
feat: add patch generation for OSV dependency fixes#68

Open
Aharshi3614 wants to merge 7 commits into ionfwsrijan:main from Aharshi3614:investigation/patch-generation-design

Conversation

@Aharshi3614


Closes #62

What this PR does

Adds actual code patch generation to the remediation engine for OSV dependency findings. Previously, the /fix endpoint only returned text recommendations with diff: null. Now, for dependency vulnerabilities, it generates unified diffs showing exactly what changes to make (e.g., upgrading requests==2.28.0 to requests==2.31.0 in requirements.txt). This makes remediation suggestions actionable and ready for PR generation.

Type of change

  • Bug fix
  • New feature
  • ML model / training pipeline
  • Refactor (no behaviour change)
  • Documentation
  • Tests only

ML tier (if applicable)

  • Tier 1 — Triage
  • Tier 2 — Predictive
  • Tier 3 — Autonomous
  • Not ML-related

Changes

Backend

  • Added backend/app/remediation/patch_generator.py - Core patch generation logic using Python's difflib
  • Added backend/app/remediation/diff_utils.py - Utility functions for unified diff formatting
  • Added backend/app/remediation/osv_parser.py - Parses OSV finding data to extract package name and version info
  • Modified backend/app/remediation/engine.py - Integrates patch generation into propose_fixes() for OSV findings
  • The diff field in Fix model (already existed) is now populated with actual unified diff strings

Frontend

  • No frontend changes (API response format remains backward compatible)

New dependencies

  • None - uses Python built-in modules (difflib, json, pathlib)

Database / schema changes

  • None

Testing

How did you test this?

  1. Created a test repository with a vulnerable requirements.txt (requests==2.28.0)
  2. Ran scan to generate OSV finding
  3. Called /fix endpoint with the finding ID
  4. Verified the response includes a valid unified diff
  5. Applied the patch manually to confirm it works
  6. Ran unit tests: pytest tests/test_patch_generator.py
  7. Ran integration tests: pytest tests/test_integration_patches.py

Checklist

  • Tested locally end-to-end (upload ZIP or GitHub URL → scan → findings returned correctly)
  • New ML model falls back gracefully when model file is absent (N/A)
  • No new console.error or unhandled Python exceptions introduced
  • Added or updated tests where applicable
  • requirements.txt / package.json updated if new dependencies added (no new deps)
  • New model files (.pkl, .pt, etc.) are gitignored, not committed (N/A)

Anything reviewers should focus on

  • The patch generation currently supports requirements.txt and package.json. Should we add go.mod, Cargo.toml, etc. in this PR or follow-up?
  • The OSV parser uses mock data when OSV output file isn't available. In production, we should read from the actual scan results database.

Screenshots (if UI changed)

N/A - backend change only. Example API response:

{
  "finding_id": "osv:PYSEC-2024-123",
  "diff": "--- a/requirements.txt\n+++ b/requirements.txt\n-requests==2.28.0\n+requests==2.31.0"
}
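
Added example (not this PR's patch_generator.py / osv_parser.py, and not the project's code): a self-contained Python sketch of the requirements.txt path the description covers, plus a minimal applier standing in for step 5 of the testing list ("applied the patch manually to confirm it works"). Function names (fixed_version, normalize, generate_patch, apply_patch), the OSV finding, its id and the requirements file are all constructed for illustration. Two practitioner points are built in: the fix version is taken from the OSV affected[].ranges[].events[].fixed event rather than from free text, and the emitted diff carries the @@ hunk header that patch(1) and git apply need; a diff with only file headers, like the string in the example response above, is rejected by both tools. Packages that are absent or not pinned with == get no diff, so the caller can fall back to a text recommendation instead of a guessed edit.

```python
# Added example: NOT the project's patch_generator.py / osv_parser.py. All names
# and sample data below are constructed for illustration.
import difflib
import re

# Constructed OSV-style finding; layout follows the OSV schema, id and casing are made up.
SAMPLE_FINDING = {
    "id": "PYSEC-0000-0000",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "Requests"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}],
    }],
}

# Constructed requirements.txt with a comment, an unrelated pin and an unpinned spec.
SAMPLE_REQUIREMENTS = """# app deps
flask==2.3.2
requests==2.28.0  # HTTP client
urllib3>=1.26
"""

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s#;]+)(.*)$")
_HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def normalize(name):
    """PEP 503 normalization so 'Requests', 'requests' and 'REQUESTS' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def fixed_version(finding, ecosystem="PyPI"):
    """Take the fix version from the OSV range events, never from free text; None if absent."""
    for aff in finding.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            for ev in rng.get("events", []):
                if "fixed" in ev:
                    return pkg["name"], ev["fixed"]
    return None


def generate_patch(requirements, finding, path="requirements.txt"):
    """Return a unified diff (a/ b/ headers plus @@ hunk) bumping the affected pin, or None."""
    target = fixed_version(finding)
    if target is None:
        return None
    name, fixed = target
    old = requirements.splitlines(keepends=True)
    new = list(old)
    changed = False
    for i, line in enumerate(old):
        m = _PIN_RE.match(line)
        if not m or normalize(m.group(1)) != normalize(name):
            continue
        extras, trailing = m.group(2) or "", m.group(4)
        nl = "\n" if line.endswith("\n") else ""
        new[i] = f"{m.group(1)}{extras}=={fixed}{trailing}{nl}"  # only the version changes
        changed = True
    if not changed:
        return None  # unpinned (>=) or absent: fall back to a text recommendation
    return "".join(difflib.unified_diff(old, new, f"a/{path}", f"b/{path}"))


def apply_patch(original, diff):
    """Minimal applier (no fuzz/offset) used to prove the generated diff round-trips."""
    src = original.splitlines(keepends=True)
    lines = diff.splitlines(keepends=True)
    out, pos, i = [], 0, 0
    while i < len(lines):
        m = _HUNK_RE.match(lines[i])
        if not m:  # file headers or anything else that is not a hunk is skipped
            i += 1
            continue
        start = int(m.group(1)) - 1
        out.extend(src[pos:start])
        pos = start
        i += 1
        while i < len(lines) and not lines[i].startswith("@@"):
            tag, body = lines[i][0], lines[i][1:]
            if tag in " -":
                if pos >= len(src) or src[pos] != body:
                    raise ValueError(f"context mismatch at line {pos + 1}")
                if tag == " ":
                    out.append(body)
                pos += 1
            elif tag == "+":
                out.append(body)
            i += 1
    out.extend(src[pos:])
    return "".join(out)


if __name__ == "__main__":
    patch = generate_patch(SAMPLE_REQUIREMENTS, SAMPLE_FINDING)
    print(patch)
```

Running it prints a hunk of the form `@@ -1,4 +1,4 @@` with the two requests lines as `-`/`+` and the neighbours as context; the same string is what the /fix endpoint would place in the diff field. Because the applier only understands hunks, feeding it a headerless diff is a no-op, which is a cheap way to catch the shape of the response shown above before a PR is opened from it.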

@Tushar-sonawane06


@ionfwsrijan this PR is mergeable, but there is one thing: with this PR the mock data is getting pushed instead of using the real OSV database. Also check that the CI passes too.

@Aharshi3614

Author

@Tushar-sonawane06 Fixed — mock data removed, now raises FileNotFoundError when osv_output.json is missing

@ionfwsrijan

Owner

@Aharshi3614 Great work! I'm running the tests now

@ionfwsrijan

Owner

@Aharshi3614 Fix the failing tests

@Aharshi3614

Author

@ionfwsrijan I guess it should run now

@ionfwsrijan

Owner

@Aharshi3614 It needs formatting

@Aharshi3614

Aharshi3614 commented Jun 9, 2026

Author

@ionfwsrijan Formatter applied. CI should pass now.


@ionfwsrijan

Owner

@Aharshi3614 Still failing. Join our dc server to connect with fellow contributors and mentors. They'll help you out.

https://discord.gg/FcXuyw2Rs

Aharshi3614 force-pushed the investigation/patch-generation-design branch from 7292fdc to 29f6eb9 on June 9, 2026 at 10:35

Development

Successfully merging this pull request may close these issues.

[Feature] Generate Actionable Remediation Diffs

3 participants