Add policy-driven tags to vulnerability analyses

[sahibamittal]

Current Behavior

Vulnerability Policies don't have support for tagging the analysis if violated.

Proposed Behavior

Allow vulnerability policies to attach string tags to findings when a policy matches. Tags will be strictly policy-driven, user edits should not set or override them.
Policies can specify a list of tags, reconciliation applies them to matching analyses and removes them when policies stop applying.

Design Notes:

1. Store tags inline on the ANALYSIS record, and clear them when a finding is no longer covered by a policy. (For backward-compatible migration, add a nullable POLICY_TAGS column to the ANALYSIS table (JSON/array) and map it on the Analysis domain object.)
2. Extend VulnerabilityPolicyAnalysis with List tags.
3. Reconciliation:

• In AnalysisReconciler derive desired tags from policy analysis.
• If tags differ from stored policyTags, update analysis and add an audit comment.
• When a finding loses policy coverage, clear policyTags.

4. UI exposure: Include policyTags in analysis/findings responses.
5. Audit notification: Optional : Add a tag-change entry to the analysis audit comments.

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this enhancement was already requested

[nscuro]

Are simple tags sufficient for this, or should this be more like annotations, i.e. key-value pairs? Similar to https://cyclonedx.org/docs/1.7/json/#annotations. Note how that also tracks who created the annotation (in this case it would be a policy), and when.

[sahibamittal]

Are simple tags sufficient for this, or should this be more like annotations, i.e. key-value pairs? Similar to https://cyclonedx.org/docs/1.7/json/#annotations. Note how that also tracks who created the annotation (in this case it would be a policy), and when.

Yes right, having annotations (KV pairs) is more fitting in order to track the timestamp and other details for audit.