-
Notifications
You must be signed in to change notification settings - Fork 16
Add PVR triage taskflow #58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft
anticomputer
wants to merge
28
commits into
main
Choose a base branch
from
anticomputer/pvr-triage
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Changes from all commits
Commits
Show all changes
28 commits
Select commit
Hold shift + click to select a range
9cd09c7
Add PVR triage taskflow
anticomputer 46ea60c
Address PR review: add SPDX headers, pass GH_TOKEN in toolbox env
anticomputer d580f17
Add PVR triage batch scoring, write-back, and reporter reputation tra…
anticomputer 8e37d26
Add run_pvr_triage.sh: local test and demo script for pvr triage task…
anticomputer bd0bae2
pvr_triage_batch: skip already-triaged advisories by default
anticomputer 09b5066
Add SCORING.md: reference for batch priority, quality signals, fast-c…
anticomputer 73b0bb1
Address PR review feedback
anticomputer 9c6e8a9
Self-review: robustness and logic fixes
anticomputer 2ad67c3
fetch_file_at_ref: raise default length from 50 to 100 lines
anticomputer f25edce
pvr-triage: add bulk respond taskflow, 3-path fast-close, reputation …
anticomputer adf0552
SCORING.md: update 3-path decision table and reputation thresholds
anticomputer 88d25f1
Fix ruff linter errors in test_pvr_mcp
anticomputer c1d38d7
Fix advisory state: incoming PVRs use triage state, not draft
anticomputer 37e1624
Fix advisory state API: reject→closed, remove withdraw_pvr_advisory
anticomputer a5b2e2c
Add accept_pvr_advisory: triage→draft state transition
anticomputer eb5d98a
Update overview doc: accept/reject state transitions in diagram and o…
anticomputer bde5f8e
Remove comment posting: no GitHub REST API for advisory comments
anticomputer e632510
Add advisory dedup detection and container-based validation
anticomputer bcb91a5
Add semantic duplicate analysis on top of structural comparison
anticomputer 0f243d9
Evaluate PVR reports against repository security policy
anticomputer a36d9b3
Fix dedup clustering: only strong matches cluster
anticomputer 631ecc6
Add configurable advisory state, demo script
anticomputer d9b1011
Eliminate conversational prompting in taskflow execution
anticomputer 024e747
Fix tests for FastMCP 3.x: remove .fn() indirection
anticomputer c38595a
Fix demo script for FastMCP 3.x: remove .fn() indirection
anticomputer 88b34f1
Update README: state global, semantic dedup, model name, demo script
anticomputer ad8f810
Revert "Fix tests for FastMCP 3.x: remove .fn() indirection"
anticomputer a0a1a21
Revert "Fix demo script for FastMCP 3.x: remove .fn() indirection"
anticomputer File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,142 @@ | ||
| # PVR Triage Taskflows — Overview | ||
|
|
||
| > 30-minute sync reference. Last updated: 2026-03-03. | ||
|
|
||
| --- | ||
|
|
||
| ## The Problem | ||
|
|
||
| OSS maintainers get flooded with low-quality vulnerability reports via GitHub's Private Vulnerability Reporting (PVR). Most are vague, duplicated, or AI-generated. Reviewing each one manually is expensive. | ||
|
|
||
| --- | ||
|
|
||
| ## The Solution: 4 Taskflows | ||
|
|
||
| ``` | ||
| ┌─────────────────────────────────────────────────────────────┐ | ||
| │ INBOX │ | ||
| │ (GHSAs in triage state via GitHub PVR) │ | ||
| └───────────────────────┬─────────────────────────────────────┘ | ||
| │ | ||
| ▼ | ||
| ┌─────────────────────────┐ | ||
| │ pvr_triage_batch │ "What's in my inbox?" | ||
| │ │ | ||
| │ • List triage GHSAs │ | ||
| │ • Score each by │ | ||
| │ severity + quality │ | ||
| │ • Show Age (days) │ | ||
| │ • Rank: highest first │ | ||
| │ (oldest wins ties) │ | ||
| └────────────┬────────────┘ | ||
| │ ranked queue saved to REPORT_DIR | ||
| ▼ | ||
| ┌─────────────────────────┐ | ||
| │ pvr_triage │ "Is this real?" | ||
| │ (one advisory) │ | ||
| │ │ | ||
| │ Task 1: init │ | ||
| │ Task 2: fetch & parse │ | ||
| │ Task 3: quality gate ──┼──► fast-close? ──► skip to Task 7 | ||
| │ Task 4: verify code │ | ||
