Update Vulnerability UUID calculation to exclude location fingerprint for definition model

## Problem

The Vulnerability model is transitioning to a definition model that represents vulnerability types across all contexts (branches/tags), while Vulnerabilities::Finding represents specific instances of that vulnerability in a particular context.

Currently, Vulnerability UUID generation includes the location fingerprint, which is inappropriate for a definition model that should be location-agnostic.

## Background

**UUID composition for Vulnerability (definition - location-agnostic):**

- Report type
- Primary identifier fingerprint
- Project ID

**NOT included** (unlike Finding UUID):

- Location fingerprint
- Security_project_tracked_context_id

This aligns the Vulnerability model with its role as a definition/type rather than a context-specific instance. Multiple Findings (across different branches/locations) can reference the same Vulnerability definition.

## Implementation

This issue covers **Phase 1: Start populating new UUID**

1. Add `new_uuid` column to `vulnerabilities` table (if not present)
2. Update `Security::VulnerabilityUUID` to support definition-level UUID generation (without location fingerprint)
3. Modify Vulnerability creation logic to populate `new_uuid` with definition-level UUID
4. Ensure backward compatibility - existing `uuid` column unchanged

## Migration Phases

| Phase | Issue | Description |
|-------|-------|-------------|
| 1 | This issue | Start populating `new_uuid` for new vulnerabilities |
| 2 | #587802 | Backfill `new_uuid` for existing vulnerabilities |
| 3 | #587803 | Add NOT NULL constraint to `new_uuid` |
| 4 | #587804 | Transition GitLab to use `new_uuid` |
| 5 | #587805 | Drop old `uuid` column and rename `new_uuid` |

## Acceptance Criteria

- [ ] `Security::VulnerabilityUUID` supports definition-level UUID generation (without location)
- [ ] New Vulnerabilities have `new_uuid` populated with definition-level UUID
- [ ] Vulnerabilities for the same type/identifier across different locations have the same `new_uuid`
- [ ] Existing `uuid` column behavior is unchanged (backward compatible)

## Related

- Related to #587625 (Finding UUID - context-aware)
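
The difference between the definition-level and Finding-level UUID described in the Background section, as an added example that is not GitLab's own code. It assumes a name-based (version 5) UUID over a `-`-joined string; the namespace, component order, method names and sample fingerprints are all hypothetical.

```ruby
require "digest"

# Assumption: the RFC 4122 DNS namespace stands in for the application's own namespace.
NAMESPACE = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"

# RFC 4122 version 5 (SHA-1, name-based) UUID using only the standard library.
def uuid_v5(namespace, name)
  digest = Digest::SHA1.digest([namespace.delete("-")].pack("H*") + name.b)
  bytes = digest.bytes.first(16)
  bytes[6] = (bytes[6] & 0x0f) | 0x50 # version 5
  bytes[8] = (bytes[8] & 0x3f) | 0x80 # RFC 4122 variant
  hex = bytes.pack("C*").unpack1("H*")
  [hex[0, 8], hex[8, 4], hex[12, 4], hex[16, 4], hex[20, 12]].join("-")
end

# Reject blank components: a missing value would silently merge unrelated records.
def uuid_name(*parts)
  raise ArgumentError, "blank UUID component" if parts.any? { |p| p.to_s.strip.empty? }
  parts.join("-")
end

# Definition-level: report type, primary identifier fingerprint and project ID only.
# Location and tracked-context keys are accepted and deliberately ignored.
def definition_uuid(report_type:, identifier_fp:, project_id:, **_context)
  uuid_v5(NAMESPACE, uuid_name(report_type, identifier_fp, project_id))
end

# Finding-level: additionally bound to the location and the tracked context.
def finding_uuid(report_type:, identifier_fp:, location_fp:, project_id:, context_id:)
  uuid_v5(NAMESPACE, uuid_name(report_type, identifier_fp, location_fp, project_id, context_id))
end

# Constructed sample findings (fingerprints are made-up strings).
FINDINGS = [
  { report_type: "sast", identifier_fp: "a1b2c3", location_fp: "loc111", project_id: 42, context_id: 1 },
  { report_type: "sast", identifier_fp: "a1b2c3", location_fp: "loc222", project_id: 42, context_id: 2 },
  { report_type: "sast", identifier_fp: "a1b2c3", location_fp: "loc111", project_id: 43, context_id: 1 },
  { report_type: "dependency_scanning", identifier_fp: "a1b2c3", location_fp: "loc111", project_id: 42, context_id: 1 }
].freeze

# Group findings under the definition UUID they would reference.
def group_by_definition(findings)
  findings.group_by { |f| definition_uuid(**f) }
end

group_by_definition(FINDINGS).each { |uuid, fs| puts "#{uuid} <- #{fs.size} finding(s)" }
```

The first two sample findings differ only in location and tracked context, so they keep distinct Finding UUIDs while sharing one definition UUID; a different project or report type yields a separate definition.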