Merge pull request #1992 from l3montree-dev/overhaul-component-dependencies-table

Overhaul component dependencies table

Author: timbastin

.gitignore

@@ -32,4 +32,5 @@ key.pem
 cache
 CLAUDE.md
 .claudeignore
-result
+result
+instance_admin_pub_key_new.pem

database/migrations/20260518100544_remove_obsolete_indexes_and_columns_from_component_dependencies.up.sql

@@ -0,0 +1,35 @@
+ALTER TABLE public.component_dependencies
+DROP COLUMN IF EXISTS semver_start,
+DROP COLUMN IF EXISTS semver_end;
+
+DROP INDEX IF EXISTS idx_component_dependencies_component_purl; 
+DROP INDEX IF EXISTS component_purl_idx;
+DROP INDEX IF EXISTS asset_version_name_idx; 
+DROP INDEX IF EXISTS idx_component_dependencies_dependency_purl;
+DROP INDEX IF EXISTS idx_component_dependencies_null_roots;
+DROP INDEX IF EXISTS asset_id_idx;
+DROP INDEX IF EXISTS idx_component_dependencies_component_id;
+DROP INDEX IF EXISTS idx_component_dependencies_dependency_id;
+DROP INDEX IF EXISTS idx_component_dependencies_recursive_lookup;
+DROP INDEX IF EXISTS dependency_purl_idx;
+
+-- remove the current id column and replace it with a composite key on all columns to make enforce deduplication on a data level and reduce complexity (also on indexes)
+
+-- currently component_id can be NULL if its a root node; but primary keys cannot contain NULL values, so we replace it with a ROOT constant
+INSERT INTO public.components (id, component_type, license, published, project_key) 
+VALUES('ROOT','',NULL,NULL,NULL) ON CONFLICT (id) DO NOTHING; -- add a ROOT component to the components table to be referenced
+
+UPDATE public.component_dependencies SET component_id = 'ROOT' WHERE component_id IS NULL; -- use an explicit value for ROOT component dependencies instead of NULL
+
+ALTER TABLE public.component_dependencies DROP CONSTRAINT component_dependencies_pkey, DROP COLUMN id; -- drop primary key constraint and the primary key column
+
+ -- remove all duplicate entries from the table so that the new primary key does not fail on creation
+DELETE FROM public.component_dependencies a
+USING public.component_dependencies b
+WHERE a.ctid < b.ctid -- use the internal column id to choose only 1 candidate per duplicate row
+AND a.asset_id = b.asset_id
+AND a.asset_version_name = b.asset_version_name
+AND a.dependency_id = b.dependency_id
+AND a.component_id = b.component_id;       
+
+ALTER TABLE public.component_dependencies ADD PRIMARY KEY (asset_id, asset_version_name, dependency_id, component_id); -- add the new primary key consisting of all 4 attributes

database/models/component_model.go

@@ -65,12 +65,11 @@ func (c Component) GetID() (packageurl.PackageURL, error) {
 }
 
 type ComponentDependency struct {
-	ID uuid.UUID `gorm:"primarykey;type:uuid;default:gen_random_uuid()" json:"id"`
 	// the provided sbom from cyclondx only contains the transitive dependencies, which do really get used
 	// this means, that the dependency graph between people using the same library might differ, since they use it differently
 	// we use edges, which provide the information, that a component is used by another component in one asset
 	Component    Component `json:"component" gorm:"foreignKey:ComponentID;references:ID;constraint:OnDelete:CASCADE;"`
-	ComponentID  *string   `json:"componentPurl" gorm:"column:component_id;index:component_purl_idx"` // will be nil, for direct dependencies
+	ComponentID  string    `json:"componentPurl" gorm:"column:component_id;index:component_purl_idx"` // will be ROOT for direct dependencies
 	Dependency   Component `json:"dependency" gorm:"foreignKey:DependencyID;references:ID;constraint:OnDelete:CASCADE;"`
 	DependencyID string    `json:"dependencyPurl" gorm:"column:dependency_id;index:dependency_purl_idx"`
 
@@ -93,7 +92,7 @@ func (c ComponentDependencyNode) GetID() string {
 func (c ComponentDependency) ToNodes() []ComponentDependencyNode {
 	// a component dependency represents an edge in the dependency tree
 	// thus we can represent it as two nodes
-	return []ComponentDependencyNode{{ID: utils.SafeDereference(c.ComponentID)}, {ID: c.DependencyID}}
+	return []ComponentDependencyNode{{ID: c.ComponentID}, {ID: c.DependencyID}}
 }
 
 func resolveLicense(component ComponentDependency, componentLicenseOverwrites map[string]string) cyclonedx.Licenses {
@@ -242,7 +241,7 @@ func (c ComponentDependency) GetID() string {
 	return c.DependencyID
 }
 
-func (c ComponentDependency) GetDependentID() *string {
+func (c ComponentDependency) GetDependentID() string {
 	return c.ComponentID
 }
 

database/repositories/component_repository.go

@@ -28,6 +28,7 @@ import (
 	"github.com/l3montree-dev/devguard/utils"
 	"github.com/pkg/errors"
 	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
 )
 
 type componentRepository struct {
@@ -55,7 +56,7 @@ func (c *componentRepository) CreateComponents(ctx context.Context, tx *gorm.DB,
 		return nil
 	}
 
-	return c.GetDB(ctx, tx).Create(&components).Error
+	return c.GetDB(ctx, tx).Clauses(clause.OnConflict{DoNothing: true}).Create(&components).Error
 }
 
 // LoadComponents loads all component dependencies for an asset version.
@@ -147,8 +148,8 @@ func (c *componentRepository) LoadComponentsWithProject(ctx context.Context, tx
 			componentDependencies[i].Dependency.License = &license
 			componentDependencies[i].Dependency.IsLicenseOverwritten = true
 		}
-		if component.ComponentID != nil {
-			if license, ok := isPurlOverwrittenMap[*component.ComponentID]; ok {
+		if component.ComponentID != "ROOT" {
+			if license, ok := isPurlOverwrittenMap[component.ComponentID]; ok {
 				componentDependencies[i].Component.License = &license
 				componentDependencies[i].Component.IsLicenseOverwritten = true
 			}
@@ -196,15 +197,9 @@ func (c *componentRepository) HandleStateDiff(ctx context.Context, tx *gorm.DB,
 	if len(diff.RemovedEdges) > 0 {
 		var valueClauses []string
 		for _, edge := range diff.RemovedEdges {
-			var componentID string
-			if edge[0] == normalize.GraphRootNodeID {
-				componentID = "NULL"
-			} else {
-				componentID = fmt.Sprintf("'%s'", strings.ReplaceAll(edge[0], "'", "''"))
-			}
-
+			escapedComp := strings.ReplaceAll(edge[0], "'", "''")
 			escapedDep := strings.ReplaceAll(edge[1], "'", "''")
-			valueClauses = append(valueClauses, fmt.Sprintf("(%s, '%s')", componentID, escapedDep))
+			valueClauses = append(valueClauses, fmt.Sprintf("('%s', '%s')", escapedComp, escapedDep))
 		}
 		// Join the value clauses with commas
 		values := strings.Join(valueClauses, ",")
@@ -232,12 +227,12 @@ func (c *componentRepository) HandleStateDiff(ctx context.Context, tx *gorm.DB,
 	for _, edge := range diff.AddedEdges {
 		c1 := wholeAssetGraph.Node(edge[0])
 		c2 := wholeAssetGraph.Node(edge[1])
-		var componentID *string
+		var componentID string
 		if c1.Type == normalize.GraphNodeTypeRoot {
-			// set to nil for root nodes
-			componentID = nil
+			// set to ROOT for root nodes
+			componentID = "ROOT"
 		} else {
-			componentID = utils.Ptr(c1.Component.PackageURL)
+			componentID = c1.Component.PackageURL
 		}
 
 		componentDependency := models.ComponentDependency{

database/repositories/gorm_repository.go

@@ -234,10 +234,10 @@ WHERE NOT EXISTS (SELECT artifact_dependency_vulns.dependency_vuln_id FROM artif
 DELETE FROM license_risks lr
 WHERE NOT EXISTS (SELECT artifact_license_risks.license_risk_id FROM artifact_license_risks WHERE artifact_license_risks.license_risk_id = lr.id);
 
--- Clean up artifact root nodes (component_id IS NULL, dependency_id LIKE 'artifact:%')
+-- Clean up artifact root nodes (component_id = 'ROOT', dependency_id LIKE 'artifact:%')
 -- where the artifact no longer exists
 DELETE FROM component_dependencies cd
-WHERE cd.component_id IS NULL
+WHERE cd.component_id = 'ROOT'
 AND cd.dependency_id LIKE 'artifact:%'
 AND NOT EXISTS (
     SELECT 1 FROM artifacts a

integrations/commonint/integration_helper_test.go

@@ -395,13 +395,13 @@ func TestRenderPathToComponent(t *testing.T) {
 		}
 
 	})
-	t.Run("Everything works as expeted with a non empty component list", func(t *testing.T) {
+	t.Run("Everything works as expected with a non empty component list", func(t *testing.T) {
 		// Create a chain of actual components (all with pkg: prefix) to have a path with edges
 		components := []models.ComponentDependency{
-			{ComponentID: nil, DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                                         // root --> artifact
-			{ComponentID: utils.Ptr("artifact:test-artifact"), DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},       // artifact -> sbom
-			{ComponentID: utils.Ptr("sbom:test@test-artifact"), DependencyID: "pkg:npm/root-dep@1.0.0", Dependency: models.Component{ID: "pkg:npm/root-dep@1.0.0"}},        // sbom -> root-dep (component)
-			{ComponentID: utils.Ptr("pkg:npm/root-dep@1.0.0"), DependencyID: "pkg:npm/test-package@1.0.0", Dependency: models.Component{ID: "pkg:npm/test-package@1.0.0"}}, // root-dep -> test-package (component)
+			{ComponentID: "ROOT", DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                           // root --> artifact
+			{ComponentID: "artifact:test-artifact", DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},       // artifact -> sbom
+			{ComponentID: "sbom:test@test-artifact", DependencyID: "pkg:npm/root-dep@1.0.0", Dependency: models.Component{ID: "pkg:npm/root-dep@1.0.0"}},        // sbom -> root-dep (component)
+			{ComponentID: "pkg:npm/root-dep@1.0.0", DependencyID: "pkg:npm/test-package@1.0.0", Dependency: models.Component{ID: "pkg:npm/test-package@1.0.0"}}, // root-dep -> test-package (component)
 		}
 		componentRepository := mocks.NewComponentRepository(t)
 		componentRepository.On("LoadComponents", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(components, nil)
@@ -423,10 +423,10 @@ func TestRenderPathToComponent(t *testing.T) {
 	t.Run("should escape @ symbols", func(t *testing.T) {
 		// Create a chain of actual components to verify @ escaping in mermaid output
 		components := []models.ComponentDependency{
-			{ComponentID: nil, DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                                         // root --> artifact
-			{ComponentID: utils.Ptr("artifact:test-artifact"), DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},       // artifact -> sbom
-			{ComponentID: utils.Ptr("sbom:test@test-artifact"), DependencyID: "pkg:npm/root-dep@1.0.0", Dependency: models.Component{ID: "pkg:npm/root-dep@1.0.0"}},        // sbom -> root-dep (component)
-			{ComponentID: utils.Ptr("pkg:npm/root-dep@1.0.0"), DependencyID: "pkg:npm/test-package@1.0.0", Dependency: models.Component{ID: "pkg:npm/test-package@1.0.0"}}, // root-dep -> test-package (component)
+			{ComponentID: "ROOT", DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                           // root --> artifact
+			{ComponentID: "artifact:test-artifact", DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},       // artifact -> sbom
+			{ComponentID: "sbom:test@test-artifact", DependencyID: "pkg:npm/root-dep@1.0.0", Dependency: models.Component{ID: "pkg:npm/root-dep@1.0.0"}},        // sbom -> root-dep (component)
+			{ComponentID: "pkg:npm/root-dep@1.0.0", DependencyID: "pkg:npm/test-package@1.0.0", Dependency: models.Component{ID: "pkg:npm/test-package@1.0.0"}}, // root-dep -> test-package (component)
 		}
 		componentRepository := mocks.NewComponentRepository(t)
 		componentRepository.On("LoadComponents", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(components, nil)
@@ -452,9 +452,9 @@ func TestRenderPathToComponent(t *testing.T) {
 		// The graph requires an artifact and sbom info-source node above the component
 		// so that FindAllComponentOnlyPathsToPURL can terminate the BFS correctly.
 		components := []models.ComponentDependency{
-			{ComponentID: nil, DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},
-			{ComponentID: utils.Ptr("artifact:test-artifact"), DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},
-			{ComponentID: utils.Ptr("sbom:test@test-artifact"), DependencyID: "pkg:npm/single@1.0.0", Dependency: models.Component{ID: "pkg:npm/single@1.0.0"}},
+			{ComponentID: "ROOT", DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},
+			{ComponentID: "artifact:test-artifact", DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},
+			{ComponentID: "sbom:test@test-artifact", DependencyID: "pkg:npm/single@1.0.0", Dependency: models.Component{ID: "pkg:npm/single@1.0.0"}},
 		}
 		componentRepository := mocks.NewComponentRepository(t)
 		componentRepository.On("LoadComponents", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(components, nil)
@@ -711,12 +711,12 @@ func TestTicketContentBitwiseReproducibility(t *testing.T) {
 		// Previously, map iteration randomness caused the two path edges to appear
 		// in non-deterministic order in the Mermaid output.
 		components := []models.ComponentDependency{
-			{ComponentID: nil, DependencyID: "artifact:art", Dependency: models.Component{ID: "artifact:art"}},
-			{ComponentID: utils.Ptr("artifact:art"), DependencyID: "sbom:s@art", Dependency: models.Component{ID: "sbom:s@art"}},
-			{ComponentID: utils.Ptr("sbom:s@art"), DependencyID: "pkg:npm/route-b@1.0", Dependency: models.Component{ID: "pkg:npm/route-b@1.0"}},
-			{ComponentID: utils.Ptr("sbom:s@art"), DependencyID: "pkg:npm/route-a@1.0", Dependency: models.Component{ID: "pkg:npm/route-a@1.0"}},
-			{ComponentID: utils.Ptr("pkg:npm/route-a@1.0"), DependencyID: "pkg:npm/target@1.0", Dependency: models.Component{ID: "pkg:npm/target@1.0"}},
-			{ComponentID: utils.Ptr("pkg:npm/route-b@1.0"), DependencyID: "pkg:npm/target@1.0", Dependency: models.Component{ID: "pkg:npm/target@1.0"}},
+			{ComponentID: "ROOT", DependencyID: "artifact:art", Dependency: models.Component{ID: "artifact:art"}},
+			{ComponentID: "artifact:art", DependencyID: "sbom:s@art", Dependency: models.Component{ID: "sbom:s@art"}},
+			{ComponentID: "sbom:s@art", DependencyID: "pkg:npm/route-b@1.0", Dependency: models.Component{ID: "pkg:npm/route-b@1.0"}},
+			{ComponentID: "sbom:s@art", DependencyID: "pkg:npm/route-a@1.0", Dependency: models.Component{ID: "pkg:npm/route-a@1.0"}},
+			{ComponentID: "pkg:npm/route-a@1.0", DependencyID: "pkg:npm/target@1.0", Dependency: models.Component{ID: "pkg:npm/target@1.0"}},
+			{ComponentID: "pkg:npm/route-b@1.0", DependencyID: "pkg:npm/target@1.0", Dependency: models.Component{ID: "pkg:npm/target@1.0"}},
 		}
 
 		assetID := uuid.New()

mocks/mock_GraphComponent.go

@@ -1831,7 +1831,7 @@ func ParseGraphNodeID(id string) (prefix, name string) {
 // GraphComponent represents a component that can be loaded from the database.
 type GraphComponent interface {
 	GetID() string
-	GetDependentID() *string
+	GetDependentID() string
 	ToCdxComponent(componentLicenseOverwrites map[string]string) (cdx.Component, error)
 }
 
@@ -1845,10 +1845,8 @@ func SBOMGraphFromComponents[T GraphComponent](components []T, licenseOverwrites
 	// Build dependency map: parent -> children
 	dependencyMap := make(map[string][]string, len(components))
 	for _, c := range components {
-		var parentID string
-		if c.GetDependentID() != nil {
-			parentID = *c.GetDependentID()
-		} else {
+		parentID := c.GetDependentID()
+		if parentID == "ROOT" {
 			parentID = GraphRootNodeID
 		}
 		dependencyMap[parentID] = append(dependencyMap[parentID], c.GetID())

normalize/sbom_graph.go

@@ -97,7 +97,7 @@ func TestGetAndSaveLicenseInformation(t *testing.T) {
 			err = f.DB.Create(&models.ComponentDependency{
 				AssetVersionName: assetVersion.Name,
 				AssetID:          assetVersion.AssetID,
-				ComponentID:      nil,
+				ComponentID:      "ROOT",
 				DependencyID:     artifactRoot,
 			}).Error
 			assert.NoError(t, err)
@@ -107,21 +107,21 @@ func TestGetAndSaveLicenseInformation(t *testing.T) {
 				{
 					AssetVersionName: assetVersion.Name,
 					AssetID:          assetVersion.AssetID,
-					ComponentID:      &artifactRoot,
+					ComponentID:      artifactRoot,
 					DependencyID:     componentWithInvalidLicense.ID,
 					Dependency:       componentWithInvalidLicense,
 				},
 				{
 					AssetVersionName: assetVersion.Name,
 					AssetID:          assetVersion.AssetID,
-					ComponentID:      &artifactRoot,
+					ComponentID:      artifactRoot,
 					DependencyID:     componentWithValidLicense.ID,
 					Dependency:       componentWithValidLicense,
 				},
 				{
 					AssetVersionName: assetVersion.Name,
 					AssetID:          assetVersion.AssetID,
-					ComponentID:      &artifactRoot,
+					ComponentID:      artifactRoot,
 					DependencyID:     componentWithoutLicense.ID,
 					Dependency:       componentWithoutLicense,
 				},
@@ -219,7 +219,7 @@ func TestGetAndSaveLicenseInformation(t *testing.T) {
 			err = f.DB.Create(&models.ComponentDependency{
 				AssetVersionName: assetVersion.Name,
 				AssetID:          assetVersion.AssetID,
-				ComponentID:      nil,
+				ComponentID:      "ROOT",
 				DependencyID:     artifactRoot,
 			}).Error
 			assert.NoError(t, err)
@@ -228,7 +228,7 @@ func TestGetAndSaveLicenseInformation(t *testing.T) {
 			componentDep := models.ComponentDependency{
 				AssetVersionName: assetVersion.Name,
 				AssetID:          assetVersion.AssetID,
-				ComponentID:      &artifactRoot,
+				ComponentID:      artifactRoot,
 				DependencyID:     componentWithInvalidLicense.ID,
 				Dependency:       componentWithInvalidLicense,
 			}