Merge pull request #956 from l3montree-dev/migrations

Migrations

Author: timbastin

README.md

@@ -98,6 +98,127 @@ DevGuard is divided into two projects: A frontend (DevGuard Web) and a backend (
 
 <p align="right">(<a href="#readme-top">back to top</a>)</p>
 
+## Database Migrations
+
+DevGuard uses [golang-migrate](https://github.com/golang-migrate/migrate) for database schema management. All migrations are embedded in the binary and run automatically on startup.
+
+### How Database Migrations Work
+
+1. **Automatic Migration**: By default, migrations run automatically when the application starts
+2. **Environment Control**: Set `AUTO_MIGRATE=false` to disable automatic migrations
+3. **Embedded Migrations**: Migration files are embedded in the binary for easy deployment
+4. **Idempotent**: Migrations can be run multiple times safely
+
+### Creating New Migrations
+
+#### 1. Install the Migration Tool
+
+The project includes golang-migrate as a tool dependency. Install it using:
+
+```bash
+go get -tool github.com/golang-migrate/migrate/v4/cmd/migrate
+```
+
+#### 2. Create a New Migration
+
+```bash
+# Create a new migration file pair (.up.sql and .down.sql)
+go tool migrate create -ext sql -dir internal/database/migrations your_migration_name
+
+# Example: Adding a new table
+go tool migrate create -ext sql -dir internal/database/migrations add_user_preferences_table
+```
+
+This creates two files:
+- `internal/database/migrations/YYYYMMDDHHMMSS_your_migration_name.up.sql` - Forward migration
+- `internal/database/migrations/YYYYMMDDHHMMSS_your_migration_name.down.sql` - Rollback migration
+
+#### 3. Write Your Migration
+
+**Example: Adding a new table**
+
+`20250801120000_add_user_preferences_table.up.sql`:
+```sql
+-- Create user preferences table
+CREATE TABLE IF NOT EXISTS user_preferences (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id TEXT NOT NULL,
+    theme TEXT DEFAULT 'light',
+    notifications_enabled BOOLEAN DEFAULT true,
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+);
+
+-- Add index for faster lookups
+CREATE INDEX IF NOT EXISTS idx_user_preferences_user_id ON user_preferences(user_id);
+```
+
+`20250801120000_add_user_preferences_table.down.sql`:
+```sql
+-- Remove the user preferences table
+DROP TABLE IF EXISTS user_preferences CASCADE;
+```
+
+**Example: Adding a column**
+
+`20250801130000_add_email_to_users.up.sql`:
+```sql
+-- Add email column to existing users table
+ALTER TABLE users ADD COLUMN IF NOT EXISTS email TEXT;
+
+-- Add index for email lookups
+CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
+```
+
+`20250801130000_add_email_to_users.down.sql`:
+```sql
+-- Remove email column from users table
+ALTER TABLE users DROP COLUMN IF EXISTS email CASCADE;
+```
+
+**Example: Adding foreign key constraints**
+
+`20250801140000_add_user_organization_fk.up.sql`:
+```sql
+-- Add foreign key constraint
+ALTER TABLE users 
+ADD CONSTRAINT IF NOT EXISTS fk_users_organization 
+FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE;
+```
+
+`20250801140000_add_user_organization_fk.down.sql`:
+```sql
+-- Remove foreign key constraint
+ALTER TABLE users DROP CONSTRAINT IF EXISTS fk_users_organization;
+```
+
+#### 4. Best Practices
+
+- **Always use IF NOT EXISTS/IF EXISTS**: Makes migrations idempotent
+- **Include rollback logic**: Always write the down migration
+- **Test migrations**: Test both up and down migrations on a copy of production data
+- **Small incremental changes**: Keep migrations focused and atomic
+- **Use transactions implicitly**: PostgreSQL wraps DDL in transactions automatically
+- **Descriptive names**: Use clear, descriptive migration names
+
+#### 5. Manual Migration Commands
+
+```bash
+# Check migration status
+go tool migrate -database "postgres://user:pass@localhost:5432/devguard?sslmode=disable" -path internal/database/migrations version
+
+# Run migrations manually
+go tool migrate -database "postgres://user:pass@localhost:5432/devguard?sslmode=disable" -path internal/database/migrations up
+
+# Rollback one migration
+go tool migrate -database "postgres://user:pass@localhost:5432/devguard?sslmode=disable" -path internal/database/migrations down 1
+
+# Rollback to specific version
+go tool migrate -database "postgres://user:pass@localhost:5432/devguard?sslmode=disable" -path internal/database/migrations goto 20250801120000
+```
+
+<p align="right">(<a href="#readme-top">back to top</a>)</p>
+
 <!-- LICENSE -->
 ## License
 

cmd/devguard-cli/commands/migrate.go

@@ -53,7 +53,6 @@ func Execute() {
 
 func init() {
 	rootCmd.AddCommand(commands.NewVulndbCommand())
-	rootCmd.AddCommand(commands.NewMigrateCommand())
 	rootCmd.AddCommand(commands.NewComponentsCommand())
 	rootCmd.AddCommand(commands.NewDaemonCommand())
 }

cmd/devguard-cli/main.go

@@ -26,6 +26,7 @@ import (
 	"net/http"
 	"os"
 	"regexp"
+	"strconv"
 	"strings"
 	"time"
 
