fix: address all CodeRabbit review comments on PR 101

cve.fix.md:
- Deduplicate TARGET_BRANCHES to prevent processing DEFAULT_BRANCH twice
- Fix branch naming: include target branch in fix branch name to avoid
  collisions (fix/cve-...-urllib3-rhoai-3.4-attempt-1)
- Replace shared-dir branch loop with isolated git worktree per branch
  to prevent cross-branch state contamination
- Fix version_is_safe: replace undefined function with sort -V comparison
- Fix govulncheck condition: check for Informational section (not
  "No vulnerabilities found") for execute path detection
- Fix unsafe JSON in curl: use jq -n --arg to safely encode Jira comment
- Add skopeo error handling: check exit code, warn and skip on failure
- Fix semantic version comparison: use sort -V + awk instead of awk string compare
- Clarify fork vs direct-push as two separate repo examples (not sequential)

cve.find.md:
- Remove HTTP 403 case: /rest/api/3/myself only returns 401 for all auth failures
- Add retry loop: attempt auth test call twice before giving up on network timeout

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: vmrh21

workflows/cve-fixer/.claude/commands/cve.find.md

@@ -59,23 +59,30 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md
    ```bash
    JIRA_BASE_URL="https://redhat.atlassian.net"
    AUTH=$(echo -n "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64)
-   TEST_RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X GET \
-     --connect-timeout 10 --max-time 15 \
-     -H "Authorization: Basic ${AUTH}" \
-     -H "Content-Type: application/json" \
-     "${JIRA_BASE_URL}/rest/api/3/myself")
+
+   # Retry once on network failure (curl exit code 000 = timeout/no response)
+   for ATTEMPT in 1 2; do
+     TEST_RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X GET \
+       --connect-timeout 10 --max-time 15 \
+       -H "Authorization: Basic ${AUTH}" \
+       -H "Content-Type: application/json" \
+       "${JIRA_BASE_URL}/rest/api/3/myself")
+     [ "$TEST_RESPONSE" != "000" ] && break
+     echo "⚠️ Network timeout on attempt ${ATTEMPT}, retrying..."
+     sleep 3
+   done
    ```
 
