fix(vuln): stop image-vuln extract dropping other scanners' findings #52
No reviewers
Labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set
Reference
Motstandskraft/spam!52
Loading…
Reference in a new issue
No description provided.
Delete branch "fix/image-vuln-extract-cross-scanner-loss"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Problem (found while investigating the vuln-metrics dup-key issue)
The incremental extract for
view_unified_image_vulnerabilitiescan silently drop findings. This is a correctness / data-loss bug, distinct from the duplicate-key freeze (that's PR #51).Root cause
ExtractDerivedOnArrivalruns, per table, aDELETEthen a scopedINSERT(internal/db/derived_tables.go). For the image table:WHERE image_id IN (SELECT image_digest_id FROM image_vuln_findings WHERE created_at > $1).view_unified_image_vulnerabilities_scoped($1)only re-emits findings withcreated_at > $1.image_vuln_findingsis delete+reinserted per(image_digest, scanner)scan, so only the scanner that just re-ran carries a freshcreated_at; a different scanner's findings for the same image keep their oldercreated_at. So when e.g. grype rescanned an image, trivy's rows for that image were deleted by the image-wide DELETE but not re-added by thecreated_at-scoped INSERT — gone until the next fullRebuildDerivedTables.The
20260626migration comment assumed "a changed image's whole finding set carries a fresh created_at" — true for a single scanner, but not across scanners.Fix
Scope the DELETE to the
(image_id, source)pairs that were actually rescanned, matching the INSERT's per-scanner scope:Now an untouched scanner's rows (older
created_at, not in the delete set, not re-emitted) simply survive. Eviction semantics for the rescanned scanner are unchanged (its rows are deleted and replaced with the fresh set, so fixed vulns still disappear). The repos extract already scopes by changed-repo membership and doesn't have this bug.Verification
go vet ./internal/db/...— clean.(image, scanner).🤖 Generated with Claude Code