feat(triage-security): clarify transitive dependency remediation in task templates#234
Conversation
…ask templates Add two-tier remediation guidance distinguishing direct vs transitive dependency vulnerabilities in remediation-templates.md, expand Step 2.3.5 in version-impact-analysis.md with remediation implications and a transitive dependency chain example, and add transitive dep documentation rule to SKILL.md Remediation Task Creation section. Includes eval scenario 28 with a transitive dependency CVE (h2 via reqwest → hyper → h2) verifying remediation tasks include the full dependency chain and two-tier approach. Implements TC-4908 Assisted-by: Claude Code
Reviewer's GuideClarifies remediation guidance for direct vs transitive dependencies in triage-security docs and templates, and adds an evaluation fixture for a transitive dependency CVE scenario. Flow diagram for remediation approach based on dependency typeflowchart TD
Start["Inspect dependency in Step 2.3.5"] --> Type{Direct vs transitive}
Type -->|direct| DirectRemediation["Remediation: bump direct dependency version in manifest/lock file"]
Type -->|transitive| TransitiveTier1["Preferred: bump direct dependency that pulls in vulnerable package"]
TransitiveTier1 --> Viable{Direct dep bump viable?}
Viable -->|yes| TransitiveRemediation1["Apply direct dep bump; dependency chain recorded in task"]
Viable -->|no| TransitiveRemediation2["Fallback: pin transitive dependency directly (cargo add / overrides / resolutions)"]
DirectRemediation --> End["Document remediation in task using templates"]
TransitiveRemediation1 --> End
TransitiveRemediation2 --> End
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- In the transitive remediation section, consider explicitly tying the recorded dependency chain from Step 2.3.5 into the upstream template’s acceptance criteria (e.g., requiring the chain to be present in the task description) to make the expectation enforceable.
- The two-tier remediation examples currently focus on Cargo and npm; if other ecosystems (e.g., Maven, Pip) are in scope for this skill, it may be worth briefly noting their equivalent pinning strategies to avoid ambiguity for non-JS/Rust cases.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In the transitive remediation section, consider explicitly tying the recorded dependency chain from Step 2.3.5 into the upstream template’s acceptance criteria (e.g., requiring the chain to be present in the task description) to make the expectation enforceable.
- The two-tier remediation examples currently focus on Cargo and npm; if other ecosystems (e.g., Maven, Pip) are in scope for this skill, it may be worth briefly noting their equivalent pinning strategies to avoid ambiguity for non-JS/Rust cases.
## Individual Comments
### Comment 1
<location path="plugins/sdlc-workflow/skills/triage-security/SKILL.md" line_range="735-737" />
<code_context>
+For transitive dependencies, the remediation task must document the full
+dependency chain (from Step 2.3.5) and specify the two-tier remediation
+approach: bump the direct dependency first, fall back to pinning the
+transitive dep. This may require coordination with intermediate package
+maintainers if they pin the vulnerable version.
+
</code_context>
<issue_to_address>
**nitpick (typo):** Consider writing out "transitive dependency" instead of "transitive dep".
Using "transitive dependency" here keeps terminology consistent with "direct dependency" in the same paragraph and improves readability.
```suggestion
approach: bump the direct dependency first, fall back to pinning the
transitive dependency. This may require coordination with intermediate package
maintainers if they pin the vulnerable version.
```
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
There was a problem hiding this comment.
