Feature/policy driven annotation

[mehab]

Description

Vulnerability policies can attach annotations to matching findings. Multiple policies may match a single finding; annotations are merged and persisted on ANALYSIS.POLICY_ANNOTATIONS. Triage (state, suppress, ratings, etc.) is owned by the first non–annotation-only policy in bundle order.

Addressed Issue

#6205

Additional Details

Checklist

• I have read and understand the contributing guidelines
• This PR fixes a defect, and I have provided tests to verify that the fix is effective
• This PR implements an enhancement, and I have provided tests to verify that it works as intended
• This PR introduces changes to the database model, and I have updated the migration changelog accordingly
• This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
• This PR is a substantial change (per the ADR criteria), and I have added an ADR under docs/adr/

[owasp-dt-bot]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 128 complexity · 3 duplication

Metric	Results
Complexity	128
Duplication	3

View in Codacy

🟢 Coverage 71.01% diff coverage

Metric	Results
Coverage variation	Report missing for 0b9ca3e1
Diff coverage	✅ 71.01% diff coverage (70.00%)

View coverage diff in Codacy

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (0b9ca3e)	Report Missing	Report Missing	Report Missing
Head commit (65f1a32)	42465	36775	86.60%

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#6313)	476	338	71.01%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

¹ Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[sahibamittal]

Do we need analysis inside vulnerability model? Any analysis should be at project/component level IMO.

[mehab]

separated this out from the Vulnerability class

[sahibamittal]

This changes the logic of analysis matching. This would result in suppression at each component level instead of current project level.

[mehab]

this change is only for view of vulnerabilities/ suppressions and policy annotations on per component basis.
The reconcilliation logic continues to be project level reconcilliation so suppression will continue to happen at project level.
This change will only fetch the project level suppression/ annotation for the specific component where the id match happens.