From 8833349c8745993b9022d8c8f0683c2fdc8fb329 Mon Sep 17 00:00:00 2001 From: Vaishnavi-Modi Date: Wed, 25 Mar 2026 11:56:45 -0400 Subject: [PATCH 1/7] docs: add comprehensive team onboarding section to CVE Fixer workflow - Add Team Onboarding section with requirements and steps - Document component-to-repository mapping requirements - Explain ProdSec coordination needed - Detail GitHub and Jira access configuration - Include onboarding checklist and contact information - Update startupPrompt to warn first-time users about onboarding - Update systemPrompt with onboarding verification steps New teams must complete onboarding before using the workflow: 1. Component mapped in component-repository-mappings.json 2. ProdSec sets up Jira component for CVE tracking 3. Jira API credentials configured 4. GitHub CLI authenticated 5. Test workflow with sample CVE Co-authored-by: Claude (Anthropic) --- workflows/cve-fixer/.ambient/ambient.json | 4 +- workflows/cve-fixer/README.md | 129 ++++++++++++++++++++++ 2 files changed, 131 insertions(+), 2 deletions(-) diff --git a/workflows/cve-fixer/.ambient/ambient.json b/workflows/cve-fixer/.ambient/ambient.json index 3d1d324d..1568a9d9 100644 --- a/workflows/cve-fixer/.ambient/ambient.json +++ b/workflows/cve-fixer/.ambient/ambient.json @@ -1,8 +1,8 @@ { "name": "CVE Fixer", "description": "Automate remediation of CVE issues reported by ProdSec team in Jira by creating pull requests with dependency updates and patches", - "systemPrompt": "You are a CVE remediation assistant for the Ambient Code Platform. Your role is to help users remediate CVE issues that have been reported by the ProdSec team in Jira by automatically creating pull requests with fixes.\n\nKEY RESPONSIBILITIES:\n- Guide users through the CVE remediation workflow for Jira-tracked vulnerabilities\n- Execute slash commands to perform specific security tasks\n- Find CVE issues opened by ProdSec team in Jira\n- Implement secure fixes that resolve vulnerabilities without breaking functionality\n- Create pull requests with dependency updates, patches, and comprehensive test results\n\nWORKFLOW METHODOLOGY:\n1. FIND - Find CVEs already reported in Jira for a component\n2. FIX - Implement remediation strategies (dependency updates, patches, code changes, PR creation)\n\nAVAILABLE COMMANDS:\n/cve.find - Find CVEs reported in Jira for a specific component\n/cve.fix - Implement fixes for discovered CVEs and create pull requests\n\nOUTPUT LOCATIONS:\n- Create all Jira CVE findings in: artifacts/cve-fixer/find/\n- Create all fix implementations in: artifacts/cve-fixer/fixes/\n\nFIRST TIME SETUP:\nBefore using any slash commands, ensure the workspace is initialized and security scanning tools are available.", - "startupPrompt": "Welcome! I'm your CVE Remediation assistant.\n\nšŸŽÆ WHAT I DO:\nI help you remediate CVE issues reported by the ProdSec team in Jira by automatically creating pull requests with dependency updates, patches, and code changes.\n\nšŸ“‹ WORKFLOW PHASES:\n1. **Find** - Discover CVE issues opened by ProdSec in Jira for a component\n2. **Fix** - Implement secure remediations and create pull requests\n\nšŸš€ AVAILABLE COMMANDS:\n/cve.find - Find CVE issues reported by ProdSec in Jira\n/cve.fix - Implement security fixes and create PRs\n\nšŸ’” GETTING STARTED:\nRun /cve.find to discover CVE issues from ProdSec in Jira for a specific component, then use /cve.fix to automatically remediate them with pull requests.\n\n**Note:** This workflow is designed for CVE issues tracked in Jira by your Product Security team.\n\nWhat would you like to accomplish today?", + "systemPrompt": "You are a CVE remediation assistant for the Ambient Code Platform. Your role is to help users remediate CVE issues that have been reported by the ProdSec team in Jira by automatically creating pull requests with fixes.\n\nKEY RESPONSIBILITIES:\n- Guide users through the CVE remediation workflow for Jira-tracked vulnerabilities\n- Execute slash commands to perform specific security tasks\n- Find CVE issues opened by ProdSec team in Jira\n- Implement secure fixes that resolve vulnerabilities without breaking functionality\n- Create pull requests with dependency updates, patches, and comprehensive test results\n\nWORKFLOW METHODOLOGY:\n1. FIND - Find CVEs already reported in Jira for a component\n2. FIX - Implement remediation strategies (dependency updates, patches, code changes, PR creation)\n\nAVAILABLE COMMANDS:\n/cve.find - Find CVEs reported in Jira for a specific component\n/cve.fix - Implement fixes for discovered CVEs and create pull requests\n\nOUTPUT LOCATIONS:\n- Create all Jira CVE findings in: artifacts/cve-fixer/find/\n- Create all fix implementations in: artifacts/cve-fixer/fixes/\n\nFIRST TIME SETUP:\nBefore using any slash commands:\n1. Verify the user's team has completed onboarding (component mapped in component-repository-mappings.json)\n2. Ensure JIRA_API_TOKEN and JIRA_EMAIL environment variables are set\n3. Verify GitHub CLI authentication (gh auth status)\n4. Check security scanning tools are available\n\nIf the user's component is not in component-repository-mappings.json, direct them to the \"Team Onboarding\" section in README.md.", + "startupPrompt": "Welcome! I'm your CVE Remediation assistant.\n\nšŸŽÆ WHAT I DO:\nI help you remediate CVE issues reported by the ProdSec team in Jira by automatically creating pull requests with dependency updates, patches, and code changes.\n\nāš ļø FIRST TIME USER?\nNew teams must complete onboarding before using this workflow. See README.md section \"Team Onboarding\" for requirements:\n- Component-to-repository mapping must be configured\n- ProdSec team must set up your Jira component\n- Jira API credentials required (JIRA_API_TOKEN, JIRA_EMAIL)\n- GitHub CLI authentication required\n\nšŸ“‹ WORKFLOW PHASES:\n1. **Find** - Discover CVE issues opened by ProdSec in Jira for a component\n2. **Fix** - Implement secure remediations and create pull requests\n\nšŸš€ AVAILABLE COMMANDS:\n/cve.find - Find CVE issues reported by ProdSec in Jira\n/cve.fix - Implement security fixes and create PRs\n\nšŸ’” GETTING STARTED:\nRun /cve.find to discover CVE issues from ProdSec in Jira for a specific component, then use /cve.fix to automatically remediate them with pull requests.\n\n**Note:** This workflow is designed for CVE issues tracked in Jira by your Product Security team.