Rpm improvments

[RedTanny]

Summary

This PR adds Commit Discovery Pipeline - a 4-phase enhancement that extracts fix commit information from upstream repositories when no downstream patch is available. This enables better vulnerability analysis by discovering the actual fix code from advisory references.

Key Features

1. OSIDB Intel Integration - New intel source for internal Red Hat users
2. Reference Mining - Extract commit hints from advisory URLs
3. Repository Resolution - Map package names to upstream git repositories
4. Git Commit Search - Clone repos and find fix commits using extracted hints

New Capabilities

1. OSIDB Integration

• Fetches Red Hat-specific vulnerability data from OSIDB API
• Extracts upstream PURLs, fix versions, and resolution status
• Enabled via rpm_user_type: internal config (requires VPN)

2. Reference Mining Node

Extracts structured hints from advisory URLs when no patch is found:

• Revision hints - SVN revisions (r1234567) or git hashes
• Function hints - Vulnerable function names
• File hints - Affected source file paths
• Version hints - Fixed version numbers

Uses LLM-powered extraction with reflection loop for quality validation.

3. Repository Resolution Node

Maps package name → upstream git repository URL using:

1. OSIDB upstream PURLs (highest priority)
2. Curated package mapping (package_repo_mapping.json)
3. PURL parsing fallback

Supports 100+ C/C++ packages with alias mapping (httpd → apache, etc.)

4. Git Search Node

Searches upstream repos for fix commits:

• Shallow clone with caching (~15s for 1000 commits)
• Search strategies:
  • revision - Direct SVN/git revision lookup (95% confidence)
  • function - Function name in commit message (75% confidence)
• LLM-assisted branch resolution for SVN revision searches
• Converts discovered commits to ParsedPatch for L1 agent

5. Report Display

Git search results now appear in "Fix clues from advisories and reference builds" section showing:

• Repository URL, commit hash, commit URL
• Search method, confidence score
• Commit message preview
• Patch file summary

Files Changed

Category	Files
New Utils	git_commit_searcher.py, git_repo_manager.py, repo_resolver.py, reference_fetcher.py, reference_parser.py, osidb_client.py
Data Models	code_agent_graph_defs.py, checker_status.py, cve_intel.py
Graph Nodes	cve_package_code_agent.py (+667 lines)
Report	cve_checker_report.py
Intel	intel_retriever.py, intel_utils.py, cve_fetch_intel.py
Tests	test_git_commit_searcher.py (33 tests), test_repo_resolver.py (40 tests)
Data	package_repo_mapping.json (100+ packages)

[vbelouso]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[zvigrinberg]

@RedTanny This work looks great.
Please see my comments. ( most are minors).

Thanks.

[zvigrinberg]

@RedTanny LGTM Approved.
Great job as usual.