feat(api): add cwe_id, cvss arrays to threats and alias array to threat models (#108)

* feat(api): add cwe_id, cvss arrays to threats and alias array to threat models

Implements GitHub issue #86:
- Add cwe_id string array to Threat objects (CWE identifiers, pattern: CWE-[0-9]+)
- Add cvss object array to Threat objects (vector string + score float pairs)
- Add alias string array to ThreatModel objects (alternative names/identifiers)
- Add CVSSScore schema component to OpenAPI specification
- Add CVSSArray custom GORM type for cross-database compatibility

All arrays are optional but require at least one element when present (minItems: 1).
Validation constraints:
- cwe_id: 5-16 chars, pattern ^CWE-[0-9]+$, max 50 items
- cvss.vector: 26-250 chars, cvss.score: 0.0-10.0, max 10 items
- alias: 3-30 chars, pattern ^[a-zA-Z0-9_-]+$, max 20 items

Closes #86

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore(deps): update integration test dependencies

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: ericfitz

.version

@@ -1,5 +1,5 @@
 {
   "major": 0,
-  "minor": 269,
-  "patch": 2
+  "minor": 270,
+  "patch": 1
 }

api/api.go

@@ -199,6 +199,13 @@ func (s *GormThreatModelStore) convertToAPIModel(tm *models.ThreatModel) (Threat
 		framework = "STRIDE"
 	}
 
+	// Convert alias array
+	var alias *[]string
+	if len(tm.Alias) > 0 {
+		aliasSlice := []string(tm.Alias)
+		alias = &aliasSlice
+	}
+
 	return ThreatModel{
 		Id:                   &tmUUID,
 		Name:                 tm.Name,
@@ -215,6 +222,7 @@ func (s *GormThreatModelStore) convertToAPIModel(tm *models.ThreatModel) (Threat
 		Metadata:             &metadata,
 		Threats:              &threats,
 		Diagrams:             diagrams,
+		Alias:                alias,
 	}, nil
 }
 
@@ -358,6 +366,12 @@ func (s *GormThreatModelStore) Create(item ThreatModel, idSetter func(ThreatMode
 		statusUpdated = &now
 	}
 
+	// Convert alias array if provided
+	var aliasArray models.StringArray
+	if item.Alias != nil && len(*item.Alias) > 0 {
+		aliasArray = models.StringArray(*item.Alias)
+	}
+
 	// Create GORM model
 	tm := models.ThreatModel{
 		ID:                    id,
@@ -369,6 +383,7 @@ func (s *GormThreatModelStore) Create(item ThreatModel, idSetter func(ThreatMode
 		IssueURI:              item.IssueUri,
 		Status:                item.Status,
 		StatusUpdated:         statusUpdated,
+		Alias:                 aliasArray,
 	}
 
 	// Set timestamps
@@ -475,6 +490,12 @@ func (s *GormThreatModelStore) Update(id string, item ThreatModel) error {
 		framework = "STRIDE"
 	}
 
+	// Convert alias array if provided
+	var aliasValue interface{}
+	if item.Alias != nil {
+		aliasValue = models.StringArray(*item.Alias)
+	}
+
 	// Update threat model
 	// Note: modified_at is handled automatically by GORM's autoUpdateTime tag
 	updates := map[string]interface{}{
@@ -489,6 +510,9 @@ func (s *GormThreatModelStore) Update(id string, item ThreatModel) error {
 	if statusUpdated != nil {
 		updates["status_updated"] = statusUpdated
 	}
+	if aliasValue != nil {
+		updates["alias"] = aliasValue
+	}
 
 	result := tx.Model(&models.ThreatModel{}).Where("id = ?", id).Updates(updates)
 	if result.Error != nil {

