Relax CVE triage and open thresholds for distributed team#53
Open
abstractj wants to merge 1 commit into
Conversation
stianst
requested changes
Jun 11, 2026
stianst
left a comment
Contributor
Blocked external cannot just be hidden on the dashboard; it is also the team's responsibility to chase this to make sure they are resolved in a timely manner.
For bugs we move blocked external to a separate column, which we can do for CVEs as well.
For missing information, that can be moved from the team table, but should be visible on the dashboard.
* Fix timezone bug in DateUtil.minusBusinessDays() — was using system default timezone instead of UTC, producing inconsistent results depending on which GitHub Action runner executed the job.
* Fix NPE in Bugs.convertToTeamCount() when a flaky test references a team not present in the teams map.
* Update GitHubLoader.sanitize() to preserve status/blocked-external and status/missing-information labels for private issues.

Avoid penalizing teams when there's an approved pull-request

* Added label status/ready for issues with pull-requests reviewed and approved by teams, but not merged yet

Separate blocked-external into its own CVE column and show missing-information globally

* Blocked-external CVEs are now shown in a dedicated column in both public and private CVE team tables (with -1/-1 thresholds, visible but not color-coded).
* CVE Missing Information is shown as a global stat in the Bugs section, sourced from keycloak-private. The row always appears, even when there are no private issues (shows 0).
* Also fixes: severity/ labels are now preserved in sanitize() so SeverityTriageOverdueFilter works correctly for private CVEs.

Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>
Exclude blocked-external and missing-information CVEs from all triage
and open counts — these represent work blocked on external factors, not
team inaction.
Raise thresholds to reduce alert fatigue:
Widen triage deadline windows:
Fix timezone bug in DateUtil.minusBusinessDays() — was using system
default timezone instead of UTC, producing inconsistent results
depending on which GitHub Action runner executed the job.
Fix NPE in Bugs.convertToTeamCount() when a flaky test references a team
not present in the teams map.
Update GitHubLoader.sanitize() to preserve status/blocked-external and
status/missing-information labels for private issues.
Signed-off-by: Bruno Oliveira da Silva bruno@abstractj.com