    - **HTTP 200** → credentials valid, proceed
-   - **HTTP 401** → credentials missing or invalid. Only now inform the user:
+   - **HTTP 401** → credentials missing or invalid. Note: `/rest/api/3/myself` returns 401 for all authentication failures — there is no separate 403 for this endpoint. Only now inform the user:
      - Check if `JIRA_API_TOKEN` and `JIRA_EMAIL` are configured as Ambient session secrets
      - If not, generate a token at https://id.atlassian.com/manage-profile/security/api-tokens and export:
+
        ```bash
        export JIRA_API_TOKEN="your-token-here"
        export JIRA_EMAIL="your-email@redhat.com"
        ```
-   - **HTTP 403** → token valid but insufficient permissions — inform user
-   - **Other / timeout** → network issue — inform user and retry once
+   - **HTTP 000 after retry** → persistent network issue — inform user and stop
 
    **Do NOT pre-check env vars with `[ -z "$JIRA_API_TOKEN" ]` and stop.** The variables may be available to the API call even if not visible to the shell check (e.g. Ambient secrets injection).
 

workflows/cve-fixer/.claude/commands/cve.fix.md

@@ -151,9 +151,10 @@ Summary:
      - If `active_release_branches` is empty, target `default_branch` only
 
    ```bash
-   # Determine target branches per repo
+   # Determine target branches per repo — deduplicate to avoid processing DEFAULT_BRANCH twice
    if [ "$REPO_TYPE" = "downstream" ]; then
-     TARGET_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
+     ALL_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
+     TARGET_BRANCHES=($(printf '%s\n' "${ALL_BRANCHES[@]}" | awk '!seen[$0]++'))
    else
      TARGET_BRANCHES=("$DEFAULT_BRANCH")
    fi
@@ -174,7 +175,9 @@ Summary:
    **Multi-repo + multi-branch strategy**:
    - Fix upstream repos first, then midstream, then downstream
    - For downstream: Steps 4 through 11 repeat for EACH branch independently
-   - Each branch produces its own PR with its own fix branch (e.g., `fix/cve-YYYY-XXXXX-<package>-rhoai-3.4-attempt-1`)
+   - Each branch produces its own fix branch including the target branch name to avoid collisions:
+     `fix/cve-YYYY-XXXXX-<package>-<target-branch>-attempt-1`
+     e.g. `fix/cve-2025-66418-urllib3-rhoai-3.4-attempt-1`
    - Never combine fixes for multiple branches into a single PR
 
 4. **Clone or Use Existing Repository**
@@ -236,25 +239,41 @@ Summary:
 
    This is common for upstream repos (`llm-d/*`, `eval-hub/*`, `trustyai-explainability/*`) where the user doesn't have direct write access.
 
-   **4.3: Branch loop**
+   **4.3: Branch loop — isolated worktree per branch**
 
-   Steps 5–11 run in a loop over `TARGET_BRANCHES` — for each branch:
-   - `git checkout <branch>` and `git pull` to ensure it is up to date
-   - Apply fix and create PR targeting that branch (from fork if no direct push access)
+   To prevent cross-branch contamination (uncommitted files, lockfile drift, tool artifacts),
+   use a separate worktree for each target branch rather than switching branches in the same dir:
 
-   **Example for downstream with 4 active branches:**
    ```bash
-   # Clone once: /tmp/red-hat-data-services/llm-d-inference-scheduler
-   # User has write access → push directly, 5 PRs:
-   # PR 1 → base: main
-   # PR 2 → base: rhoai-3.3
-   # PR 3 → base: rhoai-3.4
-   # PR 4 → base: rhoai-3.4-ea.1
-   # PR 5 → base: rhoai-3.4-ea.2
-
-   # Clone once: /tmp/llm-d/llm-d-inference-scheduler
-   # User has NO write access → fork + 1 PR:
-   # PR 1 → head: <user>/llm-d-inference-scheduler:fix/... → base: main
+   for TARGET_BRANCH in "${TARGET_BRANCHES[@]}"; do
+     BRANCH_DIR="/tmp/${REPO_ORG}/${REPO_NAME}-${TARGET_BRANCH//\//-}"
+     git -C "$REPO_DIR" worktree add "$BRANCH_DIR" "$TARGET_BRANCH"
+     cd "$BRANCH_DIR"
+     git pull origin "$TARGET_BRANCH"
+     # Steps 5–11 run here — fix, test, push, PR
+     FIX_BRANCH="fix/cve-${CVE_ID}-${PACKAGE}-${TARGET_BRANCH//\//-}-attempt-1"
+     git -C "$REPO_DIR" worktree remove "$BRANCH_DIR" --force  # cleanup after PR
+   done
+   ```
+
+   Each worktree is fully isolated — no shared index or working tree state between branches.
+
+   **Example output for downstream with write access (5 separate PRs):**
+
+   ```
+   Repo: red-hat-data-services/llm-d-inference-scheduler
+   ├── worktree: main          → fix branch: fix/cve-2025-66418-urllib3-main-attempt-1
+   ├── worktree: rhoai-3.3     → fix branch: fix/cve-2025-66418-urllib3-rhoai-3.3-attempt-1
+   ├── worktree: rhoai-3.4     → fix branch: fix/cve-2025-66418-urllib3-rhoai-3.4-attempt-1
+   ├── worktree: rhoai-3.4-ea.1 → fix branch: fix/cve-2025-66418-urllib3-rhoai-3.4-ea.1-attempt-1
+   └── worktree: rhoai-3.4-ea.2 → fix branch: fix/cve-2025-66418-urllib3-rhoai-3.4-ea.2-attempt-1
+   ```
+
+   **Example output for upstream with no write access (fork, 1 PR):**
+
+   ```
+   Repo: llm-d/llm-d-inference-scheduler (no write access → fork)
