fixes import retry would rollback whole transaction - now only the staging tables get truncated for the retry

Author: timbastin

vulndb/cisa_kev_service.go

@@ -169,7 +169,7 @@ func insertCISAKEVBulk(ctx context.Context, tx pgx.Tx, entries []CISAKEVEntry) e
 		return nil
 	}
 	if _, err := tx.Exec(ctx, `
-		CREATE TEMP TABLE kev_stage (
+		CREATE TEMP TABLE IF NOT EXISTS kev_stage (
 			cve                     text,
 			cisa_exploit_add        date,
 			cisa_action_due         date,

vulndb/epss_service.go

@@ -92,7 +92,7 @@ func insertEPSSBulk(ctx context.Context, tx pgx.Tx, epssData map[string]dtos.EPS
 		return nil
 	}
 	if _, err := tx.Exec(ctx, `
-		CREATE TEMP TABLE epss_stage (
+		CREATE TEMP TABLE IF NOT EXISTS epss_stage (
 			cve_id     text,
 			epss       numeric(6,5),
 			percentile numeric(6,5)

vulndb/import_debug.go

@@ -0,0 +1,144 @@
+// Copyright (C) 2026 l3montree GmbH
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+package vulndb
+
+import (
+	"bytes"
+	"encoding/json"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/l3montree-dev/devguard/dtos"
+	"github.com/l3montree-dev/devguard/transformer"
+)
+
+/*
+5:47AM ERR vulndb/integrity.go:116 invalid checksum when importing table=exploits expectedCount=8523 actualCount=8531 expectedChecksum=6232333932343434376236666336666535663665393965313334633335303563 actualChecksum=3335373562623638303565326630343838356534663462636435656662633461
+5:47AM ERR vulndb/integrity.go:116 invalid checksum when importing table=cve_relationships expectedCount=215759 actualCount=215788 expectedChecksum=6439313364643532363862326331373839346234343838356536316238643034 actualChecksum=3766303064303736356131643233663934343961316231366364373664376337
+5:47AM ERR vulndb/integrity.go:116 invalid checksum when importing table=affected_components expectedCount=2161081 actualCount=2161314 expectedChecksum=3730363337353037646331346366346436376539383930636664643338393630 actualChecksum=3931396231656432336331393661663066343634613062343638633038376663
+5:47AM ERR vulndb/integrity.go:116 invalid checksum when importing table=cves expectedCount=177924 actualCount=177937 expectedChecksum=3763393961343964323137366431336632653134373566363138373365313061 actualChecksum=3639396336643561346561343866313334656338393461323435343439316636
+5:47AM ERR vulndb/integrity.go:116 invalid checksum when importing table=cve_affected_component expectedCount=9495979 actualCount=9496443 expectedChecksum=3330326465346438323864633837303139656665633963366138316538343535 actualChecksum=6564616333633034393337363539613938633833333666313933303361663438
+
+There are MORE cves in the database after the import than expected expectedCount=177924 actualCount=177937
+*/
+func TestImportRC(t *testing.T) {
+	// extract the vulndb.tar.zst fixture to a temp dir
+	if _, err := os.Stat("vulndb-testdata-new"); os.IsNotExist(err) {
+		if err := untarZstd("vulndb-new.tar.zst", "vulndb-testdata-new"); err != nil {
+			t.Fatalf("could not extract vulndb testdata: %v", err)
+		}
+	}
+	/*lastImportTime, err := time.Parse(time.RFC3339Nano, "2026-05-10T05:10:29.831137845Z")
+	if err != nil {
+		t.Fatalf("could not parse last import time: %v", err)
+	}*/
+	/*
+
+		Okay ich habe keine Ahnung was ich hier tppe
+	*/
+
+	currentStateFile, err := os.ReadFile("prod-db-cves-full.csv")
+	if err != nil {
+		t.Fatalf("could not read current state file: %v", err)
+	}
+	// split into lines
+	lines := bytes.Split(currentStateFile, []byte{'\n'})
+	// remove the first line (header)
+	lines = lines[1:]
+
+	// read the whole osv.go file and check what cves we would insert right now
+	osvEntries, err := readAllGobItems[OSVEntry]("vulndb-testdata-new/osv.gob")
+	if err != nil {
+		t.Fatalf("could not read osv gob file: %v", err)
+	}
+
+	// remove all malicious packages and components from the osvEntries, as they are not part of the RC import
