implemented code review changes and refactored the code deeper

Hubtrick-Git · Hubtrick-Git · commit f6a33a49ec0a · 2026-05-19T15:24:15.000+02:00
diff --git a/database/migrations/20260518100544_remove_obsolete_indexes_and_columns_from_component_dependencies.up.sql b/database/migrations/20260518100544_remove_obsolete_indexes_and_columns_from_component_dependencies.up.sql
@@ -16,7 +16,9 @@ DROP INDEX IF EXISTS dependency_purl_idx;
 -- remove the current id column and replace it with a composite key on all columns to make enforce deduplication on a data level and reduce complexity (also on indexes)
 
 -- currently component_id can be NULL if its a root node; but primary keys cannot contain NULL values, so we replace it with a ROOT constant
-INSERT INTO public.components VALUES('ROOT','',NULL,NULL,NULL); -- add a ROOT component to the components table to be referenced
+INSERT INTO public.components (id, name, version, purl, cpe) 
+VALUES('ROOT','',NULL,NULL,NULL) ON CONFLICT (id) DO NOTHING; -- add a ROOT component to the components table to be referenced
+
 UPDATE public.component_dependencies SET component_id = 'ROOT' WHERE component_id IS NULL; -- use an explicit value for ROOT component dependencies instead of NULL
 
 ALTER TABLE public.component_dependencies DROP CONSTRAINT component_dependencies_pkey, DROP COLUMN id; -- drop primary key constraint and the primary key column
diff --git a/database/models/component_model.go b/database/models/component_model.go
@@ -69,7 +69,7 @@ type ComponentDependency struct {
 	// this means, that the dependency graph between people using the same library might differ, since they use it differently
 	// we use edges, which provide the information, that a component is used by another component in one asset
 	Component    Component `json:"component" gorm:"foreignKey:ComponentID;references:ID;constraint:OnDelete:CASCADE;"`
-	ComponentID  *string   `json:"componentPurl" gorm:"column:component_id;index:component_purl_idx"` // will be ROOT, for direct dependencies
+	ComponentID  string    `json:"componentPurl" gorm:"column:component_id;index:component_purl_idx"` // will be ROOT for direct dependencies
 	Dependency   Component `json:"dependency" gorm:"foreignKey:DependencyID;references:ID;constraint:OnDelete:CASCADE;"`
 	DependencyID string    `json:"dependencyPurl" gorm:"column:dependency_id;index:dependency_purl_idx"`
 
@@ -92,7 +92,7 @@ func (c ComponentDependencyNode) GetID() string {
 func (c ComponentDependency) ToNodes() []ComponentDependencyNode {
 	// a component dependency represents an edge in the dependency tree
 	// thus we can represent it as two nodes
-	return []ComponentDependencyNode{{ID: utils.SafeDereference(c.ComponentID)}, {ID: c.DependencyID}}
+	return []ComponentDependencyNode{{ID: c.ComponentID}, {ID: c.DependencyID}}
 }
 
 func resolveLicense(component ComponentDependency, componentLicenseOverwrites map[string]string) cyclonedx.Licenses {
@@ -241,7 +241,7 @@ func (c ComponentDependency) GetID() string {
 	return c.DependencyID
 }
 
-func (c ComponentDependency) GetDependentID() *string {
+func (c ComponentDependency) GetDependentID() string {
 	return c.ComponentID
 }
 
