Align AOC tasks for Excititor and Concelier

2025-10-31 18:50:15 +02:00
parent 9e6d9fbae8
commit 8da4e12a90
334 changed files with 35528 additions and 34546 deletions
--- a/src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Linksets/AdvisoryObservationFactoryTests.cs
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Linksets/AdvisoryObservationFactoryTests.cs
@@ -34,12 +34,34 @@ public sealed class AdvisoryObservationFactoryTests

        Assert.Equal(SampleTimestamp, observation.CreatedAt);
        Assert.Equal(new[] { "cve-2025-0001", "ghsa-xxxx-yyyy" }, observation.Linkset.Aliases);
-        Assert.Equal(new[] { "pkg:npm/left-pad@1.0.0" }, observation.Linkset.Purls);
-        Assert.Equal(new[] { "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*" }, observation.Linkset.Cpes);
-        var reference = Assert.Single(observation.Linkset.References);
-        Assert.Equal("advisory", reference.Type);
-        Assert.Equal("https://example.test/advisory", reference.Url);
-    }
+        Assert.Equal(new[] { "pkg:npm/left-pad@1.0.0" }, observation.Linkset.Purls);
+        Assert.Equal(new[] { "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*" }, observation.Linkset.Cpes);
+        var reference = Assert.Single(observation.Linkset.References);
+        Assert.Equal("advisory", reference.Type);
+        Assert.Equal("https://example.test/advisory", reference.Url);
+
+        Assert.Equal(
+            new[] { "GHSA-XXXX-YYYY", "  CVE-2025-0001 ", "ghsa-XXXX-YYYY", "   CVE-2025-0001   " },
+            observation.RawLinkset.Aliases);
+        Assert.Equal(
+            new[] { "pkg:NPM/left-pad@1.0.0", "pkg:npm/left-pad@1.0.0?foo=bar" },
+            observation.RawLinkset.PackageUrls);
+        Assert.Equal(
+            new[] { "cpe:/a:Example:Product:1.0", "cpe:/a:example:product:1.0" },
+            observation.RawLinkset.Cpes);
+        Assert.Collection(
+            observation.RawLinkset.References,
+            first =>
+            {
+                Assert.Equal("Advisory", first.Type);
+                Assert.Equal(" https://example.test/advisory ", first.Url);
+            },
+            second =>
+            {
+                Assert.Equal("ADVISORY", second.Type);
+                Assert.Equal("https://example.test/advisory", second.Url);
+            });
+    }

    [Fact]
    public void Create_SetsSourceAndUpstreamFields()
@@ -96,13 +118,15 @@ public sealed class AdvisoryObservationFactoryTests
            },
            supersedes: "tenant-a:vendor-x:previous:sha256:123");

-        var observation = factory.Create(rawDocument);
-
-        Assert.Equal("1.0.0", observation.Attributes["linkset.note.range-introduced"]);
-        Assert.Equal("1.0.5", observation.Attributes["linkset.note.range-fixed"]);
-        Assert.Equal("tenant-a:vendor-x:previous:sha256:123", observation.Attributes["supersedes"]);
-        Assert.Equal("connector-a;connector-b", observation.Attributes["linkset.reconciled_from"]);
-    }
+        var observation = factory.Create(rawDocument);
+
+        Assert.Equal("1.0.0", observation.Attributes["linkset.note.range-introduced"]);
+        Assert.Equal("1.0.5", observation.Attributes["linkset.note.range-fixed"]);
+        Assert.Equal("tenant-a:vendor-x:previous:sha256:123", observation.Attributes["supersedes"]);
+        Assert.Equal("connector-a;connector-b", observation.Attributes["linkset.reconciled_from"]);
+        Assert.Equal(notes, observation.RawLinkset.Notes);
+        Assert.Equal(new[] { "connector-a", "connector-b" }, observation.RawLinkset.ReconciledFrom);
+    }

    private static AdvisoryRawDocument BuildRawDocument(
        RawSourceMetadata? source = null,
--- a/src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Observations/AdvisoryObservationQueryServiceTests.cs
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Observations/AdvisoryObservationQueryServiceTests.cs
@@ -1,7 +1,9 @@
-using System.Collections.Immutable;
+using System.Collections.Immutable;
+using System.Linq;
 using System.Text.Json.Nodes;
-using StellaOps.Concelier.Core.Observations;
-using StellaOps.Concelier.Models.Observations;
+using StellaOps.Concelier.Core.Observations;
+using StellaOps.Concelier.Models.Observations;
+using StellaOps.Concelier.RawModels;
 using Xunit;

 namespace StellaOps.Concelier.Core.Tests.Observations;
@@ -224,18 +226,28 @@ public sealed class AdvisoryObservationQueryServiceTests
            contentHash: $"sha256:{observationId}",
            signature: DefaultSignature);

-        var content = new AdvisoryObservationContent("CSAF", "2.0", raw);
-        var linkset = new AdvisoryObservationLinkset(aliases, purls, cpes, references);
-
-        return new AdvisoryObservation(
-            observationId,
-            tenant,
-            DefaultSource,
-            upstream,
-            content,
-            linkset,
-            createdAt);
-    }
+        var content = new AdvisoryObservationContent("CSAF", "2.0", raw);
+        var linkset = new AdvisoryObservationLinkset(aliases, purls, cpes, references);
+        var rawLinkset = new RawLinkset
+        {
+            Aliases = aliases.ToImmutableArray(),
+            PackageUrls = purls.ToImmutableArray(),
+            Cpes = cpes.ToImmutableArray(),
+            References = references
+                .Select(static reference => new RawReference(reference.Type, reference.Url))
+                .ToImmutableArray()
+        };
+
+        return new AdvisoryObservation(
+            observationId,
+            tenant,
+            DefaultSource,
+            upstream,
+            content,
+            linkset,
+            rawLinkset,
+            createdAt);
+    }

    private sealed class InMemoryLookup : IAdvisoryObservationLookup
    {
--- a/src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Raw/AdvisoryRawServiceTests.cs
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Raw/AdvisoryRawServiceTests.cs
@@ -1,5 +1,6 @@
 using System;
-using System.Collections.Immutable;
+using System.Collections.Immutable;
+using System.Linq;
 using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
@@ -66,7 +67,7 @@ public sealed class AdvisoryRawServiceTests
        await service.IngestAsync(document, CancellationToken.None);

        Assert.NotNull(repository.CapturedDocument);
-        Assert.Equal(aliasSeries, repository.CapturedDocument!.Identifiers.Aliases);
+        Assert.True(aliasSeries.SequenceEqual(repository.CapturedDocument!.Identifiers.Aliases));
    }

    private static AdvisoryRawService CreateService(RecordingRepository repository)
--- a/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/ghsa-semver.actual.json
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/ghsa-semver.actual.json
@@ -1,127 +0,0 @@
-{
-  "advisoryKey": "GHSA-aaaa-bbbb-cccc",
-  "affectedPackages": [
-    {
-      "type": "semver",
-      "identifier": "pkg:npm/example-widget",
-      "platform": null,
-      "versionRanges": [
-        {
-          "fixedVersion": "2.5.1",
-          "introducedVersion": null,
-          "lastAffectedVersion": null,
-          "primitives": null,
-          "provenance": {
-            "source": "ghsa",
-            "kind": "map",
-            "value": "ghsa-aaaa-bbbb-cccc",
-            "decisionReason": null,
-            "recordedAt": "2024-03-05T10:00:00+00:00",
-            "fieldMask": []
-          },
-          "rangeExpression": ">=0.0.0 <2.5.1",
-          "rangeKind": "semver"
-        },
-        {
-          "fixedVersion": "3.2.4",
-          "introducedVersion": "3.0.0",
-          "lastAffectedVersion": null,
-          "primitives": null,
-          "provenance": {
-            "source": "ghsa",
-            "kind": "map",
-            "value": "ghsa-aaaa-bbbb-cccc",
-            "decisionReason": null,