| │ Task 5: write report │ | ||
| │ Task 6: save report │ | ||
| │ Task 7: draft response │ | ||
| │ Task 8: save + record │ | ||
| └────────────┬────────────┘ | ||
| │ _triage.md + _response_triage.md saved | ||
| ▼ | ||
| Maintainer reviews | ||
| (edits draft if needed) | ||
| │ | ||
| ┌────────┴────────┐ | ||
| │ │ | ||
| ▼ ▼ | ||
| ┌──────────────────┐ ┌──────────────────────┐ | ||
| │ pvr_respond │ │ pvr_respond_batch │ | ||
| │ (one at a time) │ │ (all at once) │ | ||
| │ │ │ │ | ||
| │ confirm-gated: │ │ • list_pending │ | ||
| │ accept (→draft) │ │ • for each: │ | ||
| │ reject (→closed)│ │ - confirm-gated │ | ||
| │ │ │ state change │ | ||
| │ mark as applied │ │ - mark as applied │ | ||
| │ post draft │ │ • post drafts │ | ||
| │ manually via UI │ │ manually via UI │ | ||
| └──────────────────┘ └──────────────────────┘ | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ## The Quality Gate (Task 3) — Key Logic | ||
|
|
||
| ``` | ||
| Reporter has history? | ||
| │ | ||
| ├── HIGH TRUST ──────────────────► Always full verification | ||
| │ (≥60% confirmed, ≤20% low) | ||
| │ | ||
| ├── SKEPTICISM ──────────────────► Fast-close if 0 quality signals | ||
| │ (≤20% confirmed OR ≥50% low) (no prior report needed) | ||
| │ | ||
| └── NORMAL / NEW ────────────────► Fast-close only if: | ||
| 0 quality signals | ||
| AND prior similar report exists | ||
| ``` | ||
|
|
||
| **Quality signals:** file paths cited · PoC provided · line numbers cited | ||
|
|
||
| **Fast-close effect:** skip code verification → use canned response template requesting specifics | ||
|
|
||
| --- | ||
|
|
||
| ## Scoring (batch) | ||
|
|
||
| ``` | ||
| priority_score = severity_weight + quality_weight | ||
|
|
||
| severity: critical=4 high=3 medium=2 low=1 | ||
| quality: +1 per signal (files, PoC, lines) → max +3 | ||
|
|
||
| ≥5 Triage Immediately | ||
| ≥3 Triage Soon | ||
| 2 Triage | ||
| ≤1 Likely Low Quality — Fast Close | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ## Output Files (all in REPORT_DIR) | ||
|
|
||
| | File | Written by | What it is | | ||
| |---|---|---| | ||
| | `GHSA-xxxx_triage.md` | pvr_triage | Full analysis report | | ||
| | `GHSA-xxxx_response_triage.md` | pvr_triage | Draft reply to reporter | | ||
| | `GHSA-xxxx_response_sent.md` | pvr_respond / batch | State-transition applied marker (idempotent) | | ||
| | `batch_queue_<repo>_<date>.md` | pvr_triage_batch | Ranked inbox table | | ||
|
|
||
| --- | ||
|
|
||
| ## Reporter Reputation (background) | ||
|
|
||
| Every completed triage records **verdict + quality** against the reporter's GitHub login in a local SQLite DB. Score feeds back into the next triage's quality gate automatically. No manual configuration. | ||
|
|
||
| --- | ||
|
|
||
| ## One-liner workflow | ||
|
|
||
| ```bash | ||
| ./scripts/run_pvr_triage.sh batch owner/repo # see inbox | ||
| ./scripts/run_pvr_triage.sh triage owner/repo GHSA-xxx # analyse one | ||
| ./scripts/run_pvr_triage.sh respond owner/repo GHSA-xxx accept # accept one (triage→draft) | ||
| ./scripts/run_pvr_triage.sh respond owner/repo GHSA-xxx reject # reject one (triage→closed) | ||
| ./scripts/run_pvr_triage.sh respond_batch owner/repo reject # bulk state transition | ||
| # Then post each *_response_triage.md manually via the advisory URL | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ## Further reading | ||
|
|
||
| - [`taskflows/pvr_triage/README.md`](../src/seclab_taskflows/taskflows/pvr_triage/README.md) — full usage docs for all four taskflows | ||
| - [`taskflows/pvr_triage/SCORING.md`](../src/seclab_taskflows/taskflows/pvr_triage/SCORING.md) — authoritative scoring reference and fast-close decision tables | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The overview lists the batch queue output as
batch_queue_<repo>_<date>.md, butpvr_triage_batchusessave_triage_report, which appends_triage.md. Unless the writer is changed, the actual output will bebatch_queue_<repo>_<date>_triage.md. Align the overview with the real filename to avoid confusion.