fixes migration

timbastin · timbastin · commit 896867921150 · 2026-05-06T09:42:41.000+02:00
diff --git a/database/migrations/20260415090935_refactor-vulndb-tables.up.sql b/database/migrations/20260415090935_refactor-vulndb-tables.up.sql
@@ -10,20 +10,20 @@ ALTER TABLE public.affected_components DROP COLUMN IF EXISTS qualifiers;
 ALTER TABLE public.dependency_vulns DROP CONSTRAINT IF EXISTS fk_dependency_vulns_cve;
 
 -- Truncate all vulndb tables; CASCADE cleans up internal FKs automatically
-TRUNCATE public.cves, public.affected_components, public.malicious_packages, public.malicious_affected_components CASCADE;
+TRUNCATE public.cves, public.affected_components, public.malicious_packages, public.malicious_affected_components, public.exploits, public.weaknesses, public.cve_affected_component, public.cve_relationships CASCADE;
 
 -- Drop primary keys so we can redefine the column types (look up actual constraint names to handle renames)
 DO $$ DECLARE r record;
 BEGIN
     FOR r IN SELECT constraint_name FROM information_schema.table_constraints
              WHERE table_schema = 'public' AND table_name = 'affected_components' AND constraint_type = 'PRIMARY KEY'
-    LOOP EXECUTE 'ALTER TABLE public.affected_components DROP CONSTRAINT ' || quote_ident(r.constraint_name); END LOOP;
+    LOOP EXECUTE 'ALTER TABLE public.affected_components DROP CONSTRAINT ' || quote_ident(r.constraint_name) || ' CASCADE'; END LOOP;
     FOR r IN SELECT constraint_name FROM information_schema.table_constraints
              WHERE table_schema = 'public' AND table_name = 'cve_affected_component' AND constraint_type = 'PRIMARY KEY'
-    LOOP EXECUTE 'ALTER TABLE public.cve_affected_component DROP CONSTRAINT ' || quote_ident(r.constraint_name); END LOOP;
+    LOOP EXECUTE 'ALTER TABLE public.cve_affected_component DROP CONSTRAINT ' || quote_ident(r.constraint_name) || ' CASCADE'; END LOOP;
     FOR r IN SELECT constraint_name FROM information_schema.table_constraints
              WHERE table_schema = 'public' AND table_name = 'cves' AND constraint_type = 'PRIMARY KEY'
-    LOOP EXECUTE 'ALTER TABLE public.cves DROP CONSTRAINT ' || quote_ident(r.constraint_name); END LOOP;
+    LOOP EXECUTE 'ALTER TABLE public.cves DROP CONSTRAINT ' || quote_ident(r.constraint_name) || ' CASCADE'; END LOOP;
 END $$;
 
 -- Rebuild affected_components with bigint id
@@ -48,10 +48,9 @@ ALTER TABLE public.cves ADD CONSTRAINT cves_cve_unique UNIQUE (cve);
 -- Re-add foreign key constraints
 ALTER TABLE public.cve_affected_component ADD CONSTRAINT fk_cve_affected_component_affected_component FOREIGN KEY (affected_component_id) REFERENCES public.affected_components(id) ON DELETE CASCADE;
 ALTER TABLE public.cve_affected_component ADD CONSTRAINT fk_cve_affected_component_cve FOREIGN KEY (cve_id) REFERENCES public.cves(id) ON DELETE CASCADE;
-ALTER TABLE public.dependency_vulns ADD CONSTRAINT fk_dependency_vulns_cve FOREIGN KEY (cve_id) REFERENCES public.cves(cve) ON DELETE CASCADE;
 ALTER TABLE public.exploits ADD CONSTRAINT fk_cves_exploits FOREIGN KEY (cve_id) REFERENCES public.cves(cve) ON DELETE CASCADE;
 ALTER TABLE public.weaknesses ADD CONSTRAINT fk_cves_weaknesses FOREIGN KEY (cve_id) REFERENCES public.cves(cve) ON DELETE CASCADE;
-ALTER TABLE public.vex_rules ADD CONSTRAINT fk_vex_rules_cve FOREIGN KEY (cve_id) REFERENCES public.cves(cve) ON DELETE CASCADE;
+-- fk_vex_rules_cve is added after the full vulndb import in vulndb_service.go to avoid orphan violations
 ALTER TABLE public.cve_relationships ADD CONSTRAINT fk_cve_relationships_source FOREIGN KEY (source_cve) REFERENCES public.cves(cve) ON DELETE CASCADE;
 