+   └── worktree: main → push to <user>/llm-d-inference-scheduler → PR targeting llm-d/... main
    ```
 
 4.5. **Load Global Fix Guidance from `.cve-fix/` Folder**
@@ -420,11 +439,18 @@ Summary:
      echo "Checking for newer tags of: $IMAGE_REF (current: $CURRENT_TAG)"
 
      # List available tags (works for quay.io, registry.access.redhat.com, etc.)
-     AVAILABLE_TAGS=$(skopeo list-tags "docker://${IMAGE_REF}" 2>/dev/null | \
-       jq -r '.Tags[]' | sort -V)
+     SKOPEO_OUTPUT=$(skopeo list-tags "docker://${IMAGE_REF}" 2>&1)
+     SKOPEO_EXIT=$?
+     if [ $SKOPEO_EXIT -ne 0 ]; then
+       echo "⚠️ skopeo list-tags failed for ${IMAGE_REF}: ${SKOPEO_OUTPUT}"
+       echo "⚠️ Skipping base image update check — treating as no newer tag available"
+       continue
+     fi
+     AVAILABLE_TAGS=$(echo "$SKOPEO_OUTPUT" | jq -r '.Tags[]' 2>/dev/null | sort -V)
 
-     # Find tags newer than current
-     NEWER_TAGS=$(echo "$AVAILABLE_TAGS" | awk -v cur="$CURRENT_TAG" '$0 > cur')
+     # Find tags newer than current using sort -V (semantic version aware)
+     NEWER_TAGS=$(printf '%s\n' "$AVAILABLE_TAGS" | sort -V | \
+       awk -v cur="$CURRENT_TAG" 'found{print} $0==cur{found=1}')
    done
    ```
 
@@ -479,15 +505,23 @@ Summary:
      VEX_JUSTIFICATION="Component not Present"
      VEX_EVIDENCE="Package '${PACKAGE}' not found in any dependency manifest (requirements.txt, go.mod, package.json)"
 
-   # Check 2: Vulnerable Code not Present (package exists at safe version)
-   elif [ -n "$PACKAGE_VERSION" ] && version_is_safe "$PACKAGE_VERSION" "$CVE_AFFECTED_RANGE"; then
-     VEX_JUSTIFICATION="Vulnerable Code not Present"
-     VEX_EVIDENCE="Package '${PACKAGE}' present at version ${PACKAGE_VERSION} which is not in the affected range"
+   # Check 2: Vulnerable Code not Present — package present but at a non-vulnerable version.
+   # PACKAGE_VERSION is set during the manifest check in Step 5.2.1.
+   # Compare using sort -V: if the installed version sorts after the last affected version, it is safe.
+   elif [ -n "$PACKAGE_VERSION" ] && [ -n "$CVE_FIXED_VERSION" ]; then
+     HIGHER=$(printf '%s\n' "$PACKAGE_VERSION" "$CVE_FIXED_VERSION" | sort -V | tail -1)
+     if [ "$HIGHER" = "$PACKAGE_VERSION" ] && [ "$PACKAGE_VERSION" != "$CVE_FIXED_VERSION" ]; then
+       VEX_JUSTIFICATION="Vulnerable Code not Present"
+       VEX_EVIDENCE="Package '${PACKAGE}' present at version ${PACKAGE_VERSION} which is >= fixed version ${CVE_FIXED_VERSION}"
+     fi
 
-   # Check 3: Vulnerable Code not in Execute Path (Go govulncheck call graph)
-   elif echo "$SCAN_OUTPUT" | grep -q "No vulnerabilities found" && echo "$SCAN_OUTPUT" | grep -q "${PACKAGE}"; then
+   # Check 3: Vulnerable Code not in Execute Path (Go only — govulncheck call graph analysis)
+   # govulncheck prints an "Informational" block when a module is in the dep tree but the
+   # vulnerable symbol is not reachable. Look for the package name in Informational output.
+   elif echo "$SCAN_OUTPUT" | grep -q "Informational" && \
+        echo "$SCAN_OUTPUT" | grep -A5 "Informational" | grep -qi "${PACKAGE}"; then
      VEX_JUSTIFICATION="Vulnerable Code not in Execute Path"
-     VEX_EVIDENCE="govulncheck found module ${PACKAGE} in dependency tree but confirmed vulnerable symbol is not called in code path"
+     VEX_EVIDENCE="govulncheck found module ${PACKAGE} in dependency tree but reported it as Informational — vulnerable symbol is not called in the code path"
    fi
    ```
 
@@ -498,21 +532,25 @@ Summary:
    - Print: "✅ CVE-YYYY-XXXXX not present in [repo]. VEX justification added to [JIRA-KEY]: [justification]"
 
    ```bash
-   # Add Jira comment with VEX justification
-   COMMENT="*VEX Justification (auto-detected by CVE fixer workflow)*\n\n"
-   COMMENT+="*Justification:* ${VEX_JUSTIFICATION}\n"
-   COMMENT+="*Evidence:* ${VEX_EVIDENCE}\n"
-   COMMENT+="*Repository:* ${REPO_FULL}\n"
-   COMMENT+="*Branch:* ${TARGET_BRANCH}\n"
-   COMMENT+="*Scan date:* $(date -u +%Y-%m-%dT%H:%M:%SZ)\n\n"
-   COMMENT+="This issue can be closed as 'Not a Bug / ${VEX_JUSTIFICATION}' if the above evidence is satisfactory."
+   # Add Jira comment with VEX justification — use jq to safely build JSON (avoids injection)
+   COMMENT_TEXT="VEX Justification (auto-detected by CVE fixer workflow)
+
+Justification: ${VEX_JUSTIFICATION}
+Evidence: ${VEX_EVIDENCE}
+Repository: ${REPO_FULL}
+Branch: ${TARGET_BRANCH}
+Scan date: $(date -u +%Y-%m-%dT%H:%M:%SZ)
+
+This issue can be closed as 'Not a Bug / ${VEX_JUSTIFICATION}' if the above evidence is satisfactory."
+
+   COMMENT_JSON=$(jq -n --arg body "$COMMENT_TEXT" '{"body": $body}')
 
    # Post comment via Jira API
    AUTH=$(echo -n "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64)
    curl -s -X POST \
      -H "Authorization: Basic ${AUTH}" \
      -H "Content-Type: application/json" \
-     -d "{\"body\": \"${COMMENT}\"}" \
+     -d "$COMMENT_JSON" \
      "${JIRA_BASE_URL}/rest/api/3/issue/${JIRA_KEY}/comment"
    ```