\n\nWhat would you like to accomplish today?", "results": { "Jira CVE Issues": "artifacts/cve-fixer/find/**/*.md", "Fix Implementations": "artifacts/cve-fixer/fixes/**/*" diff --git a/workflows/cve-fixer/README.md b/workflows/cve-fixer/README.md index 04b58855..d0328d97 100644 --- a/workflows/cve-fixer/README.md +++ b/workflows/cve-fixer/README.md @@ -11,6 +11,135 @@ This workflow helps you remediate CVE vulnerabilities that have been reported by The workflow is designed for both interactive use and scheduled automation (GitHub Actions, Ambient scheduled sessions). +## Team Onboarding + +**āš ļø IMPORTANT:** New teams must complete the onboarding process before using this workflow. + +### Onboarding Requirements + +Before your team can use the CVE Fixer workflow, the following setup must be completed: + +#### 1. Component-to-Repository Mapping + +Your team's Jira components must be mapped to GitHub repositories in `component-repository-mappings.json`. + +**What you need to provide:** +- Jira component name (as it appears in RHOAIENG project) +- GitHub repository URLs (upstream and/or downstream) +- Primary target branch for each repository +- Build location (directory containing go.mod, package.json, etc.) + +**Example mapping:** +```json +{ + "Your Component Name": { + "repositories": { + "org/upstream-repo": { + "github_url": "https://github.com/org/upstream-repo", + "repo_type": "upstream", + "primary_target": "main", + "build_location": "." + }, + "org/downstream-repo": { + "github_url": "https://github.com/org/downstream-repo", + "repo_type": "downstream", + "primary_target": "rhoai-2.19", + "build_location": "." + } + } + } +} +``` + +#### 2. ProdSec Team Coordination + +The Product Security (ProdSec) team must: +- Create Jira component for your team in the RHOAIENG project +- Configure CVE issue templates for your component +- Set up automated CVE discovery and Jira issue creation + +**Contact:** Your ProdSec team representative to request component setup + +#### 3. GitHub Access Configuration + +The workflow requires GitHub CLI (`gh`) authentication to create pull requests. + +**Required permissions:** +- Read access to your upstream/downstream repositories +- Write access (PR creation) to repositories where fixes will be applied +- Ability to run `gh auth login` or use `GITHUB_TOKEN` environment variable + +**Setup:** +```bash +# Option 1: Interactive login +gh auth login + +# Option 2: Use token (for automation) +export GITHUB_TOKEN="your-personal-access-token" +``` + +#### 4. Jira API Access + +Each team member using the workflow needs: +- Red Hat Jira account with access to RHOAIENG project +- Jira API token for authentication +- Read access to CVE issues for their component + +**Setup:** +1. Generate API token at https://id.atlassian.com/manage-profile/security/api-tokens +2. Export credentials: + ```bash + export JIRA_API_TOKEN="your-token-here" + export JIRA_EMAIL="your-email@redhat.com" + ``` + +### Onboarding Steps + +1. **Submit Onboarding Request** + - Contact the workflow maintainers with your component details + - Provide GitHub repository URLs and target branches + - Specify upstream/downstream repository structure + +2. **Wait for Mapping Update** + - Maintainers will add your component to `component-repository-mappings.json` + - PR will be created and merged + - You'll be notified when ready + +3. **Coordinate with ProdSec** + - Ensure your Jira component exists in RHOAIENG + - Verify CVE issues are being filed against your component + - Test with a sample CVE issue + +4. **Set Up Personal Credentials** + - Configure Jira API access (step 4 above) + - Configure GitHub access (step 3 above) + - Test with `/cve.find` command + +5. **Test Workflow** + - Run `/cve.find` for your component + - Review discovered issues + - Test `/cve.fix` on a non-critical CVE + - Verify PR creation and formatting + +### Onboarding Checklist + +Before using the workflow, verify: + +- [ ] Component mapped in `component-repository-mappings.json` +- [ ] ProdSec filing CVEs against your Jira component +- [ ] JIRA_API_TOKEN and JIRA_EMAIL configured +- [ ] GitHub CLI authenticated (`gh auth status`) +- [ ] Test repository access with `gh repo view ` +- [ ] Tested `/cve.find` returns issues for your component +- [ ] Tested `/cve.fix` creates a PR successfully + +### Who to Contact + +- **Workflow Mapping Updates**: Open PR against this repository or contact workflow maintainers +- **ProdSec Component Setup**: Contact your ProdSec team representative +- **Jira Access Issues**: Contact Red Hat IT Support +- **GitHub Access Issues**: Contact your GitHub org administrators + ## Getting Started ### Prerequisites From be1692e6c141bb2b400b2524c768d099326d332a Mon Sep 17 00:00:00 2001 From: Vaishnavi-Modi Date: Wed, 25 Mar 2026 12:00:02 -0400 Subject: [PATCH 2/7] docs: add maintainer GitHub handles to workflow mapping contact info Co-authored-by: Claude (Anthropic) Co-authored-by: Claude (Anthropic) --- workflows/cve-fixer/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/workflows/cve-fixer/README.md b/workflows/cve-fixer/README.md index d0328d97..d9720060 100644 --- a/workflows/cve-fixer/README.md +++ b/workflows/cve-fixer/README.md @@ -135,7 +135,7 @@ Before using the workflow, verify: ### Who to Contact -- **Workflow Mapping Updates**: Open PR against this repository or contact workflow maintainers +- **Workflow Mapping Updates**: Open PR against this repository or contact workflow maintainers (@angaduom, @vmrh21) - **ProdSec Component Setup**: Contact your ProdSec team representative - **Jira Access Issues**: Contact Red Hat IT Support - **GitHub Access Issues**: Contact your GitHub org administrators From 83c0fc710d8433cc449dcbd64b7d664b72e90934 Mon Sep 17 00:00:00 2001 From: Vaishnavi-Modi Date: Wed, 25 Mar 2026 12:30:34 -0400 Subject: [PATCH 3/7] docs: address CodeRabbit review feedback on onboarding docs - Simplify systemPrompt to avoid duplicating /cve.find validation logic - Update README example JSON to match actual component-repository-mappings.json schema - Add complete cve_fix_workflow structure with all required fields Co-Authored-By: Claude Sonnet 4.6 (1M context) --- workflows/cve-fixer/.ambient/ambient.json | 2 +- workflows/cve-fixer/README.md | 30 ++++++++++++++++++----- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/workflows/cve-fixer/.ambient/ambient.json b/workflows/cve-fixer/.ambient/ambient.json index 1568a9d9..96eee670 100644 --- a/workflows/cve-fixer/.ambient/ambient.json +++ b/workflows/cve-fixer/.ambient/ambient.json @@ -1,7 +1,7 @@ { "name": "CVE Fixer", "description": "Automate remediation of CVE issues reported by ProdSec team in Jira by creating pull requests with dependency updates and patches", - "systemPrompt": "You are a CVE remediation assistant for the Ambient Code Platform. Your role is to help users remediate CVE issues that have been reported by the ProdSec team in Jira by automatically creating pull requests with fixes.\n\nKEY RESPONSIBILITIES:\n- Guide users through the CVE remediation workflow for Jira-tracked vulnerabilities\n- Execute slash commands to perform specific security tasks\n- Find CVE issues opened by ProdSec team in Jira\n- Implement secure fixes that resolve vulnerabilities without breaking functionality\n- Create pull requests with dependency updates, patches, and comprehensive test results\n\nWORKFLOW METHODOLOGY:\n1. FIND - Find CVEs already reported in Jira for a component\n2. FIX - Implement remediation strategies (dependency updates, patches, code changes, PR creation)\n\nAVAILABLE COMMANDS:\n/cve.find - Find CVEs reported in Jira for a specific component\n/cve.fix - Implement fixes for discovered CVEs and create pull requests\n\nOUTPUT LOCATIONS:\n- Create all Jira CVE findings in: artifacts/cve-fixer/find/\n- Create all fix implementations in: artifacts/cve-fixer/fixes/\n\nFIRST TIME SETUP:\nBefore using any slash commands:\n1. Verify the user's team has completed onboarding (component mapped in component-repository-mappings.json)\n2. Ensure JIRA_API_TOKEN and JIRA_EMAIL environment variables are set\n3. Verify GitHub CLI authentication (gh auth status)\n4. Check security scanning tools are available\n\nIf the user's component is not in component-repository-mappings.json, direct them to the \"Team Onboarding\" section in README.md.", + "systemPrompt": "You are a CVE remediation assistant for the Ambient Code Platform. Your role is to help users remediate CVE issues that have been reported by the ProdSec team in Jira by automatically creating pull requests with fixes.