 -- Drop unnecessary indexes; we add more optimized ones at the end
diff --git a/vulndb/osv_service.go b/vulndb/osv_service.go
@@ -127,7 +127,7 @@ func (s osvService) applyOSVEntries(ctx context.Context, tx pgx.Tx, osvVulns []O
 		return nil
 	}
 
-	rows, err := buildVulnDBRows(ctx, s.affectedCmpRepository, osvVulns)
+	rows, err := buildVulnDBRows(ctx, tx, osvVulns)
 	if err != nil {
 		return fmt.Errorf("could not build rows from osv objects: %w", err)
 	}
@@ -195,7 +195,7 @@ func (s osvService) fetchAndImportOSV(ctx context.Context, tx pgx.Tx, importStar
 		return -v1.ModifiedTimestamp.Compare(v2.ModifiedTimestamp)
 	})
 
-	rows, err := buildVulnDBRows(ctx, s.affectedCmpRepository, allOSVVulns)
+	rows, err := buildVulnDBRows(ctx, tx, allOSVVulns)
 	if err != nil {
 		return nil, nil, fmt.Errorf("could not build vulndb rows: %w", err)
 	}
@@ -335,14 +335,24 @@ func (s osvService) zipWorkerFunction(zipWorkWaitGroup *sync.WaitGroup, zipJobs
 }
 
 // build all the vuln database rows from the OSV objects
-func buildVulnDBRows(ctx context.Context, affectedCmpRepository shared.AffectedComponentRepository, allEntries []OSVEntry) (vulndbRows, error) {
+func buildVulnDBRows(ctx context.Context, tx pgx.Tx, allEntries []OSVEntry) (vulndbRows, error) {
 	// get the current state of the affected components to avoid creating duplicate entries
 	currentCVEAffectedComponents := make([]cveAffectedComponentRow, 0, len(allEntries)*55)
-	err := affectedCmpRepository.GetDB(ctx, nil).Raw(`SELECT * FROM cve_affected_component;`).Find(&currentCVEAffectedComponents).Error
+	rows, err := tx.Query(ctx, `SELECT affected_component_id, cve_id FROM cve_affected_component`)
 	if err != nil {
 		return vulndbRows{}, fmt.Errorf("could not get current state of affected components: %w", err)
 	}
 
