refactor: replace status table with DeriveActiveEnum

[mrizzi]

Summary

• Replace the static status database table (5 rows) with a PostgreSQL enum type backed by SeaORM's DeriveActiveEnum, eliminating all JOIN operations against the status table
• Remove the DbContext status cache in the ingestor — status values are now parsed directly from strings via Status::from_str()
• Add database migration that converts existing status_id FK columns to inline enum columns via slug-based data migration
• Add defensive validation in migration to catch orphaned status_id references before enum cast (TC-4491)
• Fix cargo fmt formatting (TC-4492)

Details

Entity layer: status.rs transformed from DeriveEntityModel (Model/Entity/Column/Relation) to a standalone DeriveActiveEnum enum. purl_status and product_status entities changed from status_id: Uuid FK to status: Status enum column.

Ingestor layer: DbContext struct simplified to a single parse_status() function. All get_status_id() calls replaced with Status::from_str(). CSAF creator no longer needs async DB lookups for status resolution.

Query layer: All JOIN status ON ... removed from SeaORM queries and raw SQL. Status slug values now come directly from the enum column (status::text cast in raw SQL, .to_string() in Rust).

Migration: Creates the PostgreSQL enum type after dropping the old table (avoids namespace conflict), using a temporary text column to preserve data during the transition. Includes a pre-check assertion that validates no NULL status_text values remain before the enum cast.

Note: UUID computation for purl_status/product_status rows changed from Uuid::as_bytes() to Status::to_string().as_bytes(). A full re-ingestion of advisories is recommended after migration to normalize primary keys.

Implements TC-4488

[sourcery-ai]

Reviewer's Guide

Refactors status handling from a separate status table with UUID FKs to an inline PostgreSQL enum exposed via SeaORM’s DeriveActiveEnum, removes the ingestor’s status cache and DB lookups, simplifies queries by eliminating joins to status, and adds a one-way migration that converts existing FK-based data to the new enum representation while adjusting UUID derivation semantics.

Sequence diagram for CSAF status resolution in the ingestor

sequenceDiagram
    actor CSAFIngestor
    participant StatusCreator
    participant DbStatusParser as DbContext_parse_status
    participant Status

    CSAFIngestor->>StatusCreator: process product_statuses
    loop for each product_status
        StatusCreator->>DbStatusParser: parse_status(product.status)
        DbStatusParser->>Status: from_str(status)
        Status-->>DbStatusParser: Result<Status, Error>
        DbStatusParser-->>StatusCreator: Result<Status, Error>
        StatusCreator->>StatusCreator: create_purl_status(product, purl, scheme, spec, Status)
    end

Loading

Flow diagram for m0002200_replace_status_with_enum migration

flowchart TD
    A[Start migration m0002200_replace_status_with_enum] --> B[Add status_text text columns to purl_status and product_status]
    B --> C[Migrate slugs from status table into status_text via UPDATE ... FROM status]
    C --> D[Drop status_id columns from purl_status and product_status]
    D --> E[Drop status table]
    E --> F[Create PostgreSQL enum type status if not exists]
    F --> G[Add status status columns to purl_status and product_status]
    G --> H[Cast status_text into enum: UPDATE ... SET status = status_text::status]
    H --> I[Set status columns NOT NULL]
    I --> J[Drop status_text columns]
    J --> K[End migration]

