// Resolve a CVE vulnerability issue from Jira. Reads the CVE details, assesses impact, and either marks "not affected" with a Jira comment and transition, bumps the affected dependency, or implements a code fix. Use when the user says "cve", "resolve CVE", or provides a CVE Jira issue.
Assess whether an application is ready to migrate to OpenShift. Use when the user describes an application and asks about migration, containerization, or moving to Kubernetes/OpenShift.
Triage production incidents involving data corruption, data loss, slow performance, or outages. Classify severity and recommend immediate actions.
Update Python dependencies to latest versions using uv, regenerate lock and requirements.txt, then verify linting and tests pass. Fix breakage from API changes in bumped packages. Use when the user says "deps update", "bump dependencies", or "update deps".
Review PR with structured approach covering architecture, naming, patterns, and critical questions
Troubleshoot ClusterOperator in Degraded, Unavailable, or not Progressing state. Use when operator status shows error conditions, reconciliation failures, or degraded health checks.
Troubleshoot namespace stuck in Terminating state, ResourceQuota exhaustion, or RBAC permission denied errors. Use when resources cannot be created or forbidden errors occur.
| name | resolve-cve |
| description | Resolve a CVE vulnerability issue from Jira. Reads the CVE details, assesses impact, and either marks "not affected" with a Jira comment and transition, bumps the affected dependency, or implements a code fix. Use when the user says "cve", "resolve CVE", or provides a CVE Jira issue. |
The user provides a Jira key (e.g., OLS-789) or a Jira
URL. If no specific issue is given, find CVEs to triage by
searching the current sprint in the OpenShift Lightspeed
Service (OLS) project:
project = OLS AND type = Vulnerability AND sprint in openSprints()
AND summary ~ "openshift-lightspeed/lightspeed-service-api-rhel9"
AND statusCategory = "To Do"
ORDER BY priority DESC
Only process issues whose summary contains
openshift-lightspeed/lightspeed-service-api-rhel9 — these
are the service CVEs. Skip issues targeting other components
(e.g., operator, console plugin).
The summary format is:
CVE-YYYY-NNNNN openshift-lightspeed/lightspeed-service-api-rhel9: {Package}: {Title} [ols-N]
If using Jira MCP and the cloudId is unknown, call
getAccessibleAtlassianResources to discover it, or ask
the user.
Fetch the issue via getJiraIssue with
responseContentFormat: "markdown". The issue type is
Vulnerability, not a regular story.
Parse the data from these locations:
summary field, e.g.,
CVE-2026-33231 openshift-lightspeed/...: NLTK: ...Flaw: section (the description starts with boilerplate
— "Security Tracking Issue", "Do not make this issue
public" — skip to the flaw text after the --- separator)Then look up severity externally:
WebSearch for the CVE ID on NVD
(e.g., CVE-2026-33231 NVD) to get the severity ratingIf the issue is missing a CVE ID or the affected package is unclear from the flaw text, ask the user to clarify.
Determine whether this project is affected:
pyproject.toml and uv.lock for the package name.
Match case-insensitively (Jira may say NLTK, lock
file has nltk). If not present at all, the project
is not affected.uv.lock. Compare against the vulnerable version
range from the advisory.uv.lock. Trace which direct
dependency pulls it in.Present the finding to the user clearly:
CVE Assessment: {CVE-ID}
Package: {package name}
Vulnerable versions: {range}
Installed version: {version from uv.lock}
Direct dependency: {yes/no — if no, pulled in by {parent}}
Verdict: {NOT AFFECTED / AFFECTED — bump needed / AFFECTED — code change needed}
Reasoning:
- {why this verdict — e.g., "package not in dependency tree",
"installed version is outside vulnerable range",
"vulnerable API is not used by this project",
"project uses the affected code path in module X"}
GATE — do not proceed without user acknowledgment. The user may have context that changes the verdict (e.g., the package is used indirectly, or the feature is enabled in production but not in tests). Present the assessment and stop. Only continue after explicit "go".
Based on the verdict and user acknowledgment:
Add a comment to the Jira issue via
addCommentToJiraIssue with contentFormat: "markdown":
**Assessment: Not Affected**
{CVE-ID} targets {package} versions {range}.
{Reason — one of:}
- Package is not in the dependency tree.
- Installed version ({version}) is outside the
vulnerable range.
- The vulnerable code path ({specific API/module}) is
not used by this project.
No action required.
Transition the issue to Done / Closed with
resolution "Won't Do". Call
getTransitionsForJiraIssue to find the transition ID
for "Done" or "Closed", then transitionJiraIssue with
that ID and resolution: { name: "Won't Do" } in the
fields.
Follow the deps-update skill with the specific package
name. It will bump only that package, run all verification
gates, and raise a PR.
After the bump, verify the new version in uv.lock is
outside the vulnerable range. If the latest release is
still vulnerable, stop and tell the user — no fix is
available upstream yet.
Then add a Jira comment:
**Resolution: Dependency bumped**
{CVE-ID} targets {package} versions {range}.
Bumped {package} from {old version} to {new version}.
Lint/types/tests: passing.
Ask user about Jira transition (same as Path A step 2).
make verify && make check-types && make test-unit.CVE {CVE-ID} resolved for {story_id}.
Verdict: {Not Affected / Bumped {package} to {version} / Code fix applied}
Jira: {commented / commented + transitioned to {status}}
{If files changed:}
Files changed:
- {list files}
Ready to commit.
{End if}
If the user wants a commit (Path B or C), use message:
fix: resolve {CVE-ID} — bump {package} to {version}
or for code changes:
fix: resolve {CVE-ID} — {brief description}
--upgrade-package, not
--upgrade.