Context / Motivation
ODG features a somewhat complex contract to rescore findings. Each finding can have a set of rescorings, possibly stemming from different scoping-sources (e.g. there can be resource-version-specific rescorings, or (odg-instance-)global rescorings). The effective rescoring is defined to be the most recent among the most specific existing rescorings.
Consumers of the Delivery-Service API currently have to re-implement the aforementioned contract themselves (they could reuse Delivery-Service's source code to at least avoid redundant implementations).
To make consumption of effective severities / rescorings easier, Delivery-Service should be extended so that it pre-calculates the effective severity for callers.
Implementation Considerations
- ideally design the route for "bulk requests" (several components / artefacts per call)
- should return both the effective severity + due-date and the honoured rescoring(s)
Proposal
Route
POST /rescore/applied
Request Body
- finding_type: [str] # if list is empty, consider all known types from findings-cfg
  components: # [ComponentArtefactId]
    - component_name: str
      component_version: str
      artefact_kind: str
      artefact:
        artefact_name: str
        artefact_version: str
        artefact_type: str
        artefact_extra_id: {}
Response
results:
  - component: # ComponentArtefactId
      component_name: str
      component_version: str
      artefact_kind: str
      artefact:
        artefact_name: str
        artefact_version: str
        artefact_type: str
        artefact_extra_id: {}
    findings:
      - finding: # finding type specific
          cve: str
          package_name: str
          package_versions: [str]
        finding_type: str
        original:
          severity: str
          discovery_date: timestamp
          due_date: timestamp
        effective:
          severity: str
          discovery_date: timestamp
          due_date: timestamp
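The following is an added example, not code from the Delivery-Service project, showing the two things the proposal relies on: resolving the effective rescoring per the contract from the motivation ("most recent among the most specific existing rescorings"), and assembling one `results` entry of the proposed response from it. The scope names (`global`, `component`, `artefact-version`), their specificity ranking, the `honoured_rescoring` field, and the rule that a rescoring may carry its own due-date are assumptions made for the illustration; the sample finding and rescorings are constructed.

```python
from __future__ import annotations

import dataclasses
import datetime

# Assumed specificity ranking (names are illustrative, not the delivery-service's own):
# a higher rank means a narrower scope and therefore takes precedence.
SCOPE_RANK = {
    'global': 0,            # odg-instance-wide rescoring
    'component': 1,         # applies to every version of a component
    'artefact-version': 2,  # applies to exactly one resource/artefact version
}

UTC = datetime.timezone.utc


@dataclasses.dataclass(frozen=True)
class Rescoring:
    scope: str
    severity: str
    created_at: datetime.datetime
    due_date: datetime.datetime | None = None  # assumed: a rescoring may carry its own due-date


@dataclasses.dataclass(frozen=True)
class Finding:
    finding_type: str
    severity: str
    discovery_date: datetime.datetime
    due_date: datetime.datetime
    data: dict  # finding-type specific part, e.g. cve / package_name / package_versions


def effective_rescoring(rescorings: list[Rescoring]) -> Rescoring | None:
    """Most recent rescoring among those with the most specific scope (the contract above)."""
    if not rescorings:
        return None
    for r in rescorings:
        if r.scope not in SCOPE_RANK:
            raise ValueError(f'unknown rescoring scope: {r.scope!r}')
    top_rank = max(SCOPE_RANK[r.scope] for r in rescorings)
    most_specific = [r for r in rescorings if SCOPE_RANK[r.scope] == top_rank]
    # ties on created_at resolve to the first one listed; a real store should not produce them
    return max(most_specific, key=lambda r: r.created_at)


def effective_values(
    finding: Finding, rescorings: list[Rescoring],
) -> tuple[str, datetime.datetime, Rescoring | None]:
    """Effective severity and due-date: the honoured rescoring's values, else the originals."""
    honoured = effective_rescoring(rescorings)
    if honoured is None:
        return finding.severity, finding.due_date, None
    return honoured.severity, honoured.due_date or finding.due_date, honoured


def response_entry(component: dict, finding: Finding, rescorings: list[Rescoring]) -> dict:
    """One element of `results` in the proposed response, plus the honoured rescoring."""
    severity, due_date, honoured = effective_values(finding, rescorings)
    return {
        'component': component,
        'findings': [{
            'finding': finding.data,
            'finding_type': finding.finding_type,
            'original': {
                'severity': finding.severity,
                'discovery_date': finding.discovery_date.isoformat(),
                'due_date': finding.due_date.isoformat(),
            },
            'effective': {
                'severity': severity,
                'discovery_date': finding.discovery_date.isoformat(),
                'due_date': due_date.isoformat(),
            },
            # assumed extra field so callers see which rescoring was honoured
            'honoured_rescoring': dataclasses.asdict(honoured) if honoured else None,
        }],
    }


# Constructed sample data (not real findings): the global rescoring is the newest,
# but two artefact-version-specific ones exist, so the newer of those two wins.
SAMPLE_COMPONENT = {
    'component_name': 'example.org/demo-component',  # placeholder component
    'component_version': '1.2.3',
    'artefact_kind': 'resource',
    'artefact': {'artefact_name': 'demo-image', 'artefact_version': '1.2.3',
                 'artefact_type': 'ociImage', 'artefact_extra_id': {}},
}
SAMPLE_FINDING = Finding(
    finding_type='vulnerability',  # assumed type name
    severity='HIGH',
    discovery_date=datetime.datetime(2024, 1, 10, tzinfo=UTC),
    due_date=datetime.datetime(2024, 2, 10, tzinfo=UTC),
    data={'cve': 'CVE-YYYY-NNNNN', 'package_name': 'demo-pkg', 'package_versions': ['0.1']},
)
SAMPLE_RESCORINGS = [
    Rescoring('global', 'LOW', datetime.datetime(2024, 3, 1, tzinfo=UTC)),
    Rescoring('artefact-version', 'HIGH', datetime.datetime(2024, 1, 15, tzinfo=UTC)),
    Rescoring('artefact-version', 'MEDIUM', datetime.datetime(2024, 2, 1, tzinfo=UTC),
              due_date=datetime.datetime(2024, 5, 1, tzinfo=UTC)),
]

if __name__ == '__main__':
    import json
    print(json.dumps(response_entry(SAMPLE_COMPONENT, SAMPLE_FINDING, SAMPLE_RESCORINGS),
                     indent=2, default=str))
```

Note the ordering: specificity is decided first and recency only breaks ties within the most specific scope, so the newer global `LOW` rescoring in the sample is ignored in favour of the artefact-version `MEDIUM` one. A bulk route would call `response_entry` once per requested `ComponentArtefactId` and collect the entries into `results`.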