doc(adr): add ADR 00011 for CSAF remediation support

dejanb · dejanb · commit e3960a274b4d · 2025-12-10T16:54:03.000+01:00
Propose ingesting CSAF remediation guidance and exposing it via APIs.
Remediations provide actionable guidance (upgrade paths, workarounds)
alongside vulnerability status information.

Assisted-by: Claude
Signed-off-by: Dejan Bosanac &lt;dbosanac@redhat.com&gt;
diff --git a/docs/adrs/00011-csaf-remediation.md b/docs/adrs/00011-csaf-remediation.md
@@ -0,0 +1,197 @@
+# 00011. CSAF Remediation Support
+
+Date: 2025-01-09
+
+## Status
+
+PROPOSED
+
+## Context
+
+Trustify ingests CSAF advisories and exposes which packages are affected by vulnerabilities through the `purl_status` and `product_status` tables. However, CSAF documents also contain **remediation** guidance that tells users HOW to fix vulnerabilities (e.g., "upgrade to version X", "apply workaround Y").
+
+### Current Limitation
+
+When a user queries for vulnerability status, they receive information about WHAT is affected:
+- Package X version 1.2.3 is **affected** by CVE-2024-1234
+- Package X version 2.0.0 is **fixed**
+
+But they don't receive actionable guidance on HOW to fix it:
+- "Upgrade to version 2.0.0 or apply workaround described at https://..."
+- "Restart required after upgrade"
+- "Workaround: disable feature Y"
+
+### CSAF Remediation Structure
+
+CSAF remediations are linked to specific `product_ids` within the advisory, which resolve to specific packages during ingestion. Each remediation includes:
+- **Category**: `vendor_fix`, `workaround`, `mitigation`, `no_fix_planned`, `none_available`, `will_not_fix`
+- **Details**: Human-readable description of the remediation
+- **URL**: Link to detailed guidance
+- **Metadata**: Restart requirements, dates, entitlements
+
+Critically, remediation `product_ids` often overlap with `product_status` product_ids (e.g., vendor_fix applies to the same products marked as "fixed").
+
+## Decision
+
+Add remediation support by creating a `remediation` table with junction tables linking to specific `purl_status` and `product_status` records.
+
+### Schema Design
+
+**Core remediation table:**
+```sql
+CREATE TABLE remediation (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    advisory_id UUID NOT NULL,
+    vulnerability_id VARCHAR NOT NULL,
+    category VARCHAR NOT NULL,  -- vendor_fix, workaround, mitigation,
+                                 -- no_fix_planned, none_available, will_not_fix
+    details TEXT,
+    url VARCHAR,
+    data JSONB,  -- {restart_required, date, entitlements, ...}
+
+    FOREIGN KEY (advisory_id, vulnerability_id)
+        REFERENCES advisory_vulnerability(advisory_id, vulnerability_id)
+        ON DELETE CASCADE
+);
+
+CREATE INDEX idx_remediation_advisory_vuln
+    ON remediation(advisory_id, vulnerability_id);
+```
+
+**Junction tables linking remediations to specific status records:**
+```sql
+CREATE TABLE remediation_purl_status (
+    remediation_id UUID REFERENCES remediation(id) ON DELETE CASCADE,
+    purl_status_id UUID REFERENCES purl_status(id) ON DELETE CASCADE,
+    PRIMARY KEY (remediation_id, purl_status_id)
+);
+
+CREATE INDEX idx_remediation_purl_status_purl
+    ON remediation_purl_status(purl_status_id);
+
+CREATE TABLE remediation_product_status (
+    remediation_id UUID REFERENCES remediation(id) ON DELETE CASCADE,
+    product_status_id UUID REFERENCES product_status(id) ON DELETE CASCADE,
+    PRIMARY KEY (remediation_id, product_status_id)
+);
+
+CREATE INDEX idx_remediation_product_status_product
+    ON remediation_product_status(product_status_id);
+```
+
+**JSONB data field structure:**
+```json
+{
+  "restart_required": {"category": "none|system|zone|service|parent|dependencies|..."},
+  "date": "2024-03-15T10:30:00Z",
+  "entitlements": ["premium-support"],
+}
+```
+
+### Design Choices
+
+- Remediations link to **specific purl_status/product_status records**
+- Keep statuses (category) as VARCHAR. Having separate statuses table have added more complexity to queries than benefits.