\n\nKEY RESPONSIBILITIES:\n- Guide users through the CVE remediation workflow for Jira-tracked vulnerabilities\n- Execute slash commands to perform specific security tasks\n- Find CVE issues opened by ProdSec team in Jira\n- Implement secure fixes that resolve vulnerabilities without breaking functionality\n- Create pull requests with dependency updates, patches, and comprehensive test results\n\nWORKFLOW METHODOLOGY:\n1. FIND - Find CVEs already reported in Jira for a component\n2. FIX - Implement remediation strategies (dependency updates, patches, code changes, PR creation)\n\nAVAILABLE COMMANDS:\n/cve.find - Find CVEs reported in Jira for a specific component\n/cve.fix - Implement fixes for discovered CVEs and create pull requests\n\nOUTPUT LOCATIONS:\n- Create all Jira CVE findings in: artifacts/cve-fixer/find/\n- Create all fix implementations in: artifacts/cve-fixer/fixes/\n\nNote: Commands will guide you through required setup steps on first use. If the user's component is not in component-repository-mappings.json, direct them to the \"Team Onboarding\" section in README.md.", "startupPrompt": "Welcome! I'm your CVE Remediation assistant.\n\nšŸŽÆ WHAT I DO:\nI help you remediate CVE issues reported by the ProdSec team in Jira by automatically creating pull requests with dependency updates, patches, and code changes.\n\nāš ļø FIRST TIME USER?\nNew teams must complete onboarding before using this workflow. See README.md section \"Team Onboarding\" for requirements:\n- Component-to-repository mapping must be configured\n- ProdSec team must set up your Jira component\n- Jira API credentials required (JIRA_API_TOKEN, JIRA_EMAIL)\n- GitHub CLI authentication required\n\nšŸ“‹ WORKFLOW PHASES:\n1. **Find** - Discover CVE issues opened by ProdSec in Jira for a component\n2. **Fix** - Implement secure remediations and create pull requests\n\nšŸš€ AVAILABLE COMMANDS:\n/cve.find - Find CVE issues reported by ProdSec in Jira\n/cve.fix - Implement security fixes and create PRs\n\nšŸ’” GETTING STARTED:\nRun /cve.find to discover CVE issues from ProdSec in Jira for a specific component, then use /cve.fix to automatically remediate them with pull requests.\n\n**Note:** This workflow is designed for CVE issues tracked in Jira by your Product Security team.\n\nWhat would you like to accomplish today?", "results": { "Jira CVE Issues": "artifacts/cve-fixer/find/**/*.md", diff --git a/workflows/cve-fixer/README.md b/workflows/cve-fixer/README.md index d9720060..7846f77c 100644 --- a/workflows/cve-fixer/README.md +++ b/workflows/cve-fixer/README.md @@ -36,15 +36,33 @@ Your team's Jira components must be mapped to GitHub repositories in `component- "repositories": { "org/upstream-repo": { "github_url": "https://github.com/org/upstream-repo", - "repo_type": "upstream", - "primary_target": "main", - "build_location": "." + "default_branch": "main", + "protected_branches": ["main", "release"], + "active_release_branches": [], + "branch_strategy": "Fix in main, cherry-pick to release branches as needed", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "Active release branches", + "automation": "Auto-create PRs to main", + "manual_intervention": "Cherry-pick to release branches" + }, + "build_location": ".", + "repo_type": "upstream" }, "org/downstream-repo": { "github_url": "https://github.com/org/downstream-repo", - "repo_type": "downstream", - "primary_target": "rhoai-2.19", - "build_location": "." + "default_branch": "rhoai-2.19", + "protected_branches": ["rhoai-2.19"], + "active_release_branches": ["rhoai-2.19"], + "branch_strategy": "Direct fixes to release branch", + "cve_fix_workflow": { + "primary_target": "rhoai-2.19", + "backport_targets": "rhoai-2.19", + "automation": "Auto-create PRs to release branch", + "manual_intervention": "Manual backport from upstream if needed" + }, + "build_location": ".", + "repo_type": "downstream" } } } From 9373f43fa9f8e1688be9cc0fd1a15083843bc9a9 Mon Sep 17 00:00:00 2001 From: Vaishnavi-Modi Date: Sun, 29 Mar 2026 19:05:10 -0400 Subject: [PATCH 4/7] fix: address PR review feedback on CVE fixer workflow - Update JQL query: remove project=RHOAIENG, add labels=SecurityTracking to make workflow usable by teams outside of RHOAIENG - Add case-insensitive component name lookup against mapping file - Add llm-d component with inference-scheduler and routing-sidecar repos - Add llm-d Batch Gateway and auto-scaler repos under llm-d component - Add AI Evaluations component (eval-hub repos) - Clean up metadata: remove stale count fields from mapping file - Fix ambient.json startupPrompt: trim verbose FIRST TIME USER checklist - Fix README example JSON to match actual mapping schema - Fix README ProdSec contact to reference feature refinement process - Remove RHOAIENG-specific references to make docs team-agnostic Co-Authored-By: Claude Sonnet 4.6 (1M context) --- workflows/cve-fixer/.ambient/ambient.json | 2 +- .../cve-fixer/.claude/commands/cve.find.md | 15 +- workflows/cve-fixer/README.md | 59 +++---- .../component-repository-mappings.json | 151 +++++++++++++++++- 4 files changed, 185 insertions(+), 42 deletions(-) diff --git a/workflows/cve-fixer/.ambient/ambient.json b/workflows/cve-fixer/.ambient/ambient.json index 96eee670..6957c44a 100644 --- a/workflows/cve-fixer/.ambient/ambient.json +++ b/workflows/cve-fixer/.ambient/ambient.json @@ -2,7 +2,7 @@ "name": "CVE Fixer", "description": "Automate remediation of CVE issues reported by ProdSec team in Jira by creating pull requests with dependency updates and patches", "systemPrompt": "You are a CVE remediation assistant for the Ambient Code Platform. Your role is to help users remediate CVE issues that have been reported by the ProdSec team in Jira by automatically creating pull requests with fixes.\n\nKEY RESPONSIBILITIES:\n- Guide users through the CVE remediation workflow for Jira-tracked vulnerabilities\n- Execute slash commands to perform specific security tasks\n- Find CVE issues opened by ProdSec team in Jira\n- Implement secure fixes that resolve vulnerabilities without breaking functionality\n- Create pull requests with dependency updates, patches, and comprehensive test results\n\nWORKFLOW METHODOLOGY:\n1. FIND - Find CVEs already reported in Jira for a component\n2. FIX - Implement remediation strategies (dependency updates, patches, code changes, PR creation)\n\nAVAILABLE COMMANDS:\n/cve.find - Find CVEs reported in Jira for a specific component\n/cve.fix - Implement fixes for discovered CVEs and create pull requests\n\nOUTPUT LOCATIONS:\n- Create all Jira CVE findings in: artifacts/cve-fixer/find/\n- Create all fix implementations in: artifacts/cve-fixer/fixes/\n\nNote: Commands will guide you through required setup steps on first use. If the user's component is not in component-repository-mappings.json, direct them to the \"Team Onboarding\" section in README.md.", - "startupPrompt": "Welcome! I'm your CVE Remediation assistant.\n\nšŸŽÆ WHAT I DO:\nI help you remediate CVE issues reported by the ProdSec team in Jira by automatically creating pull requests with dependency updates, patches, and code changes.\n\nāš ļø FIRST TIME USER?