Skip to content

Accept vulnerability-draft component as valid flaw bug#3121

Open
joepvd wants to merge 1 commit into
openshift-eng:mainfrom
joepvd:accept-vulnerability-draft-flaw-bugs
Open

Accept vulnerability-draft component as valid flaw bug#3121
joepvd wants to merge 1 commit into
openshift-eng:mainfrom
joepvd:accept-vulnerability-draft-flaw-bugs

Conversation

@joepvd

@joepvd joepvd commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

  • The is_flaw_bug() method in bzutil.py previously raised a ValueError when encountering Bugzilla flaw bugs with the vulnerability-draft component, requiring manual ProdSec consultation
  • This change treats vulnerability-draft the same as vulnerability, allowing these bugs to be processed in CVE workflows (e.g. find-bugs)

Test plan

  • All 412 existing elliott unit tests pass
  • Verify with a real vulnerability-draft flaw bug that it is now accepted by find-bugs

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Security Response bugs with a vulnerability-draft component are now treated the same as other flaw bugs.
    • This prevents errors in cases that previously failed and improves handling for draft vulnerability bugs.

The is_flaw_bug() method previously raised a ValueError when encountering
Bugzilla bugs with the "vulnerability-draft" component. This change treats
"vulnerability-draft" the same as "vulnerability", allowing these bugs to
be processed normally in find-bugs and other CVE workflows.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rayfordj for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift-eng/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3d76cc32-04fe-460c-9563-758edf0667cd

📥 Commits

Reviewing files that changed from the base of the PR and between e448a31 and 0c28d2a.

📒 Files selected for processing (1)
  • elliott/elliottlib/bzutil.py

Walkthrough

The Bug.is_flaw_bug() method was modified so that Security Response bugs with a component of either "vulnerability" or "vulnerability-draft" are both treated as flaw bugs, replacing prior behavior that raised a ValueError for "vulnerability-draft".

Changes

Flaw Bug Detection

Layer / File(s) Summary
Update flaw bug component check
elliott/elliottlib/bzutil.py
is_flaw_bug() returns True for both "vulnerability" and "vulnerability-draft" components instead of raising a ValueError for the latter.

Estimated code review effort: 1 (Trivial) | ~3 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Container-Privileges ❌ Error Tekton manifests add privileged: true and runAsUser: 0 in artcd-task.yaml and fips-scanning/pipeline-task.yaml, with no explicit justification. Remove privileged/root settings or document why they’re required and switch to least-privilege securityContext values where possible.
Ai-Attribution ⚠️ Warning AI use is explicitly mentioned, but the commit uses Co-Authored-By: Claude Opus 4.6 instead of a Red Hat Assisted-by/Generated-by trailer. Replace the AI credit with an Assisted-by or Generated-by trailer in Red Hat format, and remove Co-Authored-By for the AI tool.
✅ Passed checks (9 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: treating vulnerability-draft as a valid flaw bug.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto ✅ Passed The only changed logic is Bug.is_flaw_bug() component matching; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons found.
No-Sensitive-Data-In-Logs ✅ Passed PASS: The PR only widens is_flaw_bug() matching; it adds no logging or string interpolation that could expose secrets.
No-Hardcoded-Secrets ✅ Passed Touched code only adds component strings; targeted scan found no keys, tokens, passwords, private keys, or credential URLs.
No-Injection-Vectors ✅ Passed The only change is a boolean membership check in is_flaw_bug(); no new SQL, shell, eval, pickle, yaml, or HTML injection sink is introduced.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@joepvd

joepvd commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@joepvd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/art-pre-commit-check 0c28d2a link false /test art-pre-commit-check
ci/prow/security 0c28d2a link false /test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant