Skip to content

fix(db): fix vulnerability count mismatches across service group and …#1235

Open
tsim-sap wants to merge 2 commits into
mainfrom
tsim-sap/issue-1210/fix-vulnerability-totalcounts
Open

fix(db): fix vulnerability count mismatches across service group and …#1235
tsim-sap wants to merge 2 commits into
mainfrom
tsim-sap/issue-1210/fix-vulnerability-totalcounts

Conversation

@tsim-sap

@tsim-sap tsim-sap commented Jun 25, 2026

Copy link
Copy Markdown
Collaborator

Description

This aims to fix vulnerability count mismatches in several places.

What type of PR is this? (check all applicable)

  • 🐛 Bug Fix

Related Tickets & Documents

Closes #1210

Added tests?

  • 👍 yes
  • 🙅 no, because they aren't needed
  • 🙋 no, because I need help
  • Separate ticket for tests # (issue/pr)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@tsim-sap tsim-sap force-pushed the tsim-sap/issue-1210/fix-vulnerability-totalcounts branch 3 times, most recently from 12fa810 to 6b67190 Compare June 26, 2026 10:30
…image views

Signed-off-by: Valiantsin Tsimoshyk <v.tsimoshyk@sap.com>
@tsim-sap tsim-sap force-pushed the tsim-sap/issue-1210/fix-vulnerability-totalcounts branch from 6b67190 to f36f078 Compare June 26, 2026 14:48
@tsim-sap tsim-sap marked this pull request as ready for review July 1, 2026 12:55
Copilot AI review requested due to automatic review settings July 1, 2026 12:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR targets inconsistent vulnerability severity totals by aligning “badge/counts” queries with the same materialized-view-backed sources used for the vulnerability list, and by correcting a service-group counting procedure that was over-deduplicating per service.

Changes:

  • Fixes refresh_mvCountIssueRatingsService_proc to deduplicate by (component_version_id, issue_id) per support group (not per service), preventing inflated support-group totals.
  • Switches image/component vulnerability counting to be derived from mvVulnerabilityList (and service scoping via mvVulnerabilityService) to match list semantics.
  • Removes the unused mvAllComponentsByServiceVulnerabilityCounts MV (event/procedure/table) and updates scheduling/fixtures/e2e seeding accordingly.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
internal/e2e/image_query_test.go Refreshes mvVulnerabilityService during e2e seeding to keep MV-backed queries consistent.
internal/database/mariadb/test/fixture.go Adds RefreshMvVulnerabilityService() seeder helper and removes refresh of the dropped MV proc.
internal/database/mariadb/migrations/20260625100000_fix_vulnerability_count_mismatches.up.sql Fixes service-group dedup logic and drops the unused mvAllComponentsByServiceVulnerabilityCounts objects.
internal/database/mariadb/migrations/20260625100000_fix_vulnerability_count_mismatches.down.sql Restores the prior procedure behavior and recreates the dropped table/procedure on rollback.
internal/database/mariadb/migration.go Stops scheduling the dropped refresh_mvAllComponentsByServiceVulnerabilityCounts event.
internal/database/mariadb/image_batch.go Reworks per-image severity counting to use mvVulnerabilityList and optional service scoping via mvVulnerabilityService.
internal/database/mariadb/component.go Removes an unreachable join and forces CountComponentVulnerabilities to use the single-component MV path.
internal/app/component/component_handler.go Renames log event and removes emission of a now-deleted component-count event.
internal/app/component/component_handler_events.go Deletes the unused component-count event type/constant.
internal/api/graphql/graph/baseResolver/vulnerability.go Uses the new component-based counting path when resolving vulnerability counts under an Image parent.
internal/api/graphql/graph/baseResolver/image.go Parses component IDs once for batch preloading and reuses them across preloads.
internal/api/graphql/graph/baseResolver/component.go Switches image vulnerabilityCounts resolver to use GetIssueCountsByComponentIDs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

}

query = fmt.Sprintf("%s %s", query, groupBy)
query = fmt.Sprintf("%s GROUP BY CVR.component_id", query)
Comment on lines 171 to 174
query = query.
Join("Service S ON CVR.service_id = S.service_id").
Join("mvVulnerabilityService MVS ON I.issue_id = MVS.issue_id").
Join("Service S ON MVS.service_id = S.service_id").
Where(sq.Eq{"S.service_ccrn": nonNilCCRNs})
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix: vulnerability totalCounts

4 participants