-            "recordedAt": "2024-03-05T10:00:00+00:00",
-            "fieldMask": []
-          },
-          "rangeExpression": null,
-          "rangeKind": "semver"
-        }
-      ],
-      "normalizedVersions": [],
-      "statuses": [],
-      "provenance": [
-        {
-          "source": "ghsa",
-          "kind": "map",
-          "value": "ghsa-aaaa-bbbb-cccc",
-          "decisionReason": null,
-          "recordedAt": "2024-03-05T10:00:00+00:00",
-          "fieldMask": []
-        }
-      ]
-    }
-  ],
-  "aliases": [
-    "CVE-2024-2222",
-    "GHSA-aaaa-bbbb-cccc"
-  ],
-  "canonicalMetricId": null,
-  "credits": [],
-  "cvssMetrics": [
-    {
-      "baseScore": 8.8,
-      "baseSeverity": "high",
-      "provenance": {
-        "source": "ghsa",
-        "kind": "map",
-        "value": "ghsa-aaaa-bbbb-cccc",
-        "decisionReason": null,
-        "recordedAt": "2024-03-05T10:00:00+00:00",
-        "fieldMask": []
-      },
-      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
-      "version": "3.1"
-    }
-  ],
-  "cwes": [],
-  "description": null,
-  "exploitKnown": false,
-  "language": "en",
-  "modified": "2024-03-04T12:00:00+00:00",
-  "provenance": [
-    {
-      "source": "ghsa",
-      "kind": "map",
-      "value": "ghsa-aaaa-bbbb-cccc",
-      "decisionReason": null,
-      "recordedAt": "2024-03-05T10:00:00+00:00",
-      "fieldMask": []
-    }
-  ],
-  "published": "2024-03-04T00:00:00+00:00",
-  "references": [
-    {
-      "kind": "patch",
-      "provenance": {
-        "source": "ghsa",
-        "kind": "map",
-        "value": "ghsa-aaaa-bbbb-cccc",
-        "decisionReason": null,
-        "recordedAt": "2024-03-05T10:00:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "ghsa",
-      "summary": "Patch commit",
-      "url": "https://github.com/example/widget/commit/abcd1234"
-    },
-    {
-      "kind": "advisory",
-      "provenance": {
-        "source": "ghsa",
-        "kind": "map",
-        "value": "ghsa-aaaa-bbbb-cccc",
-        "decisionReason": null,
-        "recordedAt": "2024-03-05T10:00:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "ghsa",
-      "summary": "GitHub Security Advisory",
-      "url": "https://github.com/example/widget/security/advisories/GHSA-aaaa-bbbb-cccc"
-    }
-  ],
-  "severity": "high",
-  "summary": "A crafted payload can pollute Object.prototype leading to RCE.",
-  "title": "Prototype pollution in widget.js"
-}
--- a/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/ghsa-semver.json
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/ghsa-semver.json
@@ -1,124 +1,127 @@
-{
-  "advisoryKey": "GHSA-aaaa-bbbb-cccc",
-  "affectedPackages": [
-    {
-      "type": "semver",
-      "identifier": "pkg:npm/example-widget",
-      "platform": null,
-      "versionRanges": [
-        {
-          "fixedVersion": "2.5.1",
-          "introducedVersion": null,
-          "lastAffectedVersion": null,
-          "primitives": null,
-          "provenance": {
-            "source": "ghsa",
-            "kind": "map",
-            "value": "ghsa-aaaa-bbbb-cccc",
-            "decisionReason": null,
-            "recordedAt": "2024-03-05T10:00:00+00:00",
-            "fieldMask": []
-          },
-          "rangeExpression": ">=0.0.0 <2.5.1",
-          "rangeKind": "semver"
-        },
-        {
-          "fixedVersion": "3.2.4",
-          "introducedVersion": "3.0.0",
-          "lastAffectedVersion": null,
-          "primitives": null,
-          "provenance": {
-            "source": "ghsa",
-            "kind": "map",
-            "value": "ghsa-aaaa-bbbb-cccc",
-            "decisionReason": null,
-            "recordedAt": "2024-03-05T10:00:00+00:00",
-            "fieldMask": []
-          },
-          "rangeExpression": null,
-          "rangeKind": "semver"
-        }
-      ],
-      "normalizedVersions": [],
-      "statuses": [],
-      "provenance": [
-        {
-          "source": "ghsa",
-          "kind": "map",
-          "value": "ghsa-aaaa-bbbb-cccc",
-          "decisionReason": null,
-          "recordedAt": "2024-03-05T10:00:00+00:00",
-          "fieldMask": []
-        }
-      ]
-    }
-  ],
-  "aliases": [
-    "CVE-2024-2222",
-    "GHSA-aaaa-bbbb-cccc"
-  ],
-  "credits": [],
-  "cvssMetrics": [
-    {
-      "baseScore": 8.8,
-      "baseSeverity": "high",
-      "provenance": {
-        "source": "ghsa",
-        "kind": "map",
-        "value": "ghsa-aaaa-bbbb-cccc",
-        "decisionReason": null,
-        "recordedAt": "2024-03-05T10:00:00+00:00",
-        "fieldMask": []
-      },
-      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
-      "version": "3.1"
-    }
-  ],
-  "exploitKnown": false,
-  "language": "en",
-  "modified": "2024-03-04T12:00:00+00:00",
-  "provenance": [
-    {
-      "source": "ghsa",
-      "kind": "map",
-      "value": "ghsa-aaaa-bbbb-cccc",
-      "decisionReason": null,
-      "recordedAt": "2024-03-05T10:00:00+00:00",
-      "fieldMask": []
-    }
-  ],
-  "published": "2024-03-04T00:00:00+00:00",
-  "references": [
-    {
-      "kind": "patch",
-      "provenance": {
-        "source": "ghsa",
-        "kind": "map",
-        "value": "ghsa-aaaa-bbbb-cccc",
-        "decisionReason": null,
-        "recordedAt": "2024-03-05T10:00:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "ghsa",
-      "summary": "Patch commit",
-      "url": "https://github.com/example/widget/commit/abcd1234"
-    },
-    {
-      "kind": "advisory",
-      "provenance": {
-        "source": "ghsa",
-        "kind": "map",
-        "value": "ghsa-aaaa-bbbb-cccc",
-        "decisionReason": null,
-        "recordedAt": "2024-03-05T10:00:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "ghsa",
-      "summary": "GitHub Security Advisory",
-      "url": "https://github.com/example/widget/security/advisories/GHSA-aaaa-bbbb-cccc"
-    }
-  ],
-  "severity": "high",
-  "summary": "A crafted payload can pollute Object.prototype leading to RCE.",
-  "title": "Prototype pollution in widget.js"
+{
+  "advisoryKey": "GHSA-aaaa-bbbb-cccc",
+  "affectedPackages": [
+    {
+      "type": "semver",
+      "identifier": "pkg:npm/example-widget",
+      "platform": null,
+      "versionRanges": [
+        {
+          "fixedVersion": "2.5.1",
+          "introducedVersion": null,
+          "lastAffectedVersion": null,
+          "primitives": null,
+          "provenance": {
+            "source": "ghsa",
+            "kind": "map",
+            "value": "ghsa-aaaa-bbbb-cccc",
+            "decisionReason": null,
+            "recordedAt": "2024-03-05T10:00:00+00:00",
+            "fieldMask": []
+          },
+          "rangeExpression": ">=0.0.0 <2.5.1",
+          "rangeKind": "semver"
+        },
+        {
+          "fixedVersion": "3.2.4",
+          "introducedVersion": "3.0.0",
+          "lastAffectedVersion": null,
+          "primitives": null,
+          "provenance": {
+            "source": "ghsa",
+            "kind": "map",
+            "value": "ghsa-aaaa-bbbb-cccc",
+            "decisionReason": null,
+            "recordedAt": "2024-03-05T10:00:00+00:00",
+            "fieldMask": []
+          },
+          "rangeExpression": null,
+          "rangeKind": "semver"
+        }
+      ],
+      "normalizedVersions": [],
+      "statuses": [],
+      "provenance": [
+        {
+          "source": "ghsa",
+          "kind": "map",
+          "value": "ghsa-aaaa-bbbb-cccc",
+          "decisionReason": null,
+          "recordedAt": "2024-03-05T10:00:00+00:00",
+          "fieldMask": []
+        }
+      ]
+    }
+  ],
+  "aliases": [
+    "CVE-2024-2222",
+    "GHSA-aaaa-bbbb-cccc"
+  ],
+  "canonicalMetricId": null,
+  "credits": [],
+  "cvssMetrics": [
+    {
+      "baseScore": 8.8,
+      "baseSeverity": "high",
+      "provenance": {
+        "source": "ghsa",