diff --git a/database/repositories/component_repository.go b/database/repositories/component_repository.go
@@ -148,8 +148,8 @@ func (c *componentRepository) LoadComponentsWithProject(ctx context.Context, tx
 			componentDependencies[i].Dependency.License = &license
 			componentDependencies[i].Dependency.IsLicenseOverwritten = true
 		}
-		if component.ComponentID != nil && *component.ComponentID != "ROOT" {
-			if license, ok := isPurlOverwrittenMap[*component.ComponentID]; ok {
+		if component.ComponentID != "ROOT" {
+			if license, ok := isPurlOverwrittenMap[component.ComponentID]; ok {
 				componentDependencies[i].Component.License = &license
 				componentDependencies[i].Component.IsLicenseOverwritten = true
 			}
@@ -197,15 +197,9 @@ func (c *componentRepository) HandleStateDiff(ctx context.Context, tx *gorm.DB,
 	if len(diff.RemovedEdges) > 0 {
 		var valueClauses []string
 		for _, edge := range diff.RemovedEdges {
-			var componentID string
-			if edge[0] == normalize.GraphRootNodeID {
-				componentID = "NULL"
-			} else {
-				componentID = fmt.Sprintf("'%s'", strings.ReplaceAll(edge[0], "'", "''"))
-			}
-
+			escapedComp := strings.ReplaceAll(edge[0], "'", "''")
 			escapedDep := strings.ReplaceAll(edge[1], "'", "''")
-			valueClauses = append(valueClauses, fmt.Sprintf("(%s, '%s')", componentID, escapedDep))
+			valueClauses = append(valueClauses, fmt.Sprintf("('%s', '%s')", escapedComp, escapedDep))
 		}
 		// Join the value clauses with commas
 		values := strings.Join(valueClauses, ",")
@@ -244,7 +238,7 @@ func (c *componentRepository) HandleStateDiff(ctx context.Context, tx *gorm.DB,
 		componentDependency := models.ComponentDependency{
 			AssetID:          assetVersion.AssetID,
 			AssetVersionName: assetVersion.Name,
-			ComponentID:      utils.Ptr(componentID),
+			ComponentID:      componentID,
 			DependencyID:     c2.Component.PackageURL,
 		}
 
