Handle single Jira, single patch, multiple CVE commits #631
Code Review
This pull request introduces support for handling multiple CVE IDs within a single Jira issue across triage prompts, schemas, and the git log search tool. The git_log_search tool was updated to extract multiple CVEs and search for them using multiple --grep arguments. However, the current implementation of the search tool and its corresponding test case incorrectly returns a positive match if only one of the multiple CVEs is found, because git log ORs multiple --grep patterns by default. The feedback suggests correcting the test case assertion to expect no matches when some CVEs are missing.
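The OR behaviour of multiple `--grep` patterns that the review describes can be reproduced in a throwaway repository. The script below is an added example, not code from this pull request or the project's `git_log_search` tool. It shows one way to get AND semantics, using git's `--all-match` option. The function names and commit messages are hypothetical, and the `CVE-0000-*` IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: constructed repo and placeholder CVE IDs (CVE-0000-*), not real data.

# Create a temporary repo with three constructed commits and print its path.
make_demo_repo() {
    demo=$(mktemp -d)
    git -C "$demo" init -q
    for msg in "Fix parser overflow (CVE-0000-0001)" \
               "Fix auth bypass (CVE-0000-0002)" \
               "Backport: fix CVE-0000-0001 and CVE-0000-0002"; do
        git -C "$demo" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false commit -q --allow-empty -m "$msg"
    done
    echo "$demo"
}

# Print the number of commits whose message matches the given CVE IDs.
# $1 = repo path
# $2 = "any" (git default: a commit matching ANY pattern is listed)
#      "all" (--all-match: a commit must match EVERY pattern)
# remaining arguments = CVE IDs
count_matches() {
    cm_repo=$1; cm_mode=$2; shift 2
    cm_n=$#
    # Append one --grep per CVE, then drop the original CVE arguments.
    for cve in "$@"; do set -- "$@" "--grep=$cve"; done
    shift "$cm_n"
    if [ "$cm_mode" = "all" ]; then set -- --all-match "$@"; fi
    git -C "$cm_repo" log --oneline --fixed-strings "$@" | wc -l | tr -d ' '
}

# Demo: the second CVE ID appears in no commit at all.
demo_repo=$(make_demo_repo)
echo "default (OR): $(count_matches "$demo_repo" any CVE-0000-0001 CVE-0000-9999) commits"
echo "--all-match:  $(count_matches "$demo_repo" all CVE-0000-0001 CVE-0000-9999) commits"
rm -rf "$demo_repo"
```

`--all-match` requires a single commit to mention every ID, which fits the single-patch case; if the CVEs may be fixed in separate commits, search for each ID on its own and require a hit for every one.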
Sometimes we get single Jira, single patch backports that bundle multiple CVEs together, as opposed to the regular/standard one-CVE-per-Jira-issue approach. Note that I'm piggybacking on the "cve_id" field here for this, which perhaps is not the cleanest solution, but it avoids larger refactoring changes. It should be OK as this is not exactly an API and the model is given clear guidance, examples, and logic on how to do it. Also note that I've tested this with backport only (real backport, real Jira issue) but not other resolution types, as we're currently not running rebase and rebuild agents and don't have any such Jiras to test those types on.