\nNew teams must complete onboarding before using this workflow. See README.md section \"Team Onboarding\" for requirements:\n- Component-to-repository mapping must be configured\n- ProdSec team must set up your Jira component\n- Jira API credentials required (JIRA_API_TOKEN, JIRA_EMAIL)\n- GitHub CLI authentication required\n\nšŸ“‹ WORKFLOW PHASES:\n1. **Find** - Discover CVE issues opened by ProdSec in Jira for a component\n2. **Fix** - Implement secure remediations and create pull requests\n\nšŸš€ AVAILABLE COMMANDS:\n/cve.find - Find CVE issues reported by ProdSec in Jira\n/cve.fix - Implement security fixes and create PRs\n\nšŸ’” GETTING STARTED:\nRun /cve.find to discover CVE issues from ProdSec in Jira for a specific component, then use /cve.fix to automatically remediate them with pull requests.\n\n**Note:** This workflow is designed for CVE issues tracked in Jira by your Product Security team.\n\nWhat would you like to accomplish today?", + "startupPrompt": "Welcome! I'm your CVE Remediation assistant.\n\nšŸŽÆ WHAT I DO:\nI help you remediate CVE issues reported by the ProdSec team in Jira by automatically creating pull requests with dependency updates, patches, and code changes.\n\nšŸ“‹ WORKFLOW PHASES:\n1. **Find** - Discover CVE issues opened by ProdSec in Jira for a component\n2. **Fix** - Implement secure remediations and create pull requests\n\nšŸš€ AVAILABLE COMMANDS:\n/cve.find - Find CVE issues reported by ProdSec in Jira\n/cve.fix - Implement security fixes and create PRs\n\nšŸ’” GETTING STARTED:\nRun /cve.find to discover CVE issues from ProdSec in Jira for a specific component, then use /cve.fix to automatically remediate them with pull requests.\n\nFirst time? See README.md ā†’ \"Team Onboarding\" for setup requirements.\n\nWhat would you like to accomplish today?", "results": { "Jira CVE Issues": "artifacts/cve-fixer/find/**/*.md", "Fix Implementations": "artifacts/cve-fixer/fixes/**/*" diff --git a/workflows/cve-fixer/.claude/commands/cve.find.md b/workflows/cve-fixer/.claude/commands/cve.find.md index 013db7d8..3eb8347d 100644 --- a/workflows/cve-fixer/.claude/commands/cve.find.md +++ b/workflows/cve-fixer/.claude/commands/cve.find.md @@ -99,8 +99,19 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md b. Construct JQL query and execute API call: ```bash + # Normalize component name with case-insensitive lookup against mapping file + MAPPING_FILE="$(dirname "$0")/../component-repository-mappings.json" + if [ -f "$MAPPING_FILE" ]; then + CANONICAL_NAME=$(jq -r --arg name "${COMPONENT_NAME}" \ + '.components | keys[] | select(ascii_downcase == ($name | ascii_downcase))' \ + "$MAPPING_FILE" | head -1) + if [ -n "$CANONICAL_NAME" ]; then + COMPONENT_NAME="$CANONICAL_NAME" + fi + fi + # Build JQL query - JQL="project = RHOAIENG AND component = \"${COMPONENT_NAME}\" AND summary ~ \"CVE*\"" + JQL="component = \"${COMPONENT_NAME}\" AND summary ~ \"CVE*\" AND labels = SecurityTracking" # Append resolved filter if --ignore-resolved flag was provided if [ "$IGNORE_RESOLVED" = "true" ]; then @@ -332,7 +343,7 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md **Ignored Issues:** ${IGNORED_COUNT} ## Query Parameters - - **JQL Query:** project = RHOAIENG AND component = "${COMPONENT_NAME}" AND summary ~ "CVE*"$( [ "$IGNORE_RESOLVED" = "true" ] && echo ' AND status not in ("Resolved")' ) + - **JQL Query:** component = "${COMPONENT_NAME}" AND summary ~ "CVE*" AND labels = SecurityTracking$( [ "$IGNORE_RESOLVED" = "true" ] && echo ' AND status not in ("Resolved")' ) - **Columns:** KEY, SUMMARY, STATUS, PRIORITY, CREATED, COMPONENTS - **Jira Instance:** ${JIRA_BASE_URL} diff --git a/workflows/cve-fixer/README.md b/workflows/cve-fixer/README.md index 7846f77c..f8b2f2f6 100644 --- a/workflows/cve-fixer/README.md +++ b/workflows/cve-fixer/README.md @@ -24,44 +24,30 @@ Before your team can use the CVE Fixer workflow, the following setup must be com Your team's Jira components must be mapped to GitHub repositories in `component-repository-mappings.json`. **What you need to provide:** -- Jira component name (as it appears in RHOAIENG project) -- GitHub repository URLs (upstream and/or downstream) -- Primary target branch for each repository -- Build location (directory containing go.mod, package.json, etc.) +- Jira component name (as it appears in your Jira project) +- GitHub repository URLs (upstream, midstream, and/or downstream) +- Default and active release branches for each repository **Example mapping:** ```json { "Your Component Name": { + "container_to_repo_mapping": { + "rhoai/odh-your-container-rhel9": "org/upstream-repo" + }, "repositories": { "org/upstream-repo": { "github_url": "https://github.com/org/upstream-repo", "default_branch": "main", - "protected_branches": ["main", "release"], - "active_release_branches": [], - "branch_strategy": "Fix in main, cherry-pick to release branches as needed", - "cve_fix_workflow": { - "primary_target": "main", - "backport_targets": "Active release branches", - "automation": "Auto-create PRs to main", - "manual_intervention": "Cherry-pick to release branches" - }, - "build_location": ".", + "active_release_branches": ["release-1.0"], + "branch_strategy": "Fix in main. Release branches follow pattern release-X.Y.", "repo_type": "upstream" }, "org/downstream-repo": { "github_url": "https://github.com/org/downstream-repo", - "default_branch": "rhoai-2.19", - "protected_branches": ["rhoai-2.19"], - "active_release_branches": ["rhoai-2.19"], - "branch_strategy": "Direct fixes to release branch", - "cve_fix_workflow": { - "primary_target": "rhoai-2.19", - "backport_targets": "rhoai-2.19", - "automation": "Auto-create PRs to release branch", - "manual_intervention": "Manual backport from upstream if needed" - }, - "build_location": ".", + "default_branch": "main", + "active_release_branches": ["rhoai-3.4"], + "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", "repo_type": "downstream" } } @@ -72,11 +58,11 @@ Your team's Jira components must be mapped to GitHub repositories in `component- #### 2. ProdSec Team Coordination The Product Security (ProdSec) team must: -- Create Jira component for your team in the RHOAIENG project +- Create Jira component for your team in your Jira project - Configure CVE issue templates for your component - Set up automated CVE discovery and Jira issue creation -**Contact:** Your ProdSec team representative to request component setup +**Contact:** Make sure your component repos are actively scanned by ProdSec team. If your component is not onboarded please follow the feature refinement process. #### 3. GitHub Access Configuration @@ -99,7 +85,7 @@ export GITHUB_TOKEN="your-personal-access-token" #### 4. Jira API Access Each team member using the workflow needs: -- Red Hat Jira account with access to RHOAIENG project +- Red Hat Jira account with access to your Jira project - Jira API token for authentication - Read access to CVE issues for their component @@ -251,18 +237,23 @@ The workflow uses `component-repository-mappings.json` to map Jira components to ```json { "Model as a Service": { + "container_to_repo_mapping": { + "rhoai/odh-maas-api-rhel9": "opendatahub-io/models-as-a-service" + }, "repositories": { "opendatahub-io/models-as-a-service": { "github_url": "https://github.com/opendatahub-io/models-as-a-service", - "repo_type": "upstream", - "primary_target": "main", - "build_location": "." + "default_branch": "main", + "active_release_branches": [], + "branch_strategy": "Fix in main.", + "repo_type": "upstream" }, "red-hat-data-services/models-as-a-service": { "github_url": "https://github.com/red-hat-data-services/models-as-a-service", - "repo_type": "downstream", - "primary_target": "rhoai-2.19", - "build_location": "." + "default_branch": "rhoai-3.0", + "active_release_branches": ["rhoai-3.0"], + "branch_strategy": "Fork of midstream. Fixes backported from