feat(vulnerabilities): add reference_link field with priority-based URL selection #3988

Merged
epipav merged 6 commits into main from feat/vulnerabilities-reference-link
Apr 1, 2026
@epipav (Collaborator) commented Mar 31, 2026

Note

Medium Risk
Touches persistence/query surfaces (Postgres upsert + Tinybird schema/pipe), so deployments must ensure the underlying vulnerabilities.reference_link column exists and data shape changes won’t break downstream consumers.

Overview
Adds a new reference_link field to vulnerability findings end-to-end: the scanner now derives a best reference URL (preferring an NVD link when a CVE exists, otherwise prioritizing OSV reference types) and persists it during the vulnerabilities upsert.

Updates Tinybird ingestion and the vulnerabilities_list pipe to include this referenceLink in the dataset/output (using anyIf to avoid empty values).

Written by Cursor Bugbot for commit 2e92aa7. This will update automatically on new commits. Configure here.

…RL selection

Signed-off-by: anilb <epipav@gmail.com>
Copilot AI review requested due to automatic review settings March 31, 2026 21:26
@github-actions
Contributor

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

  • feat: add user authentication (CM-123)
  • feat: add user authentication (IN-123)

Projects:

  • CM: Community Data Platform
  • IN: Insights

Please add a Jira issue key to your PR title.

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Copilot AI (Contributor) left a comment

Pull request overview

Adds a reference_link field to vulnerability records end-to-end (scanner → DB upsert → Tinybird datasource → Tinybird list pipe) so clients can display a canonical URL for each vulnerability.

Changes:

  • Extend vulnerability scanner output to compute and persist a single “best” reference URL per vulnerability.
  • Persist reference_link in the DB upsert and expose it in Tinybird ingestion schema.
  • Return referenceLink from the Tinybird vulnerabilities_list pipe output.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| services/apps/git_integration/src/crowdgit/services/vulnerability_scanner/vulnerability_scanner.go | Adds best-reference URL selection and includes it in normalized vulnerability output. |
| services/apps/git_integration/src/crowdgit/services/vulnerability_scanner/types.go | Adds ReferenceLink to the Vulnerability struct JSON payload. |
| services/apps/git_integration/src/crowdgit/services/vulnerability_scanner/db.go | Writes reference_link into the vulnerabilities upsert (insert + conflict update). |
| services/libs/tinybird/datasources/vulnerabilities.datasource | Adds referenceLink column mapping from record.reference_link. |
| services/libs/tinybird/pipes/vulnerabilities_list.pipe | Returns referenceLink in the aggregated vulnerabilities list response. |
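
A sketch of the selection rule described above (NVD link when a CVE is present, otherwise the best-ranked OSV reference type), added here as an illustration and not the project's own code. The type ordering, the `Reference` and `BestReferenceLink` names, and the http(s)-only check on advisory-supplied URLs are assumptions; the PR page does not show them.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Reference mirrors one entry of an OSV record's "references" array.
type Reference struct{ Type, URL string }

// typePriority is an ASSUMED ordering (lower wins); the PR does not state the project's order.
var typePriority = map[string]int{"ADVISORY": 0, "REPORT": 1, "FIX": 2, "ARTICLE": 3, "PACKAGE": 4, "WEB": 5}

// isSafeHTTPURL accepts only absolute http(s) URLs, so other schemes never become a stored link.
func isSafeHTTPURL(raw string) bool {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Host == "" {
		return false
	}
	return u.Scheme == "https" || u.Scheme == "http"
}

// BestReferenceLink prefers the NVD page for a CVE ID or alias, else the best-ranked safe reference.
func BestReferenceLink(id string, aliases []string, refs []Reference) string {
	for _, cand := range append([]string{id}, aliases...) {
		c := strings.ToUpper(strings.TrimSpace(cand))
		if strings.HasPrefix(c, "CVE-") {
			return "https://nvd.nist.gov/vuln/detail/" + url.PathEscape(c)
		}
	}
	best, bestRank := "", len(typePriority)+1
	for _, r := range refs {
		rank, known := typePriority[strings.ToUpper(r.Type)]
		if !known {
			rank = len(typePriority) // other OSV types rank last
		}
		if rank < bestRank && isSafeHTTPURL(r.URL) {
			best, bestRank = strings.TrimSpace(r.URL), rank
		}
	}
	return best
}

func main() {
	// Constructed sample record with a placeholder ID, not taken from the PR.
	refs := []Reference{{"WEB", "javascript:void(0)"}, {"ADVISORY", "https://example.com/advisory/1"}}
	fmt.Println(BestReferenceLink("GHSA-placeholder", nil, refs))
}
```

An empty return value means no usable link was found, which lines up with the pipe's use of anyIf to skip empty values.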

epipav added 2 commits April 1, 2026 00:03
…dDotDev/crowd.dev into feat/vulnerabilities-reference-link
@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

@epipav epipav requested a review from themarolt April 1, 2026 08:40
@epipav epipav merged commit 20f8fe4 into main Apr 1, 2026
16 checks passed
@epipav epipav deleted the feat/vulnerabilities-reference-link branch April 1, 2026 11:47