🌱 [main] update client/openapi/trustd.yaml

[trustify-ci-bot]

The openapi.yaml of trustify has changed

[sourcery-ai]

Reviewer's Guide

Updates the trustd OpenAPI specification to refine path parameter descriptions, introduce a versioned v3 SBOM listing endpoint with new pagination schemas, adjust SBOM deletion and relationship response types, and deprecate or reshape several licensing and remediation-related schemas for clearer, versioned API behavior.

Class diagram for updated SBOM pagination and listing schemas

classDiagram
  class PaginatedResults_SbomSummary {
    +items: SbomSummary[]
    +total: int64
  }

  class PaginatedResults_SbomPackageRelation_SbomPackage {
    +items: SbomPackageRelationItem[]
    +total: int64
  }

  class SbomPackageRelationItem {
    +package: SbomPackageInline
    +relationship: Relationship
  }

  class PaginatedResults_SbomPackageSummary {
    +items: SbomPackageSummary[]
    +total: int64
  }

  class SbomSummary {
    <<existing_schema>>
  }

  class SbomPackageSummary {
    +id: string
    +name: string
    +group: string? 
    +version: string?
  }

  class SbomPackageInline {
    +id: string
    +name: string
    +purl: PurlSummary[]
    +cpe: string[]
    +group: string?
    +version: string?
    +licenses: LicenseInfo[]
    +licenses_ref_mapping: LicenseRefMapping[] <<deprecated>>
  }

  class Relationship {
    <<existing_schema>>
  }

  class PurlSummary {
    <<existing_schema>>
  }

  class LicenseInfo {
    <<existing_schema>>
  }

  class LicenseRefMapping {
    <<existing_schema>>
  }

  PaginatedResults_SbomSummary --> SbomSummary : items
  PaginatedResults_SbomPackageRelation_SbomPackage --> SbomPackageRelationItem : items
  SbomPackageRelationItem --> SbomPackageInline : package
  SbomPackageRelationItem --> Relationship : relationship
  SbomPackageInline --> PurlSummary : purl
  SbomPackageInline --> LicenseInfo : licenses
  SbomPackageInline --> LicenseRefMapping : licenses_ref_mapping
  PaginatedResults_SbomPackageSummary --> SbomPackageSummary : items

Loading

Class diagram for updated SBOM package and remediation schemas

classDiagram
  class SbomPackage {
    +id: string
    +name: string
    +group: string?
    +version: string?
    +purl: PurlSummary[]
    +cpe: string[]
    +licenses: LicenseInfo[]
    +licenses_ref_mapping: LicenseRefMapping[] <<deprecated>>
  }

  class SbomPackageSummary {
    +id: string
    +name: string
    +group: string?
    +version: string?
  }

  class RemediationSummary {
    +category: RemediationCategory
    +data: object <<deprecated>>
    +details: string?
    +url: string?
  }

  class RemediationCategory {
    <<existing_schema>>
  }

  class PurlSummary {
    <<existing_schema>>
  }

  class LicenseInfo {
    <<existing_schema>>
  }

  class LicenseRefMapping {
    <<existing_schema>>
  }

  SbomPackage --> PurlSummary : purl
  SbomPackage --> LicenseInfo : licenses
  SbomPackage --> LicenseRefMapping : licenses_ref_mapping
  RemediationSummary --> RemediationCategory : category