upstream.", + "repo_type": "downstream" } } } diff --git a/workflows/cve-fixer/component-repository-mappings.json b/workflows/cve-fixer/component-repository-mappings.json index 2f72bdc9..f573572f 100644 --- a/workflows/cve-fixer/component-repository-mappings.json +++ b/workflows/cve-fixer/component-repository-mappings.json @@ -374,14 +374,155 @@ "github_url": "https://github.com/opendatahub-io/codeflare-operator" } } + }, + "llm-d": { + "container_to_repo_mapping": { + "rhoai/odh-llm-d-inference-scheduler-rhel9": "opendatahub-io/llm-d-inference-scheduler", + "rhoai/odh-llm-d-routing-sidecar-rhel9": "red-hat-data-services/llm-d-routing-sidecar", + "rhoai/odh-workload-variant-autoscaler-controller-rhel9": "opendatahub-io/workload-variant-autoscaler" + }, + "repositories": { + "llm-d/llm-d-inference-scheduler": { + "github_url": "https://github.com/llm-d/llm-d-inference-scheduler", + "default_branch": "main", + "active_release_branches": [ + "release-0.5", + "release-0.6" + ], + "branch_strategy": "Fix in main. Release branches follow pattern release-X.Y.", + "repo_type": "upstream" + }, + "opendatahub-io/llm-d-inference-scheduler": { + "github_url": "https://github.com/opendatahub-io/llm-d-inference-scheduler", + "default_branch": "main", + "active_release_branches": [ + "release-0.2", + "release-0.3.1", + "release-v0.4", + "stable-2.x" + ], + "branch_strategy": "Fork of upstream llm-d/llm-d-inference-scheduler. Synced via sync branches. ODH release branches via Konflux replicator.", + "repo_type": "midstream" + }, + "red-hat-data-services/llm-d-inference-scheduler": { + "github_url": "https://github.com/red-hat-data-services/llm-d-inference-scheduler", + "default_branch": "main", + "active_release_branches": [ + "rhoai-3.3", + "rhoai-3.4", + "rhoai-3.4-ea.1", + "rhoai-3.4-ea.2" + ], + "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", + "repo_type": "downstream" + }, + "red-hat-data-services/llm-d-routing-sidecar": { + "github_url": "https://github.com/red-hat-data-services/llm-d-routing-sidecar", + "default_branch": "main", + "active_release_branches": [ + "rhoai-2.25", + "rhoai-3.0", + "rhoai-3.2" + ], + "branch_strategy": "Fork of upstream (now archived). Downstream only ā€” upstream code migrated into llm-d-inference-scheduler. No branches beyond rhoai-3.2.", + "repo_type": "downstream", + "notes": "Upstream llm-d/llm-d-routing-sidecar is archived; code moved to llm-d-inference-scheduler (cmd/pd_sidecar). This downstream repo may be phased out in future releases." + }, + "llm-d-incubation/batch-gateway": { + "github_url": "https://github.com/llm-d-incubation/batch-gateway", + "default_branch": "main", + "active_release_branches": [], + "branch_strategy": "Fix in main. No formal release branching documented.", + "repo_type": "upstream" + }, + "opendatahub-io/batch-gateway": { + "github_url": "https://github.com/opendatahub-io/batch-gateway", + "default_branch": "main", + "active_release_branches": [ + "release-v0.5" + ], + "branch_strategy": "Fork of upstream llm-d-incubation/batch-gateway.", + "repo_type": "midstream" + }, + "red-hat-data-services/batch-gateway": { + "github_url": "https://github.com/red-hat-data-services/batch-gateway", + "default_branch": "main", + "active_release_branches": [ + "rhoai-3.4", + "rhoai-3.4-ea.1", + "rhoai-3.4-ea.2" + ], + "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", + "repo_type": "downstream" + }, + "llm-d/llm-d-workload-variant-autoscaler": { + "github_url": "https://github.com/llm-d/llm-d-workload-variant-autoscaler", + "default_branch": "main", + "active_release_branches": [ + "release-0.4.2" + ], + "branch_strategy": "Fix in main. Release branches follow pattern release-X.Y.Z.", + "repo_type": "upstream" + }, + "opendatahub-io/workload-variant-autoscaler": { + "github_url": "https://github.com/opendatahub-io/workload-variant-autoscaler", + "default_branch": "main", + "active_release_branches": [ + "release-v0.5" + ], + "branch_strategy": "Fork of upstream llm-d/llm-d-workload-variant-autoscaler. Note: repo name differs from upstream (no llm-d- prefix).", + "repo_type": "midstream" + }, + "red-hat-data-services/workload-variant-autoscaler": { + "github_url": "https://github.com/red-hat-data-services/workload-variant-autoscaler", + "default_branch": "main", + "active_release_branches": [ + "rhoai-3.4", + "rhoai-3.4-ea.1", + "rhoai-3.4-ea.2" + ], + "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", + "repo_type": "downstream" + } + } + }, + "AI Evaluations": { + "container_to_repo_mapping": {}, + "repositories": { + "eval-hub/eval-hub": { + "github_url": "https://github.com/eval-hub/eval-hub", + "default_branch": "main", + "active_release_branches": [], + "branch_strategy": "Fix in main. Feature branches follow pattern feature/name or fix/issue.", + "repo_type": "upstream" + }, + "opendatahub-io/eval-hub": { + "github_url": "https://github.com/opendatahub-io/eval-hub", + "default_branch": "main", + "active_release_branches": [ + "release/odh-3.4", + "stable" + ], + "branch_strategy": "Fork of upstream eval-hub/eval-hub.", + "repo_type": "midstream" + }, + "red-hat-data-services/eval-hub": { + "github_url": "https://github.com/red-hat-data-services/eval-hub", + "default_branch": "main", + "active_release_branches": [ + "rhoai-3.4", + "rhoai-3.4-ea.1", + "rhoai-3.4-ea.2" + ], + "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", + "repo_type": "downstream" + } + } } }, "metadata": { "description": "Component to repository and branch mappings for CVE fix workflow automation", - "purpose": "Maps RHOAI Jira components to GitHub repositories and their branch strategies for automated CVE patching", - "last_updated": "2026-03-16", - "components_analyzed": 7, - "components_with_branch_info": 1, - "components_pending_branch_analysis": 6 + "purpose": "Maps Jira components to GitHub repositories and their branch strategies for automated CVE patching", + "last_updated": "2026-03-29" } } From 5ede32f6faa6a208e5b96c4c24c0883d5241e3ee Mon Sep 17 00:00:00 2001 From: Vaishnavi-Modi Date: Mon, 30 Mar 2026 08:07:31 -0400 Subject: [PATCH 5/7] fix: address CodeRabbit review comments and add AI Evaluations repos - Fix cve.find mapping file path: replace unreliable dirname "$0" with cwd-relative path and repo-root fallback - Add cve_fix_workflow field to all new llm-d and AI Evaluations repos - Add full AI Evaluations component repos (trustyai-service-operator, lm-evaluation-harness, llama-stack-provider-trustyai-garak, eval-hub upstream/midstream/downstream with real branch data) - Add container_to_repo_mapping for odh-ta-lmes-driver and odh-ta-lmes-job - Remove hardcoded RHOAIENG reference from README onboarding step 3 Co-Authored-By: Claude Sonnet 4.6 (1M context) --- .../cve-fixer/.claude/commands/cve.find.md | 11 +- workflows/cve-fixer/README.md | 2 +- .../component-repository-mappings.json | 231 ++++++++++++++++-- 3 files changed, 224 insertions(+), 20 deletions(-) diff --git a/workflows/cve-fixer/.claude/commands/cve.find.md b/workflows/cve-fixer/.claude/commands/cve.find.md index 3eb8347d..5087acc6 100644 --- a/workflows/cve-fixer/.claude/commands/cve.find.md +++ b/workflows/cve-fixer/.claude/commands/cve.find.md @@ -100,8 +100,15 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md b. Construct JQL query and execute API call: ```bash # Normalize component name with case-insensitive lookup against mapping file - MAPPING_FILE="$(dirname "$0")/../component-repository-mappings.json" - if [ -f "$MAPPING_FILE" ]; then + # Try relative to cwd (workflow root), then repo-relative fallback + if [ -f "component-repository-mappings.json" ]; then + MAPPING_FILE="component-repository-mappings.json" + elif [ -f "workflows/cve-fixer/component-repository-mappings.json" ]; then + MAPPING_FILE="workflows/cve-fixer/component-repository-mappings.json" + else + MAPPING_FILE="" + fi + if [ -n "$MAPPING_FILE" ] && [ -f "$MAPPING_FILE" ]; then CANONICAL_NAME=$(jq -r --arg name "${COMPONENT_NAME}" \ '.components | keys[] | select(ascii_downcase == ($name | ascii_downcase))' \ "$MAPPING_FILE" | head -1) diff --git a/workflows/cve-fixer/README.md b/workflows/cve-fixer/README.md index f8b2f2f6..a977b0ea 100644 --- a/workflows/cve-fixer/README.md +++ b/workflows/cve-fixer/README.md @@ -110,7 +110,7 @@ Each team member using the workflow needs: - You'll be notified when ready 3. **Coordinate with ProdSec** - - Ensure your Jira component exists in RHOAIENG + - Ensure your Jira component exists in your Jira project - Verify CVE issues are being filed against your component - Test with a sample CVE issue diff --git a/workflows/cve-fixer/component-repository-mappings.json b/workflows/cve-fixer/component-repository-mappings.json index f573572f..62e6fca1 100644 --- a/workflows/cve-fixer/component-repository-mappings.json +++ b/workflows/cve-fixer/component-repository-mappings.json @@ -23,11 +23,11 @@ "v2.28.0-fixes", "v2.27.0-fixes" ], - "branch_strategy": "Fix in main ā†’ auto-propagates to stable ā†’ rhoai (every 2 hours). Manual cherry-pick to release branches during code freeze.", + "branch_strategy": "Fix in main \u2192 auto-propagates to stable \u2192 rhoai (every 2 hours). Manual cherry-pick to release branches during code freeze.", "cve_fix_workflow": { "primary_target": "main", "backport_targets": "Active vX.X.X-fixes branches for released versions", - "automation": "Auto-sync every 2 hours (main ā†’ stable ā†’ rhoai)", + "automation": "Auto-sync every 2 hours (main \u2192 stable \u2192 rhoai)", "manual_intervention": "Cherry-pick during code freeze or for patch releases" }, "repository_type": "monorepo", @@ -390,7 +390,11 @@ "release-0.6" ], "branch_strategy": "Fix in main. Release branches follow pattern release-X.Y.", - "repo_type": "upstream" + "repo_type": "upstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "release-0.5, release-0.6" + } }, "opendatahub-io/llm-d-inference-scheduler": { "github_url": "https://github.com/opendatahub-io/llm-d-inference-scheduler", @@ -402,7 +406,11 @@ "stable-2.x" ], "branch_strategy": "Fork of upstream llm-d/llm-d-inference-scheduler. Synced via sync branches. ODH release branches via Konflux replicator.", - "repo_type": "midstream" + "repo_type": "midstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "release-0.2, release-0.3.1, release-v0.4, stable-2.x" + } }, "red-hat-data-services/llm-d-inference-scheduler": { "github_url": "https://github.com/red-hat-data-services/llm-d-inference-scheduler", @@ -414,7 +422,11 @@ "rhoai-3.4-ea.2" ], "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", - "repo_type": "downstream" + "repo_type": "downstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2" + } }, "red-hat-data-services/llm-d-routing-sidecar": { "github_url": "https://github.com/red-hat-data-services/llm-d-routing-sidecar", @@ -424,16 +436,24 @@ "rhoai-3.0", "rhoai-3.2" ], - "branch_strategy": "Fork of upstream (now archived). Downstream only ā€” upstream code migrated into llm-d-inference-scheduler. No branches beyond rhoai-3.2.", + "branch_strategy": "Fork of upstream (now archived). Downstream only \u2014 upstream code migrated into llm-d-inference-scheduler. No branches beyond rhoai-3.2.", "repo_type": "downstream", - "notes": "Upstream llm-d/llm-d-routing-sidecar is archived; code moved to llm-d-inference-scheduler (cmd/pd_sidecar). This downstream repo may be phased out in future releases." + "notes": "Upstream llm-d/llm-d-routing-sidecar is archived; code moved to llm-d-inference-scheduler (cmd/pd_sidecar). This downstream repo may be phased out in future releases.", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "rhoai-2.25, rhoai-3.0, rhoai-3.2" + } }, "llm-d-incubation/batch-gateway": { "github_url": "https://github.com/llm-d-incubation/batch-gateway", "default_branch": "main", "active_release_branches": [], "branch_strategy": "Fix in main. No formal release branching documented.", - "repo_type": "upstream" + "repo_type": "upstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "None" + } }, "opendatahub-io/batch-gateway": { "github_url": "https://github.com/opendatahub-io/batch-gateway", @@ -442,7 +462,11 @@ "release-v0.5" ], "branch_strategy": "Fork of upstream llm-d-incubation/batch-gateway.", - "repo_type": "midstream" + "repo_type": "midstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "release-v0.5" + } }, "red-hat-data-services/batch-gateway": { "github_url": "https://github.com/red-hat-data-services/batch-gateway", @@ -453,7 +477,11 @@ "rhoai-3.4-ea.2" ], "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", - "repo_type": "downstream" + "repo_type": "downstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2" + } }, "llm-d/llm-d-workload-variant-autoscaler": { "github_url": "https://github.com/llm-d/llm-d-workload-variant-autoscaler", @@ -462,7 +490,11 @@ "release-0.4.2" ], "branch_strategy": "Fix in main. Release branches follow pattern release-X.Y.Z.", - "repo_type": "upstream" + "repo_type": "upstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "release-0.4.2" + } }, "opendatahub-io/workload-variant-autoscaler": { "github_url": "https://github.com/opendatahub-io/workload-variant-autoscaler", @@ -471,7 +503,11 @@ "release-v0.5" ], "branch_strategy": "Fork of upstream llm-d/llm-d-workload-variant-autoscaler. Note: repo name differs from upstream (no llm-d- prefix).", - "repo_type": "midstream" + "repo_type": "midstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "release-v0.5" + } }, "red-hat-data-services/workload-variant-autoscaler": { "github_url": "https://github.com/red-hat-data-services/workload-variant-autoscaler", @@ -482,19 +518,79 @@ "rhoai-3.4-ea.2" ], "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", - "repo_type": "downstream" + "repo_type": "downstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2" + } } } }, "AI Evaluations": { - "container_to_repo_mapping": {}, + "container_to_repo_mapping": { + "rhoai/odh-ta-lmes-driver-rhel9": "opendatahub-io/trustyai-service-operator", + "rhoai/odh-ta-lmes-job-rhel9": "opendatahub-io/lm-evaluation-harness" + }, "repositories": { "eval-hub/eval-hub": { "github_url": "https://github.com/eval-hub/eval-hub", "default_branch": "main", "active_release_branches": [], "branch_strategy": "Fix in main. Feature branches follow pattern feature/name or fix/issue.", - "repo_type": "upstream" + "repo_type": "upstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "None" + } + }, + "eval-hub/eval-hub-sdk": { + "github_url": "https://github.com/eval-hub/eval-hub-sdk", + "default_branch": "main", + "active_release_branches": [], + "branch_strategy": "Fix in main.", + "repo_type": "upstream", + "notes": "No midstream/downstream forks exist yet.", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "None" + } + }, + "eval-hub/eval-hub-contrib": { + "github_url": "https://github.com/eval-hub/eval-hub-contrib", + "default_branch": "main", + "active_release_branches": [], + "branch_strategy": "Fix in main.", + "repo_type": "upstream", + "notes": "No midstream/downstream forks exist yet.", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "None" + } + }, + "trustyai-explainability/llama-stack-provider-trustyai-garak": { + "github_url": "https://github.com/trustyai-explainability/llama-stack-provider-trustyai-garak", + "default_branch": "main", + "active_release_branches": [], + "branch_strategy": "Fix in main.", + "repo_type": "upstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "None" + } + }, + "trustyai-explainability/trustyai-service-operator": { + "github_url": "https://github.com/trustyai-explainability/trustyai-service-operator", + "default_branch": "main", + "active_release_branches": [ + "release/1.37.0", + "release/1.38.0" + ], + "branch_strategy": "Fix in main. Release branches follow pattern release/X.Y.Z.", + "repo_type": "upstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "release/1.37.0, release/1.38.0" + } }, "opendatahub-io/eval-hub": { "github_url": "https://github.com/opendatahub-io/eval-hub", @@ -504,7 +600,56 @@ "stable" ], "branch_strategy": "Fork of upstream eval-hub/eval-hub.", - "repo_type": "midstream" + "repo_type": "midstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "release/odh-3.4, stable" + } + }, + "opendatahub-io/lm-evaluation-harness": { + "github_url": "https://github.com/opendatahub-io/lm-evaluation-harness", + "default_branch": "main", + "active_release_branches": [ + "release/odh-3.3", + "release/odh-3.4", + "release/odh-3.4-ea2", + "release/odh-3.5" + ], + "branch_strategy": "ODH fork. Release branches follow pattern release/odh-X.Y.", + "repo_type": "midstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "release/odh-3.3, release/odh-3.4, release/odh-3.4-ea2, release/odh-3.5" + } + }, + "opendatahub-io/llama-stack-provider-trustyai-garak": { + "github_url": "https://github.com/opendatahub-io/llama-stack-provider-trustyai-garak", + "default_branch": "main", + "active_release_branches": [ + "release/odh-3.4", + "stable" + ], + "branch_strategy": "Fork of upstream trustyai-explainability/llama-stack-provider-trustyai-garak.", + "repo_type": "midstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "release/odh-3.4, stable" + } + }, + "opendatahub-io/trustyai-service-operator": { + "github_url": "https://github.com/opendatahub-io/trustyai-service-operator", + "default_branch": "main", + "active_release_branches": [ + "release/odh-3.3", + "release/odh-3.4", + "release/odh-3.4-ea2" + ], + "branch_strategy": "Fork of upstream trustyai-explainability/trustyai-service-operator. Release branches follow pattern release/odh-X.Y.", + "repo_type": "midstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "release/odh-3.3, release/odh-3.4, release/odh-3.4-ea2" + } }, "red-hat-data-services/eval-hub": { "github_url": "https://github.com/red-hat-data-services/eval-hub", @@ -515,7 +660,59 @@ "rhoai-3.4-ea.2" ], "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", - "repo_type": "downstream" + "repo_type": "downstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2" + } + }, + "red-hat-data-services/lm-evaluation-harness": { + "github_url": "https://github.com/red-hat-data-services/lm-evaluation-harness", + "default_branch": "main", + "active_release_branches": [ + "rhoai-3.3", + "rhoai-3.4", + "rhoai-3.4-ea.1", + "rhoai-3.4-ea.2" + ], + "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", + "repo_type": "downstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2" + } + }, + "red-hat-data-services/llama-stack-provider-trustyai-garak": { + "github_url": "https://github.com/red-hat-data-services/llama-stack-provider-trustyai-garak", + "default_branch": "main", + "active_release_branches": [ + "rhoai-3.3", + "rhoai-3.4", + "rhoai-3.4-ea.1", + "rhoai-3.4-ea.2" + ], + "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", + "repo_type": "downstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2" + } + }, + "red-hat-data-services/trustyai-service-operator": { + "github_url": "https://github.com/red-hat-data-services/trustyai-service-operator", + "default_branch": "main", + "active_release_branches": [ + "rhoai-3.3", + "rhoai-3.4", + "rhoai-3.4-ea.1", + "rhoai-3.4-ea.2" + ], + "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.", + "repo_type": "downstream", + "cve_fix_workflow": { + "primary_target": "main", + "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2" + } } } } From a23f47ca47914a3bb0ef61d4dcc4060a4478d9a1 Mon Sep 17 00:00:00 2001 From: Vaishnavi-Modi Date: Mon, 30 Mar 2026 08:09:58 -0400 Subject: [PATCH 6/7] fix: remove all RHOAIENG project references from docs and commands Replace RHOAIENG-specific Jira issue key examples with generic PROJ-XXXXX placeholders across cve.find.md, cve.fix.md, and README.md to make the workflow fully team-agnostic. Co-Authored-By: Claude Sonnet 4.6 (1M context) --- .../cve-fixer/.claude/commands/cve.find.md | 4 ++-- .../cve-fixer/.claude/commands/cve.fix.md | 20 +++++++++---------- workflows/cve-fixer/README.md | 6 +++--- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/workflows/cve-fixer/.claude/commands/cve.find.md b/workflows/cve-fixer/.claude/commands/cve.find.md index 5087acc6..519cada9 100644 --- a/workflows/cve-fixer/.claude/commands/cve.find.md +++ b/workflows/cve-fixer/.claude/commands/cve.find.md @@ -13,8 +13,8 @@ Example: Querying Jira... Found 2 CVEs Results: -- RHOAIENG-49745: CVE-2025-68121 -- RHOAIENG-48536: CVE-2025-61726 +- PROJ-49745: CVE-2025-68121 +- PROJ-48536: CVE-2025-61726 Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md ``` diff --git a/workflows/cve-fixer/.claude/commands/cve.fix.md b/workflows/cve-fixer/.claude/commands/cve.fix.md index 4de528a6..0790238b 100644 --- a/workflows/cve-fixer/.claude/commands/cve.fix.md +++ b/workflows/cve-fixer/.claude/commands/cve.fix.md @@ -34,7 +34,7 @@ Summary: 1. **Load CVEs from Find Output or User-Specified Jira Issue** **Option A: User specifies one or more Jira issues** - - If user provides one or more Jira issue IDs (e.g., `/cve.fix RHOAIENG-4973` or `/cve.fix RHOAIENG-4973 RHOAIENG-5821`): + - If user provides one or more Jira issue IDs (e.g., `/cve.fix PROJ-4973` or `/cve.fix PROJ-4973 PROJ-5821`): - Process each issue independently -- extract CVE ID and component from each - Use the provided Jira issue ID(s) directly - Fetch the issue details from Jira API @@ -687,7 +687,7 @@ Summary: - **If using `/cve.find` output (Option B)**: - Read the latest `/cve.find` output from `artifacts/cve-fixer/find/` - Search for all Jira issues that mention this specific CVE ID in their summary - - Extract the issue IDs (e.g., RHOAIENG-17794, RHOAIENG-16619, etc.) + - Extract the issue IDs (e.g., PROJ-12345, PROJ-12346, etc.) - Collect all issue IDs for this CVE - Generate comprehensive PR description with: - CVE details and severity @@ -698,9 +698,9 @@ Summary: - Risk assessment table - Links to CVE advisories - **Jira issue references**: List the extracted Jira issue IDs as plain text WITHOUT hyperlinks - - āœ… Correct: `Resolves: RHOAIENG-17794, RHOAIENG-16619, RHOAIENG-16616` - - āŒ Wrong: `Resolves: [RHOAIENG-17794](https://redhat.atlassian.net/browse/RHOAIENG-17794)` - - āŒ Wrong: `Multiple RHOAIENG issues for CVE-2024-21538 across different release branches` + - āœ… Correct: `Resolves: PROJ-12345, PROJ-12346, PROJ-12347` + - āŒ Wrong: `Resolves: [PROJ-12345](https://redhat.atlassian.net/browse/PROJ-12345)` + - āŒ Wrong: `Multiple Jira issues for CVE-2024-21538 across different release branches` - Do NOT create markdown links for Jira issues - Do NOT use generic descriptions - list the ACTUAL issue