Shift triage logic to dependency-based team assignment

workflows/acs-triage/.claude/commands/comment-issues.md

@@ -139,21 +139,22 @@ GraphQL schema validation error pattern matches core-workflows team with 90% con
 ## 🤖 Automated Triage Analysis
 
 **Recommended Team:** @stackrox/scanner
-**Confidence:** 85% (container_mapping)
+**Confidence:** 90% (dependency_mapping)
 **Type:** VULNERABILITY
 
 ### ProdSec Decision Tree
 ✅ Step 1: Version Support - Affects supported versions
 ✅ Step 2: Severity Check - Important (CVSS 8.1)
-✅ Step 3: Container Check - scanner container
+✅ Step 3: Dependency Check - Go dependency in scanner module
 ✅ Step 4: Duplicate Check - No duplicates found
 ⏭️ Step 5: VEX Analysis - Skipped (requires manual review)
 ➡️ **Recommendation:** ASSIGN to @stackrox/scanner
 
 ### Details
 - **CVE:** CVE-2024-1234
 - **Severity:** Important (CVSS 8.1)
-- **Container:** scanner
+- **Language:** Go
+- **Package:** github.com/stackrox/rox/scanner/pkg/example
 - **Affected Versions:** 4.5.0, 4.5.1
 
 ---

workflows/acs-triage/.claude/commands/triage.md

@@ -118,13 +118,18 @@ Apply ProdSec decision tree from `reference/vulnerability-decision-tree.md`:
    - No → Recommend CLOSE with reason "Unsupported version"
 2. **Severity Check**: Is severity Critical/High?
    - Low → Consider CLOSE or LOW priority
-3. **Container Applicability**: Does it affect containers/images?
-   - No → May be out of scope
+3. **Dependency Applicability**: Is this a false positive due to language/dependency mismatch?
+   - Database images with npm/Go → CLOSE (only have PostgreSQL)
+   - npm reported in non-UI components → CLOSE (only UI uses JavaScript)
 4. **Duplicate Detection**: Search JIRA for existing CVE
    - Duplicate → Recommend CLOSE, link to original
-5. **Impact Analysis**: What component is affected?
-   - Extract from CVE description or component field
-6. **Team Assignment**: Map component to team
+5. **Impact Analysis**: What component/dependency is affected?
+   - Extract language (npm, Go, Python, PostgreSQL)
+   - Extract package name and import path
+6. **Team Assignment**: Map dependency language and usage location to team
+   - npm → UI team (only team using JavaScript)
+   - Go → based on import path (e.g., scanner/** → scanner team)
+   - Use gopls to find where generic dependencies are imported
 
 Store in `vuln_analysis` object
 
@@ -153,10 +158,14 @@ Apply multi-strategy approach with confidence scoring.
    - Match error_type from ci_analysis
    - Examples: GraphQL → core-workflows (90%), panic → extract service (85%)
 
-3. **Service Ownership Match (80% confidence)** - Component/service → team
+3. **Dependency Ownership Match (90-95% confidence)** - Dependency language/usage → team
    - Source: `reference/team-mappings.md`
-   - Map components field or extracted service name
-   - Examples: scanner → @stackrox/scanner (80%)
+   - For VULNERABILITY issues: Map dependency language and import path to team
+   - Examples:
+     - npm/JavaScript → @stackrox/ui (95%, only team using JavaScript)
+     - Go github.com/stackrox/rox/scanner/** → @stackrox/scanner (90%)
+     - Generic Go deps → use gopls to find importers (75%)
+   - For other issue types: Map components field or extracted service name (80%)
 
 4. **Similar Issue History (70-80% confidence)** - JIRA search for resolved similar issues
    - Search by error message or component

workflows/acs-triage/FIELD_REFERENCE.md

@@ -228,31 +228,34 @@ These fields are added by the `/analyze-vuln` command for VULNERABILITY issues:
 - **Purpose:** CVSS v3 score
 - **Extracted From:** Issue description
 
-#### vuln_analysis.container
+#### vuln_analysis.language
 - **Type:** string
-- **Example:** "scanner", "central", "sensor"
-- **Purpose:** Affected container/service
-- **Extracted From:** Issue description or labels
+- **Example:** "Go", "npm", "Python", "PostgreSQL"
+- **Purpose:** Programming language/ecosystem of affected dependency
+- **Extracted From:** Issue description or CVE details
+- **Note:** Primary field for team assignment
 
