fix node-cve: add cross-team component validation safeguards to triage#623
Conversation
CVE-2026-27136 (a multi-team CVE) had Node-specific analysis posted to ~200 non-Node OCPBUGS trackers (HyperShift, Storage, Networking, etc.) because a downstream posting step re-searched Jira by CVE ID alone, without a component filter. Add two layers of defense: query-open-cves now explicitly requires the Node team component filter even when --component is omitted (no flag means "all Node components", never "no filter"), and report-findings re-validates each tracker's component immediately before posting any comment, independent of upstream filtering, skipping and audit-logging anything that isn't a Node team component. Both layers reference the canonical node-team shared components list rather than a hardcoded copy, so they can't drift out of sync. Bump node-cve to 0.0.6 and sync marketplace/docs metadata. Co-authored-by: Cursor <cursoragent@cursor.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
WalkthroughThe node-cve plugin version is updated to 0.0.6. Its documentation now requires Node-team Jira component filtering, validates returned trackers and posting targets, skips non-Node trackers, and records posting results in ChangesNode CVE safeguards
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 10✅ Passed checks (10 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@plugins/node-cve/commands/triage.md`:
- Line 32: Coordinate this documentation change with the implementation in open
PR `#623` before proceeding. Consolidate the overlapping triage-scope updates into
one authoritative change, or adjust this change to avoid duplicating or
conflicting with PR `#623`.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 722d9a9c-63e8-4c46-8a1a-18ac9b717368
📒 Files selected for processing (7)
.claude-plugin/marketplace.jsondocs/index.htmlplugins/node-cve/.claude-plugin/plugin.jsonplugins/node-cve/README.mdplugins/node-cve/commands/triage.mdplugins/node-cve/skills/query-open-cves/SKILL.mdplugins/node-cve/skills/report-findings/SKILL.md
| # Node team component list from the shared components reference (link above), | ||
| # NOT a hardcoded list. | ||
| for tracker_key in $TRACKER_KEYS; do | ||
| component=$(jira issue view "$tracker_key" --plain --no-headers --columns COMPONENT | tail -1) |
There was a problem hiding this comment.
The two jira issue view calls (lines 99-100) each make a separate API call per tracker. These can be combined into one:
output=$(jira issue view "$tracker_key" --plain --no-headers --columns COMPONENT,LABELS | tail -1)This halves the validation API calls. Also, the loop has no sleep 1 between calls, but the existing rate limit instruction (line 159) says "sleep 1 second between Jira API calls." Since the agent will likely follow this pseudocode literally, adding sleep 1 inside the loop would prevent 429s. For a CVE with 30 trackers, the current pseudocode fires 60 unthrottled API calls before posting even starts.
There was a problem hiding this comment.
Thanks sascha. I have Added sleep 1 between validation calls and made posting-audit.log conditional on --notify-jira in the artifacts list.
| done | ||
| ``` | ||
|
|
||
| A component is considered a Node team component only if it matches an entry in the "Jira Components (OCPBUGS)" list (plus Driver Toolkit, Machine Config Operator) or one of the `pscomponent:` labels in the shared components reference. If a tracker's component cannot be confidently classified as Node team, **skip it and log the reason** — never post "just in case." This check must run even when `--component` was passed, and even if Phase 1 already filtered by component, since this is the last line of defense before an irreversible write to another team's tracker. |
There was a problem hiding this comment.
The pscomponent: label check creates a false-pass risk in the posting-time validation. A tracker with component "Security" (non-Node) but label pscomponent:cri-o would pass this check and get posted to, which is exactly the cross-team contamination this PR prevents.
Phase 1 already filters by component in (...), so any tracker reaching Phase 3 should have a Node team component. The defense-in-depth re-validation should verify the COMPONENT field only, not offer pscomponent labels as an alternative pass condition. The pscomponent labels are for Phase 2 repo mapping (which repo to clone), not for determining tracker ownership.
| ".work/node-cve/triage-2026-05-20/report.md", | ||
| ".work/node-cve/triage-2026-05-20/cves.json" | ||
| ".work/node-cve/triage-2026-05-20/cves.json", | ||
| ".work/node-cve/triage-2026-05-20/posting-audit.log" |
There was a problem hiding this comment.
posting-audit.log is listed unconditionally in the artifacts array, but it's only written when --notify-jira is used (see Step 2, line 163). A run without --notify-jira would have the agent report a nonexistent file. Either note this artifact is conditional on --notify-jira, or move it out of the example and into a note below it.
There was a problem hiding this comment.
Addressed in the latest commit, please check.
Per @saschagrunert's review on PR openshift-eng#623: - Drop the pscomponent: label as an alternative pass condition in the posting-time validation. A non-Node tracker (e.g. component "Security") could incidentally carry a pscomponent:cri-o label, which would silently reintroduce the cross-team contamination this safeguard exists to prevent. Validate the COMPONENT field only. - Removing the label check also removes the second per-tracker jira API call; add sleep 1 between validation calls to match the existing rate-limit convention used for posting calls. - Only list posting-audit.log as an artifact when --notify-jira was used, since it's not written otherwise. Co-authored-by: Cursor <cursoragent@cursor.com>
|
/test images |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: asahay19, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
/retest-required |
|
Images CI seems to be broken all over the place, unfortunately I can't fix that now. |
|
/retest |
What this PR does / why we need it:
Add cross-team component validation safeguards to
node-cve:triageto prevent Node-specific CVE analysis from being posted to non-Node team Jira trackers.On 2026-07-15,
/node-cve:triage --notify-jiraposted Node-specific reachability analysis for CVE-2026-27136 to non-Node OCPBUGS trackers (HyperShift, Storage, Networking/PTP, Installer, Monitoring, Cloud providers, Security, Windows Containers, etc.). Root cause: at posting time, trackers were looked up by CVE ID alone, without a component filter, so all of that CVE's multi-team trackers were treated as a single batch to comment on.This PR adds two independent layers of defense:
query-open-cves:--componentmeans "all Node team components," never "no filter" — thecomponent in (...)clause in the JQL query is now mandatory in every invocation, whether or not--componentwas passed.report-findings:posting-audit.log) recording every tracker skipped and why, and surfaces a warning in the command summary output when any trackers are skipped.Both safeguards reference the canonical Node team component list in the
node-teamshared reference (plugins/node-team/skills/node/references/shared/components.md) rather than duplicating a hardcoded list, so they can't drift out of sync as Node team components change.Also bumps
node-cveto0.0.6and syncs marketplace/docs metadata.Which issue(s) this PR fixes:
N/A — prompted by an internal incident (2026-07-15), not a filed issue.
Special notes for your reviewer:
Node / CRI-O,Node / kubelet,Node / cri-tools). That list is incomplete — the real Node team component list has ~14 Jira components (CPU manager, Memory manager, Topology manager, Device Manager, Kueue, etc.) pluspscomponent:label mappings (cadvisor, conmon, conmon-rs, cri-tools). This PR instead points both safeguards at the existing canonical shared reference so the safeguard itself doesn't become a new source of drift.Checklist:
Summary by CodeRabbit
Summary by CodeRabbit
New Features
posting-audit.logwith posted vs. skipped tracker details.Documentation
node-cve:triageand related skills with explicit, non-optional component scoping and re-validation guidance.Chores
node-cveplugin version to0.0.6.