adds content hash columns to malicious packages and exploits

Author: timbastin

database/migrations/20260517000000_add_content_hash_to_exploits.up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE public.exploits ADD COLUMN IF NOT EXISTS content_hash bigint NOT NULL DEFAULT 0;
+ALTER TABLE public.malicious_packages ADD COLUMN IF NOT EXISTS content_hash bigint NOT NULL DEFAULT 0;

database/models/cve_model.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/l3montree-dev/devguard/dtos"
 	"gorm.io/datatypes"
-	"gorm.io/gorm"
 )
 
 type Severity string
@@ -95,10 +94,3 @@ func (cve CVE) GetReferences() ([]cveReference, error) {
 	return refs, nil
 }
 
-func (cve *CVE) BeforeSave(tx *gorm.DB) error {
-	if cve.ID == 0 {
-		cve.ID = cve.CalculateHash()
-	}
-	cve.ContentHash = cve.CalculateContentHash()
-	return nil
-}

database/models/exploit_model.go

@@ -14,10 +14,16 @@
 // along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package models
 
-import "time"
+import (
+	"crypto/md5"
+	"encoding/binary"
+	"fmt"
+	"time"
+)
 
 type Exploit struct {
 	ID          string     `json:"id" gorm:"primaryKey;"`
+	ContentHash int64      `json:"contentHash" gorm:"type:bigint;not null;default:0;"`
 	Published   *time.Time `json:"pushed_at" gorm:"type:date;"`
 	Updated     *time.Time `json:"updated_at" gorm:"type:date;"`
 	Author      string     `json:"author" gorm:"type:text;"`
@@ -34,6 +40,24 @@ type Exploit struct {
 	Stars       int        `json:"stargazers_count" gorm:"type:integer;"`
 }
 
+func (e Exploit) CalculateContentHash() int64 {
+	pub := ""
+	if e.Published != nil {
+		pub = e.Published.Format(time.DateOnly)
+	}
+	upd := ""
+	if e.Updated != nil {
+		upd = e.Updated.Format(time.DateOnly)
+	}
+	h := fmt.Sprintf("%s|%s|%s|%s|%t|%s|%s|%s|%s|%d|%d|%d|%d",
+		pub, upd, e.Author, e.Type, e.Verified, e.SourceURL, e.Description,
+		e.CVEID, e.Tags, e.Forks, e.Watchers, e.Subscribers, e.Stars,
+	)
+	sum := md5.Sum([]byte(h))
+	u := binary.BigEndian.Uint64(sum[:8])
+	return int64(u & 0x7fffffffffffffff)
+}
+
 func (m Exploit) TableName() string {
 	return "exploits"
 }

database/models/malicious_package_model.go

@@ -16,7 +16,9 @@
 package models
 
 import (
+	"crypto/md5"
 	"crypto/sha256"
+	"encoding/binary"
 	"encoding/hex"
 	"fmt"
 	"time"
@@ -29,13 +31,25 @@ import (
 // MaliciousPackage stores metadata for malicious packages from OSV
 type MaliciousPackage struct {
 	ID                          string                       `gorm:"primarykey;type:varchar(255)" json:"id"` // OSV ID
+	ContentHash                 int64                        `gorm:"type:bigint;not null;default:0" json:"contentHash"`
 	Summary                     string                       `gorm:"type:text" json:"summary"`
 	Details                     string                       `gorm:"type:text" json:"details"`
 	Published                   time.Time                    `json:"published"`
 	Modified                    time.Time                    `json:"modified"`
 	MaliciousAffectedComponents []MaliciousAffectedComponent `json:"affectedComponents" gorm:"foreignKey:MaliciousPackageID;constraint:OnUpdate:CASCADE,OnDelete:CASCADE;"`
 }
 
+func (mp MaliciousPackage) CalculateContentHash() int64 {
+	h := fmt.Sprintf("%s|%s|%s|%s",
+		mp.Summary, mp.Details,
+		mp.Published.Format(time.RFC3339),
+		mp.Modified.Format(time.RFC3339),
+	)
+	sum := md5.Sum([]byte(h))
+	u := binary.BigEndian.Uint64(sum[:8])
+	return int64(u & 0x7fffffffffffffff)
+}
+
 func (MaliciousPackage) TableName() string {
 	return "malicious_packages"
 }

vulndb/exploitdb_service.go

@@ -107,10 +107,10 @@ func insertExploitsBulk(ctx context.Context, tx pgx.Tx, exploits []models.Exploi
 		return nil
 	}
 	if _, err := tx.CopyFrom(ctx, pgx.Identifier{table},
-		[]string{"id", "published", "updated", "author", "type", "verified", "source_url", "description", "cve_id", "tags", "forks", "watchers", "subscribers", "stars"},
+		[]string{"id", "content_hash", "published", "updated", "author", "type", "verified", "source_url", "description", "cve_id", "tags", "forks", "watchers", "subscribers", "stars"},
 		pgx.CopyFromSlice(len(exploits), func(i int) ([]any, error) {
 			e := exploits[i]
-			return []any{e.ID, e.Published, e.Updated, e.Author, e.Type, e.Verified, e.SourceURL, e.Description, e.CVEID, e.Tags, e.Forks, e.Watchers, e.Subscribers, e.Stars}, nil
+			return []any{e.ID, e.CalculateContentHash(), e.Published, e.Updated, e.Author, e.Type, e.Verified, e.SourceURL, e.Description, e.CVEID, e.Tags, e.Forks, e.Watchers, e.Subscribers, e.Stars}, nil
 		})); err != nil {
 		return fmt.Errorf("could not copy exploit rows into staging table: %w", err)
 	}