Eval Results
Eval Results: triage-security
| Eval | Passed | Failed | Pass Rate |
|---|---|---|---|
| eval-1 | 11/11 | 0 | 100% |
| eval-10 | 5/5 | 0 | 100% |
| eval-11 | 5/5 | 0 | 100% |
| eval-12 | 5/5 | 0 | 100% |
| eval-13 | 5/5 | 0 | 100% |
| eval-14 | 5/5 | 0 | 100% |
| eval-15 | 5/5 | 0 | 100% |
| eval-16 | 7/7 | 0 | 100% |
| eval-17 | 4/5 | 1 | 80% |
| eval-18 | 5/5 | 0 | 100% |
| eval-19 | 5/5 | 0 | 100% |
| eval-2 | 5/5 | 0 | 100% |
| eval-20 | 4/4 | 0 | 100% |
| eval-21 | 4/4 | 0 | 100% |
| eval-22 | 4/4 | 0 | 100% |
| eval-23 | 4/4 | 0 | 100% |
| eval-24 | 4/4 | 0 | 100% |
| eval-25 | 4/4 | 0 | 100% |
| eval-26 | 5/5 | 0 | 100% |
| eval-27 | 5/5 | 0 | 100% |
| eval-28 | 5/5 | 0 | 100% |
| eval-3 | 5/5 | 0 | 100% |
| eval-4 | 5/5 | 0 | 100% |
| eval-5 | 6/6 | 0 | 100% |
| eval-6 | 6/6 | 0 | 100% |
| eval-7 | 5/5 | 0 | 100% |
| eval-8 | 8/8 | 0 | 100% |
| eval-9 | 5/5 | 0 | 100% |
Failed Assertions
eval-17: 1 failing assertion
- Assertion: "The embargo warning gate does NOT trigger for Low or Moderate severity CVEs (CVSS < 7.0) — it is skipped silently when severity is below threshold (§1.70)"
Evidence: "No output file demonstrates the behavior for a CVE with CVSS < 7.0. The eval only tested CVE-2026-31812 with CVSS 7.5 (above threshold). While embargo-check.md defines the threshold as 'CVSS >= 7.0', there is no evidence showing the gate being skipped silently for a low or moderate severity CVE. The outputs only demonstrate the positive triggering case, not the negative/skip case. Burden of proof is on PASS and no direct evidence exists."
Pass rate: 99% · Tokens: 48,412 · Duration: 123s
Baseline (eda40c55): 100% · 48,645 tokens · 118s
Generated by sdlc-workflow/run-evals v0.12.2
|
[sdlc-workflow/verify-pr] Re: @sourcery-ai[bot] review —
|
Verification ReportTask: TC-4908 — Clarify transitive dependency remediation in task templates
Overall: FindingsScope Containment (WARN)
Test Quality — Eval Quality (WARN)
Root-Cause Investigation
Sub-Tasks Created
This comment was generated by sdlc-workflow/verify-pr v0.12.2. |
…te file Remove the eval-14 prompt instruction to write a separate outputs/sbom-verification.md file — SBOM results now fold into version-impact.md inline. Strengthen version-impact-analysis.md Step 2.3.5 output requirement to explicitly prohibit separate output files for SBOM verification results. Implements TC-5073 Assisted-by: Claude Code
TC-5074 Step 8 Case B cross-stream impact check now explicitly guards against unscoped issues. Unscoped issues cover all streams by definition so there are no "other streams outside scope" — the guard clause makes this clear to prevent wrong-reasoning eval failures where the correct behavior (no cross-stream notice) was attributed to incorrect logic. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Verification Report for TC-4908 (commit 232ddb6)
Overall: WARNScope Containment WARN: Eval fixture files ( Commit Traceability WARN: Commits Test Quality WARN: Eval-17 assertion 5 regressed (baseline 5/5 → PR 4/5). Root cause: counterfactual assertion — tests below-threshold behavior (CVSS < 7.0) without a fixture exercising it. Fix tracked in TC-5091; convention gap tracked in TC-5092.
This comment was AI-generated by sdlc-workflow/verify-pr v0.12.2. |
Verification Report for TC-4908 (commit 2ba1f51)
Overall: WARNScope Containment and Commit Traceability are WARN. The out-of-scope eval files are justified by the Test Requirements section (eval scenario 28). Commits for TC-5073 and TC-5074 are review feedback sub-tasks linked to TC-4908. The eval-17 failure (1 assertion, pre-existing) is unrelated to this PR's changes. This comment was AI-generated by sdlc-workflow/verify-pr v0.12.2. |
Summary
remediation-templates.mdversion-impact-analysis.mdwith remediation decision implications for direct vs transitive dependencies and add separate example outputs for each typeh2viareqwest → hyper → h2)sbom-verification.mdfile and strengthen Step 2.3.5 output requirement to prohibit separate SBOM output files (TC-5073)Implements TC-4908
Test plan
vuln-issue-transitive.md) and verify remediation output includes full dependency chain and two-tier approach🤖 Generated with Claude Code