refactor: add normalized id field to all three alert sources

Each source now has a pre-computed `id` field so Claude can deduplicate
with simple string matching instead of inferring IDs:
- Trivy: extracted into trivy-alerts.json with id = VulnerabilityID
- Dependabot: id = cve_id (preferred) or ghsa_id (fallback)
- CodeQL: id = "codeql:" + rule_id

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: msukkari

.github/workflows/trivy-vulnerability-triage.yml

@@ -218,11 +218,21 @@ jobs:
         with:
           name: trivy-results
 
-      - name: Ensure Trivy results file exists
+      - name: Normalize Trivy results
         run: |
           if [ ! -f trivy-results.json ]; then
             echo '{"Results":[]}' > trivy-results.json
           fi
+          jq '[.Results[]? | .Vulnerabilities[]? | {
+            id: .VulnerabilityID,
+            severity: .Severity,
+            pkg_name: .PkgName,
+            installed_version: .InstalledVersion,
+            fixed_version: (.FixedVersion // ""),
+            title: (.Title // ""),
+            description: (.Description // ""),
+            references: ([.References[]?] // [])
+          }]' trivy-results.json > trivy-alerts.json
 
       - name: Fetch Dependabot alerts
         env:
@@ -258,6 +268,7 @@ jobs:
             fi
 
             EXTRACTED=$(echo "$BODY" | jq '[.[] | {
+              id: (.security_advisory.cve_id // .security_advisory.ghsa_id // ""),
               cve_id: (.security_advisory.cve_id // empty),
               ghsa_id: (.security_advisory.ghsa_id // empty),
               severity: (.security_advisory.severity // "medium"),
@@ -295,7 +306,7 @@ jobs:
               echo "" >> "$GITHUB_STEP_SUMMARY"
               echo "| CVE / GHSA | Severity | Package | Ecosystem | Patched Version |" >> "$GITHUB_STEP_SUMMARY"
               echo "|------------|----------|---------|-----------|-----------------|" >> "$GITHUB_STEP_SUMMARY"
-              jq -r '.[] | "| \(.cve_id // .ghsa_id) | \(.severity) | \(.package_name) | \(.package_ecosystem) | \(.first_patched_version // "N/A") |"' dependabot-alerts.json >> "$GITHUB_STEP_SUMMARY"
+              jq -r '.[] | "| \(.id) | \(.severity) | \(.package_name) | \(.package_ecosystem) | \(.first_patched_version // "N/A") |"' dependabot-alerts.json >> "$GITHUB_STEP_SUMMARY"
             fi
           fi
 
@@ -333,6 +344,7 @@ jobs:
             fi
 
             EXTRACTED=$(echo "$BODY" | jq '[.[] | {
+              id: ("codeql:" + (.rule.id // "")),
               number: .number,
               rule_id: (.rule.id // ""),
               rule_description: (.rule.description // ""),
@@ -370,7 +382,7 @@ jobs:
               echo "" >> "$GITHUB_STEP_SUMMARY"
               echo "| Rule ID | Severity | Tool | File | Lines |" >> "$GITHUB_STEP_SUMMARY"
               echo "|---------|----------|------|------|-------|" >> "$GITHUB_STEP_SUMMARY"
-              jq -r '.[] | "| \(.rule_id) | \(.security_severity_level) | \(.tool_name) | \(.location_path) | \(.location_start_line)-\(.location_end_line) |"' codeql-alerts.json >> "$GITHUB_STEP_SUMMARY"
+              jq -r '.[] | "| \(.id) | \(.security_severity_level) | \(.tool_name) | \(.location_path) | \(.location_start_line)-\(.location_end_line) |"' codeql-alerts.json >> "$GITHUB_STEP_SUMMARY"
             fi
           fi
 
@@ -388,30 +400,29 @@ jobs:
             --json-schema '{"type":"object","properties":{"cves":{"type":"array","items":{"type":"object","properties":{"cveId":{"type":"string","description":"CVE ID, GHSA ID, or codeql:<rule-id>"},"severity":{"type":"string","enum":["CRITICAL","HIGH","MEDIUM","LOW"]},"source":{"type":"string","enum":["trivy","dependabot","codeql","trivy+dependabot"],"description":"Which scanner(s) reported this finding"},"title":{"type":"string","description":"Short summary for the Linear issue title"},"description":{"type":"string","description":"Markdown analysis: affected packages, direct vs transitive, remediation steps, and references"},"affectedPackage":{"type":"string"},"linearIssueExists":{"type":"boolean"}},"required":["cveId","severity","source","title","description","affectedPackage","linearIssueExists"]}}},"required":["cves"]}'
           prompt: |
             You are a security engineer triaging vulnerabilities and security findings for the Sourcebot Docker image.
-            You have three data sources to analyze:
+            You have three data sources to analyze. Each is a JSON array where every entry has a pre-computed
+            `id` field for deterministic deduplication:
 
-            1. **Trivy scan results** in `trivy-results.json` — container image vulnerability scan (JSON format with `Results[].Vulnerabilities[]` array)
-            2. **Dependabot alerts** in `dependabot-alerts.json` — GitHub dependency vulnerability alerts
-            3. **CodeQL alerts** in `codeql-alerts.json` — GitHub code scanning findings
+            1. **Trivy scan results** in `trivy-alerts.json` — each entry has `id` (CVE ID, e.g., `CVE-2024-1234`)
+            2. **Dependabot alerts** in `dependabot-alerts.json` — each entry has `id` (CVE ID or GHSA ID)
+            3. **CodeQL alerts** in `codeql-alerts.json` — each entry has `id` (prefixed, e.g., `codeql:js/sql-injection`)
 
             ## Your Task
 
-            1. Read and analyze all three data sources. For **each unique finding**, produce a separate entry
-               in the `cves` array.
+            1. Read and analyze all three data sources. For **each unique `id`**, produce a separate entry
+               in the `cves` array. Use the `id` field as the `cveId`.
 
-            2. **Deduplication**: Trivy and Dependabot may report the same CVE. If a CVE ID appears in both
-               Trivy results and Dependabot alerts, merge them into a single entry with `source: "trivy+dependabot"`.
-               Combine information from both sources in the description. CodeQL alerts are always unique — they
-               use rule IDs, not CVE IDs.
+            2. **Deduplication**: If the same `id` appears in both `trivy-alerts.json` and `dependabot-alerts.json`,
+               merge them into a single entry with `source: "trivy+dependabot"`. Combine information from both
+               sources in the description. CodeQL `id` values are prefixed with `codeql:` so they never collide.
 
             3. For **Trivy and Dependabot findings**:
-               - Use the CVE ID (e.g., `CVE-2024-1234`) as `cveId`. If a Dependabot alert only has a GHSA ID
-                 and no CVE ID, use the GHSA ID (e.g., `GHSA-xxxx-xxxx-xxxx`) as `cveId`.
+               - Use the `id` field as `cveId`.
                - Set `source` to `"trivy"`, `"dependabot"`, or `"trivy+dependabot"` as appropriate.
                - Include the affected package, severity, remediation steps, and whether it is direct or transitive.
 
             4. For **CodeQL findings**:
-               - Use `codeql:<rule_id>` as the `cveId` (e.g., `codeql:js/sql-injection`).
+               - Use the `id` field as `cveId` (already prefixed with `codeql:`).
                - Set `source` to `"codeql"`.
                - Include the file location (path and line numbers) and rule description in the `description`.
                - Include the alert URL for reference.