+	// convert the rows to a slice of cveAffectedComponentRow
+	for rows.Next() {
+		var row cveAffectedComponentRow
+		if err := rows.Scan(&row.AffectedComponentID, &row.CveID); err != nil {
+			rows.Close()
+			return vulndbRows{}, fmt.Errorf("could not scan cve_affected_component row: %w", err)
+		}
+		currentCVEAffectedComponents = append(currentCVEAffectedComponents, row)
+	}
+
 	// build a map of the current state for faster lookups of the existing state
 	// used for deduplicating rows in memory rather than on insert
 	isAffectedComponentPresent := make(map[int64]struct{}, len(currentCVEAffectedComponents))
@@ -399,7 +409,7 @@ func buildVulnDBRows(ctx context.Context, affectedCmpRepository shared.AffectedC
 			}
 		}
 	}
-	slog.Info("finished building rows", "building time", time.Since(buildingTime))
+	slog.Info("finished building rows", "buildingTime", time.Since(buildingTime))
 	return vulndbRows{CVEs: cves, CVERelationships: cveRelationships, AffectedComponents: affectedComponents, CVEAffectedComponents: cveAffectedComponents}, nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ func (s osvService) applyOSVEntries(ctx context.Context, tx pgx.Tx, osvVulns []O`
`127`	`127`	`return nil`
`128`	`128`	`}`
`129`	`129`
`130`		`- rows, err := buildVulnDBRows(ctx, s.affectedCmpRepository, osvVulns)`
	`130`	`+ rows, err := buildVulnDBRows(ctx, tx, osvVulns)`
`131`	`131`	`if err != nil {`
`132`	`132`	`return fmt.Errorf("could not build rows from osv objects: %w", err)`
`133`	`133`	`}`
`@@ -195,7 +195,7 @@ func (s osvService) fetchAndImportOSV(ctx context.Context, tx pgx.Tx, importStar`
`195`	`195`	`return -v1.ModifiedTimestamp.Compare(v2.ModifiedTimestamp)`
`196`	`196`	`})`
`197`	`197`
`198`		`- rows, err := buildVulnDBRows(ctx, s.affectedCmpRepository, allOSVVulns)`
	`198`	`+ rows, err := buildVulnDBRows(ctx, tx, allOSVVulns)`
`199`	`199`	`if err != nil {`
`200`	`200`	`return nil, nil, fmt.Errorf("could not build vulndb rows: %w", err)`
`201`	`201`	`}`
`@@ -335,14 +335,24 @@ func (s osvService) zipWorkerFunction(zipWorkWaitGroup *sync.WaitGroup, zipJobs`
`335`	`335`	`}`
`336`	`336`
`337`	`337`	`// build all the vuln database rows from the OSV objects`
`338`		`-func buildVulnDBRows(ctx context.Context, affectedCmpRepository shared.AffectedComponentRepository, allEntries []OSVEntry) (vulndbRows, error) {`
	`338`	`+func buildVulnDBRows(ctx context.Context, tx pgx.Tx, allEntries []OSVEntry) (vulndbRows, error) {`
`339`	`339`	`// get the current state of the affected components to avoid creating duplicate entries`
`340`	`340`	`currentCVEAffectedComponents := make([]cveAffectedComponentRow, 0, len(allEntries)*55)`
`341`		- err := affectedCmpRepository.GetDB(ctx, nil).Raw(`SELECT * FROM cve_affected_component;`).Find(&currentCVEAffectedComponents).Error
	`341`	+ rows, err := tx.Query(ctx, `SELECT affected_component_id, cve_id FROM cve_affected_component`)
`342`	`342`	`if err != nil {`
`343`	`343`	`return vulndbRows{}, fmt.Errorf("could not get current state of affected components: %w", err)`
`344`	`344`	`}`
`345`	`345`
	`346`	`+ // convert the rows to a slice of cveAffectedComponentRow`
	`347`	`+ for rows.Next() {`
	`348`	`+ var row cveAffectedComponentRow`
	`349`	`+ if err := rows.Scan(&row.AffectedComponentID, &row.CveID); err != nil {`
	`350`	`+ rows.Close()`
	`351`	`+ return vulndbRows{}, fmt.Errorf("could not scan cve_affected_component row: %w", err)`
	`352`	`+ }`
	`353`	`+ currentCVEAffectedComponents = append(currentCVEAffectedComponents, row)`
	`354`	`+ }`
	`355`	`+`
`346`	`356`	`// build a map of the current state for faster lookups of the existing state`
`347`	`357`	`// used for deduplicating rows in memory rather than on insert`
`348`	`358`	`isAffectedComponentPresent := make(map[int64]struct{}, len(currentCVEAffectedComponents))`
`@@ -399,7 +409,7 @@ func buildVulnDBRows(ctx context.Context, affectedCmpRepository shared.AffectedC`
`399`	`409`	`}`
`400`	`410`	`}`
`401`	`411`	`}`
`402`		`- slog.Info("finished building rows", "building time", time.Since(buildingTime))`
	`412`	`+ slog.Info("finished building rows", "buildingTime", time.Since(buildingTime))`
`403`	`413`	`return vulndbRows{CVEs: cves, CVERelationships: cveRelationships, AffectedComponents: affectedComponents, CVEAffectedComponents: cveAffectedComponents}, nil`
`404`	`414`	`}`
`405`	`415`