feat(backend): finding analysis functionality

Author: taleodor

backend/src/main/java/io/reliza/common/CommonVariables.java

@@ -403,7 +403,8 @@ public enum TableName {
 		USER_GROUPS("user_groups"),
 		VARIANTS("variants"),
 		VCS_REPOSITORIES("vcs_repositories"),
-		VERSION_ASSIGNMENTS("version_assignments")
+		VERSION_ASSIGNMENTS("version_assignments"),
+		VULN_ANALYSIS("vuln_analysis")
 		;
 
 		private String name;

backend/src/main/java/io/reliza/common/Utils.java

@@ -600,4 +600,36 @@ public static SeveritySourceDto createSeveritySourceDto(String vulnId, Vulnerabi
 
 		return new SeveritySourceDto(source, severity);
 	}
+	
+	/**
+	 * Minimizes a PURL by stripping all qualifiers while keeping the core components
+	 * (type, namespace, name, version, subpath).
+	 * 
+	 * @param purl The PURL string to minimize
+	 * @return Minimized PURL string without qualifiers, or null if input is null or invalid
+	 */
+	public static String minimizePurl(String purl) {
+		if (purl == null || purl.isEmpty()) {
+			return null;
+		}
+		
+		try {
+			// Parse the PURL
+			PackageURL packageUrl = new PackageURL(purl);
+			
+			// Build a new PURL with the same components but without qualifiers
+			PackageURLBuilder builder = PackageURLBuilder.aPackageURL()
+					.withType(packageUrl.getType())
+					.withNamespace(packageUrl.getNamespace())
+					.withName(packageUrl.getName())
+					.withVersion(packageUrl.getVersion())
+					.withSubpath(packageUrl.getSubpath());
+			// Note: Not setting qualifiers - they will be empty
+			
+			return builder.build().toString();
+		} catch (MalformedPackageURLException e) {
+			log.warn("Failed to parse PURL for minimization: {}", purl, e);
+			return null;
+		}
+	}
 }

backend/src/main/java/io/reliza/model/AnalysisJustification.java

@@ -0,0 +1,21 @@
+/**
+* Copyright Reliza Incorporated. 2019 - 2025. Licensed under the terms of AGPL-3.0-only.
+*/
+
+package io.reliza.model;
+
+/**
+ * Analysis justification enum based on CycloneDX 1.7 specification
+ * https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_analysis_justification
+ */
+public enum AnalysisJustification {
+	CODE_NOT_PRESENT,
+	CODE_NOT_REACHABLE,
+	REQUIRES_CONFIGURATION,
+	REQUIRES_DEPENDENCY,
+	REQUIRES_ENVIRONMENT,
+	PROTECTED_BY_COMPILER,
+	PROTECTED_AT_RUNTIME,
+	PROTECTED_AT_PERIMETER,
+	PROTECTED_BY_MITIGATING_CONTROL
+}

backend/src/main/java/io/reliza/model/AnalysisScope.java

@@ -0,0 +1,13 @@
+/**
+* Copyright Reliza Incorporated. 2019 - 2025. Licensed under the terms of AGPL-3.0-only.
+*/
+
+package io.reliza.model;
+
+public enum AnalysisScope {
+	ORG,
+	RESOURCE_GROUP,
+	COMPONENT,
+	BRANCH,
+	RELEASE
+}

backend/src/main/java/io/reliza/model/AnalysisState.java

@@ -0,0 +1,12 @@
+/**
+* Copyright Reliza Incorporated. 2019 - 2025. Licensed under the terms of AGPL-3.0-only.
+*/
+
+package io.reliza.model;
+
+public enum AnalysisState {
+	EXPLOITABLE,
+	IN_TRIAGE,
+	FALSE_POSITIVE,
+	NOT_AFFECTED
+}

backend/src/main/java/io/reliza/model/FindingType.java

@@ -0,0 +1,11 @@
+/**
+* Copyright Reliza Incorporated. 2019 - 2025. Licensed under the terms of AGPL-3.0-only.
+*/
+
+package io.reliza.model;
+
+public enum FindingType {
+	VULNERABILITY,
+	VIOLATION,
+	WEAKNESS
+}

backend/src/main/java/io/reliza/model/LocationType.java

@@ -0,0 +1,10 @@
+/**
+* Copyright Reliza Incorporated. 2019 - 2025. Licensed under the terms of AGPL-3.0-only.
+*/
+
+package io.reliza.model;
+
+public enum LocationType {
+	PURL,
+	CODE_POINT
+}

backend/src/main/java/io/reliza/model/VulnAnalysis.java

@@ -0,0 +1,99 @@
+/**
+* Copyright Reliza Incorporated. 2019 - 2025. Licensed under the terms of AGPL-3.0-only.
+*/
+
+package io.reliza.model;
+
+import java.io.Serializable;
+import java.time.ZonedDateTime;
+import java.util.Map;
+import java.util.UUID;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.Table;
+
+import org.hibernate.annotations.Type;
+
+import io.hypersistence.utils.hibernate.type.json.JsonBinaryType;
+
+@Entity
+@Table(schema=ModelProperties.DB_SCHEMA, name="vuln_analysis")
+public class VulnAnalysis implements Serializable, RelizaEntity {
+	private static final long serialVersionUID = 234735;
+	
+	@Id
+	private UUID uuid = UUID.randomUUID();
+	
+	@Column(nullable = false)
+	private int revision=0;
+	
+	@Column(nullable = false)
+	private int schemaVersion=0;
+
+	@Column(nullable = false)
+	private ZonedDateTime createdDate = ZonedDateTime.now();
+	
+	@Column(nullable = false)
+	private ZonedDateTime lastUpdatedDate = ZonedDateTime.now();
+	
+	@Type(JsonBinaryType.class)
+	@Column(columnDefinition = ModelProperties.JSONB)
+	private Map<String,Object> recordData;
+	
+	@Override
+	public UUID getUuid() {
+		return uuid;
+	}
+
+	public void setUuid(UUID uuid) {
+		this.uuid = uuid;
+	}
+
+	@Override
+	public int getRevision() {
+		return revision;
+	}
+
+	public void setRevision(int revision) {
+		this.revision = revision;
+	}
+
+	@Override
+	public ZonedDateTime getCreatedDate() {
+		return createdDate;
+	}
+
+	public void setCreatedDate(ZonedDateTime createdDate) {
+		this.createdDate = createdDate;
+	}
+
+	@Override
+	public ZonedDateTime getLastUpdatedDate() {
+		return lastUpdatedDate;
+	}
+
+	public void setLastUpdatedDate(ZonedDateTime lastUpdatedDate) {
+		this.lastUpdatedDate = lastUpdatedDate;
+	}
+
+	@Override
+	public Map<String, Object> getRecordData() {
+		return recordData;
+	}
+
+	@Override
+	public void setRecordData(Map<String, Object> recordData) {
+		this.recordData = recordData;
+	}
+
+	@Override
+	public int getSchemaVersion() {
+		return schemaVersion;
+	}
+
+	public void setSchemaVersion(int schemaVersion) {
+		this.schemaVersion = schemaVersion;
+	}
+}