migrate component dependencies to have a new composite primary key and remove obsolete indexes and columns

Hubtrick-Git · Hubtrick-Git · commit 459a95a37290 · 2026-05-19T14:36:57.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -32,4 +32,5 @@ key.pem
 cache
 CLAUDE.md
 .claudeignore
-result
+result
+instance_admin_pub_key_new.pem
diff --git a/database/migrations/20260518100544_remove_obsolete_indexes_and_columns_from_component_dependencies.down.sql b/database/migrations/20260518100544_remove_obsolete_indexes_and_columns_from_component_dependencies.down.sql
diff --git a/database/migrations/20260518100544_remove_obsolete_indexes_and_columns_from_component_dependencies.up.sql b/database/migrations/20260518100544_remove_obsolete_indexes_and_columns_from_component_dependencies.up.sql
@@ -0,0 +1,33 @@
+ALTER TABLE public.component_dependencies
+DROP COLUMN IF EXISTS semver_start,
+DROP COLUMN IF EXISTS semver_end;
+
+DROP INDEX IF EXISTS idx_component_dependencies_component_purl; 
+DROP INDEX IF EXISTS component_purl_idx;
+DROP INDEX IF EXISTS asset_version_name_idx; 
+DROP INDEX IF EXISTS idx_component_dependencies_dependency_purl;
+DROP INDEX IF EXISTS idx_component_dependencies_null_roots;
+DROP INDEX IF EXISTS asset_id_idx;
+DROP INDEX IF EXISTS idx_component_dependencies_component_id;
+DROP INDEX IF EXISTS idx_component_dependencies_dependency_id;
+DROP INDEX IF EXISTS idx_component_dependencies_recursive_lookup;
+DROP INDEX IF EXISTS dependency_purl_idx;
+
+-- remove the current id column and replace it with a composite key on all columns to make enforce deduplication on a data level and reduce complexity (also on indexes)
+
+-- currently component_id can be NULL if its a root node; but primary keys cannot contain NULL values, so we replace it with a ROOT constant
+INSERT INTO public.components VALUES('ROOT','',NULL,NULL,NULL); -- add a ROOT component to the components table to be referenced
+UPDATE public.component_dependencies SET component_id = 'ROOT' WHERE component_id IS NULL; -- use an explicit value for ROOT component dependencies instead of NULL
+
+ALTER TABLE public.component_dependencies DROP CONSTRAINT component_dependencies_pkey, DROP COLUMN id; -- drop primary key constraint and the primary key column
+
+ -- remove all duplicate entries from the table so that the new primary key does not fail on creation
+DELETE FROM public.component_dependencies a
+USING public.component_dependencies b
+WHERE a.ctid < b.ctid -- use the internal column id to choose only 1 candidate per duplicate row
+AND a.asset_id = b.asset_id
+AND a.asset_version_name = b.asset_version_name
+AND a.dependency_id = b.dependency_id
+AND a.component_id = b.component_id;       
+
+ALTER TABLE public.component_dependencies ADD PRIMARY KEY (asset_id, asset_version_name, dependency_id, component_id); -- add the new primary key consisting of all 4 attributes
diff --git a/database/models/component_model.go b/database/models/component_model.go
@@ -70,7 +70,7 @@ type ComponentDependency struct {
 	// this means, that the dependency graph between people using the same library might differ, since they use it differently
 	// we use edges, which provide the information, that a component is used by another component in one asset
 	Component    Component `json:"component" gorm:"foreignKey:ComponentID;references:ID;constraint:OnDelete:CASCADE;"`
-	ComponentID  *string   `json:"componentPurl" gorm:"column:component_id;index:component_purl_idx"` // will be nil, for direct dependencies
+	ComponentID  *string   `json:"componentPurl" gorm:"column:component_id;index:component_purl_idx"` // will be ROOT, for direct dependencies
 	Dependency   Component `json:"dependency" gorm:"foreignKey:DependencyID;references:ID;constraint:OnDelete:CASCADE;"`
 	DependencyID string    `json:"dependencyPurl" gorm:"column:dependency_id;index:dependency_purl_idx"`
 
diff --git a/database/repositories/component_repository.go b/database/repositories/component_repository.go
@@ -147,7 +147,7 @@ func (c *componentRepository) LoadComponentsWithProject(ctx context.Context, tx
 			componentDependencies[i].Dependency.License = &license
 			componentDependencies[i].Dependency.IsLicenseOverwritten = true
 		}
-		if component.ComponentID != nil {
+		if component.ComponentID != nil && *component.ComponentID != "ROOT" {
 			if license, ok := isPurlOverwrittenMap[*component.ComponentID]; ok {
 				componentDependencies[i].Component.License = &license
 				componentDependencies[i].Component.IsLicenseOverwritten = true
@@ -232,18 +232,18 @@ func (c *componentRepository) HandleStateDiff(ctx context.Context, tx *gorm.DB,
 	for _, edge := range diff.AddedEdges {
 		c1 := wholeAssetGraph.Node(edge[0])
 		c2 := wholeAssetGraph.Node(edge[1])
-		var componentID *string
+		var componentID string
 		if c1.Type == normalize.GraphNodeTypeRoot {
-			// set to nil for root nodes
-			componentID = nil
+			// set to ROOT for root nodes
+			componentID = "ROOT"
 		} else {
-			componentID = utils.Ptr(c1.Component.PackageURL)
+			componentID = c1.Component.PackageURL
 		}
 
