Merge pull request #1943 from l3montree-dev/delete-reopened-and-fixed-system-events

Delete reopened and fixed system events

Author: timbastin

database/migrations/20260507143643_delete_fixed_and_reopened_system_events_and_apply_last_event_state.up.sql

@@ -0,0 +1,32 @@
+-- Copyright (C) 2026 l3montree GmbH
+-- 
+-- This program is free software: you can redistribute it and/or modify
+-- it under the terms of the GNU Affero General Public License as
+-- published by the Free Software Foundation, either version 3 of the
+-- License, or (at your option) any later version.
+-- 
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-- GNU Affero General Public License for more details.
+-- 
+-- You should have received a copy of the GNU Affero General Public License
+-- along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+
+DELETE FROM public.vuln_events
+WHERE user_id = 'system'
+  AND dependency_vuln_id IS NOT NULL
+  AND type IN ('fixed', 'reopened');
+
+UPDATE public.dependency_vulns dv
+SET state = CASE last_event.type WHEN 'reopened' THEN 'open' WHEN 'detected' THEN 'open' ELSE last_event.type END
+FROM (
+    SELECT DISTINCT ON (dependency_vuln_id) dependency_vuln_id, type
+    FROM public.vuln_events
+    WHERE dependency_vuln_id IS NOT NULL
+       AND type IN ('falsePositive', 'accepted', 'reopened', 'fixed', 'detected')
+    ORDER BY dependency_vuln_id, created_at DESC
+) AS last_event
+WHERE dv.id = last_event.dependency_vuln_id
+  AND dv.state != last_event.type;

services/dependency_vuln_service.go

@@ -85,7 +85,8 @@ func saveArtifactAssociations(tx shared.DB, vulns []models.DependencyVuln) error
 }
 
 func (s *DependencyVulnService) UserFixedDependencyVulns(ctx context.Context, tx shared.DB, userID string, dependencyVulns []models.DependencyVuln, assetVersion models.AssetVersion, asset models.Asset) error {
-	if len(dependencyVulns) == 0 {
+	// we are not creating fixed or reopened events, if the user is "system", because this can only happen if there is a problem with the scanner or the database.
+	if len(dependencyVulns) == 0 || userID == "system" {
 		return nil
 	}
 
@@ -107,7 +108,8 @@ func (s *DependencyVulnService) UserFixedDependencyVulns(ctx context.Context, tx
 }
 
 func (s *DependencyVulnService) UserReopenedToOpen(ctx context.Context, tx shared.DB, userID string, dependencyVulns []models.DependencyVuln) error {
-	if len(dependencyVulns) == 0 {
+	// we are not creating fixed or reopened events, if the user is "system", because this can only happen if there is a problem with the scanner or the database.
+	if len(dependencyVulns) == 0 || userID == "system" {
 		return nil
 	}
 

transformer/vulnevent_transformer.go

@@ -49,15 +49,16 @@ func ConvertVulnEventsToDtos(events []models.VulnEventDetail) []dtos.VulnEventDT
 
 func ConvertVulnEventToDto(event models.VulnEvent) dtos.VulnEventDTO {
 	return dtos.VulnEventDTO{
-		ID:                      event.ID,
-		Type:                    event.Type,
-		VulnID:                  event.GetVulnID(),
-		VulnType:                event.GetVulnType(),
-		UserID:                  event.UserID,
-		Justification:           event.Justification,
-		MechanicalJustification: event.MechanicalJustification,
-		ArbitraryJSONData:       event.GetArbitraryJSONData(),
-		CreatedAt:               event.CreatedAt,
-		CreatedByVexRule:        event.CreatedByVexRule,
+		ID:                       event.ID,
+		Type:                     event.Type,
+		VulnID:                   event.GetVulnID(),
+		VulnType:                 event.GetVulnType(),
+		UserID:                   event.UserID,
+		Justification:            event.Justification,
+		MechanicalJustification:  event.MechanicalJustification,
+		ArbitraryJSONData:        event.GetArbitraryJSONData(),
+		CreatedAt:                event.CreatedAt,
+		CreatedByVexRule:         event.CreatedByVexRule,
+		OriginalAssetVersionName: event.OriginalAssetVersionName,
 	}
 }