vulndb/gob.go

@@ -29,6 +29,7 @@ type CISAKEVEntry struct {
 // It omits the nested CVE field which contains datatypes.Date.
 type GobExploit struct {
 	ID          string
+	ContentHash int64
 	Published   *time.Time
 	Updated     *time.Time
 	Author      string
@@ -91,8 +92,10 @@ func dateToTimePtr(d *datatypes.Date) *time.Time {
 // --- Exploit conversions ---
 
 func exploitToGob(e models.Exploit) GobExploit {
+	e.ContentHash = e.CalculateContentHash()
 	return GobExploit{
 		ID:          e.ID,
+		ContentHash: e.ContentHash,
 		Published:   e.Published,
 		Updated:     e.Updated,
 		Author:      e.Author,
@@ -112,6 +115,7 @@ func exploitToGob(e models.Exploit) GobExploit {
 func gobExploitToModel(g GobExploit) models.Exploit {
 	return models.Exploit{
 		ID:          g.ID,
+		ContentHash: g.ContentHash,
 		Published:   g.Published,
 		Updated:     g.Updated,
 		Author:      g.Author,

vulndb/malicious_packages_checker.go

@@ -143,10 +143,10 @@ func (c *MaliciousPackageChecker) IsMalicious(ctx context.Context, ecosystem, pa
 func insertMaliciousPackagesBulk(ctx context.Context, tx pgx.Tx, pkgs []models.MaliciousPackage, comps []models.MaliciousAffectedComponent, pkgTable, compTable string) error {
 	if len(pkgs) > 0 {
 		if _, err := tx.CopyFrom(ctx, pgx.Identifier{pkgTable},
-			[]string{"id", "summary", "details", "published", "modified"},
+			[]string{"id", "content_hash", "summary", "details", "published", "modified"},
 			pgx.CopyFromSlice(len(pkgs), func(i int) ([]any, error) {
 				p := pkgs[i]
-				return []any{p.ID, p.Summary, p.Details, p.Published, p.Modified}, nil
+				return []any{p.ID, p.CalculateContentHash(), p.Summary, p.Details, p.Published, p.Modified}, nil
 			})); err != nil {
 			return fmt.Errorf("could not copy malicious packages into staging table: %w", err)
 		}

vulndb/osv_service.go

@@ -69,8 +69,8 @@ var liveTableSpecs = func() []syncSpec {
 	acInsertCols := []string{"id", "purl", "ecosystem", "version", "semver_introduced", "semver_fixed", "version_introduced", "version_fixed"}
 	acInsertExprs := []string{"id", "purl", "ecosystem", "version", "semver_introduced::semver", "semver_fixed::semver", "version_introduced", "version_fixed"}
 	pivotAllCols := []string{"affected_component_id", "cve_id"}
-	exploitAllCols := []string{"id", "published", "updated", "author", "type", "verified", "source_url", "description", "cve_id", "tags", "forks", "watchers", "subscribers", "stars"}
-	malPkgAllCols := []string{"id", "summary", "details", "published", "modified"}
+	exploitAllCols := []string{"id", "content_hash", "published", "updated", "author", "type", "verified", "source_url", "description", "cve_id", "tags", "forks", "watchers", "subscribers", "stars"}
+	malPkgAllCols := []string{"id", "content_hash", "summary", "details", "published", "modified"}
 	malCompInsertCols := []string{"id", "malicious_package_id", "purl", "ecosystem", "version", "semver_introduced", "semver_fixed", "version_introduced", "version_fixed"}
 	malCompInsertExprs := []string{"id", "malicious_package_id", "purl", "ecosystem", "version::text", "semver_introduced::semver", "semver_fixed::semver", "version_introduced", "version_fixed"}
 	return []syncSpec{
@@ -97,14 +97,14 @@ var liveTableSpecs = func() []syncSpec {
 		},
 		{
 			live: "exploits", stage: "exploits_stage", keyCols: []string{"id"},
-			contentHashCol: "updated",
-			contentCols:    []string{"published", "updated", "author", "type", "verified", "source_url", "description", "cve_id", "tags", "forks", "watchers", "subscribers", "stars"},
+			contentHashCol: "content_hash",
+			contentCols:    []string{"content_hash", "published", "updated", "author", "type", "verified", "source_url", "description", "cve_id", "tags", "forks", "watchers", "subscribers", "stars"},
 			insertCols:     exploitAllCols, insertSelectExprs: exploitAllCols,
 		},
 		{
 			live: "malicious_packages", stage: "mal_pkgs_stage", keyCols: []string{"id"},
-			contentHashCol: "modified",
-			contentCols:    []string{"summary", "details", "published", "modified"},
+			contentHashCol: "content_hash",
+			contentCols:    []string{"content_hash", "summary", "details", "published", "modified"},
 			insertCols:     malPkgAllCols, insertSelectExprs: malPkgAllCols,
 		},
 		{
@@ -730,13 +730,14 @@ func FlushOSVStagingTables(ctx context.Context, tx pgx.Tx) error {
 
 	t = time.Now()
 	if _, err := tx.Exec(ctx, `
-		INSERT INTO malicious_packages (id, summary, details, published, modified)
-		SELECT id, summary, details, published, modified FROM mal_pkgs_stage
+		INSERT INTO malicious_packages (id, content_hash, summary, details, published, modified)
+		SELECT id, content_hash, summary, details, published, modified FROM mal_pkgs_stage
 		ON CONFLICT (id) DO UPDATE SET
-			summary   = EXCLUDED.summary,
-			details   = EXCLUDED.details,
-			published = EXCLUDED.published,
-			modified  = EXCLUDED.modified`); err != nil {
+			content_hash = EXCLUDED.content_hash,
+			summary      = EXCLUDED.summary,
+			details      = EXCLUDED.details,
+			published    = EXCLUDED.published,
+			modified     = EXCLUDED.modified`); err != nil {
 		return fmt.Errorf("could not flush malicious_packages: %w", err)
 	}
 	slog.Info("flushed malicious_packages", "took", time.Since(t))
@@ -768,19 +769,24 @@ func flushNonOSVStagingTables(ctx context.Context, tx pgx.Tx) error {
 		return fmt.Errorf("could not delete stale exploits: %w", err)
 	}
 	if _, err := tx.Exec(ctx, `
-		INSERT INTO exploits (id, published, updated, author, type, verified, source_url, description, cve_id, tags, forks, watchers, subscribers, stars)
-		SELECT id, published, updated, author, type, verified, source_url, description, cve_id, tags, forks, watchers, subscribers, stars
+		INSERT INTO exploits (id, content_hash, published, updated, author, type, verified, source_url, description, cve_id, tags, forks, watchers, subscribers, stars)
+		SELECT id, content_hash, published, updated, author, type, verified, source_url, description, cve_id, tags, forks, watchers, subscribers, stars
 		FROM exploits_stage
 		ON CONFLICT (id) DO UPDATE SET
-			published   = EXCLUDED.published,
-			updated     = EXCLUDED.updated,
-			author      = EXCLUDED.author,
-			source_url  = EXCLUDED.source_url,
-			description = EXCLUDED.description,
-			forks       = EXCLUDED.forks,
-			watchers    = EXCLUDED.watchers,
-			subscribers = EXCLUDED.subscribers,
-			stars       = EXCLUDED.stars`); err != nil {
+			content_hash = EXCLUDED.content_hash,
+			published    = EXCLUDED.published,
+			updated      = EXCLUDED.updated,
+			author       = EXCLUDED.author,
+			type         = EXCLUDED.type,
+			verified     = EXCLUDED.verified,
+			source_url   = EXCLUDED.source_url,
+			description  = EXCLUDED.description,
+			cve_id       = EXCLUDED.cve_id,
+			tags         = EXCLUDED.tags,
+			forks        = EXCLUDED.forks,
+			watchers     = EXCLUDED.watchers,
+			subscribers  = EXCLUDED.subscribers,
+			stars        = EXCLUDED.stars`); err != nil {
 		return fmt.Errorf("could not flush exploits: %w", err)
 	}
 	slog.Info("finished flushing non-osv staging tables (exploits)", "total", time.Since(t))
@@ -830,28 +836,30 @@ func CreateStagingTables(ctx context.Context, tx pgx.Tx) error {
 		) ON COMMIT DROP;
 
 		CREATE TEMP TABLE IF NOT EXISTS exploits_stage (
-			id          text,
-			published   date,
-			updated     date,
-			author      text,
-			type        text,
-			verified    boolean,
-			source_url  text,
-			description text,
-			cve_id      text,
-			tags        text,
-			forks       integer,
-			watchers    integer,
-			subscribers integer,
-			stars       integer
+			id           text,
+			content_hash bigint,
+			published    date,
+			updated      date,
+			author       text,
+			type         text,
+			verified     boolean,
+			source_url   text,
+			description  text,
+			cve_id       text,
+			tags         text,
+			forks        integer,
+			watchers     integer,
+			subscribers  integer,
+			stars        integer
 		) ON COMMIT DROP;
 
 		CREATE TEMP TABLE IF NOT EXISTS mal_pkgs_stage (
-			id        text,
-			summary   text,
-			details   text,
-			published timestamptz,
-			modified  timestamptz
+			id           text,
+			content_hash bigint,
+			summary      text,
+			details      text,
+			published    timestamptz,
+			modified     timestamptz
 		) ON COMMIT DROP;
 
 		CREATE TEMP TABLE IF NOT EXISTS mal_comps_stage (