
It's not clear what should be in the `related_event.type_uid` when referencing a finding

Open lukas-krecan-s1 opened this issue 6 months ago • 2 comments

We are using related_event to reference a Finding. It's not clear what should be used as type_uid. The issue is that type_uid in finding contains the activity (for example "200201: Vulnerability Finding: Create"). When referencing the finding and not the event, we don't know what the activity ID should contain. We see the following options:

  1. Don't use the activity ID. If we are referencing a Vulnerability Finding, we will send 2002: Vulnerability Finding. This may be surprising, as 2002 is not a type_id.
  2. Pick one activity and use it. For example we can always send "200200 Vulnerability Finding: Unknown" even though we don't reference any event. Should type_name contain the "Unknown" label?
  3. Use type and send Vulnerability Finding.

Any ideas?

lukas-krecan-s1 avatar Jun 05 '25 10:06 lukas-krecan-s1

Interesting! I haven't run into this yet as I haven't tried to reference a finding in related events. It is certainly an issue because the activity_id of a finding evolves over the life of the finding. activity_id is relatively immutable for other event types.

The main value I've seen in related_event.type_uid is knowing what class the related event is. I've never particularly cared about the activity_id part when looking at the related_event object. It sounds like that is what you are ultimately after as well?

Perhaps we can add class_uid to the related_event object? This matches your first option, but gives a correct field for it instead of abusing type_uid.

mlmitch avatar Jun 18 '25 13:06 mlmitch
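As an added worked example (not code from the OCSF project or from either commenter), the following shows the type_uid packing rule that makes the three options in the issue awkward, what a consumer would read back from option 1's bare 2002, and the shape of a related_event under option 2 versus the proposed class_uid field. The finding uid and the CLASS_NAMES/ACTIVITY_NAMES tables are constructed for the example and cover only the identifiers quoted in this thread.

```python
# Added example: OCSF encodes type_uid = class_uid * 100 + activity_id,
# which is why 200201 reads as "Vulnerability Finding: Create".

# Constructed lookup tables limited to the values quoted in the thread.
CLASS_NAMES = {2002: "Vulnerability Finding"}
ACTIVITY_NAMES = {0: "Unknown", 1: "Create", 99: "Other"}


def make_type_uid(class_uid: int, activity_id: int) -> int:
    """Pack class_uid and activity_id into an OCSF type_uid."""
    if not 0 <= activity_id < 100:
        raise ValueError("activity_id must be in 0..99")
    return class_uid * 100 + activity_id


def split_type_uid(type_uid: int) -> tuple[int, int]:
    """Inverse of make_type_uid: returns (class_uid, activity_id)."""
    return divmod(type_uid, 100)


def type_name(type_uid: int) -> str:
    """Render the '<class>: <activity>' label a consumer would display."""
    class_uid, activity_id = split_type_uid(type_uid)
    return f"{CLASS_NAMES[class_uid]}: {ACTIVITY_NAMES[activity_id]}"


def related_event_option2(finding_uid: str, class_uid: int) -> dict:
    """Option 2 from the issue: always reference the finding with
    the 'Unknown' activity, so type_uid stays a valid packed value."""
    type_uid = make_type_uid(class_uid, 0)
    return {"uid": finding_uid,
            "type_uid": type_uid,
            "type_name": type_name(type_uid)}


def related_event_with_class_uid(finding_uid: str, class_uid: int) -> dict:
    """The proposal in the reply: carry a dedicated class_uid so no
    activity has to be invented when referencing a finding."""
    return {"uid": finding_uid,
            "class_uid": class_uid,
            "class_name": CLASS_NAMES[class_uid]}
```

Decoding option 1's value with `split_type_uid(2002)` yields `(20, 2)`, which is the concrete form of the "surprising" result the issue mentions: a consumer applying the packing rule reads a different class and activity than intended.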

Yes, class_uid would make sense in our case.

lukas-krecan-s1 avatar Jun 18 '25 13:06 lukas-krecan-s1