feat(security-cve-allocate): extend title-strip cascade with patterns from session cleanups#402
Merged
potiuk merged 1 commit into May 30, 2026
Conversation
…erns from session manual cleanups

Per direct observations from the airflow-s 2026-05-29/30 bulk sync — two recurring title-noise patterns were cleaned manually that the existing cascade did not catch:

1. Trailing prior-CVE-relationship parentheticals — the cross-CVE relationship is structurally captured by the Gate apache#3 cross-CVE clause in the public summary; embedding the relationship in the title is noise to downstream advisory consumers. Catches every shape observed in this session:
   - `(CVE-YYYY-NNNNN)`
   - `(possible CVE-YYYY-NNNNN variant)` — from apache#345
   - `(incomplete fix for CVE-YYYY-NNNNN)` — from apache#351
   - `(fix-bypass of CVE-YYYY-NNNNN)` — from apache#352
   - and any other `(... CVE-YYYY-NNNNN ...)` shape

2. Trailing reporter-name attribution parentheticals — reporter attribution lives in the credits field, never in the public title. Pattern matches `(<name> follow-up)` where `<name>` matches name-like tokens (word chars, dots, hyphens, single inline spaces) to avoid over-stripping substantive technical content. Catches:
   - `(Evan Ricafort follow-up)` — from apache#346

Substantive technical parentheticals stay intact — e.g. the operator-name list `(GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)` on the GCS path-traversal tracker is NOT stripped (it lacks a CVE ID and doesn't end in `follow-up`).

The matching Step 1d signal row in security-issue-sync now enumerates the two new patterns so the proposal-time detector and the pre-push Gate apache#4 stay in lock-step with the cascade.

Validated against 9 cases: 4 session-derived fixes (all pass), 3 synthetic CVE-relationship variants (all pass), 1 substantive technical parenthetical (preserved correctly), 1 "<word> follow-up" edge case (stripped as designed — narrow scope acceptable since "follow-up" titles in airflow-s are exclusively reporter-attribution).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Two patterns observed in airflow-s manual title-cleanups during the 2026-05-29/30 bulk sync that the existing cascade did not catch — both have a clear structural home elsewhere in the CVE record:
Pattern 1 — trailing prior-CVE-relationship parentheticals
The cross-CVE relationship is structurally captured by the Gate #3 cross-CVE clause in the public summary; embedding the relationship in the title is noise to downstream advisory consumers.
Shapes observed:
- `(CVE-YYYY-NNNNN)`
- `(possible CVE-YYYY-NNNNN variant)` — from #345
- `(incomplete fix for CVE-YYYY-NNNNN)` — from #351
- `(fix-bypass of CVE-YYYY-NNNNN)` — from #352
- any other `(... CVE-YYYY-NNNNN ...)` shape
Pattern 2 — trailing reporter-name attribution parentheticals
Reporter attribution lives in the credits field, never in the public title.
Shape: `(<name> follow-up)` where `<name>` matches name-like tokens (word chars, dots, hyphens, single inline spaces). Catches `(Evan Ricafort follow-up)` from #346.
Substantive content stays intact
`(GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)` on the GCS path-traversal tracker is not stripped (no CVE ID, doesn't end in `follow-up`).
Sync skill stays in lock-step
The matching Step 1d signal row in `security-issue-sync` now enumerates the two new patterns so the proposal-time detector and the pre-push Gate #4 reflect the cascade.
Test plan
🤖 Generated with Claude Code
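As an added example (not the PR's or the project's own code), a Python approximation of the two new strip patterns described above, run as a cascade over constructed sample titles that mirror the cases the PR lists; the regexes, the sample titles and the function names are assumptions, not the cascade's actual implementation:

```python
import re

# Constructed approximation of the two patterns the PR adds; not the real cascade.

# Pattern 1: a trailing parenthetical containing a CVE ID anywhere inside it,
# e.g. "(CVE-2025-12345)" or "(possible CVE-2025-12345 variant)".
CVE_RELATION_PAREN = re.compile(r"\s*\([^()]*\bCVE-\d{4}-\d{4,}\b[^()]*\)\s*$")

# Pattern 2: a trailing "(<name> follow-up)" where <name> is name-like tokens
# (word chars, dots, hyphens) joined by single spaces. A "+" or "/" inside the
# parentheses breaks the match, so technical lists are not over-stripped.
REPORTER_FOLLOWUP_PAREN = re.compile(r"\s*\([\w.-]+(?: [\w.-]+)* follow-up\)\s*$")


def strip_title_noise(title: str) -> str:
    """Strip trailing CVE-relationship and reporter-attribution parentheticals.

    Cascades until the title stops changing, so a title carrying both kinds
    of suffix is cleaned in one call.
    """
    previous = None
    while previous != title:
        previous = title
        title = CVE_RELATION_PAREN.sub("", title)
        title = REPORTER_FOLLOWUP_PAREN.sub("", title)
    return title.strip()


# Constructed sample titles (not real advisories) covering the PR's case
# classes: session-derived shapes, a substantive technical parenthetical that
# must survive, the "<word> follow-up" edge, and a mid-title CVE ID.
SAMPLE_TITLES = [
    "SQL injection in connection form (CVE-2025-12345)",
    "SQL injection in connection form (possible CVE-2025-12345 variant)",
    "SQL injection in connection form (incomplete fix for CVE-2025-12345)",
    "SQL injection in connection form (fix-bypass of CVE-2025-12345)",
    "XSS in task log view (Evan Ricafort follow-up)",
    "Path traversal in GCS transfers (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)",
    "Open redirect in login (bar follow-up)",
    "Regression after CVE-2025-12345 fix in scheduler",
]


def strip_all(titles=SAMPLE_TITLES) -> dict:
    """Map each original title to its stripped form, for inspection or testing."""
    return {t: strip_title_noise(t) for t in titles}
```

Titles whose trailing parenthetical is neither a CVE relationship nor a name-like `follow-up` credit come back unchanged, which is the over-stripping guard the PR calls out.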