Update Vulnerability UUID calculation to exclude location fingerprint for definition model
Problem
The Vulnerability model is transitioning to a definition model that represents vulnerability types across all contexts (branches/tags), while Vulnerabilities::Finding represents specific instances of that vulnerability in a particular context. Currently, Vulnerability UUID generation includes the location fingerprint, which is inappropriate for a definition model that should be location-agnostic.
Background
UUID composition for Vulnerability (definition - location-agnostic):
- Report type
- Primary identifier fingerprint
- Project ID
NOT included (unlike Finding UUID):
- Location fingerprint
- Security_project_tracked_context_id
This aligns the Vulnerability model with its role as a definition/type rather than a context-specific instance. Multiple Findings (across different branches/locations) can reference the same Vulnerability definition.
Implementation
This issue covers Phase 1: Start populating new UUID
- Add `new_uuid` column to `vulnerabilities` table (if not present)
- Update `Security::VulnerabilityUUID` to support definition-level UUID generation (without location fingerprint)
- Modify Vulnerability creation logic to populate `new_uuid` with definition-level UUID
- Ensure backward compatibility - existing `uuid` column unchanged
Migration Phases
| Phase | Issue | Description |
|---|---|---|
| 1 | This issue | Start populating new_uuid for new vulnerabilities |
| 2 | #587802 | Backfill new_uuid for existing vulnerabilities |
| 3 | #587803 | Add NOT NULL constraint to new_uuid |
| 4 | #587804 | Transition GitLab to use new_uuid |
| 5 | #587805 | Drop old uuid column and rename new_uuid |
Acceptance Criteria
- `Security::VulnerabilityUUID` supports definition-level UUID generation (without location)
- New Vulnerabilities have `new_uuid` populated with definition-level UUID
- Vulnerabilities for the same type/identifier across different locations have the same `new_uuid`
- Existing `uuid` column behavior is unchanged (backward compatible)
Related
- Related to #587625 (closed) (Finding UUID - context-aware)