
[WIP] ROX-31850: Fix cve first occurrence time policy and search criteria #19261

Open
c-du wants to merge 8 commits into master from cong/rox-31850

Conversation

@c-du (Contributor) commented Mar 3, 2026

Description

First, the fix is primarily from ROX-31575, which adds and maintains the image_cve_infos table with first_system_occurrence, recording the first discovery time for cve#package#datasource.

This PR is to complete the solution by:

  1. Add a migration that backfills the image_cves_v2.base_cve_info.createAt to the field first_system_occurrence.
  2. Fix a small issue that uses first_system_occurrence from the scanner instead of now in central.
  3. Add a unit test to guard against the regression.

We also remove the hash:ignore tag from the createAt in the database. It was there to avoid frequent updates to the vulns in the database. With the fix to the logic, the createAt is updated before we upsert the image. The value is very stable and we should remove the hash tag to keep the data correct.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

change me!
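The description above turns on one property: a CVE's first_system_occurrence must be stamped once, from central's own clock, and never move forward on later rescans, otherwise any policy or search criterion of the form "CVE known for more than N days" can never match. The Go program below is an added illustration of that property and of the backfill step; it is not code from this PR or from StackRox. The types CVEInfo and InfoStore, the key format helper, and the method names are assumptions made for the example, as are the sample timestamps, and the in-memory map stands in for the image_cve_infos and image_cves_v2 tables.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// CVEInfo models one row of a first-occurrence table keyed by
// cve#package#datasource. Type and field names are assumptions for this
// example, not the project's schema.
type CVEInfo struct {
	Key                   string
	FirstSystemOccurrence time.Time
}

// InfoStore is a hypothetical in-memory stand-in for the image_cve_infos table.
type InfoStore struct {
	rows map[string]CVEInfo
}

func NewInfoStore() *InfoStore { return &InfoStore{rows: map[string]CVEInfo{}} }

// CVEKey builds the cve#package#datasource key the PR description mentions.
func CVEKey(cve, pkg, datasource string) string {
	return cve + "#" + pkg + "#" + datasource
}

// FirstSeen returns the stored first occurrence for a key, if any.
func (s *InfoStore) FirstSeen(key string) (time.Time, bool) {
	row, ok := s.rows[key]
	return row.FirstSystemOccurrence, ok
}

// OverwriteOnSighting is the failure mode: every rescan stamps the row with
// the current time, so "first occurrence" silently degrades to "last seen".
func (s *InfoStore) OverwriteOnSighting(key string, now time.Time) CVEInfo {
	row := CVEInfo{Key: key, FirstSystemOccurrence: now}
	s.rows[key] = row
	return row
}

// RecordSighting is the corrected upsert: the timestamp comes from central's
// own clock (the caller passes now, not a scanner-reported time), is set only
// on first sight, and is only ever moved backwards (a backfill that finds an
// older record), never forward.
func (s *InfoStore) RecordSighting(key string, now time.Time) CVEInfo {
	if existing, ok := s.rows[key]; ok && !now.Before(existing.FirstSystemOccurrence) {
		return existing
	}
	row := CVEInfo{Key: key, FirstSystemOccurrence: now}
	s.rows[key] = row
	return row
}

// Backfill seeds first_system_occurrence from a legacy per-key createdAt
// value (standing in for the rows a migration would read from image_cves_v2).
// Missing rows are created; existing rows keep the earlier of the two times.
// It returns the number of rows created or moved earlier.
func (s *InfoStore) Backfill(legacy map[string]time.Time) int {
	keys := make([]string, 0, len(legacy))
	for k := range legacy {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic, reviewable migration order
	changed := 0
	for _, k := range keys {
		before, had := s.FirstSeen(k)
		after := s.RecordSighting(k, legacy[k])
		if !had || after.FirstSystemOccurrence.Before(before) {
			changed++
		}
	}
	return changed
}

// AgeExceeds is the kind of policy or search predicate that depends on a
// stable first occurrence: "this CVE has been known to the system for more
// than maxAge". Against OverwriteOnSighting it can never become true.
func (s *InfoStore) AgeExceeds(key string, now time.Time, maxAge time.Duration) bool {
	first, ok := s.FirstSeen(key)
	return ok && now.Sub(first) > maxAge
}

func main() {
	t0 := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample time
	day := 24 * time.Hour
	key := CVEKey("CVE-2024-0001", "openssl", "ubuntu") // constructed sample key

	buggy, fixed := NewInfoStore(), NewInfoStore()
	for _, d := range []int{0, 10, 40} { // three rescans of the same image
		at := t0.Add(time.Duration(d) * day)
		buggy.OverwriteOnSighting(key, at)
		fixed.RecordSighting(key, at)
	}
	check := t0.Add(40 * day)
	fmt.Println("buggy store fires 30-day policy:", buggy.AgeExceeds(key, check, 30*day))
	fmt.Println("fixed store fires 30-day policy:", fixed.AgeExceeds(key, check, 30*day))

	// Migration: an older legacy createdAt wins over a later sighting.
	fmt.Println("backfilled rows:", fixed.Backfill(map[string]time.Time{key: t0.Add(-day)}))
}
```

Two points the example makes concrete: the clock used is the caller's (central's), so a scanner cannot influence the stored time, and the backfill is written so that re-running it is harmless, which is what you want from a migration that may be retried.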

@c-du c-du requested a review from a team as a code owner March 3, 2026 00:21
Resolved migration number conflict by renumbering migration:
- Master added m_220_to_m_221_add_deployment_hash_column
- This branch's m_220_to_m_221_backfill_image_cve_infos_from_image_cves_v2
  was renumbered to m_221_to_m_222_backfill_image_cve_infos_from_image_cves_v2

Updated package names, imports, and sequence numbers in:
- migration.go: package m221tom222, startSeqNum = 221
- migration_impl.go: package and schema import path
- migration_test.go: package and schema import path
- all.go: includes both migrations in correct order

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@rhacs-bot (Contributor) commented Mar 3, 2026

Images are ready for the commit at 6e78700.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-223-g6e787008e7.

@openshift-ci bot commented Mar 3, 2026

@c-du: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                     Commit   Required  Rerun command
ci/prow/ocp-4-20-qa-e2e-tests                 6e78700  false     /test ocp-4-20-qa-e2e-tests
ci/prow/ocp-4-20-scanner-v4-install-tests     6e78700  false     /test ocp-4-20-scanner-v4-install-tests
ci/prow/ocp-4-20-nongroovy-e2e-tests          6e78700  false     /test ocp-4-20-nongroovy-e2e-tests
ci/prow/ocp-4-20-ui-e2e-tests                 6e78700  false     /test ocp-4-20-ui-e2e-tests
ci/prow/ocp-4-20-operator-e2e-tests           6e78700  false     /test ocp-4-20-operator-e2e-tests
ci/prow/ocp-4-12-scanner-v4-install-tests     6e78700  false     /test ocp-4-12-scanner-v4-install-tests
ci/prow/ocp-4-12-operator-e2e-tests           6e78700  false     /test ocp-4-12-operator-e2e-tests
ci/prow/ocp-4-12-nongroovy-e2e-tests          6e78700  false     /test ocp-4-12-nongroovy-e2e-tests
ci/prow/ocp-4-12-qa-e2e-tests                 6e78700  false     /test ocp-4-12-qa-e2e-tests
ci/prow/gke-qa-e2e-tests                      6e78700  false     /test gke-qa-e2e-tests
ci/prow/gke-operator-e2e-tests                6e78700  false     /test gke-operator-e2e-tests
ci/prow/gke-nongroovy-e2e-tests               6e78700  true      /test gke-nongroovy-e2e-tests
ci/prow/gke-upgrade-tests                     6e78700  false     /test gke-upgrade-tests
ci/prow/gke-scanner-v4-install-tests          6e78700  false     /test gke-scanner-v4-install-tests
ci/prow/gke-ui-e2e-tests                      6e78700  true      /test gke-ui-e2e-tests

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