Loading

File-Level Changes

Change	Details	Files
Replace status lookup and caching with direct enum parsing in the ingestor and graph layers.	Remove DbContext struct, its status cache, and async loading of statuses from the database. Introduce a simple parse_status(status: &str) -> Result<Status, Error> helper using Status::from_str. Update CSAF StatusCreator and AdvisoryVulnerabilityContext to use Status enums directly instead of status_id UUIDs and to special-case Affected/Fixed using enum comparisons. Simplify Graph struct so it no longer holds a shared DbContext.	modules/ingestor/src/graph/db_context.rs modules/ingestor/src/graph/mod.rs modules/ingestor/src/service/advisory/csaf/creator.rs modules/ingestor/src/graph/advisory/advisory_vulnerability.rs
Change purl_status and product_status models and creators to store the Status enum directly and update UUID derivation accordingly.	Modify purl_status::Model and product_status::Model to replace status_id: Uuid with status: Status and drop Relatedstatus::Entity relations. Adjust PurlStatus and ProductStatus ingestor structs to carry Status instead of Uuid and set the enum field on ActiveModels. Update PurlStatusCreator to parse Status from slug strings and populate enum fields; remove DB lookups of statuses. Change UUID derivation for PurlStatus and ProductStatus to hash Status::to_string().as_bytes() instead of Uuid::as_bytes(), implying new primary keys and requiring re-ingestion.	entity/src/purl_status.rs entity/src/product_status.rs modules/ingestor/src/graph/purl/status_creator.rs modules/ingestor/src/graph/advisory/purl_status.rs modules/ingestor/src/graph/advisory/product_status.rs
Refactor query and model layers to work with inline status enums instead of joined status rows or status_id FKs.	Remove joins to status::Entity from SeaORM queries related to vulnerability advisories, SBOM details, purl product statuses, and various services, replacing them with direct use of the status enum column. Update filter predicates to compare purl_status::Column::Status or product_status::Column::Status against Status variants or cast-to-text expressions instead of status.slug/status_id. Change FromQueryResult/FromQueryResultMultiModel helper structs (e.g., PurlStatusCatcher, SbomStatusCatcher, ProductStatusCatcher, IdSet, QueryCatcher) to capture status as a slug String or via enum-to-string rather than embedding a status::Model. Simplify prefetch logic in SbomDetails, PurlService, VersionedPurlAdvisory, and related code by removing status table preloads and using the enum’s string form directly for grouping and presentation.	modules/fundamental/src/vulnerability/model/details/vulnerability_advisory.rs modules/fundamental/src/sbom/model/details.rs modules/fundamental/src/purl/model/details/purl.rs modules/fundamental/src/purl/model/details/versioned_purl.rs modules/fundamental/src/purl/service/mod.rs modules/fundamental/src/sbom/service/sbom.rs modules/fundamental/src/sbom/model/raw_sql.rs modules/fundamental/src/vulnerability/service/mod.rs
Introduce a Status DeriveActiveEnum and a one-way migration to replace the status table with a PostgreSQL enum type and migrate existing data.	Redefine entity/src/status.rs as a DeriveActiveEnum-based Status enum with snake_case serialization, SeaORM enum metadata, and fixed string values for affected/fixed/not_affected/under_investigation/recommended. Add migration m0002200_replace_status_with_enum to migrate from status_id FKs to a status enum column using temporary text columns, slug-based data migration, dropping the old status table, creating the enum type, and casting text to the enum. Register the new migration in migration/src/lib.rs and make the down() method non-reversible for safety.	entity/src/status.rs migration/src/m0002200_replace_status_with_enum.rs migration/src/lib.rs
Adapt tests and raw SQL expectations to the new enum-based status representation.	Update recommendation tests to use the Status enum (e.g., Status::Recommended, Status::Fixed) rather than inserting or querying custom status rows, and to assert the new serialized values. Change raw SQL queries and JSON-building logic to select status::text or enum-backed columns instead of joining the status table and using status.slug or status_id. Clean up comments and docs in PurlStatusCreator and related code to reflect the new behavior and remove outdated caching/lookup descriptions.	modules/fundamental/src/purl/endpoints/test.rs modules/fundamental/src/sbom/model/raw_sql.rs modules/ingestor/src/graph/purl/status_creator.rs modules/fundamental/src/vulnerability/model/details/vulnerability_advisory.rs

Possibly linked issues

• #(no explicit ID provided): PR directly implements the issue by dropping the status table and introducing a Status enum-backed column everywhere

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• The m0002200_replace_status_with_enum migration assumes that every status_id in purl_status/product_status has a corresponding row in status; if any orphaned IDs exist, status_text (and then status) will remain NULL and the later SET NOT NULL will fail — consider either asserting row counts or using a defensive default/fallback for unmapped statuses before enforcing NOT NULL.
• Now that Status is a first-class enum, the codebase mixes raw string literals ('fixed', 'not_affected', etc.) and enum usages across SQL and Rust; consolidating these into a small helper or constants (e.g., for building SQL fragments) would reduce the risk of drift between enum variants and hard-coded status strings.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `m0002200_replace_status_with_enum` migration assumes that every `status_id` in `purl_status`/`product_status` has a corresponding row in `status`; if any orphaned IDs exist, `status_text` (and then `status`) will remain NULL and the later `SET NOT NULL` will fail — consider either asserting row counts or using a defensive default/fallback for unmapped statuses before enforcing NOT NULL.
- Now that `Status` is a first-class enum, the codebase mixes raw string literals (`'fixed'`, `'not_affected'`, etc.) and enum usages across SQL and Rust; consolidating these into a small helper or constants (e.g., for building SQL fragments) would reduce the risk of drift between enum variants and hard-coded status strings.

## Individual Comments

### Comment 1
<location path="migration/src/m0002200_replace_status_with_enum.rs" line_range="100-101" />
<code_context>
+                ALTER TABLE product_status
+                    ADD COLUMN IF NOT EXISTS status status;
+
+                UPDATE purl_status SET status = status_text::status;
+                UPDATE product_status SET status = status_text::status;
+
+                ALTER TABLE purl_status
</code_context>
<issue_to_address>
**issue (bug_risk):** Guard against invalid or unexpected `status_text` values when casting to the new enum.