+	filteredOSVEntries := make([]OSVEntry, 0, len(osvEntries))
+	for _, entry := range osvEntries {
+		if !bytes.HasPrefix([]byte(entry.OSV.ID), []byte("MAL-")) {
+			filteredOSVEntries = append(filteredOSVEntries, entry)
+		}
+	}
+	// check what cves we would insert right now
+	cves := gobOSVToVulnFilterTransformer(time.Time{}, nil)(filteredOSVEntries)
+
+	// check which cves we would insert right now are not in the current state file
+	currentStateMap := make(map[string]struct{})
+	for _, line := range lines {
+		// split by comma and get the first column (cve id)
+		columns := bytes.Split(line, []byte{','})
+		if len(columns) > 0 {
+			currentStateMap[string(columns[0])] = struct{}{}
+		}
+	}
+
+	newStateMap := make(map[string]struct{})
+	for _, cve := range cves.CVEs {
+		newStateMap[cve.CVE] = struct{}{}
+	}
+
+	// check which cves are in the currentStateMap but not in the newStateMap
+	for cve := range currentStateMap {
+		if _, exist := newStateMap[cve]; !exist {
+			t.Logf("CVE in current state but not in new state: %s", cve)
+		}
+	}
+	t.Fail()
+}
+
+/*
+--- FAIL: TestImportRC (3.85s)
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-579f-8639-173e
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-e780-297e-3c37
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-01ac-8821-274a
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-f04c-582a-df62
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-1dc5-af13-00c1
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-7627-a361-b4d3
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-5818-1fba-950a
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-de02-7575-4370
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-37cc-2ae7-e3c8
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-34c7-ca18-1a8c
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-435f-9eb9-99cb
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-f4ca-f938-4210
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-7f2f-e83a-5508
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-879a-fe35-cf61
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state: ECHO-c9a3-95ec-f0d8
+    /Users/timbastin/Desktop/l3montree/devguard/vulndb/import_test.go:88: CVE in current state but not in new state:
+*/
+
+func TestWouldBeDeleted(t *testing.T) {
+	b, err := os.ReadFile("test.osv.json")
+	if err != nil {
+		t.Fatalf("could not read test osv file: %v", err)
+	}
+
+	// parse as osv entry
+	var entry dtos.OSV
+	if err := json.Unmarshal(b, &entry); err != nil {
+		t.Fatalf("could not parse test osv file: %v", err)
+	}
+
+	relationships := transformer.OSVToCVERelationships(&entry)
+	affectedComponentsForCVE := transformer.AffectedComponentsFromOSV(&entry)
+	if len(affectedComponentsForCVE) == 0 && len(relationships) == 0 {
+		t.Logf("no relationships or affected components for CVE %s", entry.ID)
+	}
+
+	cve := transformer.OSVToCVE(&entry)
+	if cve.CVE == "" {
+		t.Logf("could not transform OSV to CVE: %s", entry.ID)
+	}
+}

vulndb/osv_service.go

@@ -233,7 +233,7 @@ func (s osvService) fetchAndImportOSV(ctx context.Context, tx pgx.Tx, importStar
 			kept = append(kept, e)
 		}
 	}
-	slog.Info("filtered OSV entries after cleanup", "before", len(vulnRows.CVEs), "after", len(kept))
+	slog.Info("filtered OSV entries after cleanup", "before", len(vulnRows.CVEs), "after", len(surviving))
 	return kept, surviving, nil
 }
 
@@ -343,6 +343,9 @@ func (s osvService) zipWorkerFunction(zipWorkWaitGroup *sync.WaitGroup, zipJobs
 			continue
 		}
 		readCloser.Close()
+		if osvEntry.ID == "ECHO-7f2f-e83a-5508" {
+			slog.Info("found test entry, skipping", "id", osvEntry.ID)
+		}
 
 		if shouldIgnoreVulnerabilityID(osvEntry.ID) {
 			continue
@@ -653,6 +656,24 @@ func createStagingTables(ctx context.Context, tx pgx.Tx) error {
 	return nil
 }
 
