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token (ZDRES-223)" — the leading prefix matched the old pattern but no pattern covered the trailing (ZDRES-223). Verified the new cascade collapses this to "LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- Broaden the leading bracketed-tag regex. Old form matched only `[Security Report|Issue|Vulnerability|Bug]` with square brackets. New form matches any `[...]` or `(...)` leading tag whose body contains the word security or important, applied case-insensitive. Catches `(Security Issue)`, `[ Security Vulnerability ]`, `[IMPORTANT]`, `(Important — please read)`, etc.
- New pattern #9 strips trailing IDs from known external bug-bounty / disclosure trackers: `(ZDRES-…)`, `[HUNTR-…]`, `(GHSL-…)` — in either square- or round-bracket form. Documented as a per-project-extensible alternation (`SNYK-…`, `BDSA-…`, internal bug-bounty platforms).
- Touches `projects/_template/title-normalization.md` and the example cascade in `.claude/skills/security-cve-allocate/SKILL.md`.

Motivation

Real airflow-s tracker subject:
`[ Security Report ] LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token (ZDRES-223)`. The leading `[ Security Report ]` did match the old pattern, but no pattern covered the trailing `(ZDRES-223)` — the cleaned CVE title still carried the reporter-internal tracker ID. The broader leading regex also future-proofs the cascade against `(...)`-style and `[IMPORTANT]`-style reporter prefixes, which the old form silently skipped.

Verified locally — the new cascade collapses the example to
`LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token`.

Test plan

- Leading regex matches `[Security X]`, `(Security X)`, `[IMPORTANT]`, `(Important …)` in any casing.
- Leading regex does not match `[NotSecurity]` / `[Securityish]` alone (word-boundary required).
- Pattern #9 strips `(ZDRES-NNN)`, `[HUNTR-NNN]`, `(GHSL-YYYY-NNN)` and leaves `(CVE-…)` / `(Apache Airflow 2.5)` / `(GHSA-…)` / `(split from #N)` untouched (handled by other patterns).

🤖 Generated with Claude Code
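The two patterns the PR describes, reimplemented here as a runnable example. This is not the project's own cascade (that lives in a markdown template this page does not show); the regex bodies, the function names and the brand list are assumptions built from the description above. The project's other patterns that handle `(CVE-…)`, `(GHSA-…)`, version suffixes and `(split from #N)` are deliberately not modelled, so those suffixes pass through untouched here just as the test plan says they should.

```python
import re

# Added example, not the project's title-normalization cascade. Regex bodies,
# names and the brand tuple are assumptions derived from the PR description.

# Leading bracketed tag, [...] or (...), whose body contains the whole word
# "security" or "important" in any casing. The \b anchors are what keep
# [NotSecurity] and [Securityish] from qualifying.
LEADING_TAG = re.compile(
    r"^\s*(?:"
    r"\[[^\]]*\b(?:security|important)\b[^\]]*\]"
    r"|\([^)]*\b(?:security|important)\b[^)]*\)"
    r")\s*",
    re.IGNORECASE,
)

# Known external bug-bounty / disclosure tracker brands. Extend this tuple
# per project as new reporter brands surface; the regex is rebuilt from it.
EXTERNAL_TRACKER_BRANDS = ("ZDRES", "HUNTR", "GHSL", "SNYK", "BDSA")

# BRAND-123 or BRAND-2024-017 (one or more dash-separated numeric groups).
_brand_alt = "|".join(re.escape(b) for b in EXTERNAL_TRACKER_BRANDS)
_tracker_id = r"(?:" + _brand_alt + r")-[0-9]+(?:-[0-9]+)*"

# Trailing "(BRAND-NNN)" or "[BRAND-NNN]" anchored at the very end of the title.
TRAILING_EXTERNAL_ID = re.compile(
    r"\s*(?:\[\s*" + _tracker_id + r"\s*\]|\(\s*" + _tracker_id + r"\s*\))\s*$",
    re.IGNORECASE,
)


def strip_leading_tag(title: str) -> str:
    """Remove one leading [Security ...] / (Important ...) style tag, if present."""
    return LEADING_TAG.sub("", title, count=1)


def strip_trailing_external_id(title: str) -> str:
    """Remove one trailing external tracker ID such as (ZDRES-223), if present."""
    return TRAILING_EXTERNAL_ID.sub("", title, count=1)


def normalize_title(title: str) -> str:
    """Cascade: leading tag, then trailing tracker ID, then whitespace cleanup."""
    cleaned = strip_leading_tag(title)
    cleaned = strip_trailing_external_id(cleaned)
    return re.sub(r"\s+", " ", cleaned).strip()


if __name__ == "__main__":
    # Constructed sample subjects; the first is the one quoted in the PR.
    samples = [
        "[ Security Report ] LDAP Filter Injection in FAB Auth Manager "
        "_search_ldap reachable via /auth/token (ZDRES-223)",
        "(Important - please read) Path traversal in download endpoint [HUNTR-1234]",
        "[NotSecurity] Typo in docs (GHSL-2024-017)",
        "[Security] Denial of service in parser (CVE-2024-0001)",
    ]
    for subject in samples:
        print(repr(subject), "->", repr(normalize_title(subject)))
```

Running it shows the third sample keeping its `[NotSecurity]` prefix (no word boundary after "Not") while still losing the `(GHSL-2024-017)` suffix, and the fourth keeping `(CVE-2024-0001)` because CVE is not in the brand alternation. Both patterns use `count=1` so a title that legitimately contains a second bracketed phrase in the middle is never touched.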