+        "kind": "map",
+        "value": "ghsa-aaaa-bbbb-cccc",
+        "decisionReason": null,
+        "recordedAt": "2024-03-05T10:00:00+00:00",
+        "fieldMask": []
+      },
+      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+      "version": "3.1"
+    }
+  ],
+  "cwes": [],
+  "description": null,
+  "exploitKnown": false,
+  "language": "en",
+  "modified": "2024-03-04T12:00:00+00:00",
+  "provenance": [
+    {
+      "source": "ghsa",
+      "kind": "map",
+      "value": "ghsa-aaaa-bbbb-cccc",
+      "decisionReason": null,
+      "recordedAt": "2024-03-05T10:00:00+00:00",
+      "fieldMask": []
+    }
+  ],
+  "published": "2024-03-04T00:00:00+00:00",
+  "references": [
+    {
+      "kind": "patch",
+      "provenance": {
+        "source": "ghsa",
+        "kind": "map",
+        "value": "ghsa-aaaa-bbbb-cccc",
+        "decisionReason": null,
+        "recordedAt": "2024-03-05T10:00:00+00:00",
+        "fieldMask": []
+      },
+      "sourceTag": "ghsa",
+      "summary": "Patch commit",
+      "url": "https://github.com/example/widget/commit/abcd1234"
+    },
+    {
+      "kind": "advisory",
+      "provenance": {
+        "source": "ghsa",
+        "kind": "map",
+        "value": "ghsa-aaaa-bbbb-cccc",
+        "decisionReason": null,
+        "recordedAt": "2024-03-05T10:00:00+00:00",
+        "fieldMask": []
+      },
+      "sourceTag": "ghsa",
+      "summary": "GitHub Security Advisory",
+      "url": "https://github.com/example/widget/security/advisories/GHSA-aaaa-bbbb-cccc"
+    }
+  ],
+  "severity": "high",
+  "summary": "A crafted payload can pollute Object.prototype leading to RCE.",
+  "title": "Prototype pollution in widget.js"
 }
--- a/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/kev-flag.actual.json
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/kev-flag.actual.json
@@ -1,45 +0,0 @@
-{
-  "advisoryKey": "CVE-2023-9999",
-  "affectedPackages": [],
-  "aliases": [
-    "CVE-2023-9999"
-  ],
-  "canonicalMetricId": null,
-  "credits": [],
-  "cvssMetrics": [],
-  "cwes": [],
-  "description": null,
-  "exploitKnown": true,
-  "language": "en",
-  "modified": "2024-02-09T16:22:00+00:00",
-  "provenance": [
-    {
-      "source": "cisa-kev",
-      "kind": "annotate",
-      "value": "kev",
-      "decisionReason": null,
-      "recordedAt": "2024-02-10T09:30:00+00:00",
-      "fieldMask": []
-    }
-  ],
-  "published": "2023-11-20T00:00:00+00:00",
-  "references": [
-    {
-      "kind": "kev",
-      "provenance": {
-        "source": "cisa-kev",
-        "kind": "annotate",
-        "value": "kev",
-        "decisionReason": null,
-        "recordedAt": "2024-02-10T09:30:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "cisa",
-      "summary": "CISA KEV entry",
-      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
-    }
-  ],
-  "severity": "critical",
-  "summary": "Unauthenticated RCE due to unsafe deserialization.",
-  "title": "Remote code execution in LegacyServer"
-}
--- a/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/kev-flag.json
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/kev-flag.json
@@ -1,42 +1,45 @@
-{
-  "advisoryKey": "CVE-2023-9999",
-  "affectedPackages": [],
-  "aliases": [
-    "CVE-2023-9999"
-  ],
-  "credits": [],
-  "cvssMetrics": [],
-  "exploitKnown": true,
-  "language": "en",
-  "modified": "2024-02-09T16:22:00+00:00",
-  "provenance": [
-    {
-      "source": "cisa-kev",
-      "kind": "annotate",
-      "value": "kev",
-      "decisionReason": null,
-      "recordedAt": "2024-02-10T09:30:00+00:00",
-      "fieldMask": []
-    }
-  ],
-  "published": "2023-11-20T00:00:00+00:00",
-  "references": [
-    {
-      "kind": "kev",
-      "provenance": {
-        "source": "cisa-kev",
-        "kind": "annotate",
-        "value": "kev",
-        "decisionReason": null,
-        "recordedAt": "2024-02-10T09:30:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "cisa",
-      "summary": "CISA KEV entry",
-      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
-    }
-  ],
-  "severity": "critical",
-  "summary": "Unauthenticated RCE due to unsafe deserialization.",
-  "title": "Remote code execution in LegacyServer"
+{
+  "advisoryKey": "CVE-2023-9999",
+  "affectedPackages": [],
+  "aliases": [
+    "CVE-2023-9999"
+  ],
+  "canonicalMetricId": null,
+  "credits": [],
+  "cvssMetrics": [],
+  "cwes": [],
+  "description": null,
+  "exploitKnown": true,
+  "language": "en",
+  "modified": "2024-02-09T16:22:00+00:00",
+  "provenance": [
+    {
+      "source": "cisa-kev",
+      "kind": "annotate",
+      "value": "kev",
+      "decisionReason": null,
+      "recordedAt": "2024-02-10T09:30:00+00:00",
+      "fieldMask": []
+    }
+  ],
+  "published": "2023-11-20T00:00:00+00:00",
+  "references": [
+    {
+      "kind": "kev",
+      "provenance": {
+        "source": "cisa-kev",
+        "kind": "annotate",
+        "value": "kev",
+        "decisionReason": null,
+        "recordedAt": "2024-02-10T09:30:00+00:00",
+        "fieldMask": []
+      },
+      "sourceTag": "cisa",
+      "summary": "CISA KEV entry",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    }
+  ],
+  "severity": "critical",
+  "summary": "Unauthenticated RCE due to unsafe deserialization.",
+  "title": "Remote code execution in LegacyServer"
 }
--- a/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/nvd-basic.actual.json
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/nvd-basic.actual.json
@@ -1,122 +0,0 @@
-{
-  "advisoryKey": "CVE-2024-1234",
-  "affectedPackages": [
-    {
-      "type": "cpe",
-      "identifier": "cpe:/a:examplecms:examplecms:1.0",
-      "platform": null,
-      "versionRanges": [
-        {
-          "fixedVersion": "1.0.5",
-          "introducedVersion": "1.0",
-          "lastAffectedVersion": null,
-          "primitives": null,
-          "provenance": {
-            "source": "nvd",
-            "kind": "map",
-            "value": "cve-2024-1234",
-            "decisionReason": null,
-            "recordedAt": "2024-08-01T12:00:00+00:00",
-            "fieldMask": []
-          },
-          "rangeExpression": null,
-          "rangeKind": "version"
-        }
-      ],
-      "normalizedVersions": [],
-      "statuses": [
-        {
-          "provenance": {
-            "source": "nvd",
-            "kind": "map",
-            "value": "cve-2024-1234",
-            "decisionReason": null,
-            "recordedAt": "2024-08-01T12:00:00+00:00",
-            "fieldMask": []
-          },
-          "status": "affected"
-        }
-      ],
-      "provenance": [
-        {
-          "source": "nvd",
-          "kind": "map",
-          "value": "cve-2024-1234",
-          "decisionReason": null,
-          "recordedAt": "2024-08-01T12:00:00+00:00",
-          "fieldMask": []
-        }
-      ]
-    }
-  ],
-  "aliases": [
-    "CVE-2024-1234"
-  ],
-  "canonicalMetricId": null,
-  "credits": [],
-  "cvssMetrics": [
-    {
-      "baseScore": 9.8,
-      "baseSeverity": "critical",
-      "provenance": {
-        "source": "nvd",
-        "kind": "map",
-        "value": "cve-2024-1234",
-        "decisionReason": null,
-        "recordedAt": "2024-08-01T12:00:00+00:00",
-        "fieldMask": []
-      },
-      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-      "version": "3.1"
-    }
-  ],
-  "cwes": [],
-  "description": null,
-  "exploitKnown": false,
-  "language": "en",
-  "modified": "2024-07-16T10:35:00+00:00",
-  "provenance": [
-    {
-      "source": "nvd",
-      "kind": "map",
-      "value": "cve-2024-1234",
-      "decisionReason": null,
-      "recordedAt": "2024-08-01T12:00:00+00:00",
-      "fieldMask": []
-    }
-  ],
-  "published": "2024-07-15T00:00:00+00:00",
-  "references": [
-    {
-      "kind": "advisory",
-      "provenance": {
