HexmosTech · Amazing-Stardom · Apr 25, 2026 · Apr 7, 2026 · Apr 8, 2026 · Apr 8, 2026
diff --git a/cmd/mrmodel/cli.go b/cmd/mrmodel/cli.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"errors"
 	"flag"
 	"fmt"
@@ -238,7 +239,7 @@ func runBitbucket(args []string) error {
 		return fmt.Errorf("bitbucket provider creation failed: %w", errProv)
 	}
 
-	unifiedArtifact, err := mrModel.BuildBitbucketArtifact(provider, prID, prURL, *outDir)
+	unifiedArtifact, err := mrModel.BuildBitbucketArtifact(context.Background(), provider, prID, prURL, *outDir)
 	if err != nil {
 		return err
 	}

diff --git a/cmd/mrmodel/lib/bitbucket.go b/cmd/mrmodel/lib/bitbucket.go
@@ -15,43 +15,43 @@ import (
 	rm "github.com/livereview/internal/reviewmodel"
 )
 
-func (m *MrModelImpl) FetchBitbucketData(provider interface{}, prID string, prURL string) (details *providers.MergeRequestDetails, diffs string, commits interface{}, comments interface{}, err error) {
+func (m *MrModelImpl) FetchBitbucketData(ctx context.Context, provider interface{}, prID string, prURL string) (details *providers.MergeRequestDetails, diffs string, commits interface{}, comments interface{}, err error) {
 	// Type assertion for Bitbucket provider
 	bbProvider, ok := provider.(interface {
 		GetMergeRequestDetails(ctx context.Context, prURL string) (*providers.MergeRequestDetails, error)
-		GetPullRequestDiff(prID string) (string, error)
-		GetPullRequestCommits(prID string) ([]bitbucket.BitbucketCommit, error)
-		GetPullRequestComments(prID string) ([]bitbucket.BitbucketComment, error)
+		GetPullRequestDiff(ctx context.Context, prID string) (string, error)
+		GetPullRequestCommits(ctx context.Context, prID string) ([]bitbucket.BitbucketCommit, error)
+		GetPullRequestComments(ctx context.Context, prID string) ([]bitbucket.BitbucketComment, error)
 	})
 	if !ok {
 		return nil, "", nil, nil, fmt.Errorf("invalid Bitbucket provider")
 	}
 
-	details, err = bbProvider.GetMergeRequestDetails(context.Background(), prURL)
+	details, err = bbProvider.GetMergeRequestDetails(ctx, prURL)
 	if err != nil {
 		return nil, "", nil, nil, fmt.Errorf("GetMergeRequestDetails failed: %w", err)
 	}
 
-	diffs, err = bbProvider.GetPullRequestDiff(prID)
+	diffs, err = bbProvider.GetPullRequestDiff(ctx, prID)
 	if err != nil {
 		return nil, "", nil, nil, fmt.Errorf("failed to get MR changes: %w", err)
 	}
 
-	commits, err = bbProvider.GetPullRequestCommits(prID)
+	commits, err = bbProvider.GetPullRequestCommits(ctx, prID)
 	if err != nil {
 		return nil, "", nil, nil, fmt.Errorf("GetPullRequestCommits failed: %w", err)
 	}
 
-	comments, err = bbProvider.GetPullRequestComments(prID)
+	comments, err = bbProvider.GetPullRequestComments(ctx, prID)
 	if err != nil {
 		return nil, "", nil, nil, fmt.Errorf("GetPullRequestComments failed: %w", err)
 	}
 
 	return details, diffs, commits, comments, nil
 }
 
-func (m *MrModelImpl) BuildBitbucketArtifact(provider *bitbucket.BitbucketProvider, prID, prURL, outDir string) (*UnifiedArtifact, error) {
-	details, diffs, commitsIface, commentsIface, err := m.FetchBitbucketData(provider, prID, prURL)
+func (m *MrModelImpl) BuildBitbucketArtifact(ctx context.Context, provider *bitbucket.BitbucketProvider, prID, prURL, outDir string) (*UnifiedArtifact, error) {
+	details, diffs, commitsIface, commentsIface, err := m.FetchBitbucketData(ctx, provider, prID, prURL)
 	if err != nil {
 		return nil, err
 	}

diff --git a/docs/security/osv-scanner-fix.md b/docs/security/osv-scanner-fix.md
@@ -0,0 +1,76 @@
+# How to fix OSV scanner vulnerabilities
+
+This document describes how to run the same security scan locally and how to fix the vulnerabilities.
+
+
+## How to run OSV scanner Localy
+
+Generate a security report by running the following command:
+
+```bash
+make security-osv
+```
+
+The `make security-osv` Makefile target runs `osv-scanner` recursively across the repository and writes a dated JSON report to `security_issues/`. 
+
+The output of the scan is:
+
+```
+Scanning dir .
+Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
+Starting filesystem walk for root: /
+Scanned /home/gk/hex/LiveReview/go.mod file and found 148 packages
+Scanned /home/gk/hex/LiveReview/internal/prompts/vendor/cmd file and found 0 packages
+Scanned /home/gk/hex/LiveReview/extension/livereview/package-lock.json file and found 378 packages
+Scanned /home/gk/hex/LiveReview/ui/package-lock.json file and found 1287 packages
+End status: 407 dirs visited, 1971 inodes visited, 4 Extract calls, 602.472549ms elapsed, 602.472606ms wall time
+Wrote security_issues/osv-scanner-05-04-2026.json
+Updated security_issues/osv-scanner-latest.json
+```
+
+So, osv-scan report will be generaed.
+
+This report will have all the vulnerabilities found in the repository.
+
+Ideally, the report should be empty.
+
+```json
+{
+  "results": [],
+  "experimental_config": {
+    "licenses": {
+      "summary": false,
+      "allowlist": null
+    }
+  }
+}
+```
+
+
+## How to fix vulnerabilities
+
+1. Select the osv-scanner report.
+2. Add to AI prompt and ask to fix the vulnerabilities.
+3. AI will fix the vulnerabilities by updating the dependencies.
+4. Run `make security-osv` again to verify that the vulnerabilities are fixed.
+5. If vulnerabilities are still present, repeat the process by actually looking into each vulnerability and fix it manually.
+
+## Verify the fix
+
+If all vulnerabilities are fixed, the `make security-osv` command will not find any vulnerabilities and the report will be empty.
+
+```json
+{
+  "results": [],
+  "experimental_config": {
+    "licenses": {
+      "summary": false,
+      "allowlist": null
+    }
+  }
+}
+```
+
+Now Verify by running ui, server and extension.
+This is for local verification wheather the change in package.json or go.mod is correct or not.
+