# Bug ID to CVE Mapping in Changelog Parsing

## Module
Scanner

## Status
VERIFIED

## Description
Regex-based extraction of changelog bug references (Debian `Closes: #123456`, `RHBZ#123456`, Launchpad `LP: #123456`) with deterministic bug-to-CVE correlation for backport evidence metadata.

## Implementation Details
- **Shared extraction helper**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Helpers/ChangelogBugReferenceExtractor.cs`
  - Extracts bug references and bug-to-CVE mappings from changelog text.
- **RPM wiring**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/RpmPackageAnalyzer.cs`
  - Applies extractor to RPM changelog entries and emits `vendor.changelogBugRefs` / `vendor.changelogBugToCves`.
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeaderParser.cs`
  - Supplies `ChangeLogText` entries from RPM metadata.
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeader.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmTags.cs`
- **DPKG wiring**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Dpkg/DpkgPackageAnalyzer.cs`
  - Reads package changelog files (including `.gz`), extracts bug mappings, and merges CVE hints.
- **Behavioral coverage**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Helpers/ChangelogBugReferenceExtractorTests.cs`
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Dpkg/DpkgChangelogBugCorrelationTests.cs`
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/OsAnalyzerDeterminismTests.cs`

## E2E Test Plan
- [x] Verify Debian `Closes: #NNNNNN` references are extracted and preserved in metadata.
- [x] Verify RPM changelog `RHBZ#NNNNNN` references are extracted.
- [x] Verify Launchpad `LP: #NNNNNN` references are extracted.
- [x] Verify bug references are cross-referenced with CVE IDs from the same changelog entry.
- [x] Verify deterministic metadata and golden snapshot behavior through OS analyzer test runs.

## Verification
- Run: `run-001`
- Date (UTC): 2026-02-12
- Artifacts: `docs/qa/feature-checks/runs/scanner/bug-id-to-cve-mapping-in-changelog-parsing/run-001/`
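
The extraction and same-entry correlation described under Description, as an added Python example that is not the project's `ChangelogBugReferenceExtractor` code. The regexes, the entry-boundary heuristic, the `tracker:#id` key format and the sample changelog are assumptions of this example.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.I)
CLOSES_RE = re.compile(r"closes:\s*((?:bug)?#?\s?\d+(?:,\s*(?:bug)?#?\s?\d+)*)", re.I)
LP_RE = re.compile(r"\bLP:\s*(#\d+(?:,\s*#\d+)*)", re.I)
RHBZ_RE = re.compile(r"\bRHBZ\s*#\s*(\d+)", re.I)
# Entry boundary: Debian "pkg (ver) dist; urgency=..." header or RPM "* date author" header.
ENTRY_RE = re.compile(r"^(?:\S+ \([^)]+\) [^;]*;\s*urgency=|\* )", re.M)

# Constructed sample (blank lines omitted): package name, bug numbers and CVE IDs are placeholders.
SAMPLE = """\
examplepkg (1.0-2) stable-security; urgency=high
  * Fix CVE-2099-0001 in parser (Closes: #1000001, #1000002)
  * Packaging cleanup (LP: #2000001)
 -- Maintainer <m@example.org>  Tue, 07 Feb 2023 10:00:00 +0000
examplepkg (1.0-1) stable; urgency=medium
  * Refresh patches (Closes: #1000000)
 -- Maintainer <m@example.org>  Mon, 10 Oct 2022 10:00:00 +0000
* Tue Feb 07 2023 Packager <p@example.org> - 1.0-9
- Backport fixes for cve-2099-0001 and CVE-2099-0002 (RHBZ#3000001)
"""

def split_entries(text):
    """Slice the changelog at each entry header; headerless text is one entry."""
    starts = [m.start() for m in ENTRY_RE.finditer(text)] or [0]
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]

def extract_entry(entry):
    """Return (sorted bug refs, sorted CVE IDs) found in one changelog entry."""
    refs = set()
    # The "debian:#N" / "launchpad:#N" / "rhbz:#N" key format is an assumption of this example.
    for m in CLOSES_RE.finditer(entry):
        refs.update("debian:#" + n for n in re.findall(r"\d+", m.group(1)))
    for m in LP_RE.finditer(entry):
        refs.update("launchpad:#" + n for n in re.findall(r"\d+", m.group(1)))
    refs.update("rhbz:#" + m.group(1) for m in RHBZ_RE.finditer(entry))
    return sorted(refs), sorted({c.upper() for c in CVE_RE.findall(entry)})

def correlate(text):
    """Map each bug ref to the CVE IDs named in the same entry, in sorted order."""
    all_refs, bug_to_cves = set(), {}
    for entry in split_entries(text):
        refs, cves = extract_entry(entry)
        all_refs.update(refs)
        for ref in (refs if cves else []):
            bug_to_cves.setdefault(ref, set()).update(cves)
    return sorted(all_refs), {k: sorted(v) for k, v in sorted(bug_to_cves.items())}
```

Correlation here is at entry granularity, so `launchpad:#2000001` picks up `CVE-2099-0001` even though the two sit on different lines of that entry, while `debian:#1000000` stays in the reference list with no CVE mapping.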