Fix vuln policy bundle sync ignoring nested files#1990
The synchronization mechanism would consider files in nested directories as ineligible and skip them. This is a regression of the recent refactoring.

Signed-off-by: nscuro <nscuro@protonmail.com>
Up to standards ✅

🟢 Issues

| Metric | Results |
|---|---|
| Complexity | 0 |

🟢 Coverage: 75.00% diff coverage · 0.00% coverage variation

| Metric | Results |
|---|---|
| Coverage variation | ✅ 0.00% coverage variation (-1.00%) |
| Diff coverage | ✅ 75.00% diff coverage (70.00%) |

Coverage variation details

| Commit | Coverable lines | Covered lines | Coverage |
|---|---|---|---|
| Common ancestor commit (e16ca10) | 42825 | 36044 | 84.17% |
| Head commit (fcfc4f0) | 42828 (+3) | 36046 (+2) | 84.16% (0.00%) |

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: `<coverage of head commit> - <coverage of common ancestor commit>`

Diff coverage details

| Scope | Coverable lines | Covered lines | Diff coverage |
|---|---|---|---|
| Pull request (#1990) | 4 | 3 | 75.00% |

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: `<covered lines added or modified>/<coverable lines added or modified> * 100%`
Pull request overview
Fixes a regression in vulnerability policy bundle synchronization where YAML policy files located in nested ZIP directories were incorrectly ignored, ensuring bundles with subdirectory structures are processed as expected.
Changes:
- Update ZIP entry filtering to ignore directory entries and match policy files by basename rather than full entry path.
- Add a regression test verifying that policies inside ZIP subdirectories are processed and persisted.
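To illustrate the filtering change described above, here is an added, self-contained example (not the project's code) that builds a small in-memory ZIP with a nested policy file and runs two filters over it: an assumed reconstruction of the regressed check that tests the full entry path, and the basename-plus-directory-skip logic the change describes. The `.yaml`/`.yml` suffixes and the class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class NestedPolicyZipExample {
    // Assumed shape of the regressed filter (not the project's code): the suffix check runs
    // against the full entry path, so "nested/inner.yaml" is never considered eligible.
    static boolean eligibleByFullPath(ZipEntry entry) {
        return !entry.getName().contains("/") && entry.getName().endsWith(".yaml");
    }
    // Fixed filter: drop directory entries, then match on the basename only.
    static boolean eligibleByBasename(ZipEntry entry) {
        if (entry.isDirectory()) return false;
        String name = entry.getName();
        String base = name.substring(name.lastIndexOf('/') + 1);
        return base.endsWith(".yaml") || base.endsWith(".yml");
    }
    // Walk the bundle and return the entry names the given filter accepts.
    static List<String> collectPolicies(byte[] zip, Predicate<ZipEntry> filter) throws IOException {
        List<String> found = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; zis.closeEntry()) {
                if (filter.test(e)) found.add(e.getName());
            }
        }
        return found;
    }
    // Constructed sample bundle: top-level policy, directory entry, nested policy, non-policy file.
    static byte[] buildSampleBundle() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String[] e : new String[][]{{"top.yaml", "name: top"}, {"nested/", ""},
                    {"nested/inner.yaml", "name: inner"}, {"README.md", "not a policy"}}) {
                zos.putNextEntry(new ZipEntry(e[0]));
                zos.write(e[1].getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        byte[] bundle = buildSampleBundle();
        System.out.println("full path: " + collectPolicies(bundle, NestedPolicyZipExample::eligibleByFullPath));
        System.out.println("basename : " + collectPolicies(bundle, NestedPolicyZipExample::eligibleByBasename));
    }
}
```

The full-path variant reports only the top-level file, while the basename variant also returns the nested policy and never lists the `nested/` directory entry itself.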
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| apiserver/src/main/java/org/dependencytrack/policy/vulnerability/SyncVulnPolicyBundleActivity.java | Adjusts ZIP entry handling to allow nested policy files by matching on extracted filename and skipping directory entries. |
| apiserver/src/test/java/org/dependencytrack/policy/vulnerability/SyncVulnPolicyBundleActivityTest.java | Adds a test that builds a ZIP with a subdirectory policy file and asserts the policy is synced. |
Description
Fixes vuln policy bundle sync ignoring nested files.
The synchronization mechanism would consider files in nested directories as ineligible and skip them. This is a regression of the recent refactoring.
Addressed Issue
Relates to #1975
Additional Details
N/A
Checklist
- This PR implements an enhancement, and I have provided tests to verify that it works as intended
- This PR introduces changes to the database model, and I have updated the migration changelog accordingly
- This PR introduces new or alters existing behavior, and I have updated the documentation accordingly