feat(generate-cve-json): emit related references for sibling CVEs#384

Merged
potiuk merged 1 commit into
apache:mainfrom
potiuk:feat-generate-cve-json-related-reference
May 30, 2026

Conversation

@potiuk potiuk commented May 30, 2026

Summary

Per Arnout Engelen's 2026-05-29 review comment on CVE-2026-49298 — when a CVE is an incomplete-fix follow-up to a prior CVE (or otherwise relates to one), the JSON should carry a structured `references[]` entry of type `related` pointing at the prior CVE record so ASF Security's downstream tooling can navigate the cross-CVE relationship.

Implementation

  • `classify_reference` tags `cve.org/CVERecord?id=...` and `nvd.nist.gov/vuln/detail/...` URLs as `["related"]`.
  • `extract_related_cve_ids(text, current_cve_id)` — finds distinct `CVE-YYYY-NNNNN` tokens in arbitrary text (typically the summary) with word-boundary matching, excludes the current record's own ID, preserves first-appearance order for deterministic emission.
  • `related_cve_url(cve_id)` — emits the canonical `https://www.cve.org/CVERecord?id=` URL.
  • `build_cna_container` now accepts `current_cve_id`, extracts related IDs from the description, and appends `cve.org` URLs to the references list.

Gate #3 (incomplete-fix cross-CVE clause, PR #372) already pushes prior CVE IDs into the summary text — so this lands automatically the next time the body is regenerated for any incomplete-fix tracker.

Test plan

🤖 Generated with Claude Code

Per Arnout Engelen's 2026-05-29 review comment on CVE-2026-49298 — when
a CVE is an incomplete-fix follow-up to a prior CVE (or otherwise
relates to one), the JSON should carry a structured references[] entry
of type "related" pointing at the prior CVE record.

Implementation:

- Extend classify_reference to tag cve.org/CVERecord?id=... and
  nvd.nist.gov/vuln/detail/... URLs as ["related"].
- Add extract_related_cve_ids(text, current_cve_id) — finds distinct
  CVE-YYYY-NNNNN tokens in arbitrary text with word-boundary matching,
  excludes the current record's own ID, preserves first-appearance
  order for deterministic emission.
- Add related_cve_url(cve_id) — emits the canonical
  https://www.cve.org/CVERecord?id=<id> URL.
- build_cna_container now accepts current_cve_id, extracts related
  IDs from the description, and appends cve.org URLs to the
  references list.

Tests: 20 new cases. Full suite 264/264.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@potiuk potiuk merged commit 5a2cd96 into apache:main May 30, 2026
16 checks passed
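The extraction and tagging steps listed in the Implementation bullets of the PR description (and restated in the commit message) can be illustrated with a small self-contained re-implementation. This is an added example, not the project's own `generate-cve-json` code: the function names follow the PR, but the exact `references[]` entry shape, the case-insensitive matching and the "4 or more digit sequence" rule are assumptions, and the `CVE-0000-*` IDs in the sample are placeholders.

```python
# Added illustration, not the project's code: a hypothetical re-implementation
# of the helpers the PR names. The references[] shape, case-insensitive
# matching and the 4+ digit sequence rule are assumptions.
import re
from urllib.parse import urlparse

# \b on both ends: "XCVE-0000-0003" is skipped and "CVE-0000-00012" is taken
# whole rather than as "CVE-0000-0001" plus a stray digit.
CVE_ID_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def extract_related_cve_ids(text: str, current_cve_id: str) -> list[str]:
    """Distinct CVE IDs in text, minus the record's own ID, in
    first-appearance order so the emitted JSON is deterministic."""
    own = current_cve_id.upper()
    found: list[str] = []
    for match in CVE_ID_RE.finditer(text):
        cve_id = match.group(0).upper()
        if cve_id != own and cve_id not in found:
            found.append(cve_id)
    return found


def related_cve_url(cve_id: str) -> str:
    """Canonical cve.org record URL for a CVE ID."""
    return f"https://www.cve.org/CVERecord?id={cve_id.upper()}"


def classify_reference(url: str) -> list[str]:
    """Tag cve.org CVERecord and NVD detail URLs as related; other URLs
    get no tag here (the tool's other categories are out of scope)."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if (host in ("www.cve.org", "cve.org") and parts.path == "/CVERecord"
            and parts.query.startswith("id=")):
        return ["related"]
    if host == "nvd.nist.gov" and parts.path.startswith("/vuln/detail/"):
        return ["related"]
    return []


def related_references(summary: str, current_cve_id: str) -> list[dict]:
    """The entries build_cna_container would append to references[]."""
    urls = [related_cve_url(c) for c in extract_related_cve_ids(summary, current_cve_id)]
    return [{"url": u, "tags": classify_reference(u)} for u in urls]


# Constructed summary; CVE-0000-* are placeholder IDs, CVE-2026-49298 is the
# record's own ID from the PR and must not be emitted as related.
SAMPLE_SUMMARY = (
    "Tracked as CVE-2026-49298. Incomplete fix for CVE-0000-0001; see also "
    "cve-0000-0002 and CVE-0000-0001 again. Noise: XCVE-0000-0003, CVE-0000-00012."
)
```

Running `related_references(SAMPLE_SUMMARY, "CVE-2026-49298")` yields three `related` entries, in the order the prior IDs first appear, with the record's own ID, the duplicate and the `XCVE` token all dropped.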