fix(nvd): support full CVE rebuild without arg overflow #204
| { value: 'all', label: 'All Platforms', active: 'bg-clawd-accent text-white', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-clawd-accent/50' }, | ||
| { value: 'openclaw', label: 'OpenClaw', active: 'bg-clawd-accent/20 text-clawd-accent border-2 border-clawd-accent', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-clawd-accent/50' }, | ||
| { value: 'nanoclaw', label: 'NanoClaw', active: 'bg-clawd-secondary/20 text-clawd-secondary border-2 border-clawd-secondary', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-clawd-secondary/50' }, | ||
| { value: 'hermes', label: 'Hermes', active: 'bg-emerald-500/20 text-emerald-300 border-2 border-emerald-400', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-emerald-400/50' }, |
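Review bot: The `inactive` value in each of these four tab entries repeats `bg-clawd-800 text-gray-400 border border-clawd-700` and differs only in the hover color, so a later palette change has to be made in four places. Consider one shared base string with the per-platform hover class appended.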
community-advisory.yml still maps arbitrary Other: slugs into platforms even though platform tabs only cover openclaw, nanoclaw, and hermes, so approved nonstandard slugs won’t show in filtered views—should we constrain the contract to that set or add an other/catch-all path?
Finding type: Type Inconsistency | Severity: 🟢 Low
Prompt for AI Agents:
Before applying, verify this suggestion against the current code. In pages/FeedSetup.tsx
around lines 24-27 (the PLATFORM_TABS definition, and related
`selectedPlatform`/`filteredAdvisories` filtering), the UI platform tabs are hard-coded
to only `openclaw`, `nanoclaw`, and `hermes`, but the feed data can include arbitrary
platform slugs (from `Other:`). Refactor so the feed contract and the UI stay
consistent: either constrain/normalize incoming `a.platforms` to only the allowed
literal set before filtering, or add an “Other”/catch-all path (including a tab and
filtering behavior) that surfaces advisories with nonstandard platform slugs when
`selectedPlatform` is set accordingly. Update the relevant TypeScript types so
`selectedPlatform` and the tab values reflect the real set of selectable options, and
ensure nonstandard platforms don’t silently disappear when not on “All Platforms”.
Commit 30f99eb addressed this comment by introducing a typed platform filter that includes an “Other” tab, normalizing incoming platform slugs, and filtering any advisory whose slug isn’t in the CORE_PLATFORM_SLUGS set under that catch-all option so nonstandard slugs remain discoverable.
| const getPlatformLabel = (platform: string) => { | ||
| switch (platform) { | ||
| case 'openclaw': | ||
| return 'OpenClaw'; | ||
| case 'nanoclaw': | ||
| return 'NanoClaw'; | ||
| case 'hermes': | ||
| return 'Hermes'; | ||
| default: | ||
| return platform; | ||
| } | ||
| }; |
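Review bot: The `switch (platform)` in `getPlatformLabel` compares the raw string, so a slug that differs only in case or surrounding whitespace (for example `OpenClaw` or ` hermes`) falls through to `default` and is displayed verbatim instead of getting its label. Trim and lowercase the value before the switch, or normalize once where the feed is parsed.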
getPlatformLabel/getPlatformClasses in AdvisoryCard duplicate the platform mapping logic from AdvisoryDetail, so should we extract a shared helper/component like getPlatformDescriptor (or AdvisoryPlatformBadge) to keep both in sync?
Finding type: Code Dedup and Conventions | Severity: 🟢 Low
Commit 4e93032 addressed this comment by factoring the platform label and styling logic into the new AdvisoryPlatformBadge component (with shared getPlatformDescriptor) and swapping both AdvisoryCard and AdvisoryDetail to render that badge instead of duplicating the switch statements.
| interface PlatformDescriptor { | ||
| label: string; | ||
| classes: string; | ||
| } | ||
|
|
||
| const normalizePlatformSlug = (platform: string) => platform.trim().toLowerCase(); | ||
|
|
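Review bot: `normalizePlatformSlug` calls `.trim().toLowerCase()` directly on its argument, and the `string` annotation is erased at runtime, so a feed entry whose platform value is `null` or a number would throw here. If the platform list comes from externally contributed advisories, add a `typeof platform === 'string'` guard in this function or at the point where the feed is parsed.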
normalizePlatformSlug is duplicated in the badge code and pages/FeedSetup.tsx, should we move/export it as a shared utility and reuse it so normalization stays in sync with the filtering/labels?
Finding type: Code Dedup and Conventions | Severity: 🟢 Low
Commit 9677b69 addressed this comment by moving normalizePlatformSlug (along with getPlatformDescriptor) into utils/advisoryPlatforms and reusing those exports from both AdvisoryPlatformBadge and FeedSetup, keeping the normalization logic shared between the badge and filters.
| export const getPlatformDescriptor = (platform: string): PlatformDescriptor => { | ||
| const normalized = normalizePlatformSlug(platform); | ||
| const descriptor = PLATFORM_DESCRIPTOR_BY_SLUG[normalized]; | ||
|
|
||
| if (descriptor) { | ||
| return descriptor; | ||
| } | ||
|
|
||
| return { | ||
| label: platform.trim() || platform, | ||
| classes: 'bg-clawd-700 text-gray-300 border border-clawd-600', | ||
| }; |
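Review bot: The lookup `PLATFORM_DESCRIPTOR_BY_SLUG[normalized]` is indexed by text taken from the advisory, so if that map is a plain object literal (its definition is not in this hunk) a slug such as `constructor` resolves to an inherited `Object.prototype` member, passes `if (descriptor)`, and is returned as though it were a descriptor. Check the key with `Object.hasOwn(...)` before returning, or hold the entries in a `Map`. Separately, `platform.trim() || platform` still produces a blank label when the slug is empty or only whitespace.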
getPlatformDescriptor has extra if/fallback branching after PLATFORM_DESCRIPTOR_BY_SLUG[normalized], should we simplify to return PLATFORM_DESCRIPTOR_BY_SLUG[normalized] ?? { ... }?
Finding type: Conciseness | Severity: 🟢 Low
Prompt for AI Agents:
Before applying, verify this suggestion against the current code. In
utils/advisoryPlatforms.ts around lines 30-41, refactor the `getPlatformDescriptor`
function to remove the extra `if (descriptor) { return descriptor; }` branching.
Instead, compute `normalized`, then directly return
`PLATFORM_DESCRIPTOR_BY_SLUG[normalized] ?? { label: platform.trim() || platform,
classes: 'bg-clawd-700 text-gray-300 border border-clawd-600' }` so the default is only
used when the lookup is `undefined`. Keep the normalization and fallback label logic
exactly the same, but simplify the control flow.
Commit 899997c addressed this comment by simplifying getPlatformDescriptor to return PLATFORM_DESCRIPTOR_BY_SLUG[normalized] with a ?? fallback, removing the redundant descriptor variable and if branch.
User description
Summary
`--argjson "$(cat ...)"`) and switch to file-based `--slurpfile` usage
Why this fixes the crash
Full scans can produce very large advisory arrays. Passing those arrays through command-line args can exceed OS argument size limits. This PR keeps payloads on disk and lets `jq` read them from files, which avoids `ARG_MAX` failures.
Validation
`bash -n scripts/populate-local-feed.sh`
`ruby -e ...`)
`./scripts/populate-local-feed.sh --days 1` with temp feed paths
Notes
Generated description
Below is a concise technical summary of the changes proposed in this PR:
Replace large JSON shell arguments in the NVD transformation workflow with file-based `jq --slurpfile` consumption, add a safe English description fallback, and fail full rebuilds if transformed counts differ from filtered CVEs. Add Hermes-aware platform badges and feed filtering so advisory cards and detail views expose platform visibility alongside the updated feed setup logic.
Modified files (6)
`jq` never receives giant args during the NVD rebuild flow.
Modified files (2)
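The argument-size failure and the file-based fix that the description explains, as an added example that is not code from this PR or its repository. It contrasts passing a feed through argv with reading it via `--slurpfile`, then checks the record count. The function names, file names and records are constructed, `env true` stands in for `jq` in the argv test because the size limit is enforced when the process is started rather than by `jq`, and the `jq` calls assume a version that supports `--slurpfile`.

```shell
#!/bin/sh
# Added example. Function names, paths and records are constructed.

# Write a JSON array of <n> constructed advisory records to <file>.
make_feed() {
  awk -v n="$2" 'BEGIN {
    printf "["
    for (i = 1; i <= n; i++)
      printf "%s{\"id\":\"EXAMPLE-%06d\",\"description\":\"constructed sample text\"}", (i > 1 ? "," : ""), i
    print "]"
  }' > "$1"
}

# The removed pattern: the file's contents become a single argv string.
# The kernel rejects oversized argv with E2BIG ("Argument list too long"),
# so this returns non-zero for a large file whatever program is being run.
fits_in_argv() {
  env true --argjson items "$(cat "$1")" 2>/dev/null
}

# The replacement pattern: argv carries only the path and jq reads the file.
# --slurpfile binds $items to an array of every JSON value in the file, so a
# file holding one array is reached as $items[0].
count_via_slurpfile() {
  jq -n --slurpfile items "$1" '$items[0] | length'
}

# Count check in the spirit of the rebuild guard mentioned above: fail when
# the number of records read back differs from the number expected.
verify_count() {
  got=$(count_via_slurpfile "$1") || return 1
  [ "$got" -eq "$2" ]
}

demo() {
  dir=$(mktemp -d) || return 1
  make_feed "$dir/small.json" 10       # a few hundred bytes
  make_feed "$dir/full.json" 150000    # roughly 10 MB in one JSON array
  for f in small full; do
    if fits_in_argv "$dir/$f.json"; then echo "$f: fits in argv"
    else echo "$f: rejected, argument list too long"; fi
    if command -v jq >/dev/null 2>&1; then
      echo "$f: $(count_via_slurpfile "$dir/$f.json") records via --slurpfile"
    fi
  done
  rm -rf "$dir"
}
demo
```

Forgetting the `[0]` after `--slurpfile` is the usual migration slip: `$items | length` then reports 1 for any file that holds a single array.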