- Fix subcomponent: trustyai-service-operator repos incorrectly grouped
under lm-evaluation-harness — give them their own subcomponent value
- Add missing case in Step 3: container extracted but not found in
container_to_repo_mapping → fall back to all repos with warning
- Add language-specific transitive dependency guidance in Step 5.2.1:
Go (replace directive), Python (update parent package), Node (overrides)
- Fix package regex to support npm scoped packages (@grpc/grpc-js etc)
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Store `CONTAINER` and `PACKAGE` per CVE for use in Steps 3 and 5.
@@ -122,7 +122,10 @@ Summary:
122
122
123
123
If a `CONTAINER` was extracted in Step 1:
124
124
- Look up `CONTAINER` in `container_to_repo_mapping` for the component
125
-
- This gives the **primary repo** (e.g., `opendatahub-io/workload-variant-autoscaler`)
125
+
-**If container not found in mapping**:
126
+
- Log a warning: "⚠️ Container [CONTAINER] not in mapping — may be a new container not yet registered. Processing all component repos."
127
+
- Fall back to processing all repos in the component (scan in Step 5 filters irrelevant ones)
128
+
-**If container found**: gives the **primary repo** (e.g., `opendatahub-io/workload-variant-autoscaler`)
126
129
- Check if the primary repo has a `subcomponent` field in the `repositories` section
127
130
-**If `subcomponent` is defined**: collect all repos in the component with the same `subcomponent` value — this is the chain (upstream + midstream + downstream)
128
131
-**If `subcomponent` is not defined**: process ALL repositories in the component (safe fallback — the CVE scan in Step 5 will filter out repos where the CVE doesn't exist)
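Review bot: the new "container not found" branch leaves the next step ambiguous. After the fallback bullet ("Fall back to processing all repos in the component"), the text continues with "Check if the primary repo has a `subcomponent` field", but in the not-found case no primary repo was resolved, so a reader following the steps literally has nothing to look up. State explicitly that when the container is not in `container_to_repo_mapping` the subcomponent lookup is skipped and processing goes straight to all repositories, and consider carrying the warning into the resulting PR description so reviewers can see that scope was widened because of an unregistered container rather than a deliberate choice.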
@@ -303,8 +306,12 @@ Summary:
303
306
- If version is in affected range → proceed with fix
304
307
- If version is already patched → mark as already fixed (see below)
305
308
- **Package not found in any manifest** → it may be transitive or RPM-installed
306
-
- **Still proceed with fix attempt** — try to add/pin the package at a safe version
307
-
- Include note in PR: "⚠️ Package not found directly in manifests — may be a transitive or RPM-installed dependency. Manual review required to confirm fix is effective."
309
+
- **Do NOT blindly add a direct dependency** — this can cause version conflicts or unnecessary bloat
310
+
- Instead, document the situation and create PR with guidance:
311
+
- **Go**: transitive deps require a `replace` directive in go.mod — add it only if intentional
312
+
- **Python**: adding to requirements.txt may conflict with what pip resolves transitively; prefer updating the parent package that pulls it in
313
+
- **Node**: use npm `overrides` to force a safe version without adding a direct dep
314
+
- Include note in PR: "⚠️ Package not found directly in manifests — may be a transitive or RPM-installed dependency. Manual review required to confirm the right fix approach."
308
315
- **Both scan AND version check find nothing** → mark as already fixed:
309
316
- **DO NOT create a PR**
310
317
- **Print to stdout**: "✅ CVE-YYYY-XXXXX is already fixed in [repository] ([branch]). No action needed."
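Review bot: the Go bullet ("transitive deps require a `replace` directive in go.mod") is misleading. Bumping a transitive module to a safe version does not need `replace`; `go get module@version` adds (or raises) a `require` entry marked `// indirect`, and minimal version selection then picks that version for the whole build. A `replace` directive swaps the module source and should be reserved for forks or locally patched copies, since it silently diverges from upstream and is easy to forget. Suggest rewording to: "**Go**: raise the transitive module's version with `go get module@safe-version` (adds an `// indirect` require); use `replace` only when pointing at a patched fork, and only if intentional." That also keeps the bullet consistent with the preceding "Do NOT blindly add a direct dependency" guidance.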