IDs - Just list the issue IDs separated by commas @@ -719,7 +719,7 @@ This PR fixes **CVE-YYYY-XXXXX** by upgrading from X.X.X to Y.Y.Y. - **Impact**: [Description] - **Vulnerable versions**: X.X.X - X.X.X - **Fixed version**: Y.Y.Y -- **Jira Issues**: RHOAIENG-XXXXX, RHOAIENG-YYYYY +- **Jira Issues**: PROJ-XXXXX, PROJ-YYYYY ### Test Results @@ -896,12 +896,12 @@ Fix all open CVEs from /cve.find output (default): Fix specific Jira issue: ``` -/cve.fix RHOAIENG-4973 +/cve.fix PROJ-4973 ``` Fix multiple specific Jira issues: ``` -/cve.fix RHOAIENG-4973 RHOAIENG-5821 +/cve.fix PROJ-4973 PROJ-5821 ``` Fix with custom message: @@ -910,7 +910,7 @@ Fix with custom message: ``` **How it works**: -- If you provide Jira issue IDs (e.g., RHOAIENG-XXXXX), the workflow will fix those specific issues +- If you provide Jira issue IDs (e.g., PROJ-XXXXX), the workflow will fix those specific issues - If you don't provide Jira IDs, the workflow will: 1. Read the latest `/cve.find` output 2. Extract all CVEs with `Status: Open` @@ -1097,5 +1097,5 @@ After completing this phase: - Include CVE ID in commit title - Document breaking changes in commit body - Reference Jira issues being resolved (plain text IDs, no hyperlinks) - - Example: `Resolves RHOAIENG-17794, RHOAIENG-427` + - Example: `Resolves PROJ-12345, PROJ-427` - Add Co-Authored-By for AI agent assistance diff --git a/workflows/cve-fixer/README.md b/workflows/cve-fixer/README.md index a977b0ea..9c5161c7 100644 --- a/workflows/cve-fixer/README.md +++ b/workflows/cve-fixer/README.md @@ -202,8 +202,8 @@ Implement remediations for CVEs discovered in Jira by creating pull requests wit **Usage:** ```bash /cve.fix # Will prompt for component and Jira issues -/cve.fix RHOAIENG-12345 # Fix specific Jira issue -/cve.fix RHOAIENG-12345,RHOAIENG-12346 # Fix multiple issues +/cve.fix PROJ-12345 # Fix specific Jira issue +/cve.fix PROJ-12345,PROJ-12346 # Fix multiple issues ``` **What it does:** @@ -281,7 +281,7 @@ artifacts/cve-fixer/ # Step 2: Review the discovered issues in artifacts/cve-fixer/find/ # Step 3: Implement fixes and create PRs -/cve.fix RHOAIENG-12345,RHOAIENG-12346 +/cve.fix PROJ-12345,PROJ-12346 # Step 4: Review the created PRs and merge when ready ``` From 332616b4566ea44efe053a1a4d19c2a702065c91 Mon Sep 17 00:00:00 2001 From: Vaishnavi-Modi Date: Mon, 30 Mar 2026 08:11:30 -0400 Subject: [PATCH 7/7] Revert "fix: remove all RHOAIENG project references from docs and commands" This reverts commit a23f47ca47914a3bb0ef61d4dcc4060a4478d9a1. --- .../cve-fixer/.claude/commands/cve.find.md | 4 ++-- .../cve-fixer/.claude/commands/cve.fix.md | 20 +++++++++---------- workflows/cve-fixer/README.md | 6 +++--- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/workflows/cve-fixer/.claude/commands/cve.find.md b/workflows/cve-fixer/.claude/commands/cve.find.md index 519cada9..5087acc6 100644 --- a/workflows/cve-fixer/.claude/commands/cve.find.md +++ b/workflows/cve-fixer/.claude/commands/cve.find.md @@ -13,8 +13,8 @@ Example: Querying Jira... Found 2 CVEs Results: -- PROJ-49745: CVE-2025-68121 -- PROJ-48536: CVE-2025-61726 +- RHOAIENG-49745: CVE-2025-68121 +- RHOAIENG-48536: CVE-2025-61726 Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md ``` diff --git a/workflows/cve-fixer/.claude/commands/cve.fix.md b/workflows/cve-fixer/.claude/commands/cve.fix.md index 0790238b..4de528a6 100644 --- a/workflows/cve-fixer/.claude/commands/cve.fix.md +++ b/workflows/cve-fixer/.claude/commands/cve.fix.md @@ -34,7 +34,7 @@ Summary: 1. **Load CVEs from Find Output or User-Specified Jira Issue** **Option A: User specifies one or more Jira issues** - - If user provides one or more Jira issue IDs (e.g., `/cve.fix PROJ-4973` or `/cve.fix PROJ-4973 PROJ-5821`): + - If user provides one or more Jira issue IDs (e.g., `/cve.fix RHOAIENG-4973` or `/cve.fix RHOAIENG-4973 RHOAIENG-5821`): - Process each issue independently -- extract CVE ID and component from each - Use the provided Jira issue ID(s) directly - Fetch the issue details from Jira API @@ -687,7 +687,7 @@ Summary: - **If using `/cve.find` output (Option B)**: - Read the latest `/cve.find` output from `artifacts/cve-fixer/find/` - Search for all Jira issues that mention this specific CVE ID in their summary - - Extract the issue IDs (e.g., PROJ-12345, PROJ-12346, etc.) + - Extract the issue IDs (e.g., RHOAIENG-17794, RHOAIENG-16619, etc.) - Collect all issue IDs for this CVE - Generate comprehensive PR description with: - CVE details and severity @@ -698,9 +698,9 @@ Summary: - Risk assessment table - Links to CVE advisories - **Jira issue references**: List the extracted Jira issue IDs as plain text WITHOUT hyperlinks - - āœ… Correct: `Resolves: PROJ-12345, PROJ-12346, PROJ-12347` - - āŒ Wrong: `Resolves: [PROJ-12345](https://redhat.atlassian.net/browse/PROJ-12345)` - - āŒ Wrong: `Multiple Jira issues for CVE-2024-21538 across different release branches` + - āœ… Correct: `Resolves: RHOAIENG-17794, RHOAIENG-16619, RHOAIENG-16616` + - āŒ Wrong: `Resolves: [RHOAIENG-17794](https://redhat.atlassian.net/browse/RHOAIENG-17794)` + - āŒ Wrong: `Multiple RHOAIENG issues for CVE-2024-21538 across different release branches` - Do NOT create markdown links for Jira issues - Do NOT use generic descriptions - list the ACTUAL issue IDs - Just list the issue IDs separated by commas @@ -719,7 +719,7 @@ This PR fixes **CVE-YYYY-XXXXX** by upgrading from X.X.X to Y.Y.Y. - **Impact**: [Description] - **Vulnerable versions**: X.X.X - X.X.X - **Fixed version**: Y.Y.Y -- **Jira Issues**: PROJ-XXXXX, PROJ-YYYYY +- **Jira Issues**: RHOAIENG-XXXXX, RHOAIENG-YYYYY ### Test Results @@ -896,12 +896,12 @@ Fix all open CVEs from /cve.find output (default): Fix specific Jira issue: ``` -/cve.fix PROJ-4973 +/cve.fix RHOAIENG-4973 ``` Fix multiple specific Jira issues: ``` -/cve.fix PROJ-4973 PROJ-5821 +/cve.fix RHOAIENG-4973 RHOAIENG-5821 ``` Fix with custom message: @@ -910,7 +910,7 @@ Fix with custom message: ``` **How it works**: -- If you provide Jira issue IDs (e.g., PROJ-XXXXX), the workflow will fix those specific issues +- If you provide Jira issue IDs (e.g., RHOAIENG-XXXXX), the workflow will fix those specific issues - If you don't provide Jira IDs, the workflow will: 1. Read the latest `/cve.find` output 2. Extract all CVEs with `Status: Open` @@ -1097,5 +1097,5 @@ After completing this phase: - Include CVE ID in commit title - Document breaking changes in commit body - Reference Jira issues being resolved (plain text IDs, no hyperlinks) - - Example: `Resolves PROJ-12345, PROJ-427` + - Example: `Resolves RHOAIENG-17794, RHOAIENG-427` - Add Co-Authored-By for AI agent assistance diff --git a/workflows/cve-fixer/README.md b/workflows/cve-fixer/README.md index 9c5161c7..a977b0ea 100644 --- a/workflows/cve-fixer/README.md +++ b/workflows/cve-fixer/README.md @@ -202,8 +202,8 @@ Implement remediations for CVEs discovered in Jira by creating pull requests wit **Usage:** ```bash /cve.fix # Will prompt for component and Jira issues -/cve.fix PROJ-12345 # Fix specific Jira issue -/cve.fix PROJ-12345,PROJ-12346 # Fix multiple issues +/cve.fix RHOAIENG-12345 # Fix specific Jira issue +/cve.fix RHOAIENG-12345,RHOAIENG-12346 # Fix multiple issues ``` **What it does:** @@ -281,7 +281,7 @@ artifacts/cve-fixer/ # Step 2: Review the discovered issues in artifacts/cve-fixer/find/ # Step 3: Implement fixes and create PRs -/cve.fix PROJ-12345,PROJ-12346 +/cve.fix RHOAIENG-12345,RHOAIENG-12346 # Step 4: Review the created PRs and merge when ready ```