-        "source": "example",
-        "kind": "fetch",
-        "value": "bulletin",
-        "decisionReason": null,
-        "recordedAt": "2024-07-14T15:00:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "vendor",
-      "summary": "Vendor bulletin",
-      "url": "https://example.org/security/CVE-2024-1234"
-    },
-    {
-      "kind": "advisory",
-      "provenance": {
-        "source": "nvd",
-        "kind": "map",
-        "value": "cve-2024-1234",
-        "decisionReason": null,
-        "recordedAt": "2024-08-01T12:00:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "nvd",
-      "summary": "NVD entry",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1234"
-    }
-  ],
-  "severity": "high",
-  "summary": "An integer overflow in ExampleCMS allows remote attackers to escalate privileges.",
-  "title": "Integer overflow in ExampleCMS"
-}
--- a/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/nvd-basic.json
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/nvd-basic.json
@@ -1,119 +1,122 @@
-{
-  "advisoryKey": "CVE-2024-1234",
-  "affectedPackages": [
-    {
-      "type": "cpe",
-      "identifier": "cpe:/a:examplecms:examplecms:1.0",
-      "platform": null,
-      "versionRanges": [
-        {
-          "fixedVersion": "1.0.5",
-          "introducedVersion": "1.0",
-          "lastAffectedVersion": null,
-          "primitives": null,
-          "provenance": {
-            "source": "nvd",
-            "kind": "map",
-            "value": "cve-2024-1234",
-            "decisionReason": null,
-            "recordedAt": "2024-08-01T12:00:00+00:00",
-            "fieldMask": []
-          },
-          "rangeExpression": null,
-          "rangeKind": "version"
-        }
-      ],
-      "normalizedVersions": [],
-      "statuses": [
-        {
-          "provenance": {
-            "source": "nvd",
-            "kind": "map",
-            "value": "cve-2024-1234",
-            "decisionReason": null,
-            "recordedAt": "2024-08-01T12:00:00+00:00",
-            "fieldMask": []
-          },
-          "status": "affected"
-        }
-      ],
-      "provenance": [
-        {
-          "source": "nvd",
-          "kind": "map",
-          "value": "cve-2024-1234",
-          "decisionReason": null,
-          "recordedAt": "2024-08-01T12:00:00+00:00",
-          "fieldMask": []
-        }
-      ]
-    }
-  ],
-  "aliases": [
-    "CVE-2024-1234"
-  ],
-  "credits": [],
-  "cvssMetrics": [
-    {
-      "baseScore": 9.8,
-      "baseSeverity": "critical",
-      "provenance": {
-        "source": "nvd",
-        "kind": "map",
-        "value": "cve-2024-1234",
-        "decisionReason": null,
-        "recordedAt": "2024-08-01T12:00:00+00:00",
-        "fieldMask": []
-      },
-      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-      "version": "3.1"
-    }
-  ],
-  "exploitKnown": false,
-  "language": "en",
-  "modified": "2024-07-16T10:35:00+00:00",
-  "provenance": [
-    {
-      "source": "nvd",
-      "kind": "map",
-      "value": "cve-2024-1234",
-      "decisionReason": null,
-      "recordedAt": "2024-08-01T12:00:00+00:00",
-      "fieldMask": []
-    }
-  ],
-  "published": "2024-07-15T00:00:00+00:00",
-  "references": [
-    {
-      "kind": "advisory",
-      "provenance": {
-        "source": "example",
-        "kind": "fetch",
-        "value": "bulletin",
-        "decisionReason": null,
-        "recordedAt": "2024-07-14T15:00:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "vendor",
-      "summary": "Vendor bulletin",
-      "url": "https://example.org/security/CVE-2024-1234"
-    },
-    {
-      "kind": "advisory",
-      "provenance": {
-        "source": "nvd",
-        "kind": "map",
-        "value": "cve-2024-1234",
-        "decisionReason": null,
-        "recordedAt": "2024-08-01T12:00:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "nvd",
-      "summary": "NVD entry",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1234"
-    }
-  ],
-  "severity": "high",
-  "summary": "An integer overflow in ExampleCMS allows remote attackers to escalate privileges.",
-  "title": "Integer overflow in ExampleCMS"
+{
+  "advisoryKey": "CVE-2024-1234",
+  "affectedPackages": [
+    {
+      "type": "cpe",
+      "identifier": "cpe:/a:examplecms:examplecms:1.0",
+      "platform": null,
+      "versionRanges": [
+        {
+          "fixedVersion": "1.0.5",
+          "introducedVersion": "1.0",
+          "lastAffectedVersion": null,
+          "primitives": null,
+          "provenance": {
+            "source": "nvd",
+            "kind": "map",
+            "value": "cve-2024-1234",
+            "decisionReason": null,
+            "recordedAt": "2024-08-01T12:00:00+00:00",
+            "fieldMask": []
+          },
+          "rangeExpression": null,
+          "rangeKind": "version"
+        }
+      ],
+      "normalizedVersions": [],
+      "statuses": [
+        {
+          "provenance": {
+            "source": "nvd",
+            "kind": "map",
+            "value": "cve-2024-1234",
+            "decisionReason": null,
+            "recordedAt": "2024-08-01T12:00:00+00:00",
+            "fieldMask": []
+          },
+          "status": "affected"
+        }
+      ],
+      "provenance": [
+        {
+          "source": "nvd",
+          "kind": "map",
+          "value": "cve-2024-1234",
+          "decisionReason": null,
+          "recordedAt": "2024-08-01T12:00:00+00:00",
+          "fieldMask": []
+        }
+      ]
+    }
+  ],
+  "aliases": [
+    "CVE-2024-1234"
+  ],
+  "canonicalMetricId": null,
+  "credits": [],
+  "cvssMetrics": [
+    {
+      "baseScore": 9.8,
+      "baseSeverity": "critical",
+      "provenance": {
+        "source": "nvd",
+        "kind": "map",
+        "value": "cve-2024-1234",
+        "decisionReason": null,
+        "recordedAt": "2024-08-01T12:00:00+00:00",
+        "fieldMask": []
+      },
+      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+      "version": "3.1"
+    }
+  ],
+  "cwes": [],
+  "description": null,
+  "exploitKnown": false,
+  "language": "en",
+  "modified": "2024-07-16T10:35:00+00:00",
+  "provenance": [
+    {
+      "source": "nvd",
+      "kind": "map",
+      "value": "cve-2024-1234",
+      "decisionReason": null,
+      "recordedAt": "2024-08-01T12:00:00+00:00",
+      "fieldMask": []
+    }
+  ],
+  "published": "2024-07-15T00:00:00+00:00",
+  "references": [
+    {
+      "kind": "advisory",
+      "provenance": {
+        "source": "example",
+        "kind": "fetch",
+        "value": "bulletin",
+        "decisionReason": null,
+        "recordedAt": "2024-07-14T15:00:00+00:00",
+        "fieldMask": []
+      },
+      "sourceTag": "vendor",
+      "summary": "Vendor bulletin",
+      "url": "https://example.org/security/CVE-2024-1234"
+    },
+    {
+      "kind": "advisory",
+      "provenance": {
+        "source": "nvd",
+        "kind": "map",
+        "value": "cve-2024-1234",
+        "decisionReason": null,
+        "recordedAt": "2024-08-01T12:00:00+00:00",
+        "fieldMask": []
+      },
+      "sourceTag": "nvd",
+      "summary": "NVD entry",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1234"
+    }
+  ],
+  "severity": "high",
+  "summary": "An integer overflow in ExampleCMS allows remote attackers to escalate privileges.",
+  "title": "Integer overflow in ExampleCMS"
 }
--- a/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/psirt-overlay.actual.json
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/psirt-overlay.actual.json
@@ -1,125 +0,0 @@
-{
-  "advisoryKey": "RHSA-2024:0252",
-  "affectedPackages": [
-    {
-      "type": "rpm",
-      "identifier": "kernel-0:4.18.0-553.el8.x86_64",
-      "platform": "rhel-8",
-      "versionRanges": [
-        {
-          "fixedVersion": null,
