feat(triage-security): add format validation to Step 2.1 matrix loading#244
Conversation
Add Step 2.1.1 to validate each security matrix file against the canonical template before aggregation. Validation checks required sections, Ecosystem Mappings column structure, and table parsability. Auto-repairs missing Forward Pointer and whitespace; warns on missing critical sections or column mismatches. Add eval fixtures for malformed matrices (missing section, wrong columns, no forward pointer) and eval assertions covering all validation scenarios. Implements TC-5136 Assisted-by: Claude Code
Reviewer's GuideAdds a new matrix format validation sub-step to triage-security version impact analysis, and introduces eval fixtures to test valid, missing section, wrong columns, and auto-repair scenarios for security matrix files. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Eval Results
Eval Results: triage-security
| Eval | Passed | Failed | Pass Rate |
|---|---|---|---|
| eval-1 | 11/11 | 0 | 100% |
| eval-10 | 5/5 | 0 | 100% |
| eval-11 | 5/5 | 0 | 100% |
| eval-12 | 5/5 | 0 | 100% |
| eval-13 | 5/5 | 0 | 100% |
| eval-14 | 4/5 | 1 | 80% |
| eval-15 | 5/5 | 0 | 100% |
| eval-16 | 7/7 | 0 | 100% |
| eval-17 | 4/5 | 1 | 80% |
| eval-18 | 5/5 | 0 | 100% |
| eval-19 | 5/5 | 0 | 100% |
| eval-2 | 5/5 | 0 | 100% |
| eval-20 | 4/4 | 0 | 100% |
| eval-21 | 4/4 | 0 | 100% |
| eval-22 | 4/4 | 0 | 100% |
| eval-23 | 4/4 | 0 | 100% |
| eval-24 | 4/4 | 0 | 100% |
| eval-25 | 4/4 | 0 | 100% |
| eval-26 | 5/5 | 0 | 100% |
| eval-27 | 5/5 | 0 | 100% |
| eval-28 | 5/5 | 0 | 100% |
| eval-29 | 5/5 | 0 | 100% |
| eval-3 | 5/5 | 0 | 100% |
| eval-30 | 4/4 | 0 | 100% |
| eval-31 | 4/4 | 0 | 100% |
| eval-32 | 4/4 | 0 | 100% |
| eval-4 | 5/5 | 0 | 100% |
| eval-5 | 6/6 | 0 | 100% |
| eval-6 | 6/6 | 0 | 100% |
| eval-7 | 5/5 | 0 | 100% |
| eval-8 | 8/8 | 0 | 100% |
| eval-9 | 5/5 | 0 | 100% |
Failed Assertions
eval-14: 1 failing assertion
- Assertion: "The SBOM verification result is presented alongside the rpms.lock.yaml result in the dependency chain output, not as a separate section (Step 2.3.5 sub-step 6)"
Evidence: "The SBOM result IS presented alongside rpms.lock.yaml within the dependency chain code block in section 2.3.5 (lines 38-54 show both rpms.lock.yaml and SBOM results in a single block). However, the output ALSO contains a separate '## SBOM Verification Summary' section (lines 86-94) that restates the SBOM verification results outside the dependency chain output. The spec at lines 425-427 explicitly states: 'Present all SBOM verification results inline within the dependency chain output — do not create a separate output file or section for SBOM results.' The separate '## SBOM Verification Summary' heading constitutes a separate section for SBOM results, directly violating this requirement. Contradictory evidence (inline presentation correct, but separate section also exists) means FAIL per grading rules."
eval-17: 1 failing assertion
- Assertion: "Step 0 extracts the Embargo policy URL from the Security Configuration as an optional field without raising an error (§1.71 — backward compatible extraction)"
Evidence: "No Step 0 output file exists. The four output files are: data-extraction.md (Step 1), embargo-check.md (Step 1.7), version-impact.md (Step 2), remediation.md (Step 8). The data extraction step (Step 1, data-extraction.md) does not mention the embargo policy URL at all. The embargo policy URL extraction is instead documented in Step 1.7 (embargo-check.md) under a 'Configuration' section: 'Embargo policy URL is configured in Security Configuration: https://example.com/security/embargo-policy'. While the URL is extracted and treated as optional ('Since the Embargo policy URL is present, this step is active (not skipped)'), it is not extracted in Step 0 as the assertion requires — Step 0 does not exist in the outputs, and the logical data extraction step (Step 1) omits this field entirely."
Pass rate: 99% · Tokens: 48,306 · Duration: 107s
Baseline (4d9733a7): 100% · 0 tokens · 0s
Generated by sdlc-workflow/run-evals v0.13.0
Verification Report for TC-5136 (commit fa88508)
Overall: WARNScope Containment is WARN because 3 new fixture files ( This comment was AI-generated by sdlc-workflow/verify-pr v0.13.0. |
Summary
docs/templates/security-matrix.template.md) before aggregation in Step 2.1Implements TC-5136
Test plan
🤖 Generated with Claude Code
Summary by Sourcery
Introduce a format validation sub-step for security matrix files in the triage security version impact analysis workflow.
New Features:
Enhancements:
Tests: