Added all the different cases to the scanner_id in the component repository as well

patrick.rissmann@l3montree.com · patrick.rissmann@l3montree.com · commit ad93864a2b63 · 2025-04-08T19:26:45.000+02:00
diff --git a/internal/core/assetversion/asset_version_controller.go b/internal/core/assetversion/asset_version_controller.go
@@ -248,7 +248,7 @@ func (a *assetVersionController) Metrics(ctx core.Context) error {
 	assetVersion := core.GetAssetVersion(ctx)
 	scannerIds := []string{}
 	// get the latest events of this asset per scan type
-	err := a.assetVersionRepository.GetDB(nil).Table("dependency_vulns").Select("DISTINCT scanner_id").Where("asset_version_name  = ? AND asset_id = ?", assetVersion.Name, assetVersion.AssetID).Pluck("scanner_id", &scannerIds).Error
+	err := a.assetVersionRepository.GetDB(nil).Table("dependency_vulns").Select("DISTINCT scanner_ids").Where("asset_version_name  = ? AND asset_id = ?", assetVersion.Name, assetVersion.AssetID).Pluck("scanner_ids", &scannerIds).Error
 
 	if err != nil {
 		return err
diff --git a/internal/core/assetversion/asset_version_service.go b/internal/core/assetversion/asset_version_service.go
@@ -336,6 +336,7 @@ func buildBomRefMap(bom normalize.SBOM) map[string]cdx.Component {
 
 func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string, sbom normalize.SBOM) error {
 	// load the asset components
+	scannerID = "AdditionalScanner"
 	assetComponents, err := s.componentRepository.LoadComponents(nil, assetVersion.Name, assetVersion.AssetID, scannerID)
 	if err != nil {
 		return errors.Wrap(err, "could not load asset components")
@@ -372,7 +373,7 @@ func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string,
 			dependencies = append(dependencies,
 				models.ComponentDependency{
 					ComponentPurl:  nil, // direct dependency - therefore set it to nil
-					ScannerID:      scannerID,
+					ScannerIDs:     scannerID + " ",
 					DependencyPurl: componentPackageUrl,
 				},
 			)
@@ -398,7 +399,7 @@ func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string,
 			dependencies = append(dependencies,
 				models.ComponentDependency{
 					ComponentPurl:  utils.EmptyThenNil(compPackageUrl),
-					ScannerID:      scannerID,
+					ScannerIDs:     scannerID + " ",
 					DependencyPurl: depPurlOrName,
 				},
 			)
@@ -431,7 +432,7 @@ func (s *service) UpdateSBOM(assetVersion models.AssetVersion, scannerID string,
 		return err
 	}
 
-	if err = s.componentRepository.HandleStateDiff(nil, assetVersion.Name, assetVersion.AssetID, assetComponents, dependencies); err != nil {
+	if err = s.componentRepository.HandleStateDiff(nil, assetVersion.Name, assetVersion.AssetID, assetComponents, dependencies, scannerID); err != nil {
 		return err
 	}
 
diff --git a/internal/core/common_interfaces.go b/internal/core/common_interfaces.go
@@ -92,7 +92,7 @@ type ComponentRepository interface {
 	LoadPathToComponent(tx DB, assetVersionName string, assetID uuid.UUID, pURL string, scannerID string) ([]models.ComponentDependency, error)
 	SaveBatch(tx DB, components []models.Component) error
 	FindByPurl(tx DB, purl string) (models.Component, error)
-	HandleStateDiff(tx DB, assetVersionName string, assetID uuid.UUID, oldState []models.ComponentDependency, newState []models.ComponentDependency) error
+	HandleStateDiff(tx DB, assetVersionName string, assetID uuid.UUID, oldState []models.ComponentDependency, newState []models.ComponentDependency, scannerID string) error
 	GetDependencyCountPerScanner(assetVersionName string, assetID uuid.UUID) (map[string]int, error)
 	GetLicenseDistribution(tx DB, assetVersionName string, assetID uuid.UUID, scannerID string) (map[string]int, error)
 }
@@ -107,7 +107,6 @@ type DependencyVulnRepository interface {
 	GetDefaultDependencyVulnsByOrgIdPaged(tx DB, userAllowedProjectIds []string, pageInfo PageInfo, search string, filter []FilterQuery, sort []SortQuery) (Paged[models.DependencyVuln], error)
 	GetDefaultDependencyVulnsByProjectIdPaged(tx DB, projectID uuid.UUID, pageInfo PageInfo, search string, filter []FilterQuery, sort []SortQuery) (Paged[models.DependencyVuln], error)
 	GetDependencyVulnsByAssetVersionPagedAndFlat(tx DB, assetVersionName string, assetVersionID uuid.UUID, pageInfo PageInfo, search string, filter []FilterQuery, sort []SortQuery) (Paged[models.DependencyVuln], error)
-	ListByScanner(assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error)
 	ListByAssetAndAssetVersion(assetVersionName string, assetID uuid.UUID) ([]models.DependencyVuln, error)
 	GetDependencyVulnsByPurl(tx DB, purls []string) ([]models.DependencyVuln, error)
 	ApplyAndSave(tx DB, dependencyVuln *models.DependencyVuln, vulnEvent *models.VulnEvent) error
diff --git a/internal/core/component/component_dto.go b/internal/core/component/component_dto.go
@@ -14,7 +14,7 @@ type componentDTO struct {
 	Dependency     models.Component `json:"dependency"`
 	DependencyPurl string           `json:"dependencyPurl"` // will be nil, for direct dependencies
 	AssetID        uuid.UUID        `json:"assetVersionId"`
-	ScannerID      string           `json:"scannerId"` // the id of the scanner
+	ScannerIDs     string           `json:"scanner"` // the id of the scanner
 }
 
 func toDTO(m models.ComponentDependency) componentDTO {
@@ -23,6 +23,6 @@ func toDTO(m models.ComponentDependency) componentDTO {
 		Dependency:     m.Dependency,
 		DependencyPurl: m.DependencyPurl,
 		AssetID:        m.AssetID,
-		ScannerID:      m.ScannerID,
+		ScannerIDs:     m.ScannerIDs,
 	}
 }
diff --git a/internal/core/dependency_vuln/dependency_vuln_controller.go b/internal/core/dependency_vuln/dependency_vuln_controller.go
@@ -135,7 +135,7 @@ func (c dependencyVulnHttpController) ListPaged(ctx core.Context) error {
 		// append the dependencyVuln to the package
 		dependencyVulnsByPackage.DependencyVulns = append(res[*dependencyVuln.ComponentPurl].DependencyVulns, DependencyVulnDTO{
 			ID:                    dependencyVuln.ID,
-			ScannerID:             dependencyVuln.ScannerIDs,
+			ScannerIDs:            dependencyVuln.ScannerIDs,
 			Message:               dependencyVuln.Message,
 			AssetVersionName:      dependencyVuln.AssetVersionName,
 			AssetID:               dependencyVuln.AssetID.String(),
@@ -296,7 +296,7 @@ func convertToDetailedDTO(dependencyVuln models.DependencyVuln) detailedDependen
 			Priority:              dependencyVuln.Priority,
 			LastDetected:          dependencyVuln.LastDetected,
 			CreatedAt:             dependencyVuln.CreatedAt,
-			ScannerID:             dependencyVuln.ScannerIDs,
+			ScannerIDs:            dependencyVuln.ScannerIDs,
 			TicketID:              dependencyVuln.TicketID,
 			TicketURL:             dependencyVuln.TicketURL,
 			RiskRecalculatedAt:    dependencyVuln.RiskRecalculatedAt,
diff --git a/internal/core/dependency_vuln/dependency_vuln_dto.go b/internal/core/dependency_vuln/dependency_vuln_dto.go
@@ -24,7 +24,7 @@ import (
 
 type DependencyVulnDTO struct {
 	ID                    string           `json:"id"`
-	ScannerID             string           `json:"scanner"`
+	ScannerIDs            string           `json:"scanner"`
 	Message               *string          `json:"message"`
 	AssetVersionName      string           `json:"assetVersionId"`
 	AssetID               string           `json:"assetId"`
@@ -55,7 +55,7 @@ func DependencyVulnToDto(f models.DependencyVuln) DependencyVulnDTO {
 
 	return DependencyVulnDTO{
 		ID:                    f.ID,
-		ScannerID:             f.ScannerIDs,
+		ScannerIDs:            f.ScannerIDs,
 		Message:               f.Message,
 		AssetVersionName:      f.AssetVersionName,
 		AssetID:               f.AssetID.String(),
diff --git a/internal/core/vulndb/scan/scan_controller.go b/internal/core/vulndb/scan/scan_controller.go
@@ -94,8 +94,8 @@ func DependencyVulnScan(c core.Context, bom normalize.SBOM, s *httpController) (
 		return scanResults, err
 	}
 
-	scanner := c.Request().Header.Get("X-Scanner")
-	if scanner == "" {
+	scannerID := c.Request().Header.Get("X-Scanner")
+	if scannerID == "" {
 		slog.Error("no X-Scanner header found")
 		return scanResults, err
 	}
@@ -106,7 +106,7 @@ func DependencyVulnScan(c core.Context, bom normalize.SBOM, s *httpController) (
 
 	if doRiskManagement {
 		// update the sbom in the database in parallel
-		if err := s.assetVersionService.UpdateSBOM(assetVersion, scanner, normalizedBom); err != nil {
+		if err := s.assetVersionService.UpdateSBOM(assetVersion, scannerID, normalizedBom); err != nil {
 			slog.Error("could not update sbom", "err", err)
 			return scanResults, err
 		}
@@ -120,12 +120,6 @@ func DependencyVulnScan(c core.Context, bom normalize.SBOM, s *httpController) (
 		return scanResults, err
 	}
 
-	scannerID := c.Request().Header.Get("X-Scanner")
-	if scannerID == "" {
-		slog.Error("no scanner id provided")
-		return scanResults, err
-	}
-
 	// handle the scan result
 	amountOpened, amountClose, newState, err := s.assetVersionService.HandleScanResult(asset, &assetVersion, vulns, scannerID, userID, doRiskManagement)
 	if err != nil {
diff --git a/internal/database/models/component_model.go b/internal/database/models/component_model.go
@@ -84,7 +84,7 @@ type ComponentDependency struct {
 	AssetVersionName string       `json:"assetVersionName"`
 	AssetVersion     AssetVersion `json:"assetVersion" gorm:"foreignKey:AssetID,AssetVersionName;references:AssetID,Name;constraint:OnDelete:CASCADE;"`
 
-	ScannerID string `json:"scannerId" gorm:"column:scanner_id"` // the id of the scanner
+	ScannerIDs string `json:"scannerId" gorm:"column:scanner_ids"` // the ids of scanner which found this component separated by white spaces
 
 	Depth int `json:"depth" gorm:"column:depth"`
 }
diff --git a/internal/database/models/vulnerability_model.go b/internal/database/models/vulnerability_model.go
@@ -17,7 +17,7 @@ type Vulnerability struct {
 	Message *string `json:"message"`
 
 	// the scanner which was used to detect this dependencyVuln
-	ScannerIDs string `json:"scanner" gorm:"not null;"` //List of scanner ids separated by a white space
+	ScannerIDs string `json:"scanner" gorm:"not null;column:scanner_ids"` //List of scanner ids separated by a white space
 
 	Events []VulnEvent `gorm:"foreignKey:VulnID;constraint:OnDelete:CASCADE,OnUpdate:CASCADE;" json:"events"`
 
diff --git a/internal/database/repositories/component_repository.go b/internal/database/repositories/component_repository.go
@@ -63,7 +63,8 @@ func (c *componentRepository) LoadComponents(tx core.DB, assetVersionName string
 	query := c.GetDB(tx).Preload("Component").Preload("Dependency").Where("asset_version_name = ? AND asset_id = ?", assetVersionName, assetID)
 
 	if scannerID != "" {
-		query = query.Where("scanner_id LIKE %?%", scannerID)
+		scannerID = "%" + scannerID + "%"
+		query = query.Where("scanner_ids LIKE ?", scannerID)
 	}
 
 	err = query.Find(&components).Error
@@ -82,15 +83,16 @@ func (c *componentRepository) LoadPathToComponent(tx core.DB, assetVersionName s
 
 	//Find all needed components  recursively until we hit the root component
 
+	scannerID = "%" + scannerID + "%"
 	query := c.GetDB(tx).Raw(`WITH RECURSIVE components_cte AS (
-			SELECT component_purl,dependency_purl,asset_id,scanner_id,depth,semver_start,semver_end
+			SELECT component_purl,dependency_purl,asset_id,scanner_ids,depth,semver_start,semver_end
 			FROM component_dependencies
-			WHERE dependency_purl like ? AND asset_id = ? AND asset_version_name = ? AND scanner_id LIKE %?%
+			WHERE dependency_purl like ? AND asset_id = ? AND asset_version_name = ? AND scanner_ids LIKE ?
 			UNION ALL
-			SELECT co.component_purl,co.dependency_purl,co.asset_id,co.scanner_id,co.depth,co.semver_start,co.semver_end
+			SELECT co.component_purl,co.dependency_purl,co.asset_id,co.scanner_ids,co.depth,co.semver_start,co.semver_end
 			FROM component_dependencies AS co
 			INNER JOIN components_cte AS cte ON co.dependency_purl = cte.component_purl 
- 			WHERE co.asset_id = ? AND co.asset_version_name = ? AND co.scanner_id LIKE %?%
+ 			WHERE co.asset_id = ? AND co.asset_version_name = ? AND co.scanner_ids LIKE ?
 		)
 		SELECT DISTINCT * FROM components_cte`, pURL, assetID, assetVersionName, scannerID, assetID, assetVersionName, scannerID)
 
@@ -114,7 +116,8 @@ func (c *componentRepository) GetLicenseDistribution(tx core.DB, assetVersionNam
 	query := c.GetDB(tx).Table("components").Select("components.license as license, COUNT(components.license) as count").Joins("RIGHT JOIN component_dependencies ON components.purl = component_dependencies.dependency_purl").Where("asset_version_name = ? AND asset_id = ?", assetVersionName, assetID).Group("components.license")
 
 	if scannerID != "" {
-		query = query.Where("scanner_id LIKE %?%", scannerID)
+		scannerID = "%" + scannerID + "%"
+		query = query.Where("scanner_ids LIKE ?", scannerID)
 	}
 
 	err = query.Scan(&licenses).Error
@@ -146,7 +149,8 @@ func (c *componentRepository) LoadComponentsWithProject(tx core.DB, assetVersion
 	query := c.GetDB(tx).Model(&models.ComponentDependency{}).Joins("Dependency").Joins("Dependency.ComponentProject").Where("asset_version_name = ? AND asset_id = ?", assetVersionName, assetID)
 
 	if scannerID != "" {
-		query = query.Where("scanner_id LIKE %?%", scannerID)
+		scannerID = "%" + scannerID + "%"
+		query = query.Where("scanner_ids LIKE ?", scannerID)
 	}
 
 	for _, f := range filter {
@@ -180,29 +184,41 @@ func (c *componentRepository) LoadComponentsWithProject(tx core.DB, assetVersion
 	return core.NewPaged(pageInfo, total, components), err
 }
 
-func (c *componentRepository) LoadAllLatestComponentFromAssetVersion(tx core.DB, assetVersion models.AssetVersion, scannerID string) ([]models.ComponentDependency, error) {
-	var component []models.ComponentDependency
-	err := c.GetDB(tx).Preload("Component").Preload("Dependency").Where("asset_version_name = ? AND asset_id AND scanner_id LIKE %?%", assetVersion.Name, assetVersion.AssetID).Find(&component).Error
-	return component, err
-}
-
 func (c *componentRepository) FindByPurl(tx core.DB, purl string) (models.Component, error) {
 	var component models.Component
 	err := c.GetDB(tx).Where("purl = ?", purl).First(&component).Error
 	return component, err
 }
 
-func (c *componentRepository) HandleStateDiff(tx core.DB, assetVersionName string, assetID uuid.UUID, oldState []models.ComponentDependency, newState []models.ComponentDependency) error {
+func (c *componentRepository) HandleStateDiff(tx core.DB, assetVersionName string, assetID uuid.UUID, oldState []models.ComponentDependency, newState []models.ComponentDependency, scannerID string) error {
 	comparison := utils.CompareSlices(oldState, newState, func(dep models.ComponentDependency) string {
 		return utils.SafeDereference(dep.ComponentPurl) + "->" + dep.DependencyPurl
 	})
 
 	removed := comparison.OnlyInA
 	added := comparison.OnlyInB
+	needToBeChanged := comparison.InBoth
 
 	return c.GetDB(tx).Transaction(func(tx *gorm.DB) error {
-		if len(removed) != 0 {
-			if err := c.GetDB(tx).Delete(&removed).Error; err != nil {
+		dependenciesToUpdate, err := removeScannerIDFromComponents(tx, c, removed, scannerID)
+		if err != nil {
+			return err
+		}
+		if len(dependenciesToUpdate) > 0 {
+			err := c.db.Save(dependenciesToUpdate).Error
+			if err != nil {
+				return err
+			}
+		}
+
+		for i := range needToBeChanged {
+			if !strings.Contains(needToBeChanged[i].ScannerIDs, scannerID) {
+				needToBeChanged[i].ScannerIDs = needToBeChanged[i].ScannerIDs + scannerID + " "
+			}
+		}
+		if len(needToBeChanged) > 0 {
+			err := c.db.Save(needToBeChanged).Error
+			if err != nil {
 				return err
 			}
 		}
@@ -219,12 +235,12 @@ func (c *componentRepository) HandleStateDiff(tx core.DB, assetVersionName strin
 
 func (c *componentRepository) GetDependencyCountPerScanner(assetVersionName string, assetID uuid.UUID) (map[string]int, error) {
 	var results []struct {
-		ScannerID string `gorm:"column:scanner_id"`
+		ScannerID string `gorm:"column:scanner_ids"`
 		Count     int    `gorm:"column:count"`
 	}
 	err := c.db.Model(&models.Component{}).
-		Select("scanner_id , COUNT(*) as count").
-		Group("scanner_id").
+		Select("scanner_ids , COUNT(*) as count").
+		Group("scanner_ids").
 		Where("asset_version_name = ?", assetVersionName).
 		Where("asset_id = ?", assetID).
 		Find(&results).Error
@@ -241,3 +257,21 @@ func (c *componentRepository) GetDependencyCountPerScanner(assetVersionName stri
 
 	return counts, nil
 }
+
+func removeScannerIDFromComponents(tx core.DB, c *componentRepository, components []models.ComponentDependency, scannerID string) ([]models.ComponentDependency, error) {
+	var componentDependeciesToChange []models.ComponentDependency
+	scannerID += " "
+	for i := range components {
+
+		if components[i].ScannerIDs == scannerID {
+			if err := c.GetDB(tx).Delete(&components[i]).Error; err != nil {
+				return componentDependeciesToChange, err
+			}
+		} else {
+			components[i].ScannerIDs = strings.Replace(components[i].ScannerIDs, scannerID, "", 1)
+			componentDependeciesToChange = append(componentDependeciesToChange, components[i])
+		}
+	}
+
+	return componentDependeciesToChange, nil
+}
diff --git a/internal/database/repositories/dependency_vuln_repository.go b/internal/database/repositories/dependency_vuln_repository.go
@@ -65,14 +65,6 @@ func (r *dependencyVulnRepository) GetDependencyVulnsByAssetVersion(tx *gorm.DB,
 	return dependencyVulns, nil
 }
 
-func (r *dependencyVulnRepository) ListByScanner(assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error) {
-	var dependencyVulns []models.DependencyVuln = []models.DependencyVuln{}
-	if err := r.Repository.GetDB(r.db).Preload("CVE").Where("asset_version_name = ? AND asset_id = ? AND scanner_id LIKE %?%", assetVersionName, assetID, scannerID).Find(&dependencyVulns).Error; err != nil {
-		return nil, err
-	}
-	return dependencyVulns, nil
-}
-
 func (r *dependencyVulnRepository) ListByAssetAndAssetVersion(assetVersionName string, assetID uuid.UUID) ([]models.DependencyVuln, error) {
 	var dependencyVulns []models.DependencyVuln = []models.DependencyVuln{}
 	if err := r.Repository.GetDB(r.db).Preload("CVE").Where("asset_version_name = ? AND asset_id = ?", assetVersionName, assetID).Find(&dependencyVulns).Error; err != nil {
diff --git a/internal/database/repositories/first_party_vuln_repository.go b/internal/database/repositories/first_party_vuln_repository.go
@@ -23,7 +23,8 @@ func NewFirstPartyVulnerabilityRepository(db core.DB) *firstPartyVulnerabilityRe
 
 func (r *firstPartyVulnerabilityRepository) ListByScanner(assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.FirstPartyVulnerability, error) {
 	var vulns []models.FirstPartyVulnerability = []models.FirstPartyVulnerability{}
-	if err := r.Repository.GetDB(r.db).Where("asset_version_name = ? AND asset_id = ? AND scanner_id LIKE %?%", assetVersionName, assetID, scannerID).Find(&vulns).Error; err != nil {
+	scannerID = "%" + scannerID + "%"
+	if err := r.Repository.GetDB(r.db).Where("asset_version_name = ? AND asset_id = ? AND scanner_ids LIKE ?", assetVersionName, assetID, scannerID).Find(&vulns).Error; err != nil {
 		return nil, err
 	}
 	return vulns, nil
diff --git a/internal/database/repositories/statistics_repository.go b/internal/database/repositories/statistics_repository.go
@@ -49,13 +49,13 @@ func (r *statisticsRepository) TimeTravelDependencyVulnState(assetVersionName st
 
 func (r *statisticsRepository) GetDependencyVulnCountByScannerId(assetVersionName string, assetID uuid.UUID) (map[string]int, error) {
 	var results []struct {
-		ScannerID string `gorm:"column:scanner_id"`
+		ScannerID string `gorm:"column:scanner_ids"`
 		Count     int    `gorm:"column:count"`
 	}
 
 	err := r.db.Model(&models.DependencyVuln{}).
-		Select("scanner_id , COUNT(*) as count").
-		Group("scanner_id").
+		Select("scanner_ids , COUNT(*) as count").
+		Group("scanner_ids").
 		Where("asset_version_name = ?", assetVersionName).
 		Where("asset_id = ?", assetID).
 		Find(&results).Error

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ type componentDTO struct {`
`14`	`14`	Dependency models.Component `json:"dependency"`
`15`	`15`	DependencyPurl string `json:"dependencyPurl"` // will be nil, for direct dependencies
`16`	`16`	AssetID uuid.UUID `json:"assetVersionId"`
`17`		- ScannerID string `json:"scannerId"` // the id of the scanner
	`17`	+ ScannerIDs string `json:"scanner"` // the id of the scanner
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`func toDTO(m models.ComponentDependency) componentDTO {`
`@@ -23,6 +23,6 @@ func toDTO(m models.ComponentDependency) componentDTO {`
`23`	`23`	`Dependency: m.Dependency,`
`24`	`24`	`DependencyPurl: m.DependencyPurl,`
`25`	`25`	`AssetID: m.AssetID,`
`26`		`- ScannerID: m.ScannerID,`
	`26`	`+ ScannerIDs: m.ScannerIDs,`
`27`	`27`	`}`
`28`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ type ComponentDependency struct {`
`84`	`84`	AssetVersionName string `json:"assetVersionName"`
`85`	`85`	AssetVersion AssetVersion `json:"assetVersion" gorm:"foreignKey:AssetID,AssetVersionName;references:AssetID,Name;constraint:OnDelete:CASCADE;"`
`86`	`86`
`87`		- ScannerID string `json:"scannerId" gorm:"column:scanner_id"` // the id of the scanner
	`87`	+ ScannerIDs string `json:"scannerId" gorm:"column:scanner_ids"` // the ids of scanner which found this component separated by white spaces
`88`	`88`
`89`	`89`	Depth int `json:"depth" gorm:"column:depth"`
`90`	`90`	`}`