ROX-19064: Reset Scanner V4 DB connection pool after init #19327

Open
dcaravel wants to merge 1 commit into master from dc/matcher-reset-pool

dcaravel commented Mar 6, 2026

Description

The Scanner V4 Indexer and Matcher perform DB migrations on startup that can introduce new PostgreSQL custom types.

Existing connections in the connection pool may be unaware of the new types, leading to errors such as:

unable to encode <thing> into text format for unknown type (OID 16417)

Full error:

{"level":"error","host":"scanner-v4-matcher-7bd6f59ccc-hb5bn","bundle":"bundles/osv.json.zst","component":"matcher/updater/vuln/Updater.runMultiBundleUpdate","error":"importing vulnerabilities: updating vulnerability: failed to finish batch vulnerability insert: error building query \n\t\tINSERT INTO vuln (\n\t\t\thash_kind, hash,\n\t\t\tname, updater, description, issued, links, severity, normalized_severity,\n\t\t\tpackage_name, package_version, package_module, package_arch, package_kind,\n\t\t\tdist_id, dist_name, dist_version, dist_version_code_name, dist_version_id, dist_arch, dist_cpe, dist_pretty_name,\n\t\t\trepo_name, repo_key, repo_uri,\n\t\t\tfixed_in_version, arch_operation, version_kind, vulnerable_range\n\t\t) VALUES (\n\t\t  $1, $2,\n\t\t  $3, $4, $5, $6, $7, $8, $9,\n\t\t  $10, $11, $12, $13, $14,\n\t\t  $15, $16, $17, $18, $19, $20, $21, $22,\n\t\t  $23, $24, $25,\n\t\t  $26, $27, $28, COALESCE($29, VersionRange('{}', '{}', '()'))\n\t\t)\n\t\tON CONFLICT (hash_kind, hash) DO NOTHING;: failed to encode args[28]: unable to encode &claircore.Range{Lower:claircore.Version{Kind:\"\", V:[10]int32{0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}, Upper:claircore.Version{Kind:\"\", V:[10]int32{0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}} into text format for unknown type (OID 16417): cannot find encode plan","time":"2026-03-04T02:48:49Z","message":"updating bundle failed"}

This was consistently observed after enabling Scanner V4 in CI.

Claircore v1.5.50+ adds this Reset() into the store initialization logic. When StackRox is updated to use that version, these Reset() calls can be removed. Adding these to StackRox enables us to backport to prior releases that will not have Claircore version bumps.

Reviewing the PGX code, a second call to Reset() is harmless in this context; keeping these after a Claircore version bump should be OK as well (outside of the smell).

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

No new tests added

How I validated my change

CI
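
The failure mode described in this PR, as an added example that is not part of the PR and is not StackRox, Claircore or pgx code: a toy pool in which each connection resolves the custom type's OID once, at connect time. `Conn`, `Pool` and `InsertAfterInit` are hypothetical names, the per-connection snapshot is a simplifying assumption, and the toy `Reset` only drops idle connections.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrUnknownType = errors.New("unknown type: cannot find encode plan")

// Conn resolves the custom type's OID once, when opened (assumed model; 0 = unknown).
type Conn struct{ rangeOID uint32 }

func (c *Conn) EncodeRange() error {
	if c.rangeOID == 0 {
		return ErrUnknownType
	}
	return nil
}

// Pool is a toy pool; catalog stands in for the server's type name -> OID table.
type Pool struct {
	catalog map[string]uint32
	idle    []*Conn
}

func (p *Pool) Acquire() *Conn {
	if n := len(p.idle); n > 0 { // reuse an idle connection, stale or not
		c := p.idle[n-1]
		p.idle = p.idle[:n-1]
		return c
	}
	return &Conn{rangeOID: p.catalog["versionrange"]} // new connection sees current types
}

// Reset drops idle connections so the next Acquire reconnects.
func (p *Pool) Reset() { p.idle = nil }

// InsertAfterInit pools a connection, migrates, optionally resets, then encodes.
func InsertAfterInit(reset bool) error {
	p := &Pool{catalog: map[string]uint32{}}
	p.idle = append(p.idle, p.Acquire()) // opened before the migration
	p.catalog["versionrange"] = 16417    // migration creates the type (OID from the log above)
	if reset {
		p.Reset()
	}
	return p.Acquire().EncodeRange()
}

func main() { fmt.Println("no reset:", InsertAfterInit(false), "| reset:", InsertAfterInit(true)) }
```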

openshift-ci bot commented Mar 6, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

dcaravel commented Mar 6, 2026

/test all

@rhacs-bot

Images are ready for the commit at 061abfa.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-251-g061abfa10e.

codecov bot commented Mar 6, 2026

Codecov Report

❌ Patch coverage is 0% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.67%. Comparing base (9a1667a) to head (061abfa).
⚠️ Report is 14 commits behind head on master.

Files with missing lines Patch % Lines
scanner/indexer/indexer.go 0.00% 2 Missing ⚠️
scanner/updater/import.go 0.00% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #19327      +/-   ##
==========================================
+ Coverage   49.62%   49.67%   +0.04%     
==========================================
  Files        2680     2689       +9     
  Lines      202231   202536     +305     
==========================================
+ Hits       100362   100602     +240     
- Misses      94382    94426      +44     
- Partials     7487     7508      +21     
Flag Coverage Δ
go-unit-tests 49.67% <0.00%> (+0.04%) ⬆️

dcaravel marked this pull request as ready for review March 7, 2026 01:12
dcaravel requested a review from a team as a code owner March 7, 2026 01:12

openshift-ci bot commented Mar 7, 2026

@dcaravel: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ocp-4-20-nongroovy-e2e-tests 061abfa link false /test ocp-4-20-nongroovy-e2e-tests