Loading

File-Level Changes

Change	Details	Files
Clarify path parameter semantics for advisory and SBOM identifiers and PURLs.	Add explicit description for advisory path parameter key to accept UUID URNs or digest-based identifiers. Refine description for base PURL path parameter key to specify URL-encoded full PURLs beginning with pkg: and provide an example. Add explicit description for SBOM download path parameter key to accept UUID URNs or digest-based identifiers.	client/openapi/trustd.yaml
Adjust SBOM v2 operations to reflect new behavior and types, and deprecate old listing endpoint.	Rename v2 list SBOMs operationId from listSboms to v2/listSboms and mark the endpoint as deprecated. Change SBOM delete response from HTTP 200 with an SbomSummary body to HTTP 204 with no content, indicating successful deletion. Update the SBOM relationships listing response schema to use PaginatedResults_SbomPackageRelation_SbomPackage instead of the previous PaginatedResults_SbomPackageRelation. Introduce PaginatedResults_SbomPackageRelation_SbomPackage as a paginated result type whose items[].package is an inline SBOM package object with explicit fields and a deprecated licenses_ref_mapping. Deprecate license reference mapping fields in package-related schemas by adding deprecation text and deprecated: true metadata.	client/openapi/trustd.yaml
Add a new v3 SBOM listing endpoint and supporting summary pagination schema.	Introduce /api/v3/sbom GET endpoint with detailed q, sort, offset, limit, and group query parameters mirroring the documented EBNF query language and pagination behavior. Define the 200 OK response of /api/v3/sbom to return PaginatedResults_SbomPackageSummary. Add PaginatedResults_SbomPackageSummary schema for paginated SBOM package summaries, including id, name, optional group, and optional version fields. Add SbomPackageSummary schema as a concise SBOM package representation (id, name, optional group and version).	client/openapi/trustd.yaml
Reshape remediation and license-related schemas to deprecate internal fields and remove unused identifiers.	Modify RemediationSummary by removing required id, dropping the id property, and constraining data to a deprecated, internal-use-only field with a clarifying description. Mark multiple licenses_ref_mapping fields in package schemas as deprecated and document that they are always empty due to pre-expanded license data. Tidy up trailing schema details and maintain descriptions without functional changes (e.g., preserve Severity description while adjusting structure).	client/openapi/trustd.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The new operationId: v2/listSboms for /api/v2/sbom includes a slash, which can cause odd method names in some client generators; consider using a consistent, slash-free naming convention (e.g. listSbomsV2).
• The /api/v3/sbom GET endpoint is described as returning matching SBOMs but its schema is PaginatedResults_SbomPackageSummary; double-check whether this should instead point to an SBOM summary type to avoid confusion between SBOM-level and package-level resources.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new `operationId: v2/listSboms` for `/api/v2/sbom` includes a slash, which can cause odd method names in some client generators; consider using a consistent, slash-free naming convention (e.g. `listSbomsV2`).
- The `/api/v3/sbom` GET endpoint is described as returning matching SBOMs but its schema is `PaginatedResults_SbomPackageSummary`; double-check whether this should instead point to an SBOM summary type to avoid confusion between SBOM-level and package-level resources.

## Individual Comments

### Comment 1
<location path="client/openapi/trustd.yaml" line_range="2743-2749" />
<code_context>
         schema:
           $ref: '#/components/schemas/Id'
       responses:
-        '200':
-          description: Matching SBOM
-          content:
</code_context>
<issue_to_address>
**issue (bug_risk):** The v3 `GET /api/v3/sbom` response schema looks like it returns package summaries rather than SBOMs.

The response schema currently uses `PaginatedResults_SbomPackageSummary`, whose items describe SBOM *packages* (package ID/name within an SBOM), not SBOMs. If this endpoint is meant to list SBOMs (as in v2), it should instead use `PaginatedResults_SbomSummary` or another SBOM-level type. If it’s meant to list packages, the endpoint name/summary/operationId should be updated to reflect that and avoid confusion for API consumers.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): The v3 GET /api/v3/sbom response schema looks like it returns package summaries rather than SBOMs.

The response schema currently uses PaginatedResults_SbomPackageSummary, whose items describe SBOM packages (package ID/name within an SBOM), not SBOMs. If this endpoint is meant to list SBOMs (as in v2), it should instead use PaginatedResults_SbomSummary or another SBOM-level type. If it’s meant to list packages, the endpoint name/summary/operationId should be updated to reflect that and avoid confusion for API consumers.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.50%. Comparing base (a676b36) to head (7758a5d).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #971   +/-   ##
=======================================
  Coverage   66.50%   66.50%           
=======================================
  Files         218      218           
  Lines        3828     3828           
  Branches      873      873           
=======================================
  Hits         2546     2546           
  Misses        948      948           
  Partials      334      334           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.