git.stella-ops.org/docs/features/unchecked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md

# Bug ID to CVE Mapping in Changelog Parsing
## Module
Scanner
## Status
IMPLEMENTED
## Description
Regex-based extraction of bug tracker references (Debian "Closes: #123456", RHBZ#123456, Launchpad "LP: #123456") from changelogs, with cross-reference to CVE IDs for Tier 2 backport evidence.
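As an added illustration of the extraction and cross-reference step described above (example code, not the project's C# implementation in the files listed under Implementation Details), the Python sketch below pulls Debian, RHBZ and Launchpad references out of a changelog and turns the ones that resolve to a CVE into Tier 2 backport evidence records. The sample changelog, the bug-to-CVE table and the CVE ids in it are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample changelog mixing the three reference styles named above.
# The same number appears under each tracker to show that an id is only
# meaningful together with its tracker namespace.
SAMPLE_CHANGELOG = """\
pkg (1.0-2) stable-security; urgency=medium
  * Backport upstream fix for heap overflow (Closes: #123456, #123457)
  * Cherry-pick hardening patch (LP: #123456)
- Resolves: RHBZ#123456 rebased fix from upstream release
"""

# Constructed bug-tracker -> CVE cross-reference table; the CVE ids are
# placeholders, not real identifiers.
BUG_TO_CVE = {
    ("debian", "123456"): ["CVE-YYYY-0001"],
    ("rhbz", "123456"): ["CVE-YYYY-0002"],
    ("launchpad", "123456"): [],  # tracked bug with no CVE linked
}

# One pattern per tracker. A Debian "Closes:" may list several "#id" tokens.
PATTERNS = {
    "debian": re.compile(r"Closes:\s*((?:#\d+[,\s]*)+)", re.IGNORECASE),
    "rhbz": re.compile(r"RHBZ#(\d+)"),
    "launchpad": re.compile(r"LP:\s*#(\d+)"),
}


def extract_bug_refs(changelog):
    """Return deduplicated (tracker, bug_id) pairs, grouped by tracker."""
    refs = []
    for tracker, pattern in PATTERNS.items():
        for match in pattern.finditer(changelog):
            for bug_id in re.findall(r"\d+", match.group(1)):
                if (tracker, bug_id) not in refs:
                    refs.append((tracker, bug_id))
    return refs


def backport_evidence(changelog, table=BUG_TO_CVE):
    """Cross-reference bug refs to CVEs; one Tier 2 evidence record per CVE."""
    by_cve = defaultdict(list)
    for tracker, bug_id in extract_bug_refs(changelog):
        for cve in table.get((tracker, bug_id), []):
            by_cve[cve].append(f"{tracker}#{bug_id}")
    return [{"cve": cve, "tier": 2, "bug_refs": refs} for cve, refs in by_cve.items()]
```

A bug that is known to the table but has no CVE linked (the Launchpad entry here) yields no evidence record, so the scan report never claims a backport for a CVE the changelog does not actually cover.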
## Implementation Details
- **Changelog Parsing (OS Analyzers)**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/RpmPackageAnalyzer.cs` - RPM package analyzer with changelog parsing
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeaderParser.cs` - Parses RPM headers including changelog entries
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeader.cs` - RPM header model with changelog tags
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmTags.cs` - RPM tag definitions including changelog-related tags
- **Pedigree & Commit Mapping**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/FeedserPedigreeDataProvider.cs` - Provides pedigree data including changelog-derived CVE references
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/CommitInfoBuilder.cs` - Builds commit info with bug tracker cross-references
- **Material Changes Integration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/CardGenerators.cs` - Generates material change cards including changelog-derived bug-to-CVE mappings
## E2E Test Plan
- [ ] Scan a container image with Debian packages containing changelogs with "Closes: #NNNNNN" references and verify bug IDs are extracted
- [ ] Scan an image with RPM packages containing changelogs with RHBZ# references and verify extraction
- [ ] Verify extracted bug IDs are cross-referenced to CVE IDs and appear as Tier 2 backport evidence
- [ ] Verify the pedigree data includes changelog-derived CVE mappings in the scan report
- [ ] Verify material change cards reference changelog bug-to-CVE correlations
- [ ] Verify Launchpad "LP: #NNNNNN" references are extracted from Ubuntu package changelogs