-#### vuln_analysis.language
+#### vuln_analysis.package_name
 - **Type:** string
-- **Example:** "Go", "npm", "Python"
-- **Purpose:** Programming language of affected component
-- **Extracted From:** Issue description
+- **Example:** "github.com/stackrox/rox/scanner/pkg", "react-dom", "golang.org/x/net"
+- **Purpose:** Specific package/library affected with full import path
+- **Extracted From:** Issue description or CVE details
+- **Note:** Used for Go dependency team assignment
 
 #### vuln_analysis.component
 - **Type:** string
-- **Example:** "github.com/example/pkg"
-- **Purpose:** Specific package/library affected
-- **Extracted From:** Issue description
+- **Example:** "scanner", "central", "ui"
+- **Purpose:** Affected component/module (informational, secondary to language/package)
+- **Extracted From:** Issue description or labels
+- **Deprecated:** Use language + package_name for team assignment instead
 
 #### vuln_analysis.decision_tree
 - **Type:** object
 - **Purpose:** Documents ProdSec decision tree execution
 - **Fields:**
   - `step1_version_support`: "pass" or "fail"
   - `step2_severity_threshold`: "pass" or "fail"
-  - `step3_container_applicability`: "pass" or "fail"
+  - `step3_dependency_applicability`: "pass" or "fail" (checks for language/dependency mismatches)
   - `step4_duplicate_check`: "pass" or "fail"
   - `step5_impact_analysis`: "pass" or "fail"
   - `step6_team_assignment`: team name
@@ -265,14 +268,15 @@ These fields are added by the `/analyze-vuln` command for VULNERABILITY issues:
 
 #### vuln_analysis.assigned_team
 - **Type:** string
-- **Example:** "@stackrox/scanner"
+- **Example:** "@stackrox/ui", "@stackrox/scanner"
 - **Purpose:** Team assignment for ASSIGN recommendations
-- **Confidence:** 85% (from container mapping)
+- **Confidence:** 90-95% (from dependency language and usage mapping)
+- **Note:** npm/JavaScript → UI team (95%), Go → based on import path (90%)
 
 #### vuln_analysis.reasoning
 - **Type:** string
-- **Example:** "Critical severity Go vulnerability in scanner container, no duplicates found"
-- **Purpose:** Explains decision tree outcome
+- **Example:** "Critical severity npm vulnerability - JavaScript dependencies only used by UI team"
+- **Purpose:** Explains decision tree outcome and team assignment logic
 
 ## Flaky Test Analysis Fields
 

workflows/acs-triage/README.md

@@ -159,10 +159,10 @@ The workflow automatically runs analysis commands in parallel when executed by A
 **ProdSec Decision Tree (6 steps):**
 1. Version support check → CLOSE if unsupported
 2. Severity threshold → CLOSE if Low or Moderate <7.0 CVSS
-3. Container applicability → CLOSE if database with npm/Go (false positive)
+3. Dependency applicability → CLOSE if language/dependency mismatch (e.g., npm in database images)
 4. Duplicate detection → DUPLICATE if CVE already exists
 5. Impact analysis → CLOSE if VEX false positive
-6. Team assignment by container
+6. Team assignment by dependency language and usage location
 
 **Output:** `vuln_analysis` field with decision tree results and team assignment
 

workflows/acs-triage/reference/constants.md

@@ -80,7 +80,7 @@ Central location for all hardcoded values used throughout the ACS triage workflo
 |------|---------------|-----------|
 | 1 | All versions unsupported | CLOSE (Won't Do) |
 | 2 | Severity below threshold | CLOSE (Won't Do) |
-| 3 | Container/language mismatch | CLOSE (Obsolete) |
+| 3 | Dependency/language mismatch | CLOSE (Obsolete) |
 | 4 | CVE already exists | DUPLICATE |
 | 5 | VEX not affected | CLOSE (Not a Bug) |
 | 6 | Passes all checks | ASSIGN |
@@ -89,8 +89,9 @@ Central location for all hardcoded values used throughout the ACS triage workflo
 
 | Pattern | Decision |
 |---------|----------|
-| Database containers (central-db, scanner-db, scanner-v4-db) with npm/Go vulnerabilities | CLOSE (Obsolete) |
-| Non-main containers with npm vulnerabilities | CLOSE (Obsolete) |
+| npm/JavaScript vulnerabilities in database images (central-db, scanner-db, scanner-v4-db) | CLOSE (Obsolete - database images only contain PostgreSQL) |
+| npm/JavaScript vulnerabilities in non-UI components | CLOSE (Obsolete - only UI team uses JavaScript) |
+| Go vulnerabilities in database images | CLOSE (Obsolete - database images only contain PostgreSQL binary) |
 