+func clearStagingTables(ctx context.Context, tx pgx.Tx) error {
+	_, err := tx.Exec(ctx, `
+		TRUNCATE TABLE cves_stage;
+		TRUNCATE TABLE cve_relationships_stage;
+		TRUNCATE TABLE affected_components_stage;
+		TRUNCATE TABLE cve_affected_component_stage;
+		TRUNCATE TABLE exploits_stage;
+		TRUNCATE TABLE mal_pkgs_stage;
+		TRUNCATE TABLE mal_comps_stage;
+		TRUNCATE TABLE epss_stage;
+		TRUNCATE TABLE kev_stage;
+		`)
+	if err != nil {
+		return fmt.Errorf("could not clear staging tables: %w", err)
+	}
+	return nil
+}
+
 // if we insert a lot of entries its faster to drop indexes and constrains and then rebuilding them afterwards instead of maintaining them on each insert
 // also set some session parameters optimized for bulk inserts
 func PrepareBulkInsert(ctx context.Context, tx pgx.Tx) error {

vulndb/vulndb_service.go

@@ -369,17 +369,15 @@ func (s *VulnDBService) ImportRC(ctx context.Context, opts shared.ImportOptions)
 	if err != nil {
 		slog.Error("integrity validation failed, attempting fallback retry", "failingTables", failingTables, "error", err)
 		monitoring.Alert("vulndb integrity check failed, retrying with limited table set", err)
-		// we need to create a new transaction for the retry, so we rollback the previous one and start a new one
-		if rbErr := tx.Rollback(ctx); rbErr != nil && rbErr != pgx.ErrTxClosed {
-			return fmt.Errorf("could not rollback transaction after failed import: %w (rollback error: %v)", err, rbErr)
-		}
 
-		tx, err = conn.Begin(ctx) //nolint:errcheck
-		if err != nil {
-			return fmt.Errorf("could not begin transaction for full import retry: %w", err)
+		slog.Info("retrying with full import for limited tables", "tables", failingTables)
+
+		// since we did not commit anything until now, the staging tables still contain some data
+		// for the import, we just need to make sure to clean them up before re-applying the data from the working directory
+		if err := clearStagingTables(ctx, tx); err != nil {
+			return fmt.Errorf("could not clear staging tables for retry: %w", err)
 		}
 
-		slog.Info("retrying with full import for limited tables", "tables", failingTables)
 		_, err = s.applyFromWorkingDir(ctx, tx, workingDir, time.Time{}, integrity, opts.Bulk, failingTables)
 		if err != nil {
 			if rbErr := tx.Rollback(ctx); rbErr != nil && rbErr != pgx.ErrTxClosed {
@@ -872,7 +870,7 @@ func streamToDatabase(ctx context.Context, tx pgx.Tx, vulnRowsIn <-chan vulndbRo
 		return fmt.Errorf("could not create staging tables: %w", err)
 	}
 
-	var cveCount, relationshipCount, affectedComponentCount, cveAffectedComponentCount, exploitCount, malPkgCount int
+	var cveCount, relationshipCount, affectedComponentCount, cveAffectedComponentCount, exploitCount, malPkgCount, malAffectedComponentCount int
 	var cvesTime, relationshipsTime, affectedComponentsTime, cveAffectedComponentsTime, exploitsTime, malPkgTime time.Duration
 	ticker := time.NewTicker(4 * time.Second)
 	defer ticker.Stop()
@@ -962,6 +960,7 @@ func streamToDatabase(ctx context.Context, tx pgx.Tx, vulnRowsIn <-chan vulndbRo
 			}
 			malPkgTime += time.Since(t)
 			malPkgCount += len(malPkg.pkgs)
+			malAffectedComponentCount += len(malPkg.comps)
 		}
 	}
 
@@ -982,6 +981,7 @@ func streamToDatabase(ctx context.Context, tx pgx.Tx, vulnRowsIn <-chan vulndbRo
 		"cve_affected_component", cveAffectedComponentCount,
 		"exploits", exploitCount,
 		"malicious_packages", malPkgCount,
+		"malicious_affected_components", malAffectedComponentCount,
 		"took", time.Since(start),
 	)
 	return nil