Include CVE data from Insights

[lukehinds]

CVEs gonna be handled in a simplest way so far. We'll improve it later, if needed.

Brief explanation in a comment below

Old description

Introduce Vulnerability / Version data from insights into the Vector Search system to provide contextual augmentation of CVES and version specific fixes

┌───────────────────────────┐
│ 1. CVE / Version Info     │
│    introduced from insight│
└───────────────────────────┘
               │
               ▼
┌───────────────────────────┐
│ 2. Parse code snippet     │
│    and use existing       │
│    Package Extractor      │
│    (Package/Ecosystem)    │
└───────────────────────────┘
               │
               ▼
┌───────────────────────────┐
│ 3. Parse dependency       │
│    dependency matrix      │
│    for the specific       │
│    version of package     │
└───────────────────────────┘
               │
               ▼
┌───────────────────────────┐
│ 4. Perform similarity     │
│    search (Package &      │
│    Version)               │
└───────────────────────────┘
               │
           ┌───┴───┐
           │       │
     CVE Matched?  │
           │       │
           ▼       ▼
    ┌──────────────────────┐
    │ Yes: Augment prompt  │
    │ to guide LLM toward  │
    │ recommending action  │
    │ & fix                │
    └──────────────────────┘

    ┌──────────────────────┐
    │ No: Continue as      │
    │ normal in pipeline   │
    └──────────────────────┘

Explanation:

1. Introduce CVE / Version Info: Collect CVE data or package version details within the insight pipeline
2. Parse Code Snippet & Extract Package: Leverage already existing “Package Extractor” to identify which packages (and their ecosystems) are used in the snippet.
3. Traverse dependency matrix tree: e.g. look up the currently used package(s) captured from code snippet.
4. Perform Similarity Search: Match the discovered package and version against CVEs
5. CVE Matched?:
   • Yes: Prompt augmentation instructs the LLM to recommend a fix (e.g., upgrade package, apply patch, warn or alternative library).
   • No: Proceed without additional guidance or continue searching other data sources.

This would be contingent upon #454 landing first.

cc @yrobla

[lukehinds]

likely requires #454 first.

[lukehinds]

tag @kevinholmesmobile for mapping to insights work, which would land first.

[davolokh]

We make a decision to not have CVEs data in VectorDB, but having a simple data (packageManager + packageName + version) indicating that specific one has CVEs. No severity, no specificity about CVEs. Just a fact that the package is vulnerable.
Data will be provided by Insight team and consumed in CodeGate similarly as malicious / deprecated / archived.

[lukehinds]

Pipeline work needs to be scoped to introduce the checks when a package matrix file is created or modified.