Add definition-level UUID generation for vulnerabilities

Summary

This MR implements Phase 1 of the Vulnerability UUID migration to support the definition model transition.

Changes

  • Added generic_vuln_signature_uuid column to vulnerabilities table
  • Extended Security::VulnerabilityUUID with generate_for_vulnerability method that excludes location fingerprint
  • Populates generic_vuln_signature_uuid on vulnerability creation via create services

UUID Composition

The new definition-level UUID (generic_vuln_signature_uuid) includes:

  • Report type
  • Primary identifier fingerprint
  • Project ID

NOT included (unlike Finding UUID):

  • Location fingerprint
  • Security tracked context ID

This allows the same vulnerability type across different locations to share the same generic_vuln_signature_uuid, making it easier to compare vulnerabilities without implementation context.
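As an added illustration of why the two compositions behave differently (not code from this MR or from GitLab's Security::VulnerabilityUUID), the Ruby below models both the finding UUID and generic_vuln_signature_uuid as RFC 4122 version-5 UUIDs over a joined name string; the namespace, field order and sample fingerprints are assumptions.

```ruby
require 'digest'

# Constructed placeholder namespace for this example; GitLab's real namespace is
# not part of this MR description.
EXAMPLE_NAMESPACE = '00000000-0000-0000-0000-000000000000'

# RFC 4122 name-based UUID (version 5: SHA-1 over namespace bytes + name).
def uuid_v5(namespace, name)
  ns_bytes = [namespace.delete('-')].pack('H*')
  bytes = Digest::SHA1.digest(ns_bytes + name.b).bytes.first(16)
  bytes[6] = (bytes[6] & 0x0f) | 0x50 # version nibble = 5
  bytes[8] = (bytes[8] & 0x3f) | 0x80 # RFC 4122 variant
  hex = bytes.pack('C*').unpack1('H*')
  [hex[0, 8], hex[8, 4], hex[12, 4], hex[16, 4], hex[20, 12]].join('-')
end

# Finding-level UUID: the name includes the location fingerprint, so the same
# vulnerability type found at two locations yields two different UUIDs.
def finding_uuid(report_type:, primary_identifier_fingerprint:, location_fingerprint:, project_id:)
  name = [report_type, primary_identifier_fingerprint, location_fingerprint, project_id].join('-')
  uuid_v5(EXAMPLE_NAMESPACE, name)
end

# Definition-level UUID (generic_vuln_signature_uuid): location fingerprint and
# security tracked context are left out, as the MR describes.
def generic_vuln_signature_uuid(report_type:, primary_identifier_fingerprint:, project_id:)
  name = [report_type, primary_identifier_fingerprint, project_id].join('-')
  uuid_v5(EXAMPLE_NAMESPACE, name)
end

# Constructed sample: one SAST rule (same primary identifier) hit in two files
# of the same project. Fingerprints here are made-up strings, not real hashes.
FINDING_A = { report_type: 'sast', primary_identifier_fingerprint: 'deadbeef01',
              location_fingerprint: 'loc-app-models-user', project_id: 42 }.freeze
FINDING_B = FINDING_A.merge(location_fingerprint: 'loc-lib-auth-token').freeze

# Both UUIDs for one finding, so the two behaviours can be compared side by side.
def uuids_for(finding)
  { finding_uuid: finding_uuid(**finding),
    generic_vuln_signature_uuid: generic_vuln_signature_uuid(**finding.except(:location_fingerprint)) }
end

if $PROGRAM_NAME == __FILE__
  a = uuids_for(FINDING_A)
  b = uuids_for(FINDING_B)
  puts "finding uuids differ: #{a[:finding_uuid] != b[:finding_uuid]}"
  puts "generic uuids match:  #{a[:generic_vuln_signature_uuid] == b[:generic_vuln_signature_uuid]}"
end
```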

Migration Phases

| Phase | Issue | Description |
| ----- | ----- | ----------- |
| 1 | #587624 (this MR) | Start populating generic_vuln_signature_uuid for new vulnerabilities |
| 2 | #587802 | Backfill generic_vuln_signature_uuid for existing vulnerabilities |
| 3 | #587803 | Add NOT NULL constraint to generic_vuln_signature_uuid |
| 4 | #587804 | Transition GitLab to use generic_vuln_signature_uuid |
| 5 | #587805 | Drop old uuid column and rename |

Closes #587624

Edited by Gregory Havenga
