From c03dbdecf4d8ec4d68e3517995332e3c75d66f4f Mon Sep 17 00:00:00 2001 From: Tomasz Janiszewski Date: Tue, 5 May 2026 18:14:40 +0200 Subject: [PATCH] Shift triage logic from container-based to dependency-based team assignment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changed vulnerability triage to assign teams based on dependency language and usage location instead of container names. Key changes: - npm/JavaScript dependencies → @stackrox/ui (95% confidence, only team using JS) - Go dependencies → based on import path (e.g., scanner/** → @stackrox/scanner) - Generic Go deps → use gopls to find where imported - Python dependencies → based on usage location (scanner or test infra) - PostgreSQL → @stackrox/core-workflows Updated files: - reference/team-mappings.md: Added dependency-to-team mappings - reference/vulnerability-decision-tree.md: Step 3 and 6 updated - reference/teams.md: Replaced container mapping with dependency reference - reference/constants.md: Updated false positive patterns - .claude/commands/triage.md: Phase 4b updated for dependency extraction - FIELD_REFERENCE.md: Updated vuln_analysis fields - templates/triage-report.md: Show language/package instead of container - README.md: Updated decision tree description This aligns with how dependencies are actually distributed in the codebase rather than relying on container names which can be misleading. Co-Authored-By: Claude Sonnet 4.5 --- .../.claude/commands/comment-issues.md | 7 +- .../acs-triage/.claude/commands/triage.md | 25 ++- workflows/acs-triage/FIELD_REFERENCE.md | 36 ++-- workflows/acs-triage/README.md | 4 +- workflows/acs-triage/reference/constants.md | 7 +- .../acs-triage/reference/team-mappings.md | 49 ++++- workflows/acs-triage/reference/teams.md | 20 +- .../reference/vulnerability-decision-tree.md | 174 +++++++++++++----- .../acs-triage/templates/triage-report.md | 3 +- 9 files changed, 223 insertions(+), 102 deletions(-) 
diff --git a/workflows/acs-triage/.claude/commands/comment-issues.md b/workflows/acs-triage/.claude/commands/comment-issues.md index fee5672..dcb8d81 100644 --- a/workflows/acs-triage/.claude/commands/comment-issues.md +++ b/workflows/acs-triage/.claude/commands/comment-issues.md @@ -139,13 +139,13 @@ GraphQL schema validation error pattern matches core-workflows team with 90% con ## 🤖 Automated Triage Analysis **Recommended Team:** @stackrox/scanner -**Confidence:** 85% (container_mapping) +**Confidence:** 90% (dependency_mapping) **Type:** VULNERABILITY ### ProdSec Decision Tree ✅ Step 1: Version Support - Affects supported versions ✅ Step 2: Severity Check - Important (CVSS 8.1) -✅ Step 3: Container Check - scanner container +✅ Step 3: Dependency Check - Go dependency in scanner module ✅ Step 4: Duplicate Check - No duplicates found ⏭️ Step 5: VEX Analysis - Skipped (requires manual review) ➡️ **Recommendation:** ASSIGN to @stackrox/scanner @@ -153,7 +153,8 @@ GraphQL schema validation error pattern matches core-workflows team with 90% con ### Details - **CVE:** CVE-2024-1234 - **Severity:** Important (CVSS 8.1) -- **Container:** scanner +- **Language:** Go +- **Package:** github.com/stackrox/rox/scanner/pkg/example - **Affected Versions:** 4.5.0, 4.5.1 --- diff --git a/workflows/acs-triage/.claude/commands/triage.md b/workflows/acs-triage/.claude/commands/triage.md index d974bba..497c27d 100644 --- a/workflows/acs-triage/.claude/commands/triage.md +++ b/workflows/acs-triage/.claude/commands/triage.md 
@@ -118,13 +118,18 @@ Apply ProdSec decision tree from `reference/vulnerability-decision-tree.md`: - No → Recommend CLOSE with reason "Unsupported version" 2. **Severity Check**: Is severity Critical/High? - Low → Consider CLOSE or LOW priority -3. **Container Applicability**: Does it affect containers/images? - - No → May be out of scope +3. **Dependency Applicability**: Is this a false positive due to language/dependency mismatch? + - Database images with npm/Go → CLOSE (only have PostgreSQL) + - npm reported in non-UI components → CLOSE (only UI uses JavaScript) 4. **Duplicate Detection**: Search JIRA for existing CVE - Duplicate → Recommend CLOSE, link to original -5. **Impact Analysis**: What component is affected? - - Extract from CVE description or component field -6. **Team Assignment**: Map component to team +5. **Impact Analysis**: What component/dependency is affected? + - Extract language (npm, Go, Python, PostgreSQL) + - Extract package name and import path +6. **Team Assignment**: Map dependency language and usage location to team + - npm → UI team (only team using JavaScript) + - Go → based on import path (e.g., scanner/** → scanner team) + - Use gopls to find where generic dependencies are imported Store in `vuln_analysis` object 
@@ -153,10 +158,14 @@ Apply multi-strategy approach with confidence scoring. - Match error_type from ci_analysis - Examples: GraphQL → core-workflows (90%), panic → extract service (85%) -3. **Service Ownership Match (80% confidence)** - Component/service → team +3. **Dependency Ownership Match (90-95% confidence)** - Dependency language/usage → team - Source: `reference/team-mappings.md` - - Map components field or extracted service name - - Examples: scanner → @stackrox/scanner (80%) + - For VULNERABILITY issues: Map dependency language and import path to team + - Examples: + - npm/JavaScript → @stackrox/ui (95%, only team using JavaScript) + - Go github.com/stackrox/rox/scanner/** → @stackrox/scanner (90%) + - Generic Go deps → use gopls to find importers (75%) + - For other issue types: Map components field or extracted service name (80%) 4. **Similar Issue History (70-80% confidence)** - JIRA search for resolved similar issues - Search by error message or component diff --git a/workflows/acs-triage/FIELD_REFERENCE.md b/workflows/acs-triage/FIELD_REFERENCE.md index 238b00c..349ee7b 100644 --- a/workflows/acs-triage/FIELD_REFERENCE.md +++ b/workflows/acs-triage/FIELD_REFERENCE.md 
@@ -228,23 +228,26 @@ These fields are added by the `/analyze-vuln` command for VULNERABILITY issues: - **Purpose:** CVSS v3 score - **Extracted From:** Issue description -#### vuln_analysis.container +#### vuln_analysis.language - **Type:** string -- **Example:** "scanner", "central", "sensor" -- **Purpose:** Affected container/service -- **Extracted From:** Issue description or labels +- **Example:** "Go", "npm", "Python", "PostgreSQL" +- **Purpose:** Programming language/ecosystem of affected dependency +- **Extracted From:** Issue description or CVE details +- **Note:** Primary field for team assignment -#### vuln_analysis.language +#### vuln_analysis.package_name - **Type:** string -- **Example:** "Go", "npm", "Python" -- **Purpose:** Programming language of affected component -- **Extracted From:** Issue description +- **Example:** "github.com/stackrox/rox/scanner/pkg", "react-dom", "golang.org/x/net" +- **Purpose:** Specific package/library affected with full import path +- **Extracted From:** Issue description or CVE details +- **Note:** Used for Go dependency team assignment #### vuln_analysis.component - **Type:** string -- **Example:** "github.com/example/pkg" -- **Purpose:** Specific package/library affected -- **Extracted From:** Issue description +- **Example:** "scanner", "central", "ui" +- **Purpose:** Affected component/module (informational, secondary to language/package) +- **Extracted From:** Issue description or labels +- **Deprecated:** Use language + package_name for team assignment instead #### vuln_analysis.decision_tree - **Type:** object 
@@ -252,7 +255,7 @@ These fields are added by the `/analyze-vuln` command for VULNERABILITY issues: - **Fields:** - `step1_version_support`: "pass" or "fail" - `step2_severity_threshold`: "pass" or "fail" - - `step3_container_applicability`: "pass" or "fail" + - `step3_dependency_applicability`: "pass" or "fail" (checks for language/dependency mismatches) - `step4_duplicate_check`: "pass" or "fail" - `step5_impact_analysis`: "pass" or "fail" - `step6_team_assignment`: team name @@ -265,14 +268,15 @@ These fields are added by the `/analyze-vuln` command for VULNERABILITY issues: #### vuln_analysis.assigned_team - **Type:** string -- **Example:** "@stackrox/scanner" +- **Example:** "@stackrox/ui", "@stackrox/scanner" - **Purpose:** Team assignment for ASSIGN recommendations -- **Confidence:** 85% (from container mapping) +- **Confidence:** 90-95% (from dependency language and usage mapping) +- **Note:** npm/JavaScript → UI team (95%), Go → based on import path (90%) #### vuln_analysis.reasoning - **Type:** string -- **Example:** "Critical severity Go vulnerability in scanner container, no duplicates found" -- **Purpose:** Explains decision tree outcome +- **Example:** "Critical severity npm vulnerability - JavaScript dependencies only used by UI team" +- **Purpose:** Explains decision tree outcome and team assignment logic ## Flaky Test Analysis Fields diff --git a/workflows/acs-triage/README.md b/workflows/acs-triage/README.md index 7c187ae..84c7b3b 100644 --- a/workflows/acs-triage/README.md +++ b/workflows/acs-triage/README.md 
@@ -159,10 +159,10 @@ The workflow automatically runs analysis commands in parallel when executed by A **ProdSec Decision Tree (6 steps):** 1. Version support check → CLOSE if unsupported 2. Severity threshold → CLOSE if Low or Moderate <7.0 CVSS -3. Container applicability → CLOSE if database with npm/Go (false positive) +3. Dependency applicability → CLOSE if language/dependency mismatch (e.g., npm in database images) 4. Duplicate detection → DUPLICATE if CVE already exists 5. Impact analysis → CLOSE if VEX false positive -6. Team assignment by container +6. Team assignment by dependency language and usage location **Output:** `vuln_analysis` field with decision tree results and team assignment diff --git a/workflows/acs-triage/reference/constants.md b/workflows/acs-triage/reference/constants.md index a2ef69f..26f8f34 100644 --- a/workflows/acs-triage/reference/constants.md +++ b/workflows/acs-triage/reference/constants.md @@ -80,7 +80,7 @@ Central location for all hardcoded values used throughout the ACS triage workflo |------|---------------|-----------| | 1 | All versions unsupported | CLOSE (Won't Do) | | 2 | Severity below threshold | CLOSE (Won't Do) | -| 3 | Container/language mismatch | CLOSE (Obsolete) | +| 3 | Dependency/language mismatch | CLOSE (Obsolete) | | 4 | CVE already exists | DUPLICATE | | 5 | VEX not affected | CLOSE (Not a Bug) | | 6 | Passes all checks | ASSIGN | 
@@ -89,8 +89,9 @@ Central location for all hardcoded values used throughout the ACS triage workflo | Pattern | Decision | |---------|----------| -| Database containers (central-db, scanner-db, scanner-v4-db) with npm/Go vulnerabilities | CLOSE (Obsolete) | -| Non-main containers with npm vulnerabilities | CLOSE (Obsolete) | +| npm/JavaScript vulnerabilities in database images (central-db, scanner-db, scanner-v4-db) | CLOSE (Obsolete - database images only contain PostgreSQL) | +| npm/JavaScript vulnerabilities in non-UI components | CLOSE (Obsolete - only UI team uses JavaScript) | +| Go vulnerabilities in database images | CLOSE (Obsolete - database images only contain PostgreSQL binary) | ## Repository Paths diff --git a/workflows/acs-triage/reference/team-mappings.md b/workflows/acs-triage/reference/team-mappings.md index 8131c66..21182ac 100644 --- a/workflows/acs-triage/reference/team-mappings.md +++ b/workflows/acs-triage/reference/team-mappings.md 
@@ -18,17 +18,48 @@ Extract component names from JIRA labels, components field, or issue description | operator, deploy, helm, roxctl | @stackrox/install | | ui, frontend, cypress, e2e-tests | @stackrox/ui | -## Container to Team Mapping +## Dependency Language to Team Mapping -For vulnerability issues, extract container name from CVE description: +For vulnerability issues, assign teams based on dependency language/ecosystem and where it's used: -| Container | Team | -|-----------|------| -| central, main, central-db | @stackrox/core-workflows | -| sensor, admission-control | @stackrox/sensor-ecosystem | -| scanner, scanner-v4, scanner-db | @stackrox/scanner | -| collector | @stackrox/collector | -| operator, roxctl | @stackrox/install | +### npm/JavaScript Dependencies +All JavaScript dependencies belong to UI team (only UI uses JavaScript): + +| Language/Ecosystem | Team | Confidence | +|-------------------|------|-----------| +| npm, JavaScript, TypeScript, Node.js | @stackrox/ui | 95% | + +### Go Dependencies +Go dependencies assigned based on import path or usage location: + +| Import Path Pattern | Team | Confidence | +|-------------------|------|-----------| +| github.com/stackrox/rox/scanner/**, github.com/stackrox/scanner-v4/** | @stackrox/scanner | 90% | +| github.com/stackrox/rox/sensor/**, github.com/stackrox/rox/compliance/** | @stackrox/sensor-ecosystem | 90% | +| github.com/stackrox/rox/central/**, github.com/stackrox/rox/migrator/** | @stackrox/core-workflows | 90% | +| github.com/stackrox/rox/collector/**, github.com/stackrox/rox/pkg/networkgraph/** | @stackrox/collector | 90% | +| github.com/stackrox/rox/operator/**, github.com/stackrox/rox/roxctl/** | @stackrox/install | 90% | + +For generic Go dependencies (e.g., golang.org/x/**, third-party libs), use gopls to find where the dependency is imported: +- Check which modules import the vulnerable package +- Map to team based on the modules that use it most +- If used across multiple teams, assign 
to team with highest usage count + +### Python Dependencies +Python dependencies assigned based on usage: + +| Usage Location | Team | Confidence | +|---------------|------|-----------| +| Used in scanner/scanner-v4 code | @stackrox/scanner | 85% | +| Used in test infrastructure | @janisz | 85% | + +### PostgreSQL/Database Dependencies +Database vulnerabilities require special handling: + +| Dependency Type | Team | Notes | +|----------------|------|-------| +| PostgreSQL core | @stackrox/core-workflows | Central team owns database layer | +| PostgreSQL extensions | @stackrox/core-workflows | Central team manages extensions | ## Service to Team Mapping diff --git a/workflows/acs-triage/reference/teams.md b/workflows/acs-triage/reference/teams.md index 35d8efe..6cad354 100644 --- a/workflows/acs-triage/reference/teams.md +++ b/workflows/acs-triage/reference/teams.md @@ -102,15 +102,17 @@ Canonical team list with responsibilities and ownership patterns. - End-to-end testing - Frontend build pipeline -## Container to Team Mapping - -| Container | Team | -|-----------|------| -| central, main, central-db | @stackrox/core-workflows | -| sensor, admission-control | @stackrox/sensor-ecosystem | -| scanner, scanner-v4, scanner-db | @stackrox/scanner | -| collector | @stackrox/collector | -| operator, roxctl | @stackrox/install | +## Dependency-Based Team Assignment + +**For vulnerability triage**, teams are assigned based on dependency language and usage location, not container names. + +See `reference/team-mappings.md` for complete dependency → team mappings. + +**Quick Reference:** +- npm/JavaScript dependencies → @stackrox/ui (only team using JavaScript) +- Go dependencies → based on import path (e.g., scanner/** → @stackrox/scanner) +- Python dependencies → based on usage location (scanner code or test infrastructure) +- PostgreSQL → @stackrox/core-workflows (core team owns database layer) ## Test Category Defaults 
diff --git a/workflows/acs-triage/reference/vulnerability-decision-tree.md b/workflows/acs-triage/reference/vulnerability-decision-tree.md index 9798704..bf997d3 100644 --- a/workflows/acs-triage/reference/vulnerability-decision-tree.md +++ b/workflows/acs-triage/reference/vulnerability-decision-tree.md @@ -30,7 +30,7 @@ ProdSec (Product Security) decision tree for vulnerability triage. This 6-step w │ ▼ ┌───────────────────────┐ - │ Step 3: Container │ Language mismatch? + │ Step 3: Dependency │ Language mismatch? │ Applicability │────────────────────► CLOSE (Obsolete) └───────────┬───────────┘ ✗ Continue │ 
@@ -116,54 +116,62 @@ CVSS: 6.5 Decision: CLOSE - Below threshold (requires ≥7.0 for Moderate) ``` -## Step 3: Container Applicability Check +## Step 3: Dependency Applicability Check -**Question:** Is this a false positive due to container/language mismatch? +**Question:** Is this a false positive due to language/dependency mismatch? **Known False Positives:** -### Database Containers with npm/Go +### npm/JavaScript in Database Images ``` -Containers: central-db, scanner-db, scanner-v4-db -Languages: npm, Go -Reasoning: Database containers only have PostgreSQL, no npm/Go code +Context: Database images (central-db, scanner-db, scanner-v4-db) +Language: npm, JavaScript, TypeScript, Node.js +Reasoning: Database images only contain PostgreSQL, no JavaScript runtime or npm packages Decision: CLOSE (Obsolete/Not Affected) ``` -### Non-main Containers with npm +### Go Dependencies in Database-Only Images ``` -Container: Any except "main" -Language: npm -Reasoning: Only 'main' container has Node.js/npm dependencies +Context: Database images (central-db, scanner-db, scanner-v4-db) +Language: Go +Reasoning: Database images only contain PostgreSQL binary, no Go code Decision: CLOSE (Obsolete/Not Affected) ``` **Logic:** ```python -container = extract_container(issue) # scanner, central, sensor, etc. language = extract_language(issue) # Go, npm, Python, etc. 
+affected_component = extract_component(issue) # from description or labels + +# Check if this is a database-only image +is_database_only = affected_component in ["central-db", "scanner-db", "scanner-v4-db"] -if container in ["central-db", "scanner-db", "scanner-v4-db"]: - if language in ["npm", "Go"]: +if is_database_only: + if language in ["npm", "javascript", "typescript", "node.js", "Go"]: → CLOSE as "Obsolete (Not Affected)" + reasoning = f"Database images only contain PostgreSQL, no {language} code" -if language == "npm" and container != "main": - → CLOSE as "Obsolete (Not Affected)" +# npm dependencies only exist in UI codebase +# If reported against non-UI component, likely false positive +elif language in ["npm", "javascript", "typescript", "node.js"]: + if affected_component and "ui" not in affected_component.lower(): + → CLOSE as "Obsolete (Not Affected)" + reasoning = "JavaScript/npm only used in UI codebase" else: → Continue to Step 4 ``` **Decision:** CLOSE (Obsolete) -**Reasoning:** "{container} only has PostgreSQL, no {language}" +**Reasoning:** "Database images only contain PostgreSQL, no {language}" or "JavaScript/npm only used in UI codebase" **Action:** Close as Obsolete (Not Affected) **Confidence:** 100% **Example:** ``` -Issue: CVE-2024-9999 in central-db container +Issue: CVE-2024-9999 reported in central-db Language: npm -Decision: CLOSE - central-db only has PostgreSQL, no npm packages +Decision: CLOSE - Database images only contain PostgreSQL, no npm packages ``` ## Step 4: Duplicate Detection 
@@ -239,53 +247,117 @@ Decision: CLOSE - Not affected (unused code path) **Question:** Which team should fix this vulnerability? -**Assignment by Container:** +**Assignment by Dependency Language and Usage:** + +### JavaScript/npm Dependencies +All npm vulnerabilities go to UI team (only team using JavaScript): + +| Language | Team | Confidence | +|----------|------|-----------| +| npm, JavaScript, TypeScript, Node.js | @stackrox/ui | 95% | + +### Go Dependencies +Assign based on import path or module usage: + +| Import Path Pattern | Team | Confidence | +|-------------------|------|-----------| +| github.com/stackrox/rox/scanner/** | @stackrox/scanner | 90% | +| github.com/stackrox/rox/sensor/** | @stackrox/sensor-ecosystem | 90% | +| github.com/stackrox/rox/central/** | @stackrox/core-workflows | 90% | +| github.com/stackrox/rox/collector/** | @stackrox/collector | 90% | +| github.com/stackrox/rox/operator/** | @stackrox/install | 90% | -| Container | Team | Confidence | -|-----------|------|-----------| -| scanner, scanner-v4, scanner-db | @stackrox/scanner | 85% | -| central, main, central-db | @stackrox/core-workflows | 85% | -| sensor | @stackrox/sensor-ecosystem | 85% | -| collector | @stackrox/collector | 85% | -| operator | @stackrox/install | 85% | -| ui | @stackrox/ui | 85% | +For generic Go dependencies (e.g., golang.org/x/net), use gopls to find importers. 
+ +### Python Dependencies +Assign based on where Python is used: + +| Usage | Team | Confidence | +|-------|------|-----------| +| Scanner/scanner-v4 code | @stackrox/scanner | 85% | +| Test infrastructure | @janisz | 85% | + +### PostgreSQL +Database vulnerabilities go to core team: + +| Type | Team | Confidence | +|------|------|-----------| +| PostgreSQL core/extensions | @stackrox/core-workflows | 90% | **Logic:** ```python -container = result["container"] - -team_map = { - "scanner": "@stackrox/scanner", - "scanner-v4": "@stackrox/scanner", - "scanner-db": "@stackrox/scanner", - "central": "@stackrox/core-workflows", - "main": "@stackrox/core-workflows", - "central-db": "@stackrox/core-workflows", - "sensor": "@stackrox/sensor-ecosystem", - "collector": "@stackrox/collector", - "operator": "@stackrox/install", - "ui": "@stackrox/ui" -} - -assigned_team = team_map.get(container, "Needs Manual Assignment") -confidence = 85 if assigned_team != "Needs Manual Assignment" else 0 +language = extract_language(issue) # npm, Go, Python, PostgreSQL +package_name = extract_package(issue) # e.g., "golang.org/x/net" + +# JavaScript/npm - always UI team +if language in ["npm", "javascript", "typescript", "node.js"]: + assigned_team = "@stackrox/ui" + confidence = 95 + reasoning = "JavaScript dependencies only used by UI team" + +# Go - check import path +elif language == "Go": + # Check if package belongs to stackrox/rox + if "github.com/stackrox/rox/scanner" in package_name: + assigned_team = "@stackrox/scanner" + confidence = 90 + elif "github.com/stackrox/rox/sensor" in package_name: + assigned_team = "@stackrox/sensor-ecosystem" + confidence = 90 + elif "github.com/stackrox/rox/central" in package_name: + assigned_team = "@stackrox/core-workflows" + confidence = 90 + elif "github.com/stackrox/rox/collector" in package_name: + assigned_team = "@stackrox/collector" + confidence = 90 + elif "github.com/stackrox/rox/operator" in package_name: + assigned_team = 
"@stackrox/install" + confidence = 90 + else: + # Generic dependency - use gopls to find where it's imported + importers = gopls_find_references(package_name) + assigned_team = find_most_common_team(importers) + confidence = 75 + reasoning = f"Generic dependency imported by {assigned_team}" + +# Python - check usage location +elif language == "Python": + if "scanner" in description.lower(): + assigned_team = "@stackrox/scanner" + confidence = 85 + else: + assigned_team = "@janisz" + confidence = 85 + reasoning = "Python used in test infrastructure" + +# PostgreSQL +elif language == "PostgreSQL": + assigned_team = "@stackrox/core-workflows" + confidence = 90 + reasoning = "Core team owns database layer" + +else: + assigned_team = "Needs Manual Assignment" + confidence = 0 → ASSIGN to team ``` **Decision:** ASSIGN_FOR_FIX -**Team:** Based on container mapping -**Confidence:** 85% +**Team:** Based on dependency language and usage +**Confidence:** 90-95% **Action:** Assign to {team} for remediation **SLA:** Based on severity (Critical: 7 days, Important: 30 days, Moderate: 90 days) **Example:** ``` -Issue: CVE-2024-1234 in scanner container -Container: scanner -Team: @stackrox/scanner -Decision: ASSIGN - Scanner team to remediate +Issue: CVE-2024-1234 in react-dom npm package +Language: npm +Package: react-dom +Team: @stackrox/ui +Decision: ASSIGN - UI team owns all JavaScript dependencies SLA: 30 days (Important severity) +Reasoning: JavaScript dependencies only used by UI team ``` ## Exit Points Summary diff --git a/workflows/acs-triage/templates/triage-report.md b/workflows/acs-triage/templates/triage-report.md index f48bc4b..cece591 100644 --- a/workflows/acs-triage/templates/triage-report.md +++ b/workflows/acs-triage/templates/triage-report.md 
@@ -94,7 +94,8 @@ CODEOWNERS and service ownership confidence reduced to 75%. Manual review recomm - **Team:** {{team_assignment.assigned_team}} ({{team_assignment.confidence}}% confidence) - **CVE:** {{vuln_analysis.cve_id}} - **Severity:** {{vuln_analysis.severity}} (CVSS: {{vuln_analysis.cvss_score}}) -- **Container:** {{vuln_analysis.container}} +- **Language:** {{vuln_analysis.language}} +- **Package:** {{vuln_analysis.package_name}} - **Decision:** {{vuln_analysis.recommendation}} - **Reasoning:** {{vuln_analysis.reasoning}} - **Action:** {{#if vuln_analysis.recommendation == "ASSIGN"}}Assign to {{team_assignment.assigned_team}} for remediation{{else}}{{vuln_analysis.recommendation}}{{/if}}
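Review bot: in the triage.md Phase 4b hunk the heading "3. **Dependency Ownership Match (90-95% confidence)**" does not match its own bullets, which give the gopls path 75% and the non-vulnerability path 80%; either state the range as 75-95% or split the gopls fallback into its own strategy so the heading's confidence is what the examples actually produce. The hunk also shows only one import-path example ("Go github.com/stackrox/rox/scanner/** → @stackrox/scanner (90%)"); point at the full pattern table in team-mappings.md rather than restating a subset, so the two files cannot drift apart.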
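Review bot: in the FIELD_REFERENCE.md hunk, "**Deprecated:** Use language + package_name for team assignment instead" on `vuln_analysis.component` contradicts the new Step 3 logic in vulnerability-decision-tree.md, where `affected_component = extract_component(issue)` is the input that drives both the database-image and the non-UI false-positive closes; document the field as required input for Step 3 and only secondary for Step 6. The examples here spell values as "Go", "npm", "Python", "PostgreSQL", while the Step 3 and Step 6 pseudocode compares against "javascript", "typescript", "node.js" in lowercase and "Go" capitalised; state the canonical casing of `vuln_analysis.language` (or that it is lowercased before comparison), otherwise a value extracted as "JavaScript" matches neither list.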
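Review bot: in the Step 3 logic block of the vulnerability-decision-tree.md hunk, `if affected_component and "ui" not in affected_component.lower():` is a substring test, so any component whose name merely contains "ui" (for example "build") is treated as the UI component and escapes the false-positive close, and a missing component skips the check silently; compare against an explicit list of UI component names instead. Two smaller points in the same block: the membership list `["npm", "javascript", "typescript", "node.js", "Go"]` mixes lowercase ecosystem names with a capitalised "Go", so the extracted value has to be normalised before either branch is evaluated, and the closing `else: → Continue to Step 4` belongs only to the `elif`, so a database-only image with a PostgreSQL finding, or an npm finding against the UI component, leaves the block with no stated next step even though the "Reasoning" line right after it assumes one of the two CLOSE outcomes.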
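Review bot: the Go branch in the Step 6 logic block only recognises five `github.com/stackrox/rox/<module>` prefixes (scanner, sensor, central, collector, operator), but the team-mappings.md hunk in the same patch also maps `github.com/stackrox/scanner-v4/**`, `rox/compliance/**`, `rox/migrator/**`, `rox/pkg/networkgraph/**` and `rox/roxctl/**` at 90%; as written those packages fall through to the gopls fallback at 75%, so the table and the logic disagree and the Step 6 table drops rows the reference file still lists. Further in the same block: the Python branch reads `description.lower()`, but `description` is never defined (every other input comes from `extract_*(issue)`); `reasoning` is only set on the generic-Go, Python-test, PostgreSQL and npm branches, so the five import-path branches and the "Needs Manual Assignment" fallback render an empty `{{vuln_analysis.reasoning}}` in triage-report.md; and `gopls_find_references(package_name)` does not describe how gopls works, since its `references` query takes a file position rather than a package path, so the "which modules import this package" step should be expressed with `go list -deps` or `go mod why` over the workspace, or documented as a manual step.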
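Review bot: in the team-mappings.md hunk, the Python row "| Used in test infrastructure | @janisz | 85% |" assigns ownership to an individual handle while every other row maps to a `@stackrox/*` team; an individual in an ownership table breaks as soon as that person is unavailable, so map the row to the owning team (or a team alias) and keep the person as a CODEOWNERS detail. The generic-Go guidance "If used across multiple teams, assign to team with highest usage count" gives no tie-break and no minimum, so a package imported once each by two modules produces an arbitrary 75%-confidence assignment; spell out the tie rule, or route ties to manual assignment.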
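Review bot: every row in the constants.md false-positive table now closes a CVE automatically on a premise about where code lives ("only UI team uses JavaScript", "database images only contain PostgreSQL binary"), and the decision tree reports those closes at 100% confidence; document how each premise is verified (for example a scripted check that no package.json or Go binary exists outside the expected paths in the released images) and when it must be re-checked, so a future change such as Node-based tooling in another component does not turn these rows into silent closes of real findings.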