Skip to content

Removes the migrateToPurlsWithQualifiers function and its usage in handleScanResult #1541

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
refoo0 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Removes the migrateToPurlsWithQualifiers function and its usage in handleScanResult #1541

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 0 additions & 117 deletions services/asset_version_service.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -506,115 +506,6 @@ func diffVulnsBetweenBranches[T Diffable](foundVulnerabilities []T, existingVuln
return newDetectedVulnsNotOnOtherBranch, newDetectedButOnOtherBranchExisting, existingEvents
}

func (s *assetVersionService) migrateToPurlsWithQualifiers(newVulns []models.DependencyVuln, existingVulns []models.DependencyVuln, existingVulnsOnOtherBranch []models.DependencyVuln) ([]models.DependencyVuln, []models.DependencyVuln, error) {

vulnsToUpdate := make([]models.DependencyVuln, 0)

for _, newVuln := range newVulns {
if newVuln.ComponentPurl == nil {
continue
}
fullPurl := newVuln.ComponentPurl
purl := strings.SplitN(*fullPurl, "?", 2)[0]

for i, existingVuln := range existingVulns {
if existingVuln.ComponentPurl != nil && *existingVuln.ComponentPurl == purl &&
existingVuln.CVEID != nil && newVuln.CVEID != nil && *existingVuln.CVEID == *newVuln.CVEID {
existingVulns[i].ComponentPurl = fullPurl
vulnsToUpdate = append(vulnsToUpdate, existingVulns[i])
}

}

for i, existingVuln := range existingVulnsOnOtherBranch {
if existingVuln.ComponentPurl != nil && *existingVuln.ComponentPurl == purl &&
existingVuln.CVEID != nil && newVuln.CVEID != nil && *existingVuln.CVEID == *newVuln.CVEID {
existingVulnsOnOtherBranch[i].ComponentPurl = fullPurl
vulnsToUpdate = append(vulnsToUpdate, existingVulnsOnOtherBranch[i])
}

}
}

if len(vulnsToUpdate) == 0 {
return existingVulns, existingVulnsOnOtherBranch, nil
}

db := s.dependencyVulnRepository.GetDB(nil)

//save all updated vulns back to the database
for _, dependencyVuln := range vulnsToUpdate {
oldHash := dependencyVuln.ID
newHash := dependencyVuln.CalculateHash()

if oldHash == newHash {
continue
}

// Update the hash in the database
err := db.Model(&models.DependencyVuln{}).Where("id = ?", oldHash).UpdateColumn("id", newHash).Error
if err != nil {
slog.Info("could not update dependencyVuln hash, trying to merge", "err", err)
// Handle duplicate key error by merging
var otherVuln models.DependencyVuln
err = db.Model(&models.DependencyVuln{}).Where("id = ?", newHash).First(&otherVuln).Error
if err != nil {
slog.Error("could not fetch other dependencyVuln", "err", err)
return existingVulns, existingVulnsOnOtherBranch, err
}

// Update all vuln events BEFORE deleting the old record
err = db.Model(&models.VulnEvent{}).Where("vuln_id = ?", oldHash).UpdateColumn("vuln_id", newHash).Error
if err != nil {
slog.Error("could not update vuln events", "err", err)
return existingVulns, existingVulnsOnOtherBranch, err
}

// Update artifact dependency vulns BEFORE deleting the old record
err = db.Table("artifact_dependency_vulns").Where("dependency_vuln_id = ?", oldHash).UpdateColumn("dependency_vuln_id", newHash).Error
if err != nil {
//check if the error is because duplicate entries, then we need to ignore it, because the other vuln already has those entries and the id is being updated to the new hash
if !strings.Contains(err.Error(), "duplicate key value") {
slog.Error("could not update artifact dependency vulns", "err", err)
return existingVulns, existingVulnsOnOtherBranch, err
}
}

// Now delete the old record after all references are updated
err = db.Model(&models.DependencyVuln{}).Where("id = ?", oldHash).Delete(&dependencyVuln).Error
if err != nil {
slog.Error("could not delete old dependencyVuln during merge", "err", err)
return existingVulns, existingVulnsOnOtherBranch, err
}

}

err = db.Model(&models.DependencyVuln{}).Where("id = ?", newHash).UpdateColumn("component_purl", dependencyVuln.ComponentPurl).Error
if err != nil {
slog.Error("could not update component purl during dependencyVuln merge", "err", err)
return existingVulns, existingVulnsOnOtherBranch, err
}

// Update all vuln events (in case the update succeeded on first try)
err = db.Model(&models.VulnEvent{}).Where("vuln_id = ?", oldHash).UpdateColumn("vuln_id", newHash).Error
if err != nil {
slog.Error("could not update vuln events", "err", err)
return existingVulns, existingVulnsOnOtherBranch, err
}

// update dependencyVuln in artifacts dependencyVuln table (in case the update succeeded on first try)
err = db.Table("artifact_dependency_vulns").Where("dependency_vuln_id = ?", oldHash).UpdateColumn("dependency_vuln_id", newHash).Error
if err != nil {
slog.Error("could not update artifact dependency vulns", "err", err)
return existingVulns, existingVulnsOnOtherBranch, err
}

}

return existingVulns, existingVulnsOnOtherBranch, nil

}

func (s *assetVersionService) handleScanResult(userID string, artifactName string, assetVersion *models.AssetVersion, sbom *normalize.CdxBom, dependencyVulns []models.DependencyVuln, asset models.Asset, upstream dtos.UpstreamState) ([]models.DependencyVuln, []models.DependencyVuln, []models.DependencyVuln, error) {
existingDependencyVulns, err := s.dependencyVulnRepository.ListByAssetAndAssetVersion(assetVersion.Name, assetVersion.AssetID)
if err != nil {
Expand All @@ -628,14 +519,6 @@ func (s *assetVersionService) handleScanResult(userID string, artifactName strin
return []models.DependencyVuln{}, []models.DependencyVuln{}, []models.DependencyVuln{}, err
}

// this is just for migration.
// the call can be removed after all assets were scanned again
existingDependencyVulns, existingVulnsOnOtherBranch, err = s.migrateToPurlsWithQualifiers(dependencyVulns, existingDependencyVulns, existingVulnsOnOtherBranch)
if err != nil {
slog.Error("could not migrate dependencyVulns to purls with qualifiers", "err", err)
return []models.DependencyVuln{}, []models.DependencyVuln{}, []models.DependencyVuln{}, err
}

existingVulnsOnOtherBranch = utils.Filter(existingVulnsOnOtherBranch, func(dependencyVuln models.DependencyVuln) bool {
return dependencyVuln.State != dtos.VulnStateFixed
})
Expand Down
Loading