This assumes every non-NULL `status_text` is a valid `status` enum value. Any historical typos or unexpected values will cause `status_text::status` to raise an error and abort the migration. Consider restricting the UPDATE to known-good values and handling the rest separately, or running a pre-check SELECT to detect unknown slugs and fail early with a clear error before applying schema changes.
</issue_to_address>

### Comment 2
<location path="modules/fundamental/src/purl/endpoints/test.rs" line_range="488" />
<code_context>
         .unwrap();

-    assert_eq!(vuln["status"], "custom_status");
+    assert_eq!(vuln["status"], "Recommended");

     Ok(())
</code_context>
<issue_to_address>
**issue (bug_risk):** The expected status string in the assertion is likely incorrect and should match the enum’s serialized/Display form (snake_case).

Given `Status` uses `#[strum(serialize_all = "snake_case")]` and `#[serde(rename_all = "snake_case")]`, the serialized value will be `"recommended"`, not `"Recommended"`. This makes the current assertion inconsistent with the API response. Please assert against the enum’s serialized form instead, for example:

```rust
assert_eq!(vuln["status"], Status::Recommended.to_string());
```

(or the literal `"recommended"`), so the test stays aligned with the enum’s representation.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[mrizzi]

Verification Report for TC-4488 (commit 7756a1b)

Check	Result	Details
Review Feedback	WARN	1 code change request → TC-4491; 1 suggestion dismissed; 1 CI failure → TC-4492
Root-Cause Investigation	DONE	Both defects trace to implement-task phase; no root-cause tasks needed
Scope Containment	PASS	All 21 files match task specification
Diff Size	PASS	256 additions, 344 deletions — proportionate for cross-cutting enum refactor
Commit Traceability	PASS	Single commit references "Implements TC-4488"
Sensitive Patterns	PASS	No secrets detected
CI Status	FAIL	cargo fmt check failed — formatting issue in csaf/creator.rs (TC-4492)
Acceptance Criteria	PASS	All 7 criteria met
Test Quality	PASS	All test functions have doc comments
Test Change Classification	NEUTRAL	Tests simplified to use enum values; no coverage loss
Verification Commands	PASS	323 fundamental tests pass, all ingestor tests pass

Overall: WARN

Sub-tasks created:

• TC-4491 — Add defensive validation in status enum migration (review feedback)
• TC-4492 — Fix cargo fmt formatting in csaf/creator.rs (CI failure)

Root-cause analysis:

• TC-4491 (migration guard): Universal skill gap — implement-task should validate data completeness before schema enforcement steps in migrations. No root-cause task created (general skill improvement).
• TC-4492 (cargo fmt): Convention already documented in CONVENTIONS.md §Pre-commit Workflow. The pre-commit check was interrupted by Podman unavailability before cargo fmt ran. No root-cause task created.

Dismissed feedback:

• Comment 3260174629 (test assertion "Recommended" vs "recommended"): classified as suggestion — test is correct because VexStatus::Recommended serializes as PascalCase via serde default (no rename_all on VexStatus), distinct from Status::to_string() (strum snake_case).

---

This comment was AI-generated by sdlc-workflow/verify-pr v0.9.0.

[ctron]

In general, the new enum type should be used, rather then falling back to strings.

Important is that the ID (UUID v5) issue is sorted out.

[ctron]

Add some test to ensure that the values of SeoORM align with the values or strum and serde.

[mrizzi]

[sdlc-workflow/verify-pr] Classified as code change request — sub-task TC-4508 created to address this feedback.

[ctron]

Wouldn't it be possible to create the new type with a different name, and then rename the type? Making the migration simpler in the process.

[mrizzi]

[sdlc-workflow/verify-pr] Classified as suggestion — proposes alternative migration approach (create enum with different name, then rename). The current approach works correctly. No sub-task created.

[ctron]

Instead of having an explicit list, use strum enumerator.

[mrizzi]

[sdlc-workflow/verify-pr] Classified as code change request — sub-task TC-4508 created to address this feedback.

[ctron]

Yes, this can be reversed. And has to be.

[mrizzi]

[sdlc-workflow/verify-pr] Classified as code change request — sub-task TC-4506 created to implement migration down() and fix test_migrations CI failure.

[ctron]

I'm not sure this test still makes sense. As having an enum removes the whole "custom status" case.

[mrizzi]

[sdlc-workflow/verify-pr] Classified as code change request — sub-task TC-4508 created to address this feedback.

[ctron]

Same here:

That could be a problem. As the UUID is generated with different input, those IDs (the ProductStatus id) would need to be migrated too. .as_bytes() is using the bytes of the UUID, not of the slug (string) representation.

