research(OS_Scan): Research on how to handle component version in policy violation based scanners #246

lolaapenna opened this issue Sep 24, 2024 · 0 comments
lolaapenna commented Sep 24, 2024

Task Description

For the OpenStack Policy scan, we have the first policy violations instead of vulnerabilities and also new kinds of components. This comes with the question of whether the same schema needs to/should be applied.

Currently, we do have components that can have multiple versions and those versions can have instances:

```mermaid
erDiagram
    ComponentInstance       }o--|| ComponentVersion: "is an instance of"
    ComponentVersion        }|--|| Component: "is a version of"
```

For an OpenStack entity such as a Security Group, the question now arises whether we want to store and represent data in a similar format.

Possible options could be:

  • Do not use components and component versions and create component instances/issue matches directly
  • Do use the same schema but enhance component versions with context information, and use a hash sum of the context as a version identifier
  • Other...

Acceptance Criteria:

  • Have decision drivers worked out
  • ADR created with multiple options evaluated
  • Informed decision taken
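The second option above (keep the Component / ComponentVersion / ComponentInstance schema and use a hash of the context as the version identifier) can be sketched in code. The following is an added example written for this page, not code from the Heureka project or from the issue author. It assumes a simplified security group rule shape (`Rule`, a subset of what Neutron actually exposes), an in-memory `Registry` standing in for the three tables in the diagram, and constructed sample data; none of these names are from the project. The point it shows is that the version id must be computed over a canonical form of the context, otherwise two security groups with the same rules in a different order would produce two ComponentVersions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Rule is a hypothetical, simplified view of one OpenStack security group
// rule. The field set is an assumption made for this example; the real Neutron
// representation carries more attributes (ethertype, remote group, ...).
type Rule struct {
	Direction      string `json:"direction"`
	Protocol       string `json:"protocol"`
	PortRangeMin   int    `json:"port_range_min"`
	PortRangeMax   int    `json:"port_range_max"`
	RemoteIPPrefix string `json:"remote_ip_prefix"`
}

// canonicalRules sorts a copy of the rules by their JSON encoding so that two
// security groups that differ only in rule order canonicalize identically.
// encoding/json emits struct fields in declaration order, so the bytes are
// deterministic for a given rule set.
func canonicalRules(rules []Rule) ([]byte, error) {
	sorted := make([]Rule, len(rules))
	copy(sorted, rules)
	sort.Slice(sorted, func(i, j int) bool {
		a, _ := json.Marshal(sorted[i])
		b, _ := json.Marshal(sorted[j])
		return string(a) < string(b)
	})
	return json.Marshal(sorted)
}

// ContextVersionID derives the version identifier from the context: the hex
// SHA-256 of the canonical rule encoding. Same effective rules, same version.
func ContextVersionID(rules []Rule) (string, error) {
	b, err := canonicalRules(rules)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// Registry is an in-memory stand-in (assumed here, not the project's model) for
// the Component / ComponentVersion / ComponentInstance relations in the diagram.
type Registry struct {
	Versions  map[string]map[string][]Rule // component name -> version id -> context
	Instances map[string]string            // instance id -> version id
}

func NewRegistry() *Registry {
	return &Registry{
		Versions:  map[string]map[string][]Rule{},
		Instances: map[string]string{},
	}
}

// Record registers one observed security group (instanceID, e.g. its UUID) as an
// instance of component name with the given rules. The ComponentVersion is
// created on first sight of a rule set and reused afterwards; the id is returned.
func (r *Registry) Record(component, instanceID string, rules []Rule) (string, error) {
	vid, err := ContextVersionID(rules)
	if err != nil {
		return "", err
	}
	if r.Versions[component] == nil {
		r.Versions[component] = map[string][]Rule{}
	}
	if _, seen := r.Versions[component][vid]; !seen {
		r.Versions[component][vid] = rules
	}
	r.Instances[instanceID] = vid
	return vid, nil
}

// VersionCount reports how many distinct versions of a component were recorded.
func (r *Registry) VersionCount(component string) int {
	return len(r.Versions[component])
}

func main() {
	// Constructed sample data, not taken from any real scan.
	ssh := Rule{"ingress", "tcp", 22, 22, "10.0.0.0/8"}
	https := Rule{"ingress", "tcp", 443, 443, "0.0.0.0/0"}
	anyIn := Rule{"ingress", "tcp", 1, 65535, "0.0.0.0/0"}

	reg := NewRegistry()
	v1, _ := reg.Record("default", "sg-0001", []Rule{ssh, https})
	v2, _ := reg.Record("default", "sg-0002", []Rule{https, ssh}) // same rules, other order
	v3, _ := reg.Record("default", "sg-0003", []Rule{ssh, https, anyIn})
	fmt.Println(v1 == v2, v1 == v3, reg.VersionCount("default"))
}
```

With this layout an issue match for a policy violation attaches to the ComponentVersion (the rule set that violates the policy), and every instance sharing that hash inherits it; a version hash is stable across scans only as long as the canonical form is, so which attributes enter the hash and how they are ordered would need to be part of the ADR.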