Skip to content

feat: extend Remediation model for Trustify v3 version ranges#113

Merged
ruromero merged 1 commit into
mainfrom
TC-4521
Jun 26, 2026
Merged

feat: extend Remediation model for Trustify v3 version ranges#113
ruromero merged 1 commit into
mainfrom
TC-4521

Conversation

@ruromero

@ruromero ruromero commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Add VersionRange schema to represent Trustify v3's structured version range data (Full, Left, Right, Unbounded variants)
  • Add RemediationCategory enum (VENDOR_FIX, WORKAROUND, MITIGATION, NO_FIX_PLANNED, NONE_AVAILABLE, WILL_NOT_FIX)
  • Add RemediationInfo schema with category, details, and URL fields
  • Extend Remediation with optional remediations and versionRanges arrays
  • Preserve existing fixedIn field for backward compatibility
  • Bump API model version from 5.2.0 to 5.3.0

Jira

TC-4521

Test plan

  • OpenAPI spec validates with Redocly CLI
  • Generated Java model classes compile (mvn clean verify)
  • Generated JavaScript/TypeScript model classes build
  • Existing fixedIn field preserved in generated Remediation class
  • New RemediationCategory, RemediationInfo, VersionRange classes generated

🤖 Generated with Claude Code

Summary by Sourcery

Extend the remediation schema and versioning to support structured remediation and version range data from vulnerability advisories.

New Features:

  • Add detailed remediation entries and affected version ranges to the Remediation schema to capture advisory metadata.
  • Introduce RemediationCategory and RemediationInfo schemas for categorizing and describing remediation actions.
  • Introduce a VersionRange schema to represent structured affected version range information.

Build:

  • Bump API model version from 5.2.0 to 5.3.0 in the OpenAPI specification.

Add VersionRange, RemediationCategory, and RemediationInfo schemas
to represent Trustify v3's structured remediation data. The existing
fixedIn field is preserved for backward compatibility.

Bump API model version from 5.2.0 to 5.3.0.

Ref: TC-4521

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sourcery-ai

sourcery-ai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Reviewer's Guide

Extends the v5 OpenAPI remediation schema to carry structured remediation metadata and Trustify v3-style version range information, and bumps the API model version from 5.2.0 to 5.3.0.

File-Level Changes

Change Details Files
Extend the Remediation schema with structured remediation and version range data while keeping existing fixedIn for backward compatibility.
  • Added optional remediations array on Remediation referencing a new RemediationInfo schema for structured advisory remediation details including category, details, and URL.
  • Added optional versionRanges array on Remediation referencing a new VersionRange schema to represent affected version ranges from Trustify v3, including scheme and low/high bounds with inclusivity flags.
  • Introduced RemediationCategory enum to normalize remediation action types such as VENDOR_FIX, WORKAROUND, and WILL_NOT_FIX while keeping existing fixedIn field unchanged.
api/v5/openapi.yaml
Version bump of the v5 OpenAPI specification for the remediation model change.
  • Incremented OpenAPI info.version from 5.2.0 to 5.3.0 to reflect the extended remediation model.
api/v5/openapi.yaml

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.00%. Comparing base (02571f6) to head (bd0ab48).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff            @@
##               main     #113   +/-   ##
=========================================
  Coverage     95.00%   95.00%           
  Complexity       35       35           
=========================================
  Files             4        4           
  Lines           100      100           
  Branches          9        9           
=========================================
  Hits             95       95           
  Misses            4        4           
  Partials          1        1           
Flag Coverage Δ
unit-tests 95.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 2 issues, and left some high level feedback:

  • Consider marking required properties explicitly on the new schemas (e.g., RemediationInfo and VersionRange) so consumers can rely on which fields are always present rather than inferring this from descriptions.
  • The VersionRange description references different variants (Full/Left/Right/Unbounded) but the schema itself doesn’t encode which variant is in use; consider adding a type discriminator or clarifying how clients should distinguish these cases programmatically.
  • For RemediationCategory, if future categories are expected, you may want to document that clients should handle unknown enum values gracefully or use a more extensible pattern to avoid breaking changes.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Consider marking required properties explicitly on the new schemas (e.g., `RemediationInfo` and `VersionRange`) so consumers can rely on which fields are always present rather than inferring this from descriptions.
- The `VersionRange` description references different variants (Full/Left/Right/Unbounded) but the schema itself doesn’t encode which variant is in use; consider adding a `type` discriminator or clarifying how clients should distinguish these cases programmatically.
- For `RemediationCategory`, if future categories are expected, you may want to document that clients should handle unknown enum values gracefully or use a more extensible pattern to avoid breaking changes.

## Individual Comments

### Comment 1
<location path="api/v5/openapi.yaml" line_range="580-582" />
<code_context>
+        details:
+          type: string
+          description: Human-readable remediation details
+        url:
+          type: string
+          description: URL with more information about the remediation
+    VersionRange:
+      type: object
</code_context>
<issue_to_address>
**suggestion:** Consider adding a `format: uri` constraint for remediation URLs.

Using `format: uri` for `RemediationInfo.url` will improve client type-safety and OpenAPI-based validation while remaining backward compatible.

```suggestion
        url:
          type: string
          format: uri
          description: URL with more information about the remediation
```
</issue_to_address>

### Comment 2
<location path="api/v5/openapi.yaml" line_range="587-589" />
<code_context>
+      type: object
+      description: Affected version range from a vulnerability advisory. Fields present depend on the range type - Full (all fields), Left (scheme and low bound), Right (scheme and high bound), or Unbounded (empty).
+      properties:
+        versionSchemeId:
+          type: string
+          description: Version scheme identifier (e.g. semver, rpm, generic)
+        lowVersion:
+          type: string
</code_context>
<issue_to_address>
**suggestion:** Version scheme identifiers might benefit from a more constrained type.

`versionSchemeId` is currently an unconstrained string with only descriptive examples. If the set of schemes is relatively stable, consider using an enum (or at least an `enum`/`pattern` constraint in the schema) so clients can validate and branch on this value reliably.

Suggested implementation:

```
      properties:
        versionSchemeId:
          type: string
          description: Version scheme identifier. Supported values: `semver`, `rpm`, `generic`.
          enum:
            - semver
            - rpm
            - generic

        remediations:
          type: array
          description: Detailed remediation information from vulnerability advisories
          items:
            $ref: '#/components/schemas/RemediationInfo'

```

```
        versionRanges:
          type: array
          description: Affected version ranges from vulnerability advisories
          items:
            $ref: '#/components/schemas/VersionRange'

```
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread api/v5/openapi.yaml
Comment thread api/v5/openapi.yaml
@ruromero

Copy link
Copy Markdown
Collaborator Author

[sdlc-workflow/verify-pr] Re: @sourcery-ai review

Classified 3 suggestions:

  • review-body-4554094020-1: suggestion — Mark required properties on new schemas
  • review-body-4554094020-2: suggestion — Add type discriminator for VersionRange
  • review-body-4554094020-3: suggestion — Document unknown enum value handling

None upgraded to code change requests (no matching CONVENTIONS.md rules or codebase patterns).

@ruromero

ruromero commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

Verification Report — TC-4521

Task: TC-4521 — Extend Remediation model for Trustify v3 version ranges
PR: #113 (TC-4521main)
Overall Verdict: ✅ PASS

Verdicts

Check Verdict Summary
Scope Containment ✅ PASS PR modifies exactly the file specified: api/v5/openapi.yaml
Diff Size ✅ PASS 52 additions / 1 deletion — proportionate for 3 new schemas + version bump
Commit Traceability ✅ PASS Single commit references TC-4521
Sensitive Patterns ✅ PASS No secrets or credentials detected
CI Status ✅ PASS All 7 CI checks pass
Acceptance Criteria ✅ PASS All 4 criteria satisfied
Verification Commands ✅ PASS Redocly lint valid (2 pre-existing warnings unrelated to this PR)
Test Quality — N/A No test files in PR
Test Change Classification — N/A No test files in PR

Review Feedback

5 items classified from sourcery-ai — all as suggestion, none upgraded:

ID Classification Summary
3460426247 suggestion format: uri for RemediationInfo.url — existing sourceUrl field uses plain type: string
3460426265 suggestion Enum for versionSchemeId — values are open-ended from external advisories
review-body-1 suggestion Required properties — 20+ schemas in spec omit required
review-body-2 suggestion Type discriminator — no discriminator usage in spec
review-body-3 suggestion Unknown enum handling — no existing pattern for this

Acceptance Criteria Detail

  1. VersionRange defined with 5 fields: versionSchemeId, lowVersion, lowInclusive, highVersion, highInclusive
  2. RemediationCategory enum: VENDOR_FIX, WORKAROUND, MITIGATION, NO_FIX_PLANNED, NONE_AVAILABLE, WILL_NOT_FIX
  3. RemediationInfo with category ($ref), details, url
  4. Remediation extended with remediations and versionRanges arrays; fixedIn preserved

Sub-Tasks Created

None — all checks passed.


This report was AI-generated by sdlc-workflow/verify-pr v0.11.0.

@ruromero ruromero merged commit e5d5f5d into main Jun 26, 2026
7 checks passed
@ruromero ruromero deleted the TC-4521 branch June 26, 2026 14:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants