feat: add subcomponent filter to cve.find

vmrh21 · claude · vmrh21 · commit 8ce98b40473a · 2026-03-30T19:31:51.000-04:00
Allow users to optionally scope cve.find to a specific subcomponent:
  /cve.find llm-d autoscaler
  /cve.find "AI Evaluations" trustyai-ragas

Reverse-looks up all containers for the given subcomponent from
component-repository-mappings.json and adds pscomponent: label
filters to the JQL using OR when multiple containers exist
(e.g. lm-evaluation-harness has both odh-ta-lmes-driver and
odh-ta-lmes-job containers).

cve.fix requires no changes — it reads from the scoped find output
and its container-based repo scoping handles the rest automatically.

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/workflows/cve-fixer/.claude/commands/cve.find.md b/workflows/cve-fixer/.claude/commands/cve.find.md
@@ -31,17 +31,26 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md
 ## Process
 
 1. **Parse Arguments and Flags**
-   - Parse the command arguments for both the component name and optional flags
+   - Parse the command arguments for the component name, optional subcomponent, and optional flags
    - **Supported flags:**
      - `--ignore-resolved` — Exclude issues with Jira status "Resolved" from results
-   - The component name is any argument that is not a flag
+   - The component name is the first argument that is not a flag
+   - The subcomponent is the second positional argument that is not a flag (optional)
    - If component is not provided, ask the user to type the component name
    - **IMPORTANT**: Let the user type the component name freely as text input
    - **DO NOT** provide multiple-choice options or suggestions
    - **DO NOT** use AskUserQuestion tool with predefined options
    - Simply ask: "What is the component name?" and wait for user's text response
    - Store the `--ignore-resolved` flag as a boolean for use in step 3
 
+   **Examples:**
+   ```bash
+   /cve.find llm-d                          # all llm-d CVEs
+   /cve.find llm-d autoscaler               # only autoscaler CVEs
+   /cve.find llm-d autoscaler --ignore-resolved
+   /cve.find "AI Evaluations" trustyai-ragas
+   ```
+
 2. **Check JIRA API Token (REQUIRED - User Setup)**
    - **This is the ONLY thing the user must configure manually before proceeding**
 
@@ -120,6 +129,28 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md
    # Build JQL query
    JQL="component = \"${COMPONENT_NAME}\" AND summary ~ \"CVE*\" AND labels = SecurityTracking"
 
+   # Append subcomponent filter if provided
+   if [ -n "$SUBCOMPONENT" ] && [ -n "$MAPPING_FILE" ] && [ -f "$MAPPING_FILE" ]; then
+     # Reverse lookup: find ALL containers whose primary repo has matching subcomponent
+     PSCOMPONENTS=$(jq -r --arg comp "$COMPONENT_NAME" --arg sub "$SUBCOMPONENT" '
+       .components[$comp] as $c |
+       $c.container_to_repo_mapping | to_entries[] |
+       select($c.repositories[.value].subcomponent == $sub) |
+       "pscomponent:" + .key
+     ' "$MAPPING_FILE")
+
+     if [ -n "$PSCOMPONENTS" ]; then
+       # Build OR clause for all matching containers
+       LABEL_FILTERS=$(echo "$PSCOMPONENTS" | \
+         awk '{print "labels = \"" $0 "\""}' | \
+         paste -sd ' OR ' -)
+       JQL="${JQL} AND (${LABEL_FILTERS})"
+       echo "Filtering by subcomponent '${SUBCOMPONENT}': ${PSCOMPONENTS}"
+     else
+       echo "⚠️ Subcomponent '${SUBCOMPONENT}' not found in mapping for '${COMPONENT_NAME}' — running without subcomponent filter"
+     fi
+   fi
+
    # Append resolved filter if --ignore-resolved flag was provided
    if [ "$IGNORE_RESOLVED" = "true" ]; then
      JQL="${JQL} AND status not in (\"Resolved\")"