 		componentDependency := models.ComponentDependency{
 			AssetID:          assetVersion.AssetID,
 			AssetVersionName: assetVersion.Name,
-			ComponentID:      componentID,
+			ComponentID:      utils.Ptr(componentID),
 			DependencyID:     c2.Component.PackageURL,
 		}
 
diff --git a/database/repositories/gorm_repository.go b/database/repositories/gorm_repository.go
@@ -234,10 +234,10 @@ WHERE NOT EXISTS (SELECT artifact_dependency_vulns.dependency_vuln_id FROM artif
 DELETE FROM license_risks lr
 WHERE NOT EXISTS (SELECT artifact_license_risks.license_risk_id FROM artifact_license_risks WHERE artifact_license_risks.license_risk_id = lr.id);
 
--- Clean up artifact root nodes (component_id IS NULL, dependency_id LIKE 'artifact:%')
+-- Clean up artifact root nodes (component_id = 'ROOT', dependency_id LIKE 'artifact:%')
 -- where the artifact no longer exists
 DELETE FROM component_dependencies cd
-WHERE cd.component_id IS NULL
+WHERE cd.component_id = 'ROOT'
 AND cd.dependency_id LIKE 'artifact:%'
 AND NOT EXISTS (
     SELECT 1 FROM artifacts a
diff --git a/integrations/commonint/integration_helper_test.go b/integrations/commonint/integration_helper_test.go
@@ -398,7 +398,7 @@ func TestRenderPathToComponent(t *testing.T) {
 	t.Run("Everything works as expeted with a non empty component list", func(t *testing.T) {
 		// Create a chain of actual components (all with pkg: prefix) to have a path with edges
 		components := []models.ComponentDependency{
-			{ComponentID: nil, DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                                         // root --> artifact
+			{ComponentID: utils.Ptr("ROOT"), DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                           // root --> artifact
 			{ComponentID: utils.Ptr("artifact:test-artifact"), DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},       // artifact -> sbom
 			{ComponentID: utils.Ptr("sbom:test@test-artifact"), DependencyID: "pkg:npm/root-dep@1.0.0", Dependency: models.Component{ID: "pkg:npm/root-dep@1.0.0"}},        // sbom -> root-dep (component)
 			{ComponentID: utils.Ptr("pkg:npm/root-dep@1.0.0"), DependencyID: "pkg:npm/test-package@1.0.0", Dependency: models.Component{ID: "pkg:npm/test-package@1.0.0"}}, // root-dep -> test-package (component)
@@ -423,7 +423,7 @@ func TestRenderPathToComponent(t *testing.T) {
 	t.Run("should escape @ symbols", func(t *testing.T) {
 		// Create a chain of actual components to verify @ escaping in mermaid output
 		components := []models.ComponentDependency{
-			{ComponentID: nil, DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                                         // root --> artifact
+			{ComponentID: utils.Ptr("ROOT"), DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                           // root --> artifact
 			{ComponentID: utils.Ptr("artifact:test-artifact"), DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},       // artifact -> sbom
 			{ComponentID: utils.Ptr("sbom:test@test-artifact"), DependencyID: "pkg:npm/root-dep@1.0.0", Dependency: models.Component{ID: "pkg:npm/root-dep@1.0.0"}},        // sbom -> root-dep (component)
 			{ComponentID: utils.Ptr("pkg:npm/root-dep@1.0.0"), DependencyID: "pkg:npm/test-package@1.0.0", Dependency: models.Component{ID: "pkg:npm/test-package@1.0.0"}}, // root-dep -> test-package (component)
@@ -452,7 +452,7 @@ func TestRenderPathToComponent(t *testing.T) {
 		// The graph requires an artifact and sbom info-source node above the component
 		// so that FindAllComponentOnlyPathsToPURL can terminate the BFS correctly.
 		components := []models.ComponentDependency{
-			{ComponentID: nil, DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},
+			{ComponentID: utils.Ptr("ROOT"), DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},
 			{ComponentID: utils.Ptr("artifact:test-artifact"), DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},
 			{ComponentID: utils.Ptr("sbom:test@test-artifact"), DependencyID: "pkg:npm/single@1.0.0", Dependency: models.Component{ID: "pkg:npm/single@1.0.0"}},
 		}
@@ -711,7 +711,7 @@ func TestTicketContentBitwiseReproducibility(t *testing.T) {
 		// Previously, map iteration randomness caused the two path edges to appear