@@ -238,10 +239,11 @@ func obfuscateString(str string) string {
 }
 
 // add obfuscation function for snippet
-func obfuscateSecret(sarifScan *common.SarifResult) {
+func obfuscateSecretAndAddFingerprint(sarifScan *common.SarifResult) {
 	// obfuscate the snippet
 	for ru, run := range sarifScan.Runs {
 		for re, result := range run.Results {
+			// obfuscate the snippet
 			for lo, location := range result.Locations {
 				snippet := location.PhysicalLocation.Region.Snippet.Text
 				snippetMax := 20
@@ -252,6 +254,10 @@ func obfuscateSecret(sarifScan *common.SarifResult) {
 				// set the snippet
 				sarifScan.Runs[ru].Results[re].Locations[lo].PhysicalLocation.Region.Snippet.Text = snippet
 			}
+
+			//set the fingerprint to the calculated fingerprint if it exists
+			result.Fingerprints.CalculatedFingerprint = result.PartialFingerprints.CommitSha + ":" + result.Locations[0].PhysicalLocation.ArtifactLocation.URI + ":" + result.RuleID + ":" + strconv.Itoa(result.Locations[0].PhysicalLocation.Region.StartLine)
+
 		}
 	}
 }

cmd/devguard-scanner/commands/sarif.go

@@ -8,7 +8,6 @@ import (
 	"os"
 	"os/exec"
 	"path"
-	"strconv"
 
 	"github.com/jedib0t/go-pretty/v6/table"
 	"github.com/jedib0t/go-pretty/v6/text"
@@ -26,13 +25,13 @@ func printSastScanResults(firstPartyVulns []vuln.FirstPartyVulnDTO, webUI, asset
 	green := text.FgGreen
 	for _, vuln := range firstPartyVulns {
 		tw.AppendRow(table.Row{"RuleID", vuln.RuleID})
-		if vuln.Snippet != "" {
-			tw.AppendRow(table.Row{"Snippet", vuln.Snippet})
+		for _, snippet := range vuln.SnippetContents {
+			tw.AppendRow(table.Row{"Snippet", snippet.Snippet})
 		}
 		tw.AppendRow(table.Row{"Message", text.WrapText(*vuln.Message, 80)})
 		if vuln.URI != "" {
-			tw.AppendRow(table.Row{"File", green.Sprint(vuln.URI + ":" + strconv.Itoa(vuln.StartLine))})
-			tw.AppendRow(table.Row{"Line", vuln.StartLine})
+			tw.AppendRow(table.Row{"File", green.Sprint(vuln.URI)})
+
 		}
 		tw.AppendSeparator()
 	}

cmd/devguard-scanner/commands/sast.go

@@ -115,10 +115,15 @@ func generateSBOM(path string) (*os.File, error) {
 
 // Function to dynamically change the format of the table row depending on the input parameters
 func dependencyVulnToTableRow(pURL packageurl.PackageURL, v vuln.DependencyVulnDTO) table.Row {
+	var cvss float32 = 0.0
+	if v.CVE != nil {
+		cvss = v.CVE.CVSS
+	}
+
 	if pURL.Namespace == "" { //Remove the second slash if the second parameter is empty to avoid double slashes
-		return table.Row{fmt.Sprintf("pkg:%s/%s", pURL.Type, pURL.Name), utils.SafeDereference(v.CVEID), utils.OrDefault(v.RawRiskAssessment, 0), v.CVE.CVSS, strings.TrimPrefix(pURL.Version, "v"), utils.SafeDereference(v.ComponentFixedVersion), v.State}
+		return table.Row{fmt.Sprintf("pkg:%s/%s", pURL.Type, pURL.Name), utils.SafeDereference(v.CVEID), utils.OrDefault(v.RawRiskAssessment, 0), cvss, strings.TrimPrefix(pURL.Version, "v"), utils.SafeDereference(v.ComponentFixedVersion), v.State}
 	} else {
-		return table.Row{fmt.Sprintf("pkg:%s/%s/%s", pURL.Type, pURL.Namespace, pURL.Name), utils.SafeDereference(v.CVEID), utils.OrDefault(v.RawRiskAssessment, 0), v.CVE.CVSS, strings.TrimPrefix(pURL.Version, "v"), utils.SafeDereference(v.ComponentFixedVersion), v.State}
+		return table.Row{fmt.Sprintf("pkg:%s/%s/%s", pURL.Type, pURL.Namespace, pURL.Name), utils.SafeDereference(v.CVEID), utils.OrDefault(v.RawRiskAssessment, 0), cvss, strings.TrimPrefix(pURL.Version, "v"), utils.SafeDereference(v.ComponentFixedVersion), v.State}
 	}
 }
 
@@ -171,6 +176,12 @@ func printScaResults(scanResponse scan.ScanResponse, failOnRisk, failOnCVSS, ass
 		return utils.OrDefault(f.RawRiskAssessment, 0)
 	})
 
+	openCVSS := utils.Map(utils.Filter(scanResponse.DependencyVulns, func(f vuln.DependencyVulnDTO) bool {
+		return f.State == "open" && f.CVE != nil
+	}), func(f vuln.DependencyVulnDTO) float32 {
+		return f.CVE.CVSS
+	})
+
 	maxRisk := 0.
 	for _, risk := range openRisks {
 		if risk > maxRisk {
@@ -179,9 +190,9 @@ func printScaResults(scanResponse scan.ScanResponse, failOnRisk, failOnCVSS, ass
 	}
 
 	var maxCVSS float32
-	for _, v := range scanResponse.DependencyVulns {
-		if v.CVE != nil && v.CVE.CVSS > maxCVSS {
-			maxCVSS = v.CVE.CVSS
+	for _, v := range openCVSS {
+		if v > maxCVSS {
+			maxCVSS = v
 		}
 	}