feat(security-cve-allocate): extend title-strip cascade with patterns from session cleanups#402

Merged
potiuk merged 1 commit into
apache:mainfrom
potiuk:feat-security-cve-allocate-title-strip-patterns
May 30, 2026
Conversation

@potiuk potiuk commented May 30, 2026

Summary

Two patterns observed in airflow-s manual title-cleanups during the 2026-05-29/30 bulk sync that the existing cascade did not catch — both have a clear structural home elsewhere in the CVE record:

Pattern 1 — trailing prior-CVE-relationship parentheticals

The cross-CVE relationship is structurally captured by the Gate #3 cross-CVE clause in the public summary; embedding the relationship in the title is noise to downstream advisory consumers.

Shapes observed:

Pattern 2 — trailing reporter-name attribution parentheticals

Reporter attribution lives in the credits field, never in the public title.

Shape: `(<name> follow-up)` where `<name>` matches name-like tokens (word chars, dots, hyphens, single inline spaces). Catches `(Evan Ricafort follow-up)` from #346.

Substantive content stays intact

`(GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)` on the GCS path-traversal tracker is not stripped (no CVE ID, doesn't end in `follow-up`).

Sync skill stays in lock-step

The matching Step 1d signal row in `security-issue-sync` now enumerates the two new patterns so the proposal-time detector and the pre-push Gate #4 reflect the cascade.

Test plan

  • Validated against 9 cases: 4 session-derived fixes (all pass), 3 synthetic CVE-relationship variants (all pass), 1 substantive technical parenthetical (preserved), 1 `<word> follow-up` edge case (stripped — narrow scope acceptable since `follow-up` in airflow-s titles is exclusively reporter-attribution)
  • Next sync pass on a tracker with one of these parentheticals surfaces the strip proposal

🤖 Generated with Claude Code

…erns from session manual cleanups

Per direct observations from the airflow-s 2026-05-29/30 bulk sync —
two recurring title-noise patterns were cleaned manually that the
existing cascade did not catch:

1. Trailing prior-CVE-relationship parentheticals — the cross-CVE
   relationship is structurally captured by the Gate apache#3 cross-CVE
   clause in the public summary; embedding the relationship in the
   title is noise to downstream advisory consumers. Catches every
   shape observed in this session:
   - `(CVE-YYYY-NNNNN)`
   - `(possible CVE-YYYY-NNNNN variant)` — from apache#345
   - `(incomplete fix for CVE-YYYY-NNNNN)` — from apache#351
   - `(fix-bypass of CVE-YYYY-NNNNN)` — from apache#352
   - and any other `(... CVE-YYYY-NNNNN ...)` shape

2. Trailing reporter-name attribution parentheticals — reporter
   attribution lives in the credits field, never in the public
   title. Pattern matches `(<name> follow-up)` where `<name>`
   matches name-like tokens (word chars, dots, hyphens, single
   inline spaces) to avoid over-stripping substantive technical
   content. Catches:
   - `(Evan Ricafort follow-up)` — from apache#346

Substantive technical parentheticals stay intact — e.g. the operator-
name list `(GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)` on
the GCS path-traversal tracker is NOT stripped (it lacks a CVE ID
and doesn't end in `follow-up`).

The matching Step 1d signal row in security-issue-sync now enumerates
the two new patterns so the proposal-time detector and the pre-push
Gate apache#4 stay in lock-step with the cascade.

Validated against 9 cases: 4 session-derived fixes (all pass), 3
synthetic CVE-relationship variants (all pass), 1 substantive
technical parenthetical (preserved correctly), 1 "<word> follow-up"
edge case (stripped as designed — narrow scope acceptable since
"follow-up" titles in airflow-s are exclusively reporter-attribution).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
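The two trailing-parenthetical patterns described in the PR body and the commit message, implemented as a small regex cascade. This is an added example, not the PR's own code or the project's title-strip cascade: the regular expressions are a reconstruction of the described shapes, the function names (`strip_title_noise`, `propose_strips`) are hypothetical, and every sample title and CVE id below is constructed for illustration.

```python
import re

# Pattern 1 (reconstructed from the PR text): a trailing parenthetical whose body
# contains a CVE id, in any surrounding wording. `[^()]` keeps the match inside
# the last balanced pair so a preceding parenthetical is never swallowed.
CVE_RELATIONSHIP_RE = re.compile(r"\s*\([^()]*\bCVE-\d{4}-\d{4,7}\b[^()]*\)\s*$")

# Pattern 2 (reconstructed from the PR text): a trailing `(<name> follow-up)`
# where <name> is name-like tokens (word chars, dots, hyphens) separated by
# single inline spaces. Anything else in the parenthetical (e.g. `+`) fails
# to match, which is what keeps substantive operator lists intact.
REPORTER_FOLLOWUP_RE = re.compile(r"\s*\([\w.-]+(?: [\w.-]+)* follow-up\)\s*$")

CASCADE = (CVE_RELATIONSHIP_RE, REPORTER_FOLLOWUP_RE)


def strip_title_noise(title: str) -> str:
    """Apply the cascade until no pattern fires, so stacked suffixes such as
    `(... follow-up) (CVE-...)` are fully removed. Titles with no trailing
    noise are returned unchanged (apart from outer whitespace)."""
    cleaned = title.strip()
    changed = True
    while changed:
        changed = False
        for pattern in CASCADE:
            candidate = pattern.sub("", cleaned).rstrip()
            if candidate != cleaned:
                cleaned = candidate
                changed = True
    return cleaned


def propose_strips(titles):
    """Proposal-time view: return (original, cleaned) pairs only for titles the
    cascade would change, mirroring a detector that surfaces strip proposals."""
    proposals = []
    for title in titles:
        cleaned = strip_title_noise(title)
        if cleaned != title.strip():
            proposals.append((title, cleaned))
    return proposals


# Constructed sample titles; CVE-2026-00001 is a placeholder id, not a real CVE.
SAMPLE_TITLES = [
    "Example component issue (CVE-2026-00001)",
    "Example component issue (possible CVE-2026-00001 variant)",
    "Example component issue (incomplete fix for CVE-2026-00001)",
    "Example component issue (fix-bypass of CVE-2026-00001)",
    "Example component issue (Evan Ricafort follow-up)",
    "GCS path traversal (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)",
    "Example component issue (word follow-up)",
]

if __name__ == "__main__":
    for original, cleaned in propose_strips(SAMPLE_TITLES):
        print(f"{original!r} -> {cleaned!r}")
```

Running the block prints one proposal per noisy title and nothing for the operator-list title, which is the preservation behaviour the PR's test plan checks; the `(word follow-up)` case is stripped, matching the narrow-scope edge case the PR accepts.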
@potiuk potiuk merged commit 30a2b36 into apache:main May 30, 2026
16 checks passed