 		// in non-deterministic order in the Mermaid output.
 		components := []models.ComponentDependency{
-			{ComponentID: nil, DependencyID: "artifact:art", Dependency: models.Component{ID: "artifact:art"}},
+			{ComponentID: utils.Ptr("ROOT"), DependencyID: "artifact:art", Dependency: models.Component{ID: "artifact:art"}},
 			{ComponentID: utils.Ptr("artifact:art"), DependencyID: "sbom:s@art", Dependency: models.Component{ID: "sbom:s@art"}},
 			{ComponentID: utils.Ptr("sbom:s@art"), DependencyID: "pkg:npm/route-b@1.0", Dependency: models.Component{ID: "pkg:npm/route-b@1.0"}},
 			{ComponentID: utils.Ptr("sbom:s@art"), DependencyID: "pkg:npm/route-a@1.0", Dependency: models.Component{ID: "pkg:npm/route-a@1.0"}},
diff --git a/tests/component_service_integration_test.go b/tests/component_service_integration_test.go
@@ -97,7 +97,7 @@ func TestGetAndSaveLicenseInformation(t *testing.T) {
 			err = f.DB.Create(&models.ComponentDependency{
 				AssetVersionName: assetVersion.Name,
 				AssetID:          assetVersion.AssetID,
-				ComponentID:      nil,
+				ComponentID:      utils.Ptr("ROOT"),
 				DependencyID:     artifactRoot,
 			}).Error
 			assert.NoError(t, err)
@@ -219,7 +219,7 @@ func TestGetAndSaveLicenseInformation(t *testing.T) {
 			err = f.DB.Create(&models.ComponentDependency{
 				AssetVersionName: assetVersion.Name,
 				AssetID:          assetVersion.AssetID,
-				ComponentID:      nil,
+				ComponentID:      utils.Ptr("ROOT"),
 				DependencyID:     artifactRoot,
 			}).Error
 			assert.NoError(t, err)
diff --git a/tests/daemon_pipeline_test.go b/tests/daemon_pipeline_test.go
@@ -51,7 +51,7 @@ func createSBOMStructure(f *TestFixture, asset models.Asset, assetVersion models
 	artifactRootDep := models.ComponentDependency{
 		AssetID:          asset.ID,
 		AssetVersionName: assetVersion.Name,
-		ComponentID:      nil,
+		ComponentID:      utils.Ptr("ROOT"),
 		DependencyID:     artifactRoot,
 	}
 	if err := f.DB.Create(&artifactRootDep).Error; err != nil {
@@ -179,7 +179,7 @@ func TestDaemonPipelineEndToEnd(t *testing.T) {
 			artifactRootDep := models.ComponentDependency{
 				AssetID:          asset.ID,
 				AssetVersionName: assetVersion.Name,
-				ComponentID:      nil,
+				ComponentID:      utils.Ptr("ROOT"),
 				DependencyID:     artifactRoot,
 			}
 			err = f.DB.Create(&artifactRootDep).Error
@@ -580,7 +580,7 @@ func TestDaemonPipelineScanAssetDetectVulns(t *testing.T) {
 		artifactRootDep := models.ComponentDependency{
 			AssetID:          asset.ID,
 			AssetVersionName: assetVersion.Name,
-			ComponentID:      nil,
+			ComponentID:      utils.Ptr("ROOT"),
 			DependencyID:     artifactRoot,
 		}
 		err = f.DB.Create(&artifactRootDep).Error
@@ -772,7 +772,7 @@ func TestDaemonPipelineRiskCalculation(t *testing.T) {
 			artifactRootDep := models.ComponentDependency{
 				AssetID:          asset.ID,
 				AssetVersionName: assetVersion.Name,
-				ComponentID:      nil,
+				ComponentID:      utils.Ptr("ROOT"),
 				DependencyID:     artifactRoot,
 			}
 			err = f.DB.Create(&artifactRootDep).Error
diff --git a/tests/release_integration_test.go b/tests/release_integration_test.go
@@ -26,6 +26,7 @@ import (
 	"github.com/l3montree-dev/devguard/controllers"
 	"github.com/l3montree-dev/devguard/database/models"
 	"github.com/l3montree-dev/devguard/shared"
+	"github.com/l3montree-dev/devguard/utils"
 	"github.com/labstack/echo/v4"
 	"github.com/stretchr/testify/assert"
 )
@@ -79,8 +80,8 @@ func TestReleaseSBOMMergeIntegration(t *testing.T) {
 			ID: artifactRoot2,
 		})
 
-		rootDep1 := models.ComponentDependency{DependencyID: artifactRoot1, AssetVersionName: assetVersion.Name, AssetID: asset.ID, ComponentID: nil}
-		rootDep2 := models.ComponentDependency{DependencyID: artifactRoot2, AssetVersionName: assetVersion.Name, AssetID: asset.ID, ComponentID: nil}
+		rootDep1 := models.ComponentDependency{DependencyID: artifactRoot1, AssetVersionName: assetVersion.Name, AssetID: asset.ID, ComponentID: utils.Ptr("ROOT")}
+		rootDep2 := models.ComponentDependency{DependencyID: artifactRoot2, AssetVersionName: assetVersion.Name, AssetID: asset.ID, ComponentID: utils.Ptr("ROOT")}
 		if err := f.DB.Create(&rootDep1).Error; err != nil {
 			t.Fatal(err)
 		}