+- Normalize only important remediation fields, while keeping the rest in JSON blob
+
+### Ingestion Approach
+
+During CSAF ingestion:
+1. `StatusCreator` resolves product_ids - creates purl_status/product_status records
+2. Track which records were created for each product_id
+3. `RemediationCreator` uses this mapping to create junction table entries
+
+This follows the existing `StatusCreator` pattern and reuses the `ResolveProductIdCache`.
+
+### API Exposure
+
+**New API Model:**
+```rust
+#[derive(Serialize, Deserialize, Debug, Clone, ToSchema)]
+pub struct RemediationSummary {
+    pub id: Uuid,
+    pub category: String,  // vendor_fix, workaround, mitigation, etc.
+    pub details: Option<String>,
+    pub url: Option<String>,
+    pub data: Option<serde_json::Value>,
+}
+```
+
+**Modified Response Structures:**
+
+Add `remediations: Vec<RemediationSummary>` to:
+- `PurlStatus` struct
+- `SbomStatus` struct
+
+**Affected Endpoints:**
+- `GET /v2/purl/{key}` - returns `PurlDetails` with `PurlStatus`
+- `POST /v3/vulnerability/analyze` - returns `AnalysisResponse` with `PurlStatus`
+- `GET /v2/sbom/{id}/advisory` - returns `SbomAdvisory` with `SbomStatus`
+- `GET /v2/sbom/{id}` - returns `SbomDetails` with `SbomStatus`
+
+**Example Response:**
+```json
+{
+  "vulnerability": {"id": "CVE-2024-1234", ...},
+  "status": "affected",
+  "remediations": [
+    {
+      "id": "550e8400-e29b-41d4-a716-446655440000",
+      "category": "vendor_fix",
+      "details": "Upgrade to version 2.0.0 or later",
+      "url": "https://example.com/security/CVE-2024-1234",
+      "data": {"restart_required": {"category": "none"}}
+    },
+    {
+      "id": "660e8400-e29b-41d4-a716-446655440001",
+      "category": "workaround",
+      "details": "Disable the vulnerable feature X",
+      "url": null,
+      "data": null
+    }
+  ]
+}
+```
+
+**Query Strategy:**
+
+Queries will use LEFT JOIN on junction tables:
+```sql
+SELECT ps.*, r.id, r.category, r.details, r.url, r.data
+FROM purl_status ps
+LEFT JOIN remediation_purl_status rps ON rps.purl_status_id = ps.id
+LEFT JOIN remediation r ON r.id = rps.remediation_id
+WHERE ps.id = ?;
+```
+
+Most packages have no remediations, so LEFT JOIN returns NULL efficiently without performance impact.
+
+## Consequences
+
+### Positive
+
+- Users receive actionable remediation guidance alongside vulnerability status
+- Follows Trustify's existing junction table pattern (e.g., `sbom_package_purl_ref`)
+- Maintains proper data integrity with FK constraints and CASCADE delete
+- Enables querying remediations independently ("all vendor_fix remediations")
+- Supports multiple remediations per package (vendor_fix + workaround)
+
+### Trade-offs
+
+- Adds 2 JOINs to status queries (remediation_purl_status + remediation tables)
+- Ingestion complexity: must track created status record IDs
+
+### Future Optimizations
+
+- Can denormalize if query performance becomes an issue
+- Can combine with ADR 00008 (PURL recommendations) to suggest both recommendations and remediations
+
+## Related ADRs
+
+- [ADR 00008](00008-purls-recommendation.md): PURL recommendations endpoint (future: combine recommendations with remediations)
+- [ADR 00010](00010-version-range-in-responses.md): Version range in responses
+
+## References
+
+- CSAF v2.0 Spec: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#3212-vulnerabilities-property---remediations
+- Test data: [rhsa-2024-2705.json](../../etc/test-data/csaf/rhsa-2024-2705.json)
