
feat: hot CVE types and version constraint evaluator (SUB-7220)#629

Closed
kooomix wants to merge 5 commits into main from feature/SUB-7074-reason-codes-and-error-field

Conversation

kooomix (Contributor) commented Apr 14, 2026

Superseded by #630 (clean branch with only hot CVE changes).

kooomix and others added 5 commits March 29, 2026 16:33
…ilure

Add structured failure reason codes (enum-like strings) for scan failure
notifications. UNS maps codes to human-friendly text via ReasonFriendlyText()
at render time, so notification wording can change without redeploying scanners.

Changes:
- 12 Reason* constants (sbom_generation_failed, image_too_large, etc.)
- ReasonFriendlyText() maps codes to user-facing notification text
- Error field on ScanFailureReport for raw R&D debugging
- Fix alignment of ImageHash/JobID fields

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Empty string now returns the unexpected error text instead of blank
- Add unit tests: known code, unknown code, empty string, all codes mapped

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Empty codes fall back to unexpected error text. Unknown non-empty codes
are returned as-is for forward-compat with newer scanner versions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add HotCVE, HotCVEAffectedPackage, HotCVEEndpointResponse, and
HotCVEOnFinishedMessage types for hot CVE detection (SUB-7201).
Add HotCVE field to NotificationParams for UNS integration.
Add VersionConstraint with Matches() for evaluating SBOM components
against affected version ranges, with comprehensive tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Compare() returns other.Compare(self), not self.Compare(other).
Comments now accurately describe what cmp > 0 and cmp <= 0 mean.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 14, 2026 07:38
coderabbitai Bot commented Apr 14, 2026

Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

The PR adds data models for representing hot CVE information with affected packages, introduces version constraint matching logic, extends notification parameters with a HotCVE filter option, adds new scan failure reason codes (OOM killed, timeout), and includes corresponding tests for constraint matching and reason code behavior.

Changes

  • Hot CVE Data Models (armotypes/hot_cve.go): Introduces structs for CVE records (HotCVE), affected packages (HotCVEAffectedPackage), endpoint responses (HotCVEEndpointResponse), and Pulsar completion messages (HotCVEOnFinishedMessage). Adds constants for sentinel layer hash and CVE status strings.
  • Notification Parameters (notifications/usernotificationreporttypes.go): Adds optional HotCVE boolean field to NotificationParams struct with JSON and BSON serialization tags for filtering/config purposes.
  • Version Constraint Matching (package_versions/constraint.go, package_versions/constraint_test.go): Introduces VersionConstraint type with Matches() method to evaluate version ranges and exact-match allowlists. Supports inclusive lower bounds, exclusive upper bounds, and exact-match precedence. Includes comprehensive table-driven test coverage.
  • Scan Failure Reason Codes (scanfailure/types.go, scanfailure/types_test.go): Adds two new failure reason constants (ReasonScannerOOMKilled, ReasonScanTimeout). Updates ReasonFriendlyText() to treat empty reason codes as "unexpected_error" while maintaining forward-compatible fallback for unknown codes. Includes test suites validating mappings and consistency.

Estimated code review effort: 3 (Moderate), ~25 minutes

Suggested reviewers

  • matthyx

Poem

🐰 Hot CVEs now hop through the code with care,
Version constraints check their bounds with flair,
When scanners timeout or memory's tight,
New reason codes shine through the night,
A rabbit's delight in each test that's bright! 🔍✨

Pre-merge checks (2 passed, 1 warning)

  • Docstring Coverage: Warning. Docstring coverage is 25.00%, which is insufficient; the required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly summarizes the main additions: hot CVE types and version constraint evaluator, directly corresponding to the primary changes in the changeset.



github-actions Bot: Coverage Report for CI Build 24387005099

Warning: No base build found for commit 9296d34 on main. Coverage changes can't be calculated without a base build. If a base build is processing, this comment will update automatically when it completes.

Coverage: 41.998%

Details

  • Patch coverage: 10 uncovered changes across 1 file (35 of 45 lines covered, 77.78%).
  • Uncovered changes: package_versions/constraint.go (42 lines changed, 32 covered, 76.19%)

Coverage Regressions: requires a base build to compare against.


Coverage Stats

  • Relevant Lines: 4505
  • Covered Lines: 1892
  • Line Coverage: 42.0%
  • Coverage Strength: 6.44 hits per line

💛 - Coveralls

github-actions Bot commented Apr 14, 2026: Coverage Report for CI Build 24387039750

Warning: No base build found for commit 9296d34 on main. Coverage changes can't be calculated without a base build. If a base build is processing, this comment will update automatically when it completes.

Coverage: 41.998%

Details

  • Patch coverage: 10 uncovered changes across 1 file (35 of 45 lines covered, 77.78%).
  • Uncovered changes: package_versions/constraint.go (42 lines changed, 32 covered, 76.19%)

Coverage Regressions: requires a base build to compare against.


Coverage Stats

  • Relevant Lines: 4505
  • Covered Lines: 1892
  • Line Coverage: 42.0%
  • Coverage Strength: 6.03 hits per line

💛 - Coveralls

kooomix closed this Apr 14, 2026

Copilot AI left a comment


Pull request overview

This PR introduces data types and utilities to support “hot CVE” notifications and version-range evaluation, and extends scan-failure reason handling with new reason codes and friendlier text rendering.

Changes:

  • Add new hot CVE API/message structs and related sentinel/status constants.
  • Add VersionConstraint with Matches() implementing exact-match and [Start, End) range semantics using package-type-aware comparisons.
  • Extend scan-failure reason codes + friendly-text mapping, and add test coverage for reason text and version constraint matching.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Summary per file:

  • armotypes/hot_cve.go: Introduces hot CVE feed types, endpoint response type, and UNS “finished” message payload + constants.
  • package_versions/constraint.go: Adds version constraint matcher for exact and range-based constraints.
  • package_versions/constraint_test.go: Adds table-driven tests for VersionConstraint.Matches() across multiple pkg types and semantics.
  • notifications/usernotificationreporttypes.go: Adds HotCVE notification parameter flag.
  • scanfailure/types.go: Adds new scan failure reason codes + friendly text; updates ReasonFriendlyText behavior for empty codes.
  • scanfailure/types_test.go: Adds tests for ReasonFriendlyText and ensures all known codes have non-empty friendly text.


Comment thread armotypes/hot_cve.go
Comment on lines +26 to +42
// HotCVEEndpointResponse is the JSON response from the external hot CVE endpoint
type HotCVEEndpointResponse struct {
Version string `json:"version"`
HotCVEs []HotCVE `json:"hot_cves"`
}

// HotCVEOnFinishedMessage is the Pulsar message published for UNS after batch scan
type HotCVEOnFinishedMessage struct {
CustomerGUID string `json:"customerGUID"`
ClusterName string `json:"clusterName"`
Namespace string `json:"namespace"`
Kind string `json:"kind"`
WorkloadName string `json:"workloadName"`
CVEId string `json:"cveId"`
Severity string `json:"severity"`
Components []string `json:"components"`
}
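Review bot: Severity on HotCVEOnFinishedMessage is a free-form string with no documented set of accepted values, even though the walkthrough says this file adds constants for CVE status strings; consider a named type or a doc comment listing the severities UNS can expect, so the notification renderer does not have to guess at casing or spelling. The HotCVEEndpointResponse doc comment should also say what Version denotes (feed schema version or feed data version), because a consumer parsing an external endpoint will want to reject schema versions it does not understand rather than silently decode them.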

Copilot AI Apr 14, 2026


PR description says the hot CVE types have JSON/BSON tags, but HotCVEEndpointResponse and HotCVEOnFinishedMessage currently have only JSON tags (no BSON). If these structs may be stored/read from Mongo anywhere, add bson tags for consistency; otherwise, update the PR description to reflect that only some structs are BSON-tagged.

Comment thread armotypes/hot_cve.go
Namespace string `json:"namespace"`
Kind string `json:"kind"`
WorkloadName string `json:"workloadName"`
CVEId string `json:"cveId"`

Copilot AI Apr 14, 2026


Field name CVEId doesn’t follow the Go initialism convention used elsewhere in the repo (e.g., CVEID, GUID, ID). Consider renaming it to CVEID while keeping the JSON tag cveId unchanged, to improve consistency and avoid confusion for Go callers.

Suggested change
CVEId string `json:"cveId"`
CVEID string `json:"cveId"`

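The exact-match precedence and [Start, End) range semantics described in the review above, together with the Compare() argument-order pitfall from the commit log, written out as an added Go example; this is not the project's package_versions code, and compareVersions is an assumed plain dotted-numeric comparison standing in for the package-type-aware one the PR uses.

```go
package main

import (
	"strconv"
	"strings"
)

// VersionConstraint is an example type (not the project's): Exact wins, else [Start, End).
type VersionConstraint struct {
	Exact []string // exact-match allowlist, takes precedence over the range
	Start string   // inclusive lower bound, "" = unbounded
	End   string   // exclusive upper bound, "" = unbounded
}

// Matches reports whether v satisfies c. The bound checks assume compareVersions(v, bound) has
// the sign of v minus bound; the PR's own fix was needed because Compare() returned other.Compare(self).
func (c VersionConstraint) Matches(v string) bool {
	if len(c.Exact) > 0 {
		for _, e := range c.Exact {
			if compareVersions(v, e) == 0 {
				return true
			}
		}
		return false // an allowlist is given and nothing matched; the range is ignored
	}
	below := c.Start != "" && compareVersions(v, c.Start) < 0 // inclusive lower bound
	past := c.End != "" && compareVersions(v, c.End) >= 0     // exclusive upper bound
	return !below && !past
}

// compareVersions orders dotted numeric versions ("1.2" == "1.2.0"): <0, 0 or >0. Assumption:
// it stands in for the package-type-aware (semver, deb, rpm) comparison a real matcher needs.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for len(as) < len(bs) {
		as = append(as, "0")
	}
	for len(bs) < len(as) {
		bs = append(bs, "0")
	}
	for i := range as {
		x, _ := strconv.Atoi(as[i]) // non-numeric segment parses as 0 (assumption)
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			return x - y
		}
	}
	return 0
}
```

Flipping the sign convention of compareVersions would silently turn the inclusive lower bound into an exclusive upper one and vice versa, which is why the sign must be pinned down in a test rather than only in a comment.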