Add UUID generation and storage to Vulnerabilities::Finding with branch context

Problem

As Vulnerabilities::Finding transitions to representing context-specific instances of vulnerabilities (one per branch/tag), we need to generate and store UUIDs that incorporate both the location fingerprint and the security_project_tracked_context_id. With the context folded into the UUID, uniqueness per branch can be asserted directly (for example with a unique index) and findings can be deduplicated correctly across contexts instead of colliding on location alone.

Background

The vulnerability_occurrences table already has a new_uuid column (added in migration 20251002123802) that will store the context-aware UUID. The existing uuid column will continue to be used until the transition is complete.

UUID composition for Findings (context-aware):

  • Report type
  • Primary identifier fingerprint
  • Location fingerprint
  • security_project_tracked_context_id (branch/tag context)
  • Project ID

This ensures each finding is uniquely identified by both its location AND its context, enabling proper deduplication and uniqueness assertions across branches.

Implementation

This issue covers Phase 1: Start populating new_uuid

  1. Update Security::VulnerabilityUUID.generate to accept optional security_project_tracked_context_id parameter
  2. Add a new method (e.g., generate_with_context) or mode for context-aware UUID generation
  3. Modify vulnerability ingestion process to calculate and save finding UUIDs with context into new_uuid column
  4. Add comprehensive tests for UUID generation with context
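The four steps above, sketched end to end as an added example. This is not GitLab's code: ExampleVulnerabilityUUID is a hypothetical stand-in for Security::VulnerabilityUUID, and the namespace UUID, the '-' join format, the parameter order and the sample fingerprints are all assumptions made for illustration. The one design point it demonstrates is that the context id is inserted only when supplied, so the context-less name string (and therefore the legacy uuid) stays byte-for-byte identical while new_uuid varies per branch.

```ruby
require 'digest'

# Added example, not GitLab's code. ExampleVulnerabilityUUID is a hypothetical
# stand-in for Security::VulnerabilityUUID; the namespace UUID, the '-' join
# format and the parameter order are assumptions for illustration.
module ExampleVulnerabilityUUID
  # Assumed fixed namespace for name-based (version 5) UUIDs. Any stable UUID
  # works, as long as every caller hashes under the same one.
  NAMESPACE = '6ba7b810-9dad-11d1-80b4-00c04fd430c8'.freeze

  # Legacy shape: report_type, primary identifier fingerprint, location
  # fingerprint, project_id. When security_project_tracked_context_id is given
  # it is inserted before project_id, so the context-less name string (and thus
  # the legacy uuid) is unchanged.
  def self.generate(report_type:, primary_identifier_fingerprint:, location_fingerprint:,
                    project_id:, security_project_tracked_context_id: nil)
    parts = [report_type, primary_identifier_fingerprint, location_fingerprint]
    parts << security_project_tracked_context_id unless security_project_tracked_context_id.nil?
    parts << project_id
    uuid_v5(NAMESPACE, parts.join('-'))
  end

  # Wrapper matching the generate_with_context idea from the issue: here the
  # context id is required rather than optional.
  def self.generate_with_context(security_project_tracked_context_id:, **args)
    generate(security_project_tracked_context_id: security_project_tracked_context_id, **args)
  end

  # RFC 4122 version 5 UUID: SHA-1 over namespace bytes || name, truncated to
  # 128 bits, with the version and variant bits set.
  def self.uuid_v5(namespace, name)
    ns_bytes = [namespace.delete('-')].pack('H*')
    bytes = Digest::SHA1.digest(ns_bytes + name.b)[0, 16].bytes
    bytes[6] = (bytes[6] & 0x0f) | 0x50 # version 5
    bytes[8] = (bytes[8] & 0x3f) | 0x80 # RFC 4122 variant
    hex = bytes.pack('C*').unpack1('H*')
    [hex[0, 8], hex[8, 4], hex[12, 4], hex[16, 4], hex[20, 12]].join('-')
  end
end

# Constructed sample: one SAST finding seen on two branches of project 42.
SAMPLE_FINDING = {
  report_type: 'sast',
  primary_identifier_fingerprint: 'e2c1a0f3', # constructed value
  location_fingerprint: '9f8d7c6b',           # constructed value
  project_id: 42
}.freeze

# Returns the legacy uuid plus the context-aware value for each branch context,
# i.e. what an ingestion step would write to uuid and new_uuid respectively.
# The context ids are constructed placeholders.
def example_uuids(main_context_id: 101, feature_context_id: 102)
  {
    legacy: ExampleVulnerabilityUUID.generate(**SAMPLE_FINDING),
    main: ExampleVulnerabilityUUID.generate_with_context(
      security_project_tracked_context_id: main_context_id, **SAMPLE_FINDING
    ),
    feature: ExampleVulnerabilityUUID.generate_with_context(
      security_project_tracked_context_id: feature_context_id, **SAMPLE_FINDING
    )
  }
end

if $PROGRAM_NAME == __FILE__
  example_uuids.each { |context, uuid| puts "#{context}: #{uuid}" }
end
```

Running the file prints three UUIDs: the legacy one and one per branch context. The two branch values differ from each other and from the legacy value, while calling generate without a context yields exactly the legacy value, which is the backward-compatibility property the acceptance criteria ask for.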

Migration Phases

Phase  Issue       Description
1      This issue  Start populating new_uuid for new findings
2      #587798     Backfill new_uuid for existing findings
3      #587799     Add NOT NULL constraint to new_uuid
4      #587800     Transition GitLab to use new_uuid
5      #587801     Drop old uuid column and rename new_uuid

Acceptance Criteria

  • Security::VulnerabilityUUID.generate supports context-aware UUID generation
  • New findings ingested with tracked context have new_uuid populated
  • Findings for the same vulnerability in different branches have different new_uuid values
  • Findings for the same vulnerability in the same branch have the same new_uuid value
  • Existing uuid column behavior is unchanged (backward compatible): calling Security::VulnerabilityUUID.generate without a context must return exactly the value it returns today

Related

  • Related to #587624 (Vulnerability UUID - definition model)
Edited Jan 27, 2026 by Gregory Havenga