fix: address all CodeRabbit comments on PR 104

vmrh21 · claude · vmrh21 · commit 1b8f24f031de · 2026-04-10T15:26:00.000-04:00
cve.fix.md:
- Search 3 (broad package name): document false-positive trade-off so
  workflow uses judgment before skipping on common package names
- Post-fix scan: check exit code before grepping output — if scanner
  failed to run, treat as inconclusive and block PR creation
- Automerge: add non-empty PR_URL guard before calling gh pr merge
- Jira comment: add MCP-first note (use MCP tool if available)

onboard.md:
- Jira validation: use MCP-first pattern (select:mcp__mcp-atlassian__)
  with curl fallback; also fix shell injection in JQL encoding
- Python heredoc: pass all variables as argv[] instead of interpolating
  shell vars into Python code — prevents injection from component names
  containing quotes, backslashes, or newlines

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/workflows/cve-fixer/.claude/commands/cve.fix.md b/workflows/cve-fixer/.claude/commands/cve.fix.md
@@ -633,8 +633,11 @@ This issue can be closed as 'Not a Bug / ${VEX_JUSTIFICATION}' if the above evid
        --jq '[.[] | select(.author.login | test("dependabot|renovate|renovate-bot"; "i"))] | .[0]' \
        2>/dev/null)
 
-     # If no bot PR, still check for any open PR bumping this package
-     # (a human may have already opened a fix PR without mentioning the CVE)
+     # Search 3: broad package name search to catch human-opened PRs.
+     # Note: for common package names (e.g. "requests", "yaml") this may
+     # produce false positives. If the matched PR title does not appear
+     # related to the CVE (e.g. it's a feature PR that happens to mention
+     # the package), do NOT skip — use judgment before skipping.
      if [ -z "$EXISTING_PR" ] || [ "$EXISTING_PR" = "null" ]; then
        EXISTING_PR=$(gh pr list --repo "$REPO_FULL" --state open --base "$TARGET_BRANCH" \
          --search "$PACKAGE" --json number,title,url --jq '.[0]' 2>/dev/null)
@@ -1096,10 +1099,18 @@ This issue can be closed as 'Not a Bug / ${VEX_JUSTIFICATION}' if the above evid
    POST_SCAN_OUTPUT=$(npm audit --json 2>&1)
    ```
 
-   **Check result:**
+   **Check result — verify scan ran successfully before trusting output:**
 
    ```bash
-   if echo "$POST_SCAN_OUTPUT" | grep -q "$CVE_ID"; then
+   SCAN_EXIT_CODE=$?
+
+   # If scanner failed (tool missing, network issue, toolchain error), treat as
+   # inconclusive — do NOT assume CVE is fixed. Log and skip PR creation.
+   if [ $SCAN_EXIT_CODE -ne 0 ] && [ -z "$POST_SCAN_OUTPUT" ]; then
+     echo "⚠️ Post-fix scan failed to run (exit code ${SCAN_EXIT_CODE}). Cannot verify fix."
+     echo "⚠️ Skipping PR creation for safety — manual verification required."
+     CVE_STILL_PRESENT=true  # treat as still present to block PR creation
+   elif echo "$POST_SCAN_OUTPUT" | grep -q "$CVE_ID"; then
      CVE_STILL_PRESENT=true
    else
      CVE_STILL_PRESENT=false
@@ -1110,7 +1121,10 @@ This issue can be closed as 'Not a Bug / ${VEX_JUSTIFICATION}' if the above evid
 
    **If CVE is still present** (`CVE_STILL_PRESENT=true`) → **do NOT create a PR**:
    - Print: "❌ CVE-YYYY-XXXXX still detected after fix attempt in [repo] ([branch]). Fix was insufficient."
-   - Add a Jira comment:
+   - Add a Jira comment using MCP if available, otherwise curl:
+
+     If `mcp__mcp-atlassian__jira_search` was used in Step 2, use the corresponding
+     Jira comment MCP tool. Otherwise fall back to curl:
 
      ```bash
      COMMENT_TEXT="Automated fix attempted but CVE still detected after applying changes.
@@ -1231,10 +1245,12 @@ EOF
          --title "Security: Fix CVE-YYYY-XXXXX (<package-name>)" \
          --body "$PR_BODY")
 
-       # Enable automerge if --automerge flag was passed
-       if [ "$AUTOMERGE" = "true" ]; then
+       # Enable automerge if --automerge flag was passed and PR was created successfully
+       if [ "$AUTOMERGE" = "true" ] && [ -n "$PR_URL" ] && [ "$PR_URL" != "null" ]; then
          gh pr merge --auto --squash "$PR_URL"
          echo "✅ Automerge enabled on $PR_URL — will merge when checks pass"
+       elif [ "$AUTOMERGE" = "true" ] && [ -z "$PR_URL" ]; then
+         echo "⚠️ Automerge skipped — PR URL is empty (PR creation may have failed)"
        fi
        ```
      - Capture the PR URL from the command output
diff --git a/workflows/cve-fixer/.claude/commands/onboard.md b/workflows/cve-fixer/.claude/commands/onboard.md
@@ -30,12 +30,17 @@ used in Jira — this is validated against the Jira API during onboarding.
 
 2. **Validate Jira Component Name**
 
-   Confirm the component exists in Jira and has CVE issues:
+   Use MCP if available (preferred), otherwise fall back to curl.
+   Follow the same MCP-first pattern as `cve.find`:
+   - Try `ToolSearch: select:mcp__mcp-atlassian__jira_search` first
+   - If found, use it to search: `component = "${COMPONENT_NAME}" AND labels = SecurityTracking`
+   - If not found, fall back to curl:
 
    ```bash
    JIRA_BASE_URL="https://redhat.atlassian.net"
    AUTH=$(echo -n "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64)
-   ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('component = \"${COMPONENT_NAME}\" AND labels = SecurityTracking'))")
+   JQL="component = \"${COMPONENT_NAME}\" AND labels = SecurityTracking"
+   ENCODED=$(python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))" "$JQL")
 
    RESULT=$(curl -s -X GET --connect-timeout 10 --max-time 15 \
      -H "Authorization: Basic ${AUTH}" \
@@ -152,24 +157,38 @@ used in Jira — this is validated against the Jira API during onboarding.
 
    MAPPING_FILE="workflows/cve-fixer/component-repository-mappings.json"
 
-   # Insert new component using Python (preserves JSON formatting)
-   python3 - <<PYEOF
-   import json
+   # Write the new component JSON to a temp file first to avoid shell injection
+   # (component names or JSON values may contain quotes, backslashes, or newlines)
+   echo "$NEW_COMPONENT_JSON" > /tmp/new_component.json
 
-   with open("${MAPPING_FILE}") as f:
+   TODAY=$(date +%Y-%m-%d)
+
+   python3 - "$MAPPING_FILE" "$COMPONENT_NAME" /tmp/new_component.json "$TODAY" <<'PYEOF'
+   import json, sys
+
+   mapping_file = sys.argv[1]
+   component_name = sys.argv[2]
+   new_component_file = sys.argv[3]
+   today = sys.argv[4]
+
+   with open(mapping_file) as f:
        data = json.load(f)
 
-   # Add new component
-   data["components"]["${COMPONENT_NAME}"] = ${NEW_COMPONENT_JSON}
+   with open(new_component_file) as f:
+       new_component = json.load(f)
 
-   # Update metadata
-   data["metadata"]["last_updated"] = "$(date +%Y-%m-%d)"
+   data["components"][component_name] = new_component
+   data["metadata"]["last_updated"] = today
 
-   with open("${MAPPING_FILE}", "w") as f:
+   with open(mapping_file, "w") as f:
        json.dump(data, f, indent=2, ensure_ascii=False)
        f.write("\n")
+
+   print(f"Added component: {component_name}")
    PYEOF
 
+   rm -f /tmp/new_component.json
+
    # Validate JSON
    python3 -m json.tool "$MAPPING_FILE" > /dev/null && echo "✅ JSON valid"
 
