fix: remaining CodeRabbit comments — output docs and markdown formatting

vmrh21 · claude · vmrh21 · commit 3924f59576ca · 2026-04-06T17:33:28.000-04:00
- Add VEX and base image artifact types to Output section:
  vex-justified-*, vex-needs-human-review-*, base-image-pending-*
  so operators know what artifacts to expect for each scenario
- Fix MD031 markdown violations in cve.find.md: add blank lines
  before fenced code blocks in Step 3a and 3b

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/workflows/cve-fixer/.claude/commands/cve.find.md b/workflows/cve-fixer/.claude/commands/cve.find.md
@@ -89,13 +89,15 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md
 3. **Query Jira for CVE Issues**
 
    a. Set up variables (AUTH already set from Step 2):
+
    ```bash
    COMPONENT_NAME="[from step 1]"
    JIRA_BASE_URL="https://redhat.atlassian.net"
    # AUTH already constructed in Step 2 — reuse it
    ```
 
    b. Construct JQL query and execute API call:
+
    ```bash
    # Normalize component name with case-insensitive lookup against mapping file
    # Try relative to cwd (workflow root), then repo-relative fallback
diff --git a/workflows/cve-fixer/.claude/commands/cve.fix.md b/workflows/cve-fixer/.claude/commands/cve.fix.md
@@ -1173,8 +1173,17 @@ EOF
   - Jira issue references
   - PR URL for the created pull request
 
-- **Already Fixed Report**: `artifacts/cve-fixer/fixes/already-fixed-CVE-YYYY-XXXXX.md` (if CVE was already fixed)
-  - CVE ID and repository checked
+- **Already Fixed Report**: `artifacts/cve-fixer/fixes/already-fixed-CVE-YYYY-XXXXX.md` (if CVE confirmed not present via both scan and package check)
+  - CVE ID, repository, and scan evidence
+
+- **VEX Justified Report**: `artifacts/cve-fixer/fixes/vex-justified-CVE-YYYY-XXXXX.md` (if auto-detected VEX justification added to Jira)
+  - CVE ID, Jira key, justification type, evidence, scan output
+
+- **VEX Human Review Report**: `artifacts/cve-fixer/fixes/vex-needs-human-review-CVE-YYYY-XXXXX.md` (if VEX justification requires human judgment)
+  - CVE ID, Jira key, scan output, and recommended justification options (4 or 5)
+
+- **Base Image Pending Report**: `artifacts/cve-fixer/fixes/base-image-pending-CVE-YYYY-XXXXX.md` (if CVE is in base image and no newer tag available)
+  - CVE ID, base image reference, Jira comment added
   - Scan results showing CVE is not present
   - Timestamp of verification
   - Note about Jira ticket requiring manual closure