diff --git a/integrations/commonint/integration_helper_test.go b/integrations/commonint/integration_helper_test.go
@@ -398,10 +398,10 @@ func TestRenderPathToComponent(t *testing.T) {
 	t.Run("Everything works as expeted with a non empty component list", func(t *testing.T) {
 		// Create a chain of actual components (all with pkg: prefix) to have a path with edges
 		components := []models.ComponentDependency{
-			{ComponentID: utils.Ptr("ROOT"), DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                           // root --> artifact
-			{ComponentID: utils.Ptr("artifact:test-artifact"), DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},       // artifact -> sbom
-			{ComponentID: utils.Ptr("sbom:test@test-artifact"), DependencyID: "pkg:npm/root-dep@1.0.0", Dependency: models.Component{ID: "pkg:npm/root-dep@1.0.0"}},        // sbom -> root-dep (component)
-			{ComponentID: utils.Ptr("pkg:npm/root-dep@1.0.0"), DependencyID: "pkg:npm/test-package@1.0.0", Dependency: models.Component{ID: "pkg:npm/test-package@1.0.0"}}, // root-dep -> test-package (component)
+			{ComponentID: "ROOT", DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                           // root --> artifact
+			{ComponentID: "artifact:test-artifact", DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},       // artifact -> sbom
+			{ComponentID: "sbom:test@test-artifact", DependencyID: "pkg:npm/root-dep@1.0.0", Dependency: models.Component{ID: "pkg:npm/root-dep@1.0.0"}},        // sbom -> root-dep (component)
+			{ComponentID: "pkg:npm/root-dep@1.0.0", DependencyID: "pkg:npm/test-package@1.0.0", Dependency: models.Component{ID: "pkg:npm/test-package@1.0.0"}}, // root-dep -> test-package (component)
 		}
 		componentRepository := mocks.NewComponentRepository(t)
 		componentRepository.On("LoadComponents", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(components, nil)
@@ -423,10 +423,10 @@ func TestRenderPathToComponent(t *testing.T) {
 	t.Run("should escape @ symbols", func(t *testing.T) {
 		// Create a chain of actual components to verify @ escaping in mermaid output
 		components := []models.ComponentDependency{
-			{ComponentID: utils.Ptr("ROOT"), DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                           // root --> artifact
-			{ComponentID: utils.Ptr("artifact:test-artifact"), DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},       // artifact -> sbom
-			{ComponentID: utils.Ptr("sbom:test@test-artifact"), DependencyID: "pkg:npm/root-dep@1.0.0", Dependency: models.Component{ID: "pkg:npm/root-dep@1.0.0"}},        // sbom -> root-dep (component)
-			{ComponentID: utils.Ptr("pkg:npm/root-dep@1.0.0"), DependencyID: "pkg:npm/test-package@1.0.0", Dependency: models.Component{ID: "pkg:npm/test-package@1.0.0"}}, // root-dep -> test-package (component)
+			{ComponentID: "ROOT", DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},                           // root --> artifact
+			{ComponentID: "artifact:test-artifact", DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},       // artifact -> sbom
+			{ComponentID: "sbom:test@test-artifact", DependencyID: "pkg:npm/root-dep@1.0.0", Dependency: models.Component{ID: "pkg:npm/root-dep@1.0.0"}},        // sbom -> root-dep (component)
+			{ComponentID: "pkg:npm/root-dep@1.0.0", DependencyID: "pkg:npm/test-package@1.0.0", Dependency: models.Component{ID: "pkg:npm/test-package@1.0.0"}}, // root-dep -> test-package (component)
 		}
 		componentRepository := mocks.NewComponentRepository(t)
 		componentRepository.On("LoadComponents", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(components, nil)
@@ -452,9 +452,9 @@ func TestRenderPathToComponent(t *testing.T) {
 		// The graph requires an artifact and sbom info-source node above the component
 		// so that FindAllComponentOnlyPathsToPURL can terminate the BFS correctly.
 		components := []models.ComponentDependency{
-			{ComponentID: utils.Ptr("ROOT"), DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},
-			{ComponentID: utils.Ptr("artifact:test-artifact"), DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},
-			{ComponentID: utils.Ptr("sbom:test@test-artifact"), DependencyID: "pkg:npm/single@1.0.0", Dependency: models.Component{ID: "pkg:npm/single@1.0.0"}},
+			{ComponentID: "ROOT", DependencyID: "artifact:test-artifact", Dependency: models.Component{ID: "artifact:test-artifact"}},
+			{ComponentID: "artifact:test-artifact", DependencyID: "sbom:test@test-artifact", Dependency: models.Component{ID: "sbom:test@test-artifact"}},
+			{ComponentID: "sbom:test@test-artifact", DependencyID: "pkg:npm/single@1.0.0", Dependency: models.Component{ID: "pkg:npm/single@1.0.0"}},
 		}
 		componentRepository := mocks.NewComponentRepository(t)
 		componentRepository.On("LoadComponents", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(components, nil)
@@ -711,12 +711,12 @@ func TestTicketContentBitwiseReproducibility(t *testing.T) {
 		// Previously, map iteration randomness caused the two path edges to appear
 		// in non-deterministic order in the Mermaid output.
 		components := []models.ComponentDependency{
-			{ComponentID: utils.Ptr("ROOT"), DependencyID: "artifact:art", Dependency: models.Component{ID: "artifact:art"}},
-			{ComponentID: utils.Ptr("artifact:art"), DependencyID: "sbom:s@art", Dependency: models.Component{ID: "sbom:s@art"}},
-			{ComponentID: utils.Ptr("sbom:s@art"), DependencyID: "pkg:npm/route-b@1.0", Dependency: models.Component{ID: "pkg:npm/route-b@1.0"}},
-			{ComponentID: utils.Ptr("sbom:s@art"), DependencyID: "pkg:npm/route-a@1.0", Dependency: models.Component{ID: "pkg:npm/route-a@1.0"}},
-			{ComponentID: utils.Ptr("pkg:npm/route-a@1.0"), DependencyID: "pkg:npm/target@1.0", Dependency: models.Component{ID: "pkg:npm/target@1.0"}},
-			{ComponentID: utils.Ptr("pkg:npm/route-b@1.0"), DependencyID: "pkg:npm/target@1.0", Dependency: models.Component{ID: "pkg:npm/target@1.0"}},
+			{ComponentID: "ROOT", DependencyID: "artifact:art", Dependency: models.Component{ID: "artifact:art"}},
+			{ComponentID: "artifact:art", DependencyID: "sbom:s@art", Dependency: models.Component{ID: "sbom:s@art"}},
+			{ComponentID: "sbom:s@art", DependencyID: "pkg:npm/route-b@1.0", Dependency: models.Component{ID: "pkg:npm/route-b@1.0"}},
+			{ComponentID: "sbom:s@art", DependencyID: "pkg:npm/route-a@1.0", Dependency: models.Component{ID: "pkg:npm/route-a@1.0"}},
+			{ComponentID: "pkg:npm/route-a@1.0", DependencyID: "pkg:npm/target@1.0", Dependency: models.Component{ID: "pkg:npm/target@1.0"}},
+			{ComponentID: "pkg:npm/route-b@1.0", DependencyID: "pkg:npm/target@1.0", Dependency: models.Component{ID: "pkg:npm/target@1.0"}},
 		}
 
 		assetID := uuid.New()
diff --git a/mocks/mock_GraphComponent.go b/mocks/mock_GraphComponent.go
diff --git a/normalize/sbom_graph.go b/normalize/sbom_graph.go
@@ -1831,7 +1831,7 @@ func ParseGraphNodeID(id string) (prefix, name string) {
 // GraphComponent represents a component that can be loaded from the database.
 type GraphComponent interface {
 	GetID() string
-	GetDependentID() *string
+	GetDependentID() string
 	ToCdxComponent(componentLicenseOverwrites map[string]string) (cdx.Component, error)
 }
 
@@ -1845,10 +1845,8 @@ func SBOMGraphFromComponents[T GraphComponent](components []T, licenseOverwrites
 	// Build dependency map: parent -> children
 	dependencyMap := make(map[string][]string, len(components))
 	for _, c := range components {
-		var parentID string
-		if c.GetDependentID() != nil {
-			parentID = *c.GetDependentID()
-		} else {
+		parentID := c.GetDependentID()
+		if parentID == "" {
 			parentID = GraphRootNodeID
 		}
 		dependencyMap[parentID] = append(dependencyMap[parentID], c.GetID())
diff --git a/tests/component_service_integration_test.go b/tests/component_service_integration_test.go
@@ -97,7 +97,7 @@ func TestGetAndSaveLicenseInformation(t *testing.T) {
 			err = f.DB.Create(&models.ComponentDependency{
 				AssetVersionName: assetVersion.Name,
 				AssetID:          assetVersion.AssetID,
-				ComponentID:      utils.Ptr("ROOT"),
+				ComponentID:      "ROOT",
 				DependencyID:     artifactRoot,
 			}).Error
 			assert.NoError(t, err)
@@ -107,21 +107,21 @@ func TestGetAndSaveLicenseInformation(t *testing.T) {
 				{
 					AssetVersionName: assetVersion.Name,
 					AssetID:          assetVersion.AssetID,
-					ComponentID:      &artifactRoot,
+					ComponentID:      artifactRoot,
 					DependencyID:     componentWithInvalidLicense.ID,
 					Dependency:       componentWithInvalidLicense,
 				},
 				{
 					AssetVersionName: assetVersion.Name,
 					AssetID:          assetVersion.AssetID,
-					ComponentID:      &artifactRoot,
+					ComponentID:      artifactRoot,
 					DependencyID:     componentWithValidLicense.ID,
 					Dependency:       componentWithValidLicense,
 				},
 				{
 					AssetVersionName: assetVersion.Name,
 					AssetID:          assetVersion.AssetID,
-					ComponentID:      &artifactRoot,
+					ComponentID:      artifactRoot,
 					DependencyID:     componentWithoutLicense.ID,
 					Dependency:       componentWithoutLicense,
 				},
@@ -219,7 +219,7 @@ func TestGetAndSaveLicenseInformation(t *testing.T) {
 			err = f.DB.Create(&models.ComponentDependency{
 				AssetVersionName: assetVersion.Name,
 				AssetID:          assetVersion.AssetID,
-				ComponentID:      utils.Ptr("ROOT"),
+				ComponentID:      "ROOT",
 				DependencyID:     artifactRoot,
 			}).Error
 			assert.NoError(t, err)
@@ -228,7 +228,7 @@ func TestGetAndSaveLicenseInformation(t *testing.T) {
 			componentDep := models.ComponentDependency{
 				AssetVersionName: assetVersion.Name,
 				AssetID:          assetVersion.AssetID,
-				ComponentID:      &artifactRoot,
+				ComponentID:      artifactRoot,
 				DependencyID:     componentWithInvalidLicense.ID,
 				Dependency:       componentWithInvalidLicense,
 			}
diff --git a/tests/daemon_pipeline_test.go b/tests/daemon_pipeline_test.go
@@ -51,7 +51,7 @@ func createSBOMStructure(f *TestFixture, asset models.Asset, assetVersion models
 	artifactRootDep := models.ComponentDependency{
 		AssetID:          asset.ID,
 		AssetVersionName: assetVersion.Name,
-		ComponentID:      utils.Ptr("ROOT"),
+		ComponentID:      "ROOT",
 		DependencyID:     artifactRoot,
 	}
 	if err := f.DB.Create(&artifactRootDep).Error; err != nil {
@@ -62,7 +62,7 @@ func createSBOMStructure(f *TestFixture, asset models.Asset, assetVersion models
 	infoSourceDep := models.ComponentDependency{
 		AssetID:          asset.ID,
 		AssetVersionName: assetVersion.Name,
-		ComponentID:      &artifactRoot,
+		ComponentID:      artifactRoot,
 		DependencyID:     infoSourceID,
 	}
 	if err := f.DB.Create(&infoSourceDep).Error; err != nil {
