
fix(workflows): close VEX detection issue when clear and accumulate multi-package CVEs #32

Merged
dasiths merged 1 commit into main from fix/vex-detect-issue-lifecycle on Jun 19, 2026

Conversation

@dasiths dasiths commented Jun 19, 2026

Owner

Summary

Addresses @rezatnoMsirhC's two inline review comments on vex-detect.yml from upstream PR microsoft/hve-core#2038. Once merged to the fork's main, these commits flow into microsoft#2038.

1. Close the detection issue when the backlog clears (bug)

The "File or update detection issue" step is gated if: count != '' && count != '0', so when a later run finds zero untriaged vulnerabilities the previously-opened dedup issue was never closed — it stayed open indefinitely. Added a companion step (if: count == '0') that finds the open detection issue (same title + automated search the file step uses), comments, and closes it. No new permissions — the job already has issues: write; the two gates are mutually exclusive.

2. Accumulate multi-package CVEs (visibility)

findings is keyed by CVE id, so when one CVE affected multiple packages the table showed only the last package. Now all affected packages are accumulated (deduped, sorted) into the row, preserving blast-radius visibility. Triage remains per-CVE, so VEX status correctness is unchanged.

Validation

  • actionlint on vex-detect.yml: clean (0 issues).
  • Embedded Python parses (ast.parse).
  • No new actions or permissions added.

Closes the two review threads; replies posted upstream pointing here.
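The overwrite bug and the accumulate fix described in the PR body, shown as an added illustration that is not the workflow's own embedded Python; the scan records, the placeholder CVE ids and the `issue_action` helper mirroring the two `if:` gates are assumptions of this example.

```python
# Added example (not from the PR): the "findings keyed by CVE id" overwrite
# bug versus the accumulate-all-packages fix, plus the two mutually
# exclusive step gates, over a constructed scan result.

# Constructed sample scanner output; CVE ids are placeholders, not real.
SAMPLE_VULNS = [
    {"id": "CVE-0000-0001", "package": "libfoo", "severity": "HIGH"},
    {"id": "CVE-0000-0001", "package": "libbar", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "package": "libbaz", "severity": "MEDIUM"},
    {"id": "CVE-0000-0001", "package": "libfoo", "severity": "HIGH"},  # repeat hit
]

def build_findings_overwrite(vulns):
    """Before the fix: the last package seen for a CVE silently wins."""
    findings = {}
    for v in vulns:
        findings[v["id"]] = {"severity": v["severity"], "package": v["package"]}
    return findings

def build_findings_accumulate(vulns):
    """After the fix: every affected package is kept, deduped and sorted."""
    findings = {}
    for v in vulns:
        row = findings.setdefault(v["id"], {"severity": v["severity"], "packages": set()})
        row["packages"].add(v["package"])
    # Freeze the sets into sorted lists so the rendered table is deterministic.
    return {cve: {"severity": r["severity"], "packages": sorted(r["packages"])}
            for cve, r in findings.items()}

def render_table(findings):
    """One markdown row per CVE; all packages joined so blast radius stays visible."""
    lines = ["| CVE | Severity | Packages |", "|---|---|---|"]
    for cve in sorted(findings):
        r = findings[cve]
        pkgs = ", ".join(r["packages"]) if "packages" in r else r["package"]
        lines.append(f"| {cve} | {r['severity']} | {pkgs} |")
    return "\n".join(lines)

def untriaged_count(findings):
    """The string count both workflow gates key on ('' means no scan output)."""
    return str(len(findings))

def issue_action(count):
    """Assumed mirror of the PR's gates: file/update on non-zero, close on '0'."""
    if count != "" and count != "0":
        return "file_or_update"
    if count == "0":
        return "close"
    return "skip"  # empty count: neither gate fires, as with the original step
```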

…ulti-package CVEs

Addresses review feedback on microsoft#2038 (@rezatnoMsirhC).

- Add a step that closes the dedup detection issue when a later run finds zero
  untriaged vulnerabilities, so it no longer stays open indefinitely after all
  CVEs are triaged or suppressed.
- Accumulate all affected packages per CVE in the findings table instead of
  overwriting with the last package, preserving blast-radius visibility.
  Triage remains per-CVE so VEX correctness is unchanged.
@dasiths dasiths merged commit 62db9be into main Jun 19, 2026
65 of 66 checks passed
@dasiths dasiths deleted the fix/vex-detect-issue-lifecycle branch June 19, 2026 08:49
@dasiths dasiths mentioned this pull request Jun 19, 2026