api/database_store_gorm.go

@@ -117,17 +117,18 @@ func (c *ClientCredential) BeforeCreate(tx *gorm.DB) error {
 // Note: Explicit column tags removed for Oracle compatibility (Oracle stores column names as UPPERCASE,
 // and the Oracle GORM driver doesn't handle case-insensitive matching with explicit column tags)
 type ThreatModel struct {
-	ID                    string     `gorm:"primaryKey;type:varchar(36)"`
-	OwnerInternalUUID     string     `gorm:"type:varchar(36);not null;index:idx_tm_owner;index:idx_tm_owner_created,priority:1"`
-	Name                  string     `gorm:"type:varchar(256);not null"`
-	Description           *string    `gorm:"type:varchar(1024)"`
-	CreatedByInternalUUID string     `gorm:"type:varchar(36);not null;index:idx_tm_created_by"`
-	ThreatModelFramework  string     `gorm:"type:varchar(30);default:STRIDE;index:idx_tm_framework"`
-	IssueURI              *string    `gorm:"type:varchar(1000)"`
-	Status                *string    `gorm:"type:varchar(128);index:idx_tm_status"`
-	StatusUpdated         *time.Time `gorm:"index:idx_tm_status_updated"`
-	CreatedAt             time.Time  `gorm:"not null;autoCreateTime;index:idx_tm_owner_created,priority:2"`
-	ModifiedAt            time.Time  `gorm:"not null;autoUpdateTime"`
+	ID                    string      `gorm:"primaryKey;type:varchar(36)"`
+	OwnerInternalUUID     string      `gorm:"type:varchar(36);not null;index:idx_tm_owner;index:idx_tm_owner_created,priority:1"`
+	Name                  string      `gorm:"type:varchar(256);not null"`
+	Description           *string     `gorm:"type:varchar(1024)"`
+	CreatedByInternalUUID string      `gorm:"type:varchar(36);not null;index:idx_tm_created_by"`
+	ThreatModelFramework  string      `gorm:"type:varchar(30);default:STRIDE;index:idx_tm_framework"`
+	IssueURI              *string     `gorm:"type:varchar(1000)"`
+	Status                *string     `gorm:"type:varchar(128);index:idx_tm_status"`
+	StatusUpdated         *time.Time  `gorm:"index:idx_tm_status_updated"`
+	Alias                 StringArray `gorm:"column:alias"` // Alternative names/identifiers
+	CreatedAt             time.Time   `gorm:"not null;autoCreateTime;index:idx_tm_owner_created,priority:2"`
+	ModifiedAt            time.Time   `gorm:"not null;autoUpdateTime"`
 
 	// Relationships
 	Owner     User      `gorm:"foreignKey:OwnerInternalUUID;references:InternalUUID"`
@@ -232,6 +233,8 @@ type Threat struct {
 	Mitigated     DBBool      `gorm:"index:idx_threats_mitigated"`
 	Status        *string     `gorm:"type:varchar(128);index:idx_threats_status"`
 	ThreatType    StringArray `gorm:"not null"`
+	CweID         StringArray `gorm:"column:cwe_id"` // CWE identifiers (e.g., CWE-89)
+	Cvss          CVSSArray   `gorm:"column:cvss"`   // CVSS vector and score pairs
 	Mitigation    *string     `gorm:"type:varchar(1024)"`
 	IssueURI      *string     `gorm:"type:varchar(1000)"`
 	// Note: autoCreateTime/autoUpdateTime tags removed for Oracle compatibility.

api/models/models.go

@@ -118,6 +118,76 @@ func (a *StringArray) Scan(value interface{}) error {
 	return json.Unmarshal(bytes, a)
 }
 
+// CVSSScore represents a CVSS vector and score pair for threat assessment
+type CVSSScore struct {
+	Vector string  `json:"vector"`
+	Score  float64 `json:"score"`
+}
+
+// CVSSArray is a custom type that stores CVSS score arrays as JSON
+// This outputs JSON array format [{"vector":"...","score":9.8}] which works for both
+// PostgreSQL JSONB columns and Oracle JSON columns
+type CVSSArray []CVSSScore
+
+// GormDBDataType implements the GormDBDataTypeInterface to return
+// dialect-specific column types for cross-database compatibility
+func (CVSSArray) GormDBDataType(db *gorm.DB, _ *schema.Field) string {
+	switch db.Name() {
+	case dialectPostgres:
+		return "TEXT"
+	case dialectOracle:
+		return "CLOB"
+	case dialectMySQL:
+		return "LONGTEXT"
+	case dialectSQLServer:
+		return "NVARCHAR(MAX)"
+	case dialectSQLite:
+		return "TEXT"
+	default:
+		return "TEXT"
+	}
+}
+
+// Value implements the driver.Valuer interface for database writes
+// Outputs JSON array format: [{"vector":"...","score":9.8}]
+func (a CVSSArray) Value() (driver.Value, error) {
+	if len(a) == 0 {
+		return "[]", nil
+	}
+	bytes, err := json.Marshal(a)
+	if err != nil {
+		return nil, err
+	}
+	return string(bytes), nil
+}
+
+// Scan implements the sql.Scanner interface for database reads
+func (a *CVSSArray) Scan(value interface{}) error {
+	if value == nil {
+		*a = []CVSSScore{}
+		return nil
+	}
+
+	var bytes []byte
+	switch v := value.(type) {
+	case []byte:
+		bytes = v
+	case string:
+		bytes = []byte(v)
+	default:
+		return fmt.Errorf("cannot scan type %T into CVSSArray", value)
+	}
+
+	// Handle empty values
+	if len(bytes) == 0 || string(bytes) == "[]" {
+		*a = []CVSSScore{}
+		return nil
+	}
+
+	// Handle JSON array format
+	return json.Unmarshal(bytes, a)
+}
+
 // JSONMap is a custom type that stores JSON objects
 // This works across both PostgreSQL JSONB and Oracle JSON
 type JSONMap map[string]interface{}