[mrizzi]

[sdlc-workflow/verify-pr] Classified as code change request — sub-task TC-4508 created to address this feedback.

[ctron]

Don't remove existing documentation, unless it's wrong.

[mrizzi]

[sdlc-workflow/verify-pr] Classified as code change request — sub-task TC-4507 created to restore removed documentation.

[ctron]

Don't remove existing documentation, unless it's wrong.

[mrizzi]

[sdlc-workflow/verify-pr] Classified as code change request — sub-task TC-4507 created to restore removed documentation.

[ctron]

Don't remove existing documentation, unless it's wrong.

[mrizzi]

[sdlc-workflow/verify-pr] Classified as code change request — sub-task TC-4507 created to restore removed documentation.

[ctron]

Don't prefix types, import them.

[mrizzi]

[sdlc-workflow/verify-pr] Classified as code change request — sub-task TC-4507 created to fix import style.

[mrizzi]

Verification Report for TC-4488 (commit 7756a1b) — Final

Check	Result	Details
Review Feedback	WARN	1 code change request → TC-4491; 1 suggestion dismissed; 1 CI failure → TC-4492
Root-Cause Investigation	DONE	2 root-cause tasks created: TC-4493 (convention gap), TC-4494 (skill gap)
Scope Containment	PASS	All 21 files match task specification
Diff Size	PASS	256 additions, 344 deletions — proportionate for cross-cutting enum refactor
Commit Traceability	PASS	Single commit references "Implements TC-4488"
Sensitive Patterns	PASS	No secrets detected
CI Status	FAIL	cargo fmt check failed — formatting issue in csaf/creator.rs (TC-4492)
Acceptance Criteria	PASS	All 7 criteria met
Test Quality	PASS	All test functions have doc comments
Test Change Classification	NEUTRAL	Tests simplified to use enum values; no coverage loss
Verification Commands	PASS	323 fundamental tests pass, all ingestor tests pass

Overall: WARN

Review feedback sub-tasks:

• TC-4491 — Add defensive validation in status enum migration
• TC-4492 — Fix cargo fmt formatting in csaf/creator.rs

Root-cause tasks:

• TC-4493 — Convention gap: document migration data-integrity validation in trustify CONVENTIONS.md (repo-specific pattern, not general-purpose enough for the skill)
• TC-4494 — Skill gap: implement-task must hard-stop on CI check failure instead of continuing to commit (the skill already says "fix the issue before proceeding" but the implementation ignored the failure)

Dismissed feedback:

• Comment 3260174629 (test assertion "Recommended" vs "recommended"): classified as suggestion — test is correct because VexStatus::Recommended serializes as PascalCase via serde default.

---

This comment was AI-generated by sdlc-workflow/verify-pr v0.9.0.

[mrizzi]

Verification Report for TC-4488 (commit 9f2d2ec)

Check	Result	Details
Review Feedback	WARN	18 code change requests → 4 sub-tasks; 1 suggestion dismissed
Root-Cause Investigation	DONE	4 root-cause tasks: TC-4511, TC-4512, TC-4513, TC-4514
Scope Containment	PASS	All 21 files match task specification
Diff Size	PASS	287 additions, 361 deletions — proportionate
Commit Traceability	PASS	Both commits reference TC-4488/TC-4491
Sensitive Patterns	PASS	No secrets detected
CI Status	FAIL	test_migrations fails — migration down() not implemented (TC-4506)
Acceptance Criteria	WARN	Core criteria met but reviewer feedback identifies type safety and reversibility gaps
Test Quality	PASS	All test functions have doc comments
Test Change Classification	NEUTRAL	Tests simplified, no coverage loss
Verification Commands	PASS	323 fundamental + all ingestor tests pass locally

Overall: FAIL

Review feedback sub-tasks (4):

• TC-4505 — Use Status enum type instead of String throughout internal APIs (8 comments)
• TC-4506 — Implement migration down() and fix test_migrations CI failure (1 comment + CI)
• TC-4507 — Restore removed documentation and fix import style (4 comments)
• TC-4508 — Add enum serialization tests and address remaining feedback (6 comments)

Root-cause tasks (4):

• TC-4511 — Convention gap: document enum type propagation in CONVENTIONS.md
• TC-4512 — Convention gap: document migration reversibility requirement in CONVENTIONS.md
• TC-4513 — Linting gap: enable clippy::absolute_paths lint to enforce import style
• TC-4514 — Skill gap: implement-task must preserve existing documentation when modifying code

Dismissed:

• Comment 3264310968: suggestion to use different enum name then rename — valid alternative but current approach works

---

This comment was AI-generated by sdlc-workflow/verify-pr v0.9.0.