-          "introducedVersion": "0:4.18.0-553.el8",
-          "lastAffectedVersion": null,
-          "primitives": null,
-          "provenance": {
-            "source": "redhat",
-            "kind": "map",
-            "value": "rhsa-2024:0252",
-            "decisionReason": null,
-            "recordedAt": "2024-05-11T09:00:00+00:00",
-            "fieldMask": []
-          },
-          "rangeExpression": null,
-          "rangeKind": "nevra"
-        }
-      ],
-      "normalizedVersions": [],
-      "statuses": [
-        {
-          "provenance": {
-            "source": "redhat",
-            "kind": "map",
-            "value": "rhsa-2024:0252",
-            "decisionReason": null,
-            "recordedAt": "2024-05-11T09:00:00+00:00",
-            "fieldMask": []
-          },
-          "status": "fixed"
-        }
-      ],
-      "provenance": [
-        {
-          "source": "redhat",
-          "kind": "enrich",
-          "value": "cve-2024-5678",
-          "decisionReason": null,
-          "recordedAt": "2024-05-11T09:05:00+00:00",
-          "fieldMask": []
-        },
-        {
-          "source": "redhat",
-          "kind": "map",
-          "value": "rhsa-2024:0252",
-          "decisionReason": null,
-          "recordedAt": "2024-05-11T09:00:00+00:00",
-          "fieldMask": []
-        }
-      ]
-    }
-  ],
-  "aliases": [
-    "CVE-2024-5678",
-    "RHSA-2024:0252"
-  ],
-  "canonicalMetricId": null,
-  "credits": [],
-  "cvssMetrics": [
-    {
-      "baseScore": 6.7,
-      "baseSeverity": "medium",
-      "provenance": {
-        "source": "redhat",
-        "kind": "map",
-        "value": "rhsa-2024:0252",
-        "decisionReason": null,
-        "recordedAt": "2024-05-11T09:00:00+00:00",
-        "fieldMask": []
-      },
-      "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
-      "version": "3.1"
-    }
-  ],
-  "cwes": [],
-  "description": null,
-  "exploitKnown": false,
-  "language": "en",
-  "modified": "2024-05-11T08:15:00+00:00",
-  "provenance": [
-    {
-      "source": "redhat",
-      "kind": "enrich",
-      "value": "cve-2024-5678",
-      "decisionReason": null,
-      "recordedAt": "2024-05-11T09:05:00+00:00",
-      "fieldMask": []
-    },
-    {
-      "source": "redhat",
-      "kind": "map",
-      "value": "rhsa-2024:0252",
-      "decisionReason": null,
-      "recordedAt": "2024-05-11T09:00:00+00:00",
-      "fieldMask": []
-    }
-  ],
-  "published": "2024-05-10T19:28:00+00:00",
-  "references": [
-    {
-      "kind": "advisory",
-      "provenance": {
-        "source": "redhat",
-        "kind": "map",
-        "value": "rhsa-2024:0252",
-        "decisionReason": null,
-        "recordedAt": "2024-05-11T09:00:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "redhat",
-      "summary": "Red Hat security advisory",
-      "url": "https://access.redhat.com/errata/RHSA-2024:0252"
-    }
-  ],
-  "severity": "critical",
-  "summary": "Updates the Red Hat Enterprise Linux kernel to address CVE-2024-5678.",
-  "title": "Important: kernel security update"
-}
--- a/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/psirt-overlay.json
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/psirt-overlay.json
@@ -1,122 +1,125 @@
-{
-  "advisoryKey": "RHSA-2024:0252",
-  "affectedPackages": [
-    {
-      "type": "rpm",
-      "identifier": "kernel-0:4.18.0-553.el8.x86_64",
-      "platform": "rhel-8",
-      "versionRanges": [
-        {
-          "fixedVersion": null,
-          "introducedVersion": "0:4.18.0-553.el8",
-          "lastAffectedVersion": null,
-          "primitives": null,
-          "provenance": {
-            "source": "redhat",
-            "kind": "map",
-            "value": "rhsa-2024:0252",
-            "decisionReason": null,
-            "recordedAt": "2024-05-11T09:00:00+00:00",
-            "fieldMask": []
-          },
-          "rangeExpression": null,
-          "rangeKind": "nevra"
-        }
-      ],
-      "normalizedVersions": [],
-      "statuses": [
-        {
-          "provenance": {
-            "source": "redhat",
-            "kind": "map",
-            "value": "rhsa-2024:0252",
-            "decisionReason": null,
-            "recordedAt": "2024-05-11T09:00:00+00:00",
-            "fieldMask": []
-          },
-          "status": "fixed"
-        }
-      ],
-      "provenance": [
-        {
-          "source": "redhat",
-          "kind": "enrich",
-          "value": "cve-2024-5678",
-          "decisionReason": null,
-          "recordedAt": "2024-05-11T09:05:00+00:00",
-          "fieldMask": []
-        },
-        {
-          "source": "redhat",
-          "kind": "map",
-          "value": "rhsa-2024:0252",
-          "decisionReason": null,
-          "recordedAt": "2024-05-11T09:00:00+00:00",
-          "fieldMask": []
-        }
-      ]
-    }
-  ],
-  "aliases": [
-    "CVE-2024-5678",
-    "RHSA-2024:0252"
-  ],
-  "credits": [],
-  "cvssMetrics": [
-    {
-      "baseScore": 6.7,
-      "baseSeverity": "medium",
-      "provenance": {
-        "source": "redhat",
-        "kind": "map",
-        "value": "rhsa-2024:0252",
-        "decisionReason": null,
-        "recordedAt": "2024-05-11T09:00:00+00:00",
-        "fieldMask": []
-      },
-      "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
-      "version": "3.1"
-    }
-  ],
-  "exploitKnown": false,
-  "language": "en",
-  "modified": "2024-05-11T08:15:00+00:00",
-  "provenance": [
-    {
-      "source": "redhat",
-      "kind": "enrich",
-      "value": "cve-2024-5678",
-      "decisionReason": null,
-      "recordedAt": "2024-05-11T09:05:00+00:00",
-      "fieldMask": []
-    },
-    {
-      "source": "redhat",
-      "kind": "map",
-      "value": "rhsa-2024:0252",
-      "decisionReason": null,
-      "recordedAt": "2024-05-11T09:00:00+00:00",
-      "fieldMask": []
-    }
-  ],
-  "published": "2024-05-10T19:28:00+00:00",
-  "references": [
-    {
-      "kind": "advisory",
-      "provenance": {
-        "source": "redhat",
-        "kind": "map",
-        "value": "rhsa-2024:0252",
-        "decisionReason": null,
-        "recordedAt": "2024-05-11T09:00:00+00:00",
-        "fieldMask": []
-      },
-      "sourceTag": "redhat",
-      "summary": "Red Hat security advisory",
-      "url": "https://access.redhat.com/errata/RHSA-2024:0252"
-    }
-  ],
-  "severity": "critical",
-  "summary": "Updates the Red Hat Enterprise Linux kernel to address CVE-2024-5678.",
-  "title": "Important: kernel security update"
+{
+  "advisoryKey": "RHSA-2024:0252",
+  "affectedPackages": [
+    {
+      "type": "rpm",
+      "identifier": "kernel-0:4.18.0-553.el8.x86_64",
+      "platform": "rhel-8",
+      "versionRanges": [
+        {
+          "fixedVersion": null,
+          "introducedVersion": "0:4.18.0-553.el8",
+          "lastAffectedVersion": null,
+          "primitives": null,
+          "provenance": {
+            "source": "redhat",
+            "kind": "map",
+            "value": "rhsa-2024:0252",
+            "decisionReason": null,
+            "recordedAt": "2024-05-11T09:00:00+00:00",
+            "fieldMask": []
+          },
+          "rangeExpression": null,
+          "rangeKind": "nevra"
+        }
+      ],
+      "normalizedVersions": [],
+      "statuses": [
+        {
+          "provenance": {
+            "source": "redhat",
+            "kind": "map",
+            "value": "rhsa-2024:0252",
+            "decisionReason": null,
+            "recordedAt": "2024-05-11T09:00:00+00:00",
+            "fieldMask": []
+          },
+          "status": "fixed"
+        }
+      ],
+      "provenance": [
+        {
+          "source": "redhat",
+          "kind": "enrich",
+          "value": "cve-2024-5678",
+          "decisionReason": null,
