feat: vulnerabilities db migrations#1725

Open
epipav wants to merge 4 commits into main from feat/vulnerabilities-db-migration
Conversation

@epipav
Collaborator

@epipav epipav commented Mar 5, 2026

No description provided.

Copilot AI review requested due to automatic review settings March 5, 2026 15:05
Signed-off-by: anil <epipav@gmail.com>
Contributor

Copilot AI left a comment

Pull request overview

This PR adds a new database migration to create tables for tracking vulnerability scans and their findings. It introduces two new enum types (vulnerability_severity, vulnerability_status), a vulnerability_scans table for scan metadata, and a vulnerabilities table for individual vulnerability records linked to scans.

Changes:

  • Creates vulnerability_severity and vulnerability_status enum types for type-safe status/severity tracking
  • Creates vulnerability_scans table with scan metadata (repo URL, timing, counts, scanner version)
  • Creates vulnerabilities table with detailed vulnerability data (CVEs, severity, package info, status) with a unique constraint on (repo_url, vulnerability_id, package_name, source_path) and comprehensive indexing

CREATE TABLE IF NOT EXISTS vulnerabilities (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
repo_url TEXT NOT NULL,
scan_id UUID NOT NULL REFERENCES vulnerability_scans(id),
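Review bot: repo_url is stored on both tables here; scan_id already points at a vulnerability_scans row that carries its own repo_url, so the two copies can silently disagree. If the duplication is deliberate (to give the UNIQUE key and the repo_url-leading indexes a local column), say so in a comment on the column and add a check, either a trigger or an application-side assertion, that vulnerabilities.repo_url matches the parent scan's repo_url.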

Copilot AI Mar 5, 2026

The foreign key on scan_id is missing an ON DELETE CASCADE clause. Both existing foreign key references in this codebase use ON DELETE CASCADE (see V1749123250__initial.sql:9 and V1759927411__createChatResponseAgentStepsTable.sql:21). Without it, attempting to delete a vulnerability_scans row that has associated vulnerabilities rows will fail with a foreign key violation error, and there's no way to clean up scan data without first manually deleting all related vulnerability rows.

Suggested change
scan_id UUID NOT NULL REFERENCES vulnerability_scans(id),
scan_id UUID NOT NULL REFERENCES vulnerability_scans(id) ON DELETE CASCADE,

UNIQUE(repo_url, vulnerability_id, package_name, source_path)
);

CREATE INDEX idx_vulnerabilities_repo_url ON vulnerabilities(repo_url);
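Review bot: the UNIQUE(repo_url, vulnerability_id, package_name, source_path) constraint is itself backed by a unique index whose leading column is repo_url, so idx_vulnerabilities_repo_url duplicates that index as well. Separately, if source_path is nullable, PostgreSQL treats NULLs as distinct in UNIQUE constraints, so two rows for the same repo_url, vulnerability_id and package_name with a NULL source_path will both be accepted; either declare source_path NOT NULL (with an empty string for "no path") or declare the constraint UNIQUE NULLS NOT DISTINCT (PostgreSQL 15+).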

Copilot AI Mar 5, 2026

The idx_vulnerabilities_repo_url index is redundant because both idx_vulnerabilities_repo_severity_status and idx_vulnerabilities_repo_status have repo_url as the leading column and can efficiently serve queries that filter only on repo_url. This extra index adds unnecessary write overhead (inserts/updates/deletes must maintain it) without providing query benefits. Consider removing it.

Suggested change
CREATE INDEX idx_vulnerabilities_repo_url ON vulnerabilities(repo_url);

Comment on lines +3 to +9

CREATE TABLE IF NOT EXISTS vulnerability_scans (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
repo_url TEXT NOT NULL,
ran_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
duration_ms INT NOT NULL DEFAULT 0,
status TEXT NOT NULL DEFAULT 'running',
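Review bot: ran_at has DEFAULT CURRENT_TIMESTAMP but no NOT NULL, so an explicit NULL on insert is still accepted; add NOT NULL so every scan row carries a start time. Also, duration_ms INT NOT NULL DEFAULT 0 makes a scan that is still 'running' indistinguishable from a completed scan that took 0 ms; consider leaving duration_ms nullable until the scan finishes, or recording a finished_at timestamp and deriving the duration from it.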

Copilot AI Mar 5, 2026

The status column on vulnerability_scans uses unconstrained TEXT, allowing any arbitrary string value. This codebase has a pattern of constraining such fields — for example, security_audit_logs uses a CHECK constraint for its event_type column (see V1770789662__createSecurityAuditLogsTable.sql:11), and this very migration defines enums for the vulnerabilities table. Consider either creating a dedicated enum type for scan status (e.g., vulnerability_scan_status with values like 'RUNNING', 'COMPLETED', 'FAILED') or adding a CHECK constraint to restrict the allowed values.

Suggested change
CREATE TABLE IF NOT EXISTS vulnerability_scans (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
repo_url TEXT NOT NULL,
ran_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
duration_ms INT NOT NULL DEFAULT 0,
status TEXT NOT NULL DEFAULT 'running',
CREATE TYPE vulnerability_scan_status AS ENUM ('RUNNING', 'COMPLETED', 'FAILED');
CREATE TABLE IF NOT EXISTS vulnerability_scans (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
repo_url TEXT NOT NULL,
ran_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
duration_ms INT NOT NULL DEFAULT 0,
status vulnerability_scan_status NOT NULL DEFAULT 'RUNNING',
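Review bot: the suggested CREATE TYPE vulnerability_scan_status line is not re-runnable: PostgreSQL's CREATE TYPE has no IF NOT EXISTS form, so unlike the CREATE TABLE IF NOT EXISTS on the next line it fails if the type already exists (e.g. a replayed or partially applied migration). Guard it with a DO block that checks pg_type, or document that the migration tool's once-only semantics are relied upon. The suggestion also changes the default from 'running' to 'RUNNING', which changes the value any existing application code writes or compares against; that code needs to be updated in the same change.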

@epipav epipav requested a review from mbani01 March 5, 2026 15:11
epipav added 3 commits March 5, 2026 17:18
Signed-off-by: anil <epipav@gmail.com>
Signed-off-by: anil <epipav@gmail.com>