@@ -74,7 +74,7 @@ func createSBOMStructure(f *TestFixture, asset models.Asset, assetVersion models
 		componentDependency := models.ComponentDependency{
 			AssetID:          asset.ID,
 			AssetVersionName: assetVersion.Name,
-			ComponentID:      &infoSourceID,
+			ComponentID:      infoSourceID,
 			DependencyID:     purl,
 		}
 		if err := f.DB.Create(&componentDependency).Error; err != nil {
@@ -101,7 +101,7 @@ func createVEXStructure(f *TestFixture, asset models.Asset, assetVersion models.
 	vexInfoSourceDep := models.ComponentDependency{
 		AssetID:          asset.ID,
 		AssetVersionName: assetVersion.Name,
-		ComponentID:      &artifactRoot,
+		ComponentID:      artifactRoot,
 		DependencyID:     vexInfoSourceID,
 	}
 	if err := f.DB.Create(&vexInfoSourceDep).Error; err != nil {
@@ -114,7 +114,7 @@ func createVEXStructure(f *TestFixture, asset models.Asset, assetVersion models.
 		componentDependency := models.ComponentDependency{
 			AssetID:          asset.ID,
 			AssetVersionName: assetVersion.Name,
-			ComponentID:      &vexInfoSourceID,
+			ComponentID:      vexInfoSourceID,
 			DependencyID:     purl,
 		}
 		if err := f.DB.Create(&componentDependency).Error; err != nil {
@@ -179,7 +179,7 @@ func TestDaemonPipelineEndToEnd(t *testing.T) {
 			artifactRootDep := models.ComponentDependency{
 				AssetID:          asset.ID,
 				AssetVersionName: assetVersion.Name,
-				ComponentID:      utils.Ptr("ROOT"),
+				ComponentID:      "ROOT",
 				DependencyID:     artifactRoot,
 			}
 			err = f.DB.Create(&artifactRootDep).Error
@@ -189,7 +189,7 @@ func TestDaemonPipelineEndToEnd(t *testing.T) {
 			componentDependency := models.ComponentDependency{
 				AssetID:          asset.ID,
 				AssetVersionName: assetVersion.Name,
-				ComponentID:      &artifactRoot,
+				ComponentID:      artifactRoot,
 				DependencyID:     "pkg:npm/test-package@1.0.0",
 				Dependency:       component,
 			}
@@ -580,7 +580,7 @@ func TestDaemonPipelineScanAssetDetectVulns(t *testing.T) {
 		artifactRootDep := models.ComponentDependency{
 			AssetID:          asset.ID,
 			AssetVersionName: assetVersion.Name,
-			ComponentID:      utils.Ptr("ROOT"),
+			ComponentID:      "ROOT",
 			DependencyID:     artifactRoot,
 		}
 		err = f.DB.Create(&artifactRootDep).Error
@@ -590,7 +590,7 @@ func TestDaemonPipelineScanAssetDetectVulns(t *testing.T) {
 		componentDependency := models.ComponentDependency{
 			AssetID:          asset.ID,
 			AssetVersionName: assetVersion.Name,
-			ComponentID:      &artifactRoot,
+			ComponentID:      artifactRoot,
 			DependencyID:     "pkg:npm/vulnerable-package@2.0.0",
 			Dependency:       component,
 		}
@@ -772,7 +772,7 @@ func TestDaemonPipelineRiskCalculation(t *testing.T) {
 			artifactRootDep := models.ComponentDependency{
 				AssetID:          asset.ID,
 				AssetVersionName: assetVersion.Name,
-				ComponentID:      utils.Ptr("ROOT"),
+				ComponentID:      "ROOT",
 				DependencyID:     artifactRoot,
 			}
 			err = f.DB.Create(&artifactRootDep).Error
@@ -782,7 +782,7 @@ func TestDaemonPipelineRiskCalculation(t *testing.T) {
 			componentDependency := models.ComponentDependency{
 				AssetID:          asset.ID,
 				AssetVersionName: assetVersion.Name,
-				ComponentID:      &artifactRoot,
+				ComponentID:      artifactRoot,
 				DependencyID:     "pkg:npm/risk-test-package@1.0.0",
 				Dependency:       component,
 			}
diff --git a/tests/release_integration_test.go b/tests/release_integration_test.go
diff --git a/transformer/component_transformer.go b/transformer/component_transformer.go