 ## Repository Paths
 

workflows/acs-triage/reference/team-mappings.md

@@ -18,17 +18,48 @@ Extract component names from JIRA labels, components field, or issue description
 | operator, deploy, helm, roxctl | @stackrox/install |
 | ui, frontend, cypress, e2e-tests | @stackrox/ui |
 
-## Container to Team Mapping
+## Dependency Language to Team Mapping
 
-For vulnerability issues, extract container name from CVE description:
+For vulnerability issues, assign teams based on dependency language/ecosystem and where it's used:
 
-| Container | Team |
-|-----------|------|
-| central, main, central-db | @stackrox/core-workflows |
-| sensor, admission-control | @stackrox/sensor-ecosystem |
-| scanner, scanner-v4, scanner-db | @stackrox/scanner |
-| collector | @stackrox/collector |
-| operator, roxctl | @stackrox/install |
+### npm/JavaScript Dependencies
+All JavaScript dependencies belong to UI team (only UI uses JavaScript):
+
+| Language/Ecosystem | Team | Confidence |
+|-------------------|------|-----------|
+| npm, JavaScript, TypeScript, Node.js | @stackrox/ui | 95% |
+
+### Go Dependencies
+Go dependencies assigned based on import path or usage location:
+
+| Import Path Pattern | Team | Confidence |
+|-------------------|------|-----------|
+| github.com/stackrox/rox/scanner/**, github.com/stackrox/scanner-v4/** | @stackrox/scanner | 90% |
+| github.com/stackrox/rox/sensor/**, github.com/stackrox/rox/compliance/** | @stackrox/sensor-ecosystem | 90% |
+| github.com/stackrox/rox/central/**, github.com/stackrox/rox/migrator/** | @stackrox/core-workflows | 90% |
+| github.com/stackrox/rox/collector/**, github.com/stackrox/rox/pkg/networkgraph/** | @stackrox/collector | 90% |
+| github.com/stackrox/rox/operator/**, github.com/stackrox/rox/roxctl/** | @stackrox/install | 90% |
+
+For generic Go dependencies (e.g., golang.org/x/**, third-party libs), use gopls to find where the dependency is imported:
+- Check which modules import the vulnerable package
+- Map to team based on the modules that use it most
+- If used across multiple teams, assign to team with highest usage count
+
+### Python Dependencies
+Python dependencies assigned based on usage:
+
+| Usage Location | Team | Confidence |
+|---------------|------|-----------|
+| Used in scanner/scanner-v4 code | @stackrox/scanner | 85% |
+| Used in test infrastructure | @janisz | 85% |
+
+### PostgreSQL/Database Dependencies
+Database vulnerabilities require special handling:
+
+| Dependency Type | Team | Notes |
+|----------------|------|-------|
+| PostgreSQL core | @stackrox/core-workflows | Central team owns database layer |
+| PostgreSQL extensions | @stackrox/core-workflows | Central team manages extensions |
 
 ## Service to Team Mapping
 

workflows/acs-triage/reference/teams.md

@@ -102,15 +102,17 @@ Canonical team list with responsibilities and ownership patterns.
 - End-to-end testing
 - Frontend build pipeline
 
-## Container to Team Mapping
-
-| Container | Team |
-|-----------|------|
-| central, main, central-db | @stackrox/core-workflows |
-| sensor, admission-control | @stackrox/sensor-ecosystem |
-| scanner, scanner-v4, scanner-db | @stackrox/scanner |
-| collector | @stackrox/collector |
-| operator, roxctl | @stackrox/install |
+## Dependency-Based Team Assignment
+
+**For vulnerability triage**, teams are assigned based on dependency language and usage location, not container names.
+
+See `reference/team-mappings.md` for complete dependency → team mappings.
+
+**Quick Reference:**
+- npm/JavaScript dependencies → @stackrox/ui (only team using JavaScript)
+- Go dependencies → based on import path (e.g., scanner/** → @stackrox/scanner)
+- Python dependencies → based on usage location (scanner code or test infrastructure)
+- PostgreSQL → @stackrox/core-workflows (core team owns database layer)
 
 ## Test Category Defaults