
chore(sca): report advisory id in CVE reachability telemetry#18188

Open
avara1986 wants to merge 7 commits into
mainfrom
avara1986/APPSEC-62187_runtime_sca

Conversation

@avara1986
Member

@avara1986 avara1986 commented May 20, 2026

Description

Switches the SCA loader to emit the top-level id field (the advisory id, e.g. GHSA-652x-xj99-gmcc) in reachability telemetry instead of the inner vulnerability.id (the underlying CVE number, e.g. CVE-2024-35195). The wire contract requires the advisory id so consumers can dedupe across CVE mappings — multiple CVEs can map to the same advisory and vice versa.

Additional Notes

  • Ticket: APPSEC-62187
  • Since SCA is unreleased and this change is not user-impacting, the PR should carry the changelog/no-changelog label instead of a Reno release note.
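An added illustration (not dd-trace-py's own `_cve_loader` code) of why the emitted key matters: it shows both failure modes the description names when telemetry is keyed on the nested CVE id rather than the top-level advisory id. The record shape, the `vuln_id` field name and every identifier except the GHSA/CVE pair quoted above are assumptions.

```python
from collections import defaultdict

# Constructed records in the shape the description implies: a top-level advisory
# "id" wrapping an inner "vulnerability" that carries the CVE "id". Only the first
# GHSA/CVE pair comes from the PR; the other ids are made-up placeholders.
ADVISORY_RECORDS = [
    {"id": "GHSA-652x-xj99-gmcc", "vulnerability": {"id": "CVE-2024-35195"}},
    {"id": "GHSA-652x-xj99-gmcc", "vulnerability": {"id": "CVE-0000-00001"}},  # 2nd CVE, same advisory
    {"id": "GHSA-EXAMPLE-0002", "vulnerability": {"id": "CVE-0000-00001"}},    # same CVE, 2nd advisory
    {"id": "GHSA-EXAMPLE-0003", "vulnerability": {"id": "CVE-0000-00002"}},
]


def telemetry_event(record, use_advisory_id=True):
    """One reachability event per record. The PR's change is this selector:
    top-level advisory id (new behaviour) versus nested CVE id (old behaviour)."""
    key = record["id"] if use_advisory_id else record["vulnerability"]["id"]
    return {"vuln_id": key, "reachable": True}  # "vuln_id" is an assumed field name


def distinct_event_keys(records, use_advisory_id=True):
    """The set of keys a consumer would dedupe on for the given keying."""
    return sorted({telemetry_event(r, use_advisory_id)["vuln_id"] for r in records})


def cve_keying_problems(records):
    """Why CVE keying cannot be deduped correctly downstream:
    - a CVE shared by several advisories makes the event unattributable, and
    - an advisory spanning several CVEs is reported once per CVE (duplicates)."""
    cve_to_adv, adv_to_cve = defaultdict(set), defaultdict(set)
    for rec in records:
        cve_to_adv[rec["vulnerability"]["id"]].add(rec["id"])
        adv_to_cve[rec["id"]].add(rec["vulnerability"]["id"])
    return {
        "ambiguous_cves": sorted(c for c, advs in cve_to_adv.items() if len(advs) > 1),
        "duplicated_advisories": sorted(a for a, cves in adv_to_cve.items() if len(cves) > 1),
    }


if __name__ == "__main__":
    print("old keying:", distinct_event_keys(ADVISORY_RECORDS, use_advisory_id=False))
    print("new keying:", distinct_event_keys(ADVISORY_RECORDS))
    print("problems with old keying:", cve_keying_problems(ADVISORY_RECORDS))
```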

@cit-pr-commenter-54b7da

cit-pr-commenter-54b7da Bot commented May 20, 2026

Codeowners resolved as

ddtrace/appsec/sca/_cve_loader.py                                       @DataDog/asm-python

@datadog-datadog-prod-us1
Contributor

datadog-datadog-prod-us1 Bot commented May 20, 2026

Pipelines  Tests


⚠️ Warnings

🚦 8 Pipeline jobs failed

DataDog/apm-reliability/dd-trace-py | build linux: [arm64, cp315-cp315, v113741589-d2b8243-musllinux_1_2_aarch64]   View in Datadog   GitLab

🔧 Fix in code (Fix with Cursor). NotImplementedError: This version of CPython is not supported yet

DataDog/apm-reliability/dd-trace-py | build linux: [amd64, cp315-cp315, v113741491-d2b8243-musllinux_1_2_x86_64]   View in Datadog   GitLab

🔄 Retry job. This looks flaky and may succeed on retry. Startup probe failed: HTTP probe failed with statuscode: 503.

DataDog/apm-reliability/dd-trace-py | build linux serverless: [amd64, cp315-cp315, v113741238-d2b8243-manylinux2014_x86_64, 1]   View in Datadog   GitLab

🛟 This job is unlikely to succeed on retry. Please review your pipeline configuration. NotImplementedError: This version of CPython is not supported yet

View all 8 failed jobs.

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

🔗 Commit SHA: 420f539

@avara1986 avara1986 changed the title fix sca id fix(sca): report advisory id in CVE reachability telemetry May 20, 2026
@avara1986 avara1986 changed the title fix(sca): report advisory id in CVE reachability telemetry chore(sca): report advisory id in CVE reachability telemetry May 20, 2026
@avara1986 avara1986 added the changelog/no-changelog A changelog entry is not required for this PR. label May 20, 2026
@pr-commenter

pr-commenter Bot commented May 20, 2026

Benchmarks

Benchmark execution time: 2026-05-22 10:48:15

Comparing candidate commit 420f539 in PR branch avara1986/APPSEC-62187_runtime_sca with baseline commit 83e6d7c in branch main.

Found 0 performance improvements and 1 performance regression! Performance is the same for 87 metrics, 0 unstable metrics.

scenario:iastaspectsospath-ospathbasename_aspect

  • 🟥 execution_time [+100.233µs; +108.425µs] or [+23.741%; +25.681%]

@avara1986 avara1986 marked this pull request as ready for review May 20, 2026 19:53
@avara1986 avara1986 requested review from a team as code owners May 20, 2026 19:53

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1cee82786e


@avara1986
Member Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented May 21, 2026

View all feedbacks in Devflow UI.

2026-05-21 09:43:47 UTC ℹ️ Start processing command /merge


2026-05-21 09:43:52 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 56m (p90).


2026-05-21 11:44:29 UTC MergeQueue: The build pipeline has timed out

The merge request has been interrupted because the build 2219997871909141774 took longer than expected. The current limit for the base branch 'main' is 120 minutes.

@avara1986
Member Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented May 21, 2026

View all feedbacks in Devflow UI.

2026-05-21 11:47:21 UTC ℹ️ Start processing command /merge


2026-05-21 11:47:26 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 56m (p90).


2026-05-21 13:47:34 UTC 🚨 MergeQueue: This merge request is in error

error while getting head build completion result

Details

Error: There was an error while retrieving the result for pipeline 114466753

FullStacktrace:
child workflow execution error (type: mergequeue_private.MergeQueue_WaitForChecksOrUntilIsFinal, workflowID: 019e4a5c-a6c4-712a-afb9-ea5ebc3fe610_74, runID: 019e4a5d-07e8-73ec-9a13-f0eda9a2583e, initiatedEventID: 74, startedEventID: 75): child workflow execution error (type: mergequeue.MergeQueue_WaitForCompletionOfRef, workflowID: 019e4a5d-07e8-73ec-9a13-f0eda9a2583e_8, runID: 019e4a5d-088b-776b-b8f2-afc14d43cfe0, initiatedEventID: 8, startedEventID: 10): There was an error while retrieving the result for pipeline 114466753 (type: FlowError, retryable: false): There was an error while retrieving the result for pipeline 114466753

@avara1986
Member Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented May 21, 2026

View all feedbacks in Devflow UI.

2026-05-21 22:26:08 UTC ℹ️ Start processing command /merge


2026-05-21 22:26:13 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 56m (p90).


2026-05-22 00:26:34 UTC MergeQueue: The build pipeline has timed out

The merge request has been interrupted because the build 4590351747145157401 took longer than expected. The current limit for the base branch 'main' is 120 minutes.

@avara1986
Member Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented May 22, 2026

View all feedbacks in Devflow UI.

2026-05-22 07:38:54 UTC ℹ️ Start processing command /merge


2026-05-22 07:38:59 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 56m (p90).


2026-05-22 09:39:35 UTC MergeQueue: The build pipeline has timed out

The merge request has been interrupted because the build 8117332190914211808 took longer than expected. The current limit for the base branch 'main' is 120 minutes.

@avara1986
Member Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented May 22, 2026

View all feedbacks in Devflow UI.

2026-05-22 11:28:25 UTC ℹ️ Start processing command /merge
Use /merge -c to cancel this operation!


2026-05-22 11:28:30 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 56m (p90).

Use /merge -c to cancel this operation!


⏳ Processing

Labels

changelog/no-changelog A changelog entry is not required for this PR.

4 participants