api/models/types.go

@@ -887,6 +887,19 @@ func (s *GormThreatStore) toGormModelForCreate(threat *Threat) *models.Threat {
 		assetID := threat.AssetId.String()
 		gm.AssetID = &assetID
 	}
+	if threat.CweId != nil && len(*threat.CweId) > 0 {
+		gm.CweID = models.StringArray(*threat.CweId)
+	}
+	if threat.Cvss != nil && len(*threat.Cvss) > 0 {
+		cvssArray := make(models.CVSSArray, len(*threat.Cvss))
+		for i, c := range *threat.Cvss {
+			cvssArray[i] = models.CVSSScore{
+				Vector: c.Vector,
+				Score:  float64(c.Score),
+			}
+		}
+		gm.Cvss = cvssArray
+	}
 
 	return gm
 }
@@ -962,6 +975,20 @@ func (s *GormThreatStore) toAPIModel(gm *models.Threat) *Threat {
 			threat.AssetId = &assetID
 		}
 	}
+	if len(gm.CweID) > 0 {
+		cweSlice := []string(gm.CweID)
+		threat.CweId = &cweSlice
+	}
+	if len(gm.Cvss) > 0 {
+		cvssSlice := make([]CVSSScore, len(gm.Cvss))
+		for i, c := range gm.Cvss {
+			cvssSlice[i] = CVSSScore{
+				Vector: c.Vector,
+				Score:  float32(c.Score),
+			}
+		}
+		threat.Cvss = &cvssSlice
+	}
 
 	return threat
 }

api/threat_store_gorm.go

@@ -27,9 +27,9 @@ var (
 	// Major version number
 	VersionMajor = "0"
 	// Minor version number
-	VersionMinor = "269"
+	VersionMinor = "270"
 	// Patch version number
-	VersionPatch = "2"
+	VersionPatch = "1"
 	// GitCommit is the git commit hash from build
 	GitCommit = "development"
 	// BuildDate is the build timestamp

api/version.go

@@ -2368,6 +2368,19 @@
             "description": "Status of the threat model in the organization's threat modeling or SDLC process. Examples: \"Not started\", \"In progress\", \"Review\", \"Approved\", \"Closed\"",
             "maxLength": 128,
             "pattern": "^[^\\x00-\\x1F]*$"
+          },
+          "alias": {
+            "type": "array",
+            "description": "Alternative names or identifiers for the threat model",
+            "items": {
+              "type": "string",
+              "minLength": 3,
+              "maxLength": 30,
+              "pattern": "^[a-zA-Z0-9_-]+$"
+            },
+            "minItems": 1,
+            "maxItems": 20,
+            "uniqueItems": true
           }
         },
         "required": [
@@ -2397,6 +2410,10 @@
               "email": "alice@example.com",
               "role": "owner"
             }
+          ],
+          "alias": [
+            "payment-gateway-v2",
+            "PG-TM-2024"
           ]
         }
       },
@@ -2576,6 +2593,28 @@
             "nullable": true,
             "maxLength": 36,
             "pattern": "^[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*$"
+          },
+          "cwe_id": {
+            "type": "array",
+            "description": "CWE (Common Weakness Enumeration) identifiers associated with this threat",
+            "items": {
+              "type": "string",
+              "minLength": 5,
+              "maxLength": 16,
+              "pattern": "^CWE-[0-9]+$"
+            },
+            "minItems": 1,
+            "maxItems": 50,
+            "uniqueItems": true
+          },
+          "cvss": {
+            "type": "array",
+            "description": "CVSS scoring information for this threat",
+            "items": {
+              "$ref": "#/components/schemas/CVSSScore"
+            },
+            "minItems": 1,
+            "maxItems": 10
           }
         },
         "required": [
@@ -2588,7 +2627,16 @@
             "Tampering"
           ],
           "description": "Attacker could inject malicious SQL through payment form fields",
-          "priority": "high"
+          "priority": "high",
+          "cwe_id": [
+            "CWE-89"
+          ],
+          "cvss": [
+            {
+              "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "score": 9.8
+            }
+          ]
         }
       },
       "ThreatInput": {
@@ -6028,6 +6076,35 @@
           "status"
         ],
         "additionalProperties": false
+      },
+      "CVSSScore": {
+        "type": "object",
+        "description": "CVSS vector and score pair",
+        "properties": {
+          "vector": {
+            "type": "string",
+            "description": "CVSS vector string (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)",
+            "minLength": 26,
+            "maxLength": 250,
+            "pattern": "^[A-Za-z0-9.:/_-]+$"
+          },
+          "score": {
+            "type": "number",
+            "description": "CVSS score (0.0-10.0)",
+            "minimum": 0.0,
+            "maximum": 10.0,
+            "multipleOf": 0.1
+          }
+        },
+        "required": [
+          "vector",
+          "score"
+        ],
+        "additionalProperties": false,
+        "example": {
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+          "score": 9.8
+        }
       }
     },
     "responses": {