+          "recordedAt": "2024-05-11T09:05:00+00:00",
+          "fieldMask": []
+        },
+        {
+          "source": "redhat",
+          "kind": "map",
+          "value": "rhsa-2024:0252",
+          "decisionReason": null,
+          "recordedAt": "2024-05-11T09:00:00+00:00",
+          "fieldMask": []
+        }
+      ]
+    }
+  ],
+  "aliases": [
+    "CVE-2024-5678",
+    "RHSA-2024:0252"
+  ],
+  "canonicalMetricId": null,
+  "credits": [],
+  "cvssMetrics": [
+    {
+      "baseScore": 6.7,
+      "baseSeverity": "medium",
+      "provenance": {
+        "source": "redhat",
+        "kind": "map",
+        "value": "rhsa-2024:0252",
+        "decisionReason": null,
+        "recordedAt": "2024-05-11T09:00:00+00:00",
+        "fieldMask": []
+      },
+      "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+      "version": "3.1"
+    }
+  ],
+  "cwes": [],
+  "description": null,
+  "exploitKnown": false,
+  "language": "en",
+  "modified": "2024-05-11T08:15:00+00:00",
+  "provenance": [
+    {
+      "source": "redhat",
+      "kind": "enrich",
+      "value": "cve-2024-5678",
+      "decisionReason": null,
+      "recordedAt": "2024-05-11T09:05:00+00:00",
+      "fieldMask": []
+    },
+    {
+      "source": "redhat",
+      "kind": "map",
+      "value": "rhsa-2024:0252",
+      "decisionReason": null,
+      "recordedAt": "2024-05-11T09:00:00+00:00",
+      "fieldMask": []
+    }
+  ],
+  "published": "2024-05-10T19:28:00+00:00",
+  "references": [
+    {
+      "kind": "advisory",
+      "provenance": {
+        "source": "redhat",
+        "kind": "map",
+        "value": "rhsa-2024:0252",
+        "decisionReason": null,
+        "recordedAt": "2024-05-11T09:00:00+00:00",
+        "fieldMask": []
+      },
+      "sourceTag": "redhat",
+      "summary": "Red Hat security advisory",
+      "url": "https://access.redhat.com/errata/RHSA-2024:0252"
+    }
+  ],
+  "severity": "critical",
+  "summary": "Updates the Red Hat Enterprise Linux kernel to address CVE-2024-5678.",
+  "title": "Important: kernel security update"
 }
--- a/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Observations/AdvisoryObservationTests.cs
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Observations/AdvisoryObservationTests.cs
@@ -1,7 +1,8 @@
 using System.Collections.Generic;
 using System.Collections.Immutable;
 using System.Text.Json.Nodes;
-using StellaOps.Concelier.Models.Observations;
+using StellaOps.Concelier.Models.Observations;
+using StellaOps.Concelier.RawModels;
 using Xunit;

 namespace StellaOps.Concelier.Models.Tests.Observations;
@@ -33,21 +34,32 @@ public sealed class AdvisoryObservationTests
                new AdvisoryObservationReference("advisory", "https://example.com/advisory")
            });

-        var attributes = ImmutableDictionary.CreateRange(new Dictionary<string, string>
-        {
-            [" region "] = "emea",
-            ["pipeline"] = "daily"
-        });
-
-        var observation = new AdvisoryObservation(
-            observationId: " tenant-a:CVE-2025-1234:1 ",
-            tenant: " Tenant-A ",
-            source: source,
-            upstream: upstream,
-            content: content,
-            linkset: linkset,
-            createdAt: DateTimeOffset.Parse("2025-10-01T01:00:06Z"),
-            attributes: attributes);
+        var attributes = ImmutableDictionary.CreateRange(new Dictionary<string, string>
+        {
+            [" region "] = "emea",
+            ["pipeline"] = "daily"
+        });
+
+        var rawLinkset = new RawLinkset
+        {
+            Aliases = ImmutableArray.Create(" Cve-2025-1234 ", "cve-2025-1234"),
+            PackageUrls = ImmutableArray.Create("pkg:generic/foo@1.0.0"),
+            Cpes = ImmutableArray.Create("cpe:/a:vendor:product:1"),
+            References = ImmutableArray.Create(new RawReference("ADVISORY", "https://example.com/advisory")),
+            ReconciledFrom = ImmutableArray.Create("pointer-1"),
+            Notes = ImmutableDictionary.CreateRange(new Dictionary<string, string> { ["note"] = "value" })
+        };
+
+        var observation = new AdvisoryObservation(
+            observationId: " tenant-a:CVE-2025-1234:1 ",
+            tenant: " Tenant-A ",
+            source: source,
+            upstream: upstream,
+            content: content,
+            linkset: linkset,
+            rawLinkset: rawLinkset,
+            createdAt: DateTimeOffset.Parse("2025-10-01T01:00:06Z"),
+            attributes: attributes);

        Assert.Equal("tenant-a:CVE-2025-1234:1", observation.ObservationId);
        Assert.Equal("tenant-a", observation.Tenant);
--- a/src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Migrations/EnsureAdvisoryObservationsRawLinksetMigrationTests.cs
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Migrations/EnsureAdvisoryObservationsRawLinksetMigrationTests.cs
@@ -0,0 +1,337 @@
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Linq;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging.Abstractions;
+using MongoDB.Bson;
+using MongoDB.Bson.Serialization;
+using MongoDB.Driver;
+using StellaOps.Concelier.RawModels;
+using StellaOps.Concelier.Storage.Mongo;
+using StellaOps.Concelier.Storage.Mongo.Migrations;
+using StellaOps.Concelier.Storage.Mongo.Observations;
+using StellaOps.Concelier.Storage.Mongo.Raw;
+using Xunit;
+
+namespace StellaOps.Concelier.Storage.Mongo.Tests.Migrations;
+
+[Collection("mongo-fixture")]
+public sealed class EnsureAdvisoryObservationsRawLinksetMigrationTests
+{
+    private readonly MongoIntegrationFixture _fixture;
+
+    public EnsureAdvisoryObservationsRawLinksetMigrationTests(MongoIntegrationFixture fixture)
+    {
+        _fixture = fixture;
+    }
+
+    [Fact]
+    public async Task ApplyAsync_BackfillsRawLinksetFromRawDocument()
+    {
+        var databaseName = $"concelier-rawlinkset-{Guid.NewGuid():N}";
+        var database = _fixture.Client.GetDatabase(databaseName);
+        await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Migrations);
+        await database.CreateCollectionAsync(MongoStorageDefaults.Collections.AdvisoryObservations);
+
+        try
+        {
+            var rawRepository = new MongoAdvisoryRawRepository(
+                database,
+                TimeProvider.System,
+                NullLogger<MongoAdvisoryRawRepository>.Instance);
+
+            var rawDocument = RawDocumentFactory.CreateAdvisory(
+                tenant: "tenant-a",
+                source: new RawSourceMetadata("Vendor-X", "connector-y", "1.0.0", "stable"),
+                upstream: new RawUpstreamMetadata(
+                    UpstreamId: "GHSA-2025-0001",
+                    DocumentVersion: "v1",
+                    RetrievedAt: DateTimeOffset.Parse("2025-10-29T12:34:56Z"),
+                    ContentHash: "sha256:abc123",
+                    Signature: new RawSignatureMetadata(true, "dsse", "key1", "sig1"),
+                    Provenance: ImmutableDictionary.CreateRange(new[] { new KeyValuePair<string, string>("api", "https://example.test/api") })),
+                content: new RawContent(
+                    Format: "OSV",
+                    SpecVersion: "1.0.0",
+                    Raw: ParseJsonElement("""{"id":"GHSA-2025-0001"}"""),
+                    Encoding: null),
+                identifiers: new RawIdentifiers(
+                    Aliases: ImmutableArray.Create("CVE-2025-0001", "cve-2025-0001"),
+                    PrimaryId: "CVE-2025-0001"),
+                linkset: new RawLinkset
+                {
+                    Aliases = ImmutableArray.Create("GHSA-xxxx-yyyy"),
+                    PackageUrls = ImmutableArray.Create("pkg:npm/example@1.0.0"),
+                    Cpes = ImmutableArray.Create("cpe:/a:example:product:1.0"),
