RHINENG-21786: add severity name to advisory related APIs #2098

Open
MichaelMraka wants to merge 6 commits into RedHatInsights:master from MichaelMraka:pr1
@MichaelMraka MichaelMraka commented Mar 9, 2026

Secure Coding Practices Checklist GitHub Link

Secure Coding Checklist

  • Input Validation
  • Output Encoding
  • Authentication and Password Management
  • Session Management
  • Access Control
  • Cryptographic Practices
  • Error Handling and Logging
  • Data Protection
  • Communication Security
  • System Configuration
  • Database Security
  • File Management
  • Memory Management
  • General Coding Practices

Summary by Sourcery

Add severity name support and JSONB-backed list fields to advisory-related APIs while simplifying advisory metadata lookups and exports.

New Features:

  • Expose advisory severity name in list, detail, system advisories, and export APIs, with optional filtering by severity name.

Enhancements:

  • Refactor advisory metadata access to query severity and advisory type names directly via joins instead of in-memory lookup tables.
  • Store advisory CVEs, packages, and release versions as JSONB slices in the database and API models, removing custom JSON parsing helpers.
  • Simplify unnotified advisory retrieval by selecting full advisory metadata in a single database query.
  • Align VMaaS errata structures and sync logic with non-pointer slice fields for lists like CVEs, references, and release versions.

Build:

  • Add GORM datatypes and MySQL-related dependencies required for JSONB slice handling.

Tests:

  • Update advisory sync, advisory detail, and export tests to reflect JSONB-backed list fields and new severity name column in CSV and API outputs.
  • Adjust database setup tests to validate only remaining advisory type configuration.

@MichaelMraka MichaelMraka requested a review from a team as a code owner March 9, 2026 15:08
sourcery-ai bot commented Mar 9, 2026

Reviewer's Guide

Adds severity name support and JSONB-backed list fields to advisory-related APIs, simplifying DB models and queries while exposing new filtering/export capabilities and cleaning up legacy parsing logic.

File-Level Changes

Change: Refactor advisory detail retrieval to query advisory metadata directly with joined severity and type names and JSONB list fields.
Details:
  • Change AdvisoryDetailAttributes to map directly to advisory_metadata, including new SeverityName, JSONB-backed Cves/ReleaseVersions/Packages, and swagger tags
  • Use AdvisoryDetailAttributes as the GORM model, joining advisory_severity and advisory_type to select severity_name and advisory_type_name
  • Remove helper JSON parsing and package parsing functions and return advisoryName as the resource ID
Files:
  • manager/controllers/advisory_detail.go
  • manager/controllers/advisory_detail_test.go
  • base/models/models.go

Change: Extend advisory listing and export APIs to include severity_name and use JSONB release_versions, plus adjust system advisory queries and exports.
Details:
  • Add SeverityName to AdvisoryItemAttributesCommon with proper CSV/query/gorm tags and update release_versions to use RelList/JSONB with swagger metadata
  • Join advisory_severity in advisory list and tagged queries and system advisories query; add severity_name filter annotations to swagger for advisories, system advisories, and their export endpoints
  • Remove fillAdvisoryItemAttributeReleaseVersion helper and related JSON parsing utilities; update CSV export expectations and headers to include severity_name
Files:
  • manager/controllers/advisories.go
  • manager/controllers/advisories_export.go
  • manager/controllers/advisories_export_test.go
  • manager/controllers/system_advisories.go
  • manager/controllers/system_advisories_export.go
  • manager/controllers/system_advisories_export_test.go
  • manager/controllers/utils.go

Change: Simplify VMaaS errata model and sync logic to work with concrete slice types and GORM JSONSlice for stored JSONB fields.
Details:
  • Change ErrataResponseErrataList slice pointer fields to non-pointer slices for references, CVEs, Bugzilla, packages, source packages, and release versions
  • Update vmaasData2AdvisoryMetadata to assign datatypes.JSONSlice values directly from VMaaS data for CveList, PackageData, and ReleaseVersions instead of manual JSON marshaling
  • Adjust tests to validate datatypes.JSONSlice values and updated field shapes
Files:
  • base/vmaas/vmaas.go
  • tasks/vmaas_sync/advisory_sync.go
  • tasks/vmaas_sync/advisory_sync_test.go

Change: Remove global advisory type name cache and use DB joins instead, including for notification advisory lookup.
Details:
  • Delete AdvisoryTypes map loading from database setup and its associated test assertion
  • Update getUnnotifiedAdvisories to select advisory fields (id, name, type name, synopsis) directly from joined advisory_metadata and advisory_type into ntf.Advisory slice, dropping the in-memory join using newAdvs and AdvisoryTypes
Files:
  • base/database/setup.go
  • base/database/setup_test.go
  • evaluator/notifications.go

Change: Introduce GORM datatypes and driver dependencies to support JSONB and relational list handling.
Details:
  • Define RelList as a datatypes.JSONSlice-backed type with String, Value, and Scan to integrate with SQL/GORM for release_versions
  • Import and require gorm.io/datatypes, gorm.io/driver/mysql, filippo.io/edwards25519, and github.com/go-sql-driver/mysql in go.mod/go.sum
Files:
  • manager/controllers/system_advisories.go
  • go.mod
  • go.sum


github-actions bot commented Mar 9, 2026

SC Environment Impact Assessment

Overall Impact: NONE

No SC Environment-specific impacts detected in this PR.

What was checked

This PR was automatically scanned for:

  • Database migrations
  • ClowdApp configuration changes
  • Kessel integration changes
  • AWS service integrations (S3, RDS, ElastiCache)
  • Kafka topic changes
  • Secrets management changes
  • External dependencies

@sourcery-ai sourcery-ai bot left a comment


Hey - I've found 2 issues, and left some high level feedback:

  • In `AdvisoryDetailAttributes`, fields `Topic` and `Severity` are populated via `am.*` but their names don’t match the underlying column names (`summary`, `severity_id`), so you should add explicit `gorm:"column:summary"` and `gorm:"column:severity_id"` tags (otherwise they’ll always be zero-valued).
  • In `buildSystemAdvisoriesQuery` you join `advisory_severity` with `LEFT JOIN advisory_severity sev ON sa.advisory_id = sev.id`, which looks incorrect – this should likely join on the advisory’s severity ID (e.g. `am.severity_id = sev.id`) rather than the advisory ID, otherwise the severity name will be wrong or null.
Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="manager/controllers/advisory_detail.go" line_range="36-40" />
<code_context>
+	Description      string                      `json:"description"`
+	ModifiedDate     *time.Time                  `json:"modified_date"`
+	PublicDate       *time.Time                  `json:"public_date"`
+	Topic            string                      `json:"topic" query:"summary"`
+	Synopsis         string                      `json:"synopsis"`
+	Solution         *string                     `json:"solution"`
+	AdvisoryTypeName string                      `json:"advisory_type_name"`
+	Severity         *int                        `json:"severity" query:"severity_id"`
+	SeverityName     *string                     `json:"severity_name,omitempty"`
+	Fixes            *string                     `json:"fixes"`
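Review bot: `SeverityName` carries `omitempty` in its JSON tag while the other nullable pointer fields visible here (`Solution`, `Severity`, `Fixes`) do not, so an advisory with no severity returns `"severity": null` but omits the `severity_name` key altogether. Either drop `omitempty` so both severity fields appear as `null` together, or state in the API documentation that a missing `severity_name` means the advisory has no severity, so clients do not have to handle two different shapes without being told.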
</code_context>
<issue_to_address>
**issue (bug_risk):** The `Topic` and `Severity` fields will not be populated correctly from `am.*` due to column name mismatches.

In `getAdvisoryFromDB`, selecting `am.*` into `AdvisoryDetailAttributes` relies on GORM’s default snake_case mapping. Since the DB columns are `summary` and `severity_id` but the struct fields are `Topic` and `Severity`, GORM will look for `topic` and `severity` columns instead, leaving `summary`/`severity_id` unused and changing behavior from the previous explicit mapping.

To preserve correct values, add explicit column tags, e.g.:

```go
Topic    string  `json:"topic" query:"summary" gorm:"column:summary"`
Severity *int    `json:"severity" query:"severity_id" gorm:"column:severity_id"`
```

or rename the fields to match the DB columns.
</issue_to_address>

### Comment 2
<location path="manager/controllers/system_advisories.go" line_range="29-32" />
<code_context>
 }

-type RelList []string
+type RelList datatypes.JSONSlice[string]

 type SystemAdvisoriesDBLookup struct {
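Review bot: `type RelList datatypes.JSONSlice[string]` is a defined type rather than an alias, so `RelList` does not inherit any methods declared on `datatypes.JSONSlice[string]`, and its database read and write behaviour depends entirely on methods declared on `RelList` itself. Add a comment on the type listing the methods it has to implement for its database column, and cover a store-and-load round trip in a test so a missing method shows up there instead of at query time.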
</code_context>
<issue_to_address>
**issue (bug_risk):** RelList.String currently won’t compile because it passes a custom type to `strings.Join` without conversion.

With `RelList` now defined as `datatypes.JSONSlice[string]`, it’s no longer directly assignable to `[]string`, so `strings.Join(v, ",")` won’t compile. Convert explicitly:

```go
func (v RelList) String() string {
    return strings.Join([]string(v), ",")
}
```
</issue_to_address>


codecov-commenter commented Mar 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.13%. Comparing base (4c3a143) to head (f4638b9).

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2098      +/-   ##
==========================================
- Coverage   59.40%   59.13%   -0.27%     
==========================================
  Files         134      134              
  Lines        8707     8640      -67     
==========================================
- Hits         5172     5109      -63     
- Misses       2989     2996       +7     
+ Partials      546      535      -11     
Flag Coverage Δ
unittests 59.13% <100.00%> (-0.27%) ⬇️


@MichaelMraka MichaelMraka force-pushed the pr1 branch 2 times, most recently from 24dd3c0 to 49c2b32 Compare March 9, 2026 15:33
@MichaelMraka MichaelMraka requested a review from Dugowitch March 9, 2026 15:34
@MichaelMraka MichaelMraka force-pushed the pr1 branch 2 times, most recently from ae1b52c to 67b910f Compare March 9, 2026 15:57
@TenSt TenSt self-assigned this Mar 10, 2026
@MichaelMraka MichaelMraka enabled auto-merge (rebase) March 10, 2026 12:09

@Dugowitch Dugowitch left a comment


Apart from the mysql driver, looks good to me 👍

@MichaelMraka

/retest

@MichaelMraka

/retest
