fix(vulnfeeds): Cache patch (#4876)

jess-lowe · web-flow · commit e891d00bc2b7 · 2026-02-24T02:35:22.000Z
Sometimes vendor product combinations in the VPRepoCache are given
"successful" repos in its cache that are unrelated to the project. I
believe this is to do with how larger projects that are affected by the
vuln (like Debian/RH etc) are also added to the record.

With the cache, if a record earlier on resolves a repo, but saves it to
a Vendor Product that is unrelated, this might cause a bad cache entry.

This unfortunately might slow things down but its better than bad
misses.
diff --git a/vulnfeeds/cves/versions.go b/vulnfeeds/cves/versions.go
@@ -1133,7 +1133,7 @@ func ReposFromReferences(cache *VPRepoCache, vp *VendorProduct, refs []models.Re
 			continue
 		}
 		repos = append(repos, repo)
-		cache.MaybeUpdate(vp, repo)
+		// cache.MaybeUpdate(vp, repo) // TODO: fix this so that only relevant repos to the project are added to cache
 	}
 	if len(repos) == 0 {
 		return repos

Original file line number	Diff line number	Diff line change
`@@ -1133,7 +1133,7 @@ func ReposFromReferences(cache VPRepoCache, vp VendorProduct, refs []models.Re`
`1133`	`1133`	`continue`
`1134`	`1134`	`}`
`1135`	`1135`	`repos = append(repos, repo)`
`1136`		`- cache.MaybeUpdate(vp, repo)`
	`1136`	`+ // cache.MaybeUpdate(vp, repo) // TODO: fix this so that only relevant repos to the project are added to cache`
`1137`	`1137`	`}`
`1138`	`1138`	`if len(repos) == 0 {`
`1139`	`1139`	`return repos`