+                    References = ImmutableArray.Create(new RawReference("advisory", "https://example.test/advisory", "vendor")),
+                    ReconciledFrom = ImmutableArray.Create("connector-y"),
+                    Notes = ImmutableDictionary.CreateRange(new[] { new KeyValuePair<string, string>("range-fixed", "1.0.1") })
+                });
+
+            await rawRepository.UpsertAsync(rawDocument, CancellationToken.None);
+
+            var expectedRawLinkset = BuildRawLinkset(rawDocument.Identifiers, rawDocument.Linkset);
+            var canonicalAliases = ImmutableArray.Create("cve-2025-0001", "ghsa-xxxx-yyyy");
+            var canonicalPurls = rawDocument.Linkset.PackageUrls;
+            var canonicalCpes = rawDocument.Linkset.Cpes;
+            var canonicalReferences = rawDocument.Linkset.References;
+
+            var observationId = "tenant-a:vendor-x:ghsa-2025-0001:sha256-abc123";
+            var observationBson = BuildObservationDocument(
+                observationId,
+                rawDocument,
+                canonicalAliases,
+                canonicalPurls,
+                canonicalCpes,
+                canonicalReferences,
+                rawDocument.Upstream.RetrievedAt,
+                includeRawLinkset: false);
+            await database
+                .GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryObservations)
+                .InsertOneAsync(observationBson);
+
+            var migration = new EnsureAdvisoryObservationsRawLinksetMigration();
+            await migration.ApplyAsync(database, CancellationToken.None);
+
+            var storedBson = await database
+                .GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryObservations)
+                .Find(Builders<BsonDocument>.Filter.Eq("_id", observationId))
+                .FirstOrDefaultAsync();
+
+            Assert.NotNull(storedBson);
+            Assert.True(storedBson.TryGetValue("rawLinkset", out var rawLinksetValue));
+
+            var storedDocument = BsonSerializer.Deserialize<AdvisoryObservationDocument>(storedBson);
+            var storedObservation = AdvisoryObservationDocumentFactory.ToModel(storedDocument);
+
+            Assert.True(expectedRawLinkset.Aliases.SequenceEqual(storedObservation.RawLinkset.Aliases, StringComparer.Ordinal));
+            Assert.True(expectedRawLinkset.PackageUrls.SequenceEqual(storedObservation.RawLinkset.PackageUrls, StringComparer.Ordinal));
+            Assert.True(expectedRawLinkset.Cpes.SequenceEqual(storedObservation.RawLinkset.Cpes, StringComparer.Ordinal));
+            Assert.True(expectedRawLinkset.References.SequenceEqual(storedObservation.RawLinkset.References));
+            Assert.Equal(expectedRawLinkset.Notes, storedObservation.RawLinkset.Notes);
+        }
+        finally
+        {
+            await _fixture.Client.DropDatabaseAsync(databaseName);
+        }
+    }
+
+    [Fact]
+    public async Task ApplyAsync_ThrowsWhenRawDocumentMissing()
+    {
+        var databaseName = $"concelier-rawlinkset-missing-{Guid.NewGuid():N}";
+        var database = _fixture.Client.GetDatabase(databaseName);
+        await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Migrations);
+        await database.CreateCollectionAsync(MongoStorageDefaults.Collections.AdvisoryObservations);
+
+        try
+        {
+            var rawDocument = RawDocumentFactory.CreateAdvisory(
+                tenant: "tenant-b",
+                source: new RawSourceMetadata("Vendor-Y", "connector-z", "2.0.0", "stable"),
+                upstream: new RawUpstreamMetadata(
+                    UpstreamId: "GHSA-9999-0001",
+                    DocumentVersion: "v2",
+                    RetrievedAt: DateTimeOffset.Parse("2025-10-30T00:00:00Z"),
+                    ContentHash: "sha256:def456",
+                    Signature: new RawSignatureMetadata(false),
+                    Provenance: ImmutableDictionary<string, string>.Empty),
+                content: new RawContent(
+                    Format: "OSV",
+                    SpecVersion: "1.0.0",
+                    Raw: ParseJsonElement("""{"id":"GHSA-9999-0001"}"""),
+                    Encoding: null),
+                identifiers: new RawIdentifiers(
+                    Aliases: ImmutableArray<string>.Empty,
+                    PrimaryId: "GHSA-9999-0001"),
+                linkset: new RawLinkset());
+
+            var observationId = "tenant-b:vendor-y:ghsa-9999-0001:sha256-def456";
+            var document = BuildObservationDocument(
+                observationId,
+                rawDocument,
+                ImmutableArray<string>.Empty,
+                ImmutableArray<string>.Empty,
+                ImmutableArray<string>.Empty,
+                ImmutableArray<RawReference>.Empty,
+                rawDocument.Upstream.RetrievedAt,
+                includeRawLinkset: false);
+
+            await database
+                .GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryObservations)
+                .InsertOneAsync(document);
+
+            var migration = new EnsureAdvisoryObservationsRawLinksetMigration();
+
+            await Assert.ThrowsAsync<InvalidOperationException>(
+                () => migration.ApplyAsync(database, CancellationToken.None));
+        }
+        finally
+        {
+            await _fixture.Client.DropDatabaseAsync(databaseName);
+        }
+    }
+
+    private static BsonDocument BuildObservationDocument(
+        string observationId,
+        AdvisoryRawDocument rawDocument,
+        ImmutableArray<string> canonicalAliases,
+        ImmutableArray<string> canonicalPurls,
+        ImmutableArray<string> canonicalCpes,
+        ImmutableArray<RawReference> canonicalReferences,
+        DateTimeOffset createdAt,
+        bool includeRawLinkset,
+        RawLinkset? rawLinkset = null)
+    {
+        var sourceDocument = new BsonDocument
+        {
+            { "vendor", rawDocument.Source.Vendor },
+            { "stream", string.IsNullOrWhiteSpace(rawDocument.Source.Stream) ? rawDocument.Source.Connector : rawDocument.Source.Stream! },
+            { "api", rawDocument.Upstream.Provenance.TryGetValue("api", out var api) ? api : rawDocument.Source.Connector }
+        };
+        if (!string.IsNullOrWhiteSpace(rawDocument.Source.ConnectorVersion))
+        {
+            sourceDocument["collectorVersion"] = rawDocument.Source.ConnectorVersion;
+        }
+
+        var signatureDocument = new BsonDocument
+        {
+            { "present", rawDocument.Upstream.Signature.Present }
+        };
+        if (!string.IsNullOrWhiteSpace(rawDocument.Upstream.Signature.Format))
+        {
+            signatureDocument["format"] = rawDocument.Upstream.Signature.Format;
+        }
+        if (!string.IsNullOrWhiteSpace(rawDocument.Upstream.Signature.KeyId))
+        {
+            signatureDocument["keyId"] = rawDocument.Upstream.Signature.KeyId;
+        }
+        if (!string.IsNullOrWhiteSpace(rawDocument.Upstream.Signature.Signature))
+        {
+            signatureDocument["signature"] = rawDocument.Upstream.Signature.Signature;
+        }
+
+        var upstreamDocument = new BsonDocument
+        {
+            { "upstream_id", rawDocument.Upstream.UpstreamId },
+            { "document_version", rawDocument.Upstream.DocumentVersion },
+            { "fetchedAt", rawDocument.Upstream.RetrievedAt.UtcDateTime },
+            { "receivedAt", rawDocument.Upstream.RetrievedAt.UtcDateTime },
+            { "contentHash", rawDocument.Upstream.ContentHash },
+            { "signature", signatureDocument },
+            { "metadata", new BsonDocument(rawDocument.Upstream.Provenance) }
+        };
+
+        var contentDocument = new BsonDocument
+        {
+            { "format", rawDocument.Content.Format },
+            { "raw", BsonDocument.Parse(rawDocument.Content.Raw.GetRawText()) }
+        };
+        if (!string.IsNullOrWhiteSpace(rawDocument.Content.SpecVersion))
+        {
+            contentDocument["specVersion"] = rawDocument.Content.SpecVersion;
+        }
+
+        var canonicalLinkset = new BsonDocument
+        {
+            { "aliases", new BsonArray(canonicalAliases) },
+            { "purls", new BsonArray(canonicalPurls) },
+            { "cpes", new BsonArray(canonicalCpes) },
+            { "references", new BsonArray(canonicalReferences.Select(reference => new BsonDocument
+                {
+                    { "type", reference.Type },
+                    { "url", reference.Url }
+                })) }
+        };
+
+        var document = new BsonDocument
+        {
+            { "_id", observationId },
+            { "tenant", rawDocument.Tenant },
+            { "source", sourceDocument },
+            { "upstream", upstreamDocument },
+            { "content", contentDocument },
+            { "linkset", canonicalLinkset },
+            { "createdAt", createdAt.UtcDateTime },
+            { "attributes", new BsonDocument() }
+        };
+
+        if (includeRawLinkset)
+        {
+            var actualRawLinkset = rawLinkset ?? throw new ArgumentNullException(nameof(rawLinkset));
+            document["rawLinkset"] = new BsonDocument
+            {
+                { "aliases", new BsonArray(actualRawLinkset.Aliases) },
+                { "purls", new BsonArray(actualRawLinkset.PackageUrls) },
+                { "cpes", new BsonArray(actualRawLinkset.Cpes) },
+                { "references", new BsonArray(actualRawLinkset.References.Select(reference => new BsonDocument
+                    {
+                        { "type", reference.Type },
+                        { "url", reference.Url },
+                        { "source", reference.Source }
+                    })) },
+                { "reconciled_from", new BsonArray(actualRawLinkset.ReconciledFrom) },
+                { "notes", new BsonDocument(actualRawLinkset.Notes) }
+            };
+        }
+
+        return document;
+    }
+
+    private static JsonElement ParseJsonElement(string json)
+    {
+        using var document = JsonDocument.Parse(json);
+        return document.RootElement.Clone();
+    }
+
+    private static RawLinkset BuildRawLinkset(RawIdentifiers identifiers, RawLinkset linkset)
+    {
+        var aliasBuilder = ImmutableArray.CreateBuilder<string>();
+
+        if (!string.IsNullOrWhiteSpace(identifiers.PrimaryId))
+        {
+            aliasBuilder.Add(identifiers.PrimaryId);
+        }
+
+        if (!identifiers.Aliases.IsDefaultOrEmpty)
+        {
+            foreach (var alias in identifiers.Aliases)
+            {
+                if (!string.IsNullOrEmpty(alias))
+                {
+                    aliasBuilder.Add(alias);
+                }
+            }
+        }
+
+        if (!linkset.Aliases.IsDefaultOrEmpty)
+        {
+            foreach (var alias in linkset.Aliases)
+            {
+                if (!string.IsNullOrEmpty(alias))
+                {
+                    aliasBuilder.Add(alias);
+                }
+            }
+        }
+
+        static ImmutableArray<string> EnsureArray(ImmutableArray<string> values)
+            => values.IsDefault ? ImmutableArray<string>.Empty : values;
+
+        static ImmutableArray<RawReference> EnsureReferences(ImmutableArray<RawReference> values)
+            => values.IsDefault ? ImmutableArray<RawReference>.Empty : values;
+
+        return linkset with
+        {
+            Aliases = aliasBuilder.ToImmutable(),
+            PackageUrls = EnsureArray(linkset.PackageUrls),
+            Cpes = EnsureArray(linkset.Cpes),
+            References = EnsureReferences(linkset.References),
+            ReconciledFrom = EnsureArray(linkset.ReconciledFrom),
+            Notes = linkset.Notes ?? ImmutableDictionary<string, string>.Empty
+        };
+    }
+}
--- a/src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Observations/AdvisoryObservationDocumentFactoryTests.cs
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Observations/AdvisoryObservationDocumentFactoryTests.cs
@@ -37,32 +37,48 @@ public sealed class AdvisoryObservationDocumentFactoryTests
                    Signature = "signature"
                }
            },
-            Content = new AdvisoryObservationContentDocument
-            {
-                Format = "CSAF",
-                SpecVersion = "2.0",
-                Raw = BsonDocument.Parse("{\"example\":true}")
-            },
-            Linkset = new AdvisoryObservationLinksetDocument
-            {
-                Aliases = new List<string> { "CVE-2025-1234" },
-                Purls = new List<string> { "pkg:generic/foo@1.0.0" },
-                Cpes = new List<string> { "cpe:/a:vendor:product:1" },
-                References = new List<AdvisoryObservationReferenceDocument>
-                {
-                    new() { Type = "advisory", Url = "https://example.com" }
-                }
-            }
-        };
-
-        var observation = AdvisoryObservationDocumentFactory.ToModel(document);
-
-        Assert.Equal("tenant-a:obs-1", observation.ObservationId);
+            Content = new AdvisoryObservationContentDocument
+            {
+                Format = "CSAF",
+                SpecVersion = "2.0",
+                Raw = BsonDocument.Parse("{\"example\":true}")
+            },
+            Linkset = new AdvisoryObservationLinksetDocument
+            {
+                Aliases = new List<string> { "CVE-2025-1234" },
+                Purls = new List<string> { "pkg:generic/foo@1.0.0" },
+                Cpes = new List<string> { "cpe:/a:vendor:product:1" },
+                References = new List<AdvisoryObservationReferenceDocument>
+                {
+                    new() { Type = "advisory", Url = "https://example.com" }
+                }
+            },
+            RawLinkset = new AdvisoryObservationRawLinksetDocument
+            {
+                Aliases = new List<string> { "CVE-2025-1234", "cve-2025-1234" },
+                PackageUrls = new List<string> { "pkg:generic/foo@1.0.0" },
+                Cpes = new List<string> { "cpe:/a:vendor:product:1" },
+                References = new List<AdvisoryObservationRawReferenceDocument>
+                {
+                    new() { Type = "Advisory", Url = "https://example.com", Source = "vendor" }
+                },
+                ReconciledFrom = new List<string> { "source-a" },
+                Notes = new Dictionary<string, string> { ["note-key"] = "note-value" }
+            }
+        };
+
+        var observation = AdvisoryObservationDocumentFactory.ToModel(document);
+
+        Assert.Equal("tenant-a:obs-1", observation.ObservationId);
        Assert.Equal("tenant-a", observation.Tenant);
        Assert.Equal("CVE-2025-1234", observation.Upstream.UpstreamId);
-        Assert.Contains("pkg:generic/foo@1.0.0", observation.Linkset.Purls);
-        Assert.Equal("CSAF", observation.Content.Format);
-        Assert.True(observation.Content.Raw?["example"]?.GetValue<bool>());
-        Assert.Equal("advisory", observation.Linkset.References[0].Type);
-    }
-}
+        Assert.Contains("pkg:generic/foo@1.0.0", observation.Linkset.Purls);
+        Assert.Equal("CSAF", observation.Content.Format);
+        Assert.True(observation.Content.Raw?["example"]?.GetValue<bool>());
+        Assert.Equal("advisory", observation.Linkset.References[0].Type);
+        Assert.Equal(new[] { "CVE-2025-1234", "cve-2025-1234" }, observation.RawLinkset.Aliases);
+        Assert.Equal("Advisory", observation.RawLinkset.References[0].Type);
+        Assert.Equal("vendor", observation.RawLinkset.References[0].Source);
+        Assert.Equal("note-value", observation.RawLinkset.Notes["note-key"]);
+    }
+}