From e2335e383d2542bd4f5cedfcbe9bcb3320d8aa16 Mon Sep 17 00:00:00 2001 From: Charmik Sheth Date: Thu, 12 Mar 2026 17:04:15 -0700 Subject: [PATCH 1/2] Fix some tiny bugs --- central/cve/matcher/matcher.go | 28 ++++++++++++++----- central/cve/matcher/matcher_test.go | 18 ++++++++++-- central/cve/matcher/singleton.go | 3 +- .../manager/querymgr/query_manager_impl.go | 4 +++ pkg/images/types/type.go | 1 + pkg/images/utils/convert_utils.go | 2 ++ 6 files changed, 46 insertions(+), 10 deletions(-) diff --git a/central/cve/matcher/matcher.go b/central/cve/matcher/matcher.go index 244fd43cd0e4d..2df686cf662d2 100644 --- a/central/cve/matcher/matcher.go +++ b/central/cve/matcher/matcher.go @@ -12,9 +12,11 @@ import ( clusterDataStore "github.com/stackrox/rox/central/cluster/datastore" "github.com/stackrox/rox/central/cve/converter/utils" imageDataStore "github.com/stackrox/rox/central/image/datastore" + imageV2DataStore "github.com/stackrox/rox/central/imagev2/datastore" nsDataStore "github.com/stackrox/rox/central/namespace/datastore" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/errorhelpers" + "github.com/stackrox/rox/pkg/features" "github.com/stackrox/rox/pkg/logging" "github.com/stackrox/rox/pkg/search" "github.com/stackrox/rox/pkg/set" @@ -33,14 +35,16 @@ type CVEMatcher struct { clusters clusterDataStore.DataStore namespaces nsDataStore.DataStore images imageDataStore.DataStore + imagesV2 imageV2DataStore.DataStore } // NewCVEMatcher returns new instance of CVEMatcher -func NewCVEMatcher(clusters clusterDataStore.DataStore, namespaces nsDataStore.DataStore, images imageDataStore.DataStore) (*CVEMatcher, error) { +func NewCVEMatcher(clusters clusterDataStore.DataStore, namespaces nsDataStore.DataStore, images imageDataStore.DataStore, imagesV2 imageV2DataStore.DataStore) (*CVEMatcher, error) { return &CVEMatcher{ clusters: clusters, namespaces: namespaces, images: images, + imagesV2: imagesV2, }, nil } 
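Review bot: NewCVEMatcher stores the new `imagesV2` argument unchecked, even though the constructor already has an error return that is always nil. The hunk at `@@ -183,12 +187,22 @@` calls `m.imagesV2.SearchRawImages` whenever `features.FlattenImageData.Enabled()` is true, so a nil store would surface as a panic in the middle of CVE matching rather than at construction. Whether `imageV2DataStore.Singleton()` can return nil is not visible here, so a guard tied to the flag is the safer form: `if imagesV2 == nil && features.FlattenImageData.Enabled() { return nil, errors.New("imagesV2 datastore is required when FlattenImageData is enabled") }`. singleton.go already passes the result through `utils.CrashOnError`, so this would fail at start-up. The doc comment should also say which store is read under which flag state.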
@@ -183,12 +187,22 @@ func (m *CVEMatcher) getAllIstioComponentsVersionsInCluster(ctx context.Context, AddExactMatches(search.ImageRegistry, "docker.io"). AddStrings(search.ImageRemote, "istio"). ProtoQuery() - images, err := m.images.SearchRawImages(ctx, q) - if err != nil { - return set, err - } - for _, image := range images { - set.Add(image.GetName().GetTag()) + if features.FlattenImageData.Enabled() { + images, err := m.imagesV2.SearchRawImages(ctx, q) + if err != nil { + return set, err + } + for _, image := range images { + set.Add(image.GetName().GetTag()) + } + } else { + images, err := m.images.SearchRawImages(ctx, q) + if err != nil { + return set, err + } + for _, image := range images { + set.Add(image.GetName().GetTag()) + } } return set, nil } diff --git a/central/cve/matcher/matcher_test.go b/central/cve/matcher/matcher_test.go index 998f1cbadb937..52fbf0bb8b236 100644 --- a/central/cve/matcher/matcher_test.go +++ b/central/cve/matcher/matcher_test.go @@ -7,8 +7,10 @@ import ( "github.com/facebookincubator/nvdtools/cvefeed/nvd/schema" mockClusterDataStore "github.com/stackrox/rox/central/cluster/datastore/mocks" mockImagesDataStore "github.com/stackrox/rox/central/image/datastore/mocks" + mockImageV2DataStore "github.com/stackrox/rox/central/imagev2/datastore/mocks" mockNamespaceDataStore "github.com/stackrox/rox/central/namespace/datastore/mocks" "github.com/stackrox/rox/generated/storage" + "github.com/stackrox/rox/pkg/features" "github.com/stackrox/rox/pkg/sac" "github.com/stackrox/rox/pkg/sac/resources" "github.com/stackrox/rox/pkg/search" @@ -30,6 +32,7 @@ type cveMatcherTestSuite struct { clusters *mockClusterDataStore.MockDataStore namespaces *mockNamespaceDataStore.MockDataStore images *mockImagesDataStore.MockDataStore + imagesV2 *mockImageV2DataStore.MockDataStore mockCtrl *gomock.Controller } 
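Review bot: Nothing in the new branch of getAllIstioComponentsVersionsInCluster says that, with `features.FlattenImageData` enabled, `m.imagesV2` becomes the only source of Istio image tags and `m.images` is never consulted. If the V2 store can lag behind the legacy one (not visible from this hunk), an empty result is indistinguishable from "no Istio images" and Istio CVEs would be matched against fewer versions. A comment above the `if`, such as `// FlattenImageData selects the image store; the other store is never consulted.`, would make that assumption reviewable. The two branches also repeat the same error return and tag loop, which could move into one small helper that takes the image names. The function starts above the hunk.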
@@ -48,9 +51,10 @@ func (s *cveMatcherTestSuite) SetupTest() { s.clusters = mockClusterDataStore.NewMockDataStore(s.mockCtrl) s.namespaces = mockNamespaceDataStore.NewMockDataStore(s.mockCtrl) s.images = mockImagesDataStore.NewMockDataStore(s.mockCtrl) + s.imagesV2 = mockImageV2DataStore.NewMockDataStore(s.mockCtrl) var err error - s.cveMatcher, err = NewCVEMatcher(s.clusters, s.namespaces, s.images) + s.cveMatcher, err = NewCVEMatcher(s.clusters, s.namespaces, s.images, s.imagesV2) s.Require().NoError(err) } @@ -746,7 +750,17 @@ func (s *cveMatcherTestSuite) TestIstioCVEImpactsCluster() { s.clusters.EXPECT().GetClusters(gomock.Any()).Return(clusters, nil).AnyTimes() s.namespaces.EXPECT().Search(gomock.Any(), gomock.Any()).Return(namespaces, nil).AnyTimes() - s.images.EXPECT().SearchRawImages(gomock.Any(), gomock.Any()).Return(images, nil).AnyTimes() + + // Matcher uses images or imagesV2 depending on FlattenImageData. + imagesV2 := make([]*storage.ImageV2, len(images)) + for i, img := range images { + imagesV2[i] = &storage.ImageV2{Id: img.GetId(), Name: img.GetName()} + } + if features.FlattenImageData.Enabled() { + s.imagesV2.EXPECT().SearchRawImages(gomock.Any(), gomock.Any()).Return(imagesV2, nil).AnyTimes() + } else { + s.images.EXPECT().SearchRawImages(gomock.Any(), gomock.Any()).Return(images, nil).AnyTimes() + } ok, err := s.cveMatcher.isIstioControlPlaneRunning(context.Background()) s.Nil(err) diff --git a/central/cve/matcher/singleton.go b/central/cve/matcher/singleton.go index a3aaa2f338852..2028840f1145d 100644 --- a/central/cve/matcher/singleton.go +++ b/central/cve/matcher/singleton.go 
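Review bot: TestIstioCVEImpactsCluster only exercises whichever branch `features.FlattenImageData.Enabled()` selects in the environment the test runs in, so one of the two matcher paths is untested in any given run. Pinning the flag explicitly and running the assertions once per state, for example as two subtests, would cover both `s.images` and `s.imagesV2`. The `imagesV2` slice is also built when the flag is off and could move inside the `if`. The test body begins and ends outside the hunk.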
@@ -3,6 +3,7 @@ package matcher import ( clusterDataStore "github.com/stackrox/rox/central/cluster/datastore" imageDataStore "github.com/stackrox/rox/central/image/datastore" + imageV2DataStore "github.com/stackrox/rox/central/imagev2/datastore" nsDataStore "github.com/stackrox/rox/central/namespace/datastore" "github.com/stackrox/rox/pkg/sync" "github.com/stackrox/rox/pkg/utils" @@ -15,7 +16,7 @@ var ( func initialize() { var err error - cveMatcher, err = NewCVEMatcher(clusterDataStore.Singleton(), nsDataStore.Singleton(), imageDataStore.Singleton()) + cveMatcher, err = NewCVEMatcher(clusterDataStore.Singleton(), nsDataStore.Singleton(), imageDataStore.Singleton(), imageV2DataStore.Singleton()) utils.CrashOnError(err) } diff --git a/central/vulnmgmt/vulnerabilityrequest/manager/querymgr/query_manager_impl.go b/central/vulnmgmt/vulnerabilityrequest/manager/querymgr/query_manager_impl.go index 9a40a7a4f088c..70a598c9fed19 100644 --- a/central/vulnmgmt/vulnerabilityrequest/manager/querymgr/query_manager_impl.go +++ b/central/vulnmgmt/vulnerabilityrequest/manager/querymgr/query_manager_impl.go @@ -13,6 +13,7 @@ import ( "github.com/stackrox/rox/central/vulnmgmt/vulnerabilityrequest/utils" v1 "github.com/stackrox/rox/generated/api/v1" "github.com/stackrox/rox/generated/storage" + "github.com/stackrox/rox/pkg/features" "github.com/stackrox/rox/pkg/sac" "github.com/stackrox/rox/pkg/sac/resources" ) @@ -45,6 +46,9 @@ func (m *queryManagerImpl) ImageCount(ctx context.Context, requestID string, que if err != nil { return 0, err } + if features.FlattenImageData.Enabled() { + return m.imageV2s.Count(ctx, query) + } return m.images.Count(ctx, query) } diff --git a/pkg/images/types/type.go b/pkg/images/types/type.go index fd1c5612badc1..bb4ce078fab24 100644 --- a/pkg/images/types/type.go +++ b/pkg/images/types/type.go 
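Review bot: The new early return in ImageCount switches the count to `m.imageV2s` without a test or a comment, and the diffstat of both patches lists no querymgr test file. The `imageV2s` field is declared outside the hunk, so whether it is always set when the flag is on cannot be checked from here. If the V1 and V2 stores key images differently, the image count reported for a vulnerability request could change with the flag. A comment such as `// Counts come from the V2 store when FlattenImageData is enabled.` and a test for each flag state would pin the intended behaviour down.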
@@ -63,6 +63,7 @@ func ConvertImageToListImage(i *storage.Image) *storage.ListImage { Name: i.GetName().GetFullName(), Created: i.GetMetadata().GetV1().GetCreated(), LastUpdated: i.GetLastUpdated(), + Priority: i.GetPriority(), } if i.GetSetComponents() != nil { listImage.SetComponents = &storage.ListImage_Components{ diff --git a/pkg/images/utils/convert_utils.go b/pkg/images/utils/convert_utils.go index a493ec67b69aa..fa60f4e2f05bf 100644 --- a/pkg/images/utils/convert_utils.go +++ b/pkg/images/utils/convert_utils.go @@ -42,6 +42,7 @@ func ConvertToV1(image *storage.ImageV2, names ...*storage.ImageName) *storage.I }, Signature: image.GetSignature(), SignatureVerificationData: image.GetSignatureVerificationData(), + BaseImageInfo: image.GetBaseImageInfo(), } } @@ -87,6 +88,7 @@ func ConvertToV2(image *storage.Image) *storage.ImageV2 { TopCvss: image.GetTopCvss(), SignatureVerificationData: image.GetSignatureVerificationData(), Signature: image.GetSignature(), + BaseImageInfo: image.GetBaseImageInfo(), } FillScanStatsV2(ret) return ret From efa6a58af7e644213d44161b48f7e8011e52de83 Mon Sep 17 00:00:00 2001 From: Charmik Sheth Date: Fri, 13 Mar 2026 00:19:19 -0700 Subject: [PATCH 2/2] Fix tests --- central/cve/fetcher/manager_impl_postgres_test.go | 11 ++++++++--- central/graphql/resolvers/vulnerabilities_v1_test.go | 4 +++- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/central/cve/fetcher/manager_impl_postgres_test.go b/central/cve/fetcher/manager_impl_postgres_test.go index 5451634d74364..182059aef7911 100644 --- a/central/cve/fetcher/manager_impl_postgres_test.go +++ b/central/cve/fetcher/manager_impl_postgres_test.go 
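Review bot: The `BaseImageInfo` lines added to ConvertToV1 and ConvertToV2 come without a round-trip test, and this patch's diffstat contains no test file for convert_utils.go. A field missing from one of these converters is dropped silently, which appears to be what this change repairs. A test asserting that converting V1 to V2 and back preserves `BaseImageInfo`, `Signature` and `SignatureVerificationData` would stop it recurring. This applies equally to the `@@ -87,6 +88,7 @@` hunk, and both functions begin outside their hunks.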
@@ -17,6 +17,7 @@ import ( "github.com/stackrox/rox/central/cve/converter/v2" "github.com/stackrox/rox/central/cve/matcher" mockImageDataStore "github.com/stackrox/rox/central/image/datastore/mocks" + mockImageV2DataStore "github.com/stackrox/rox/central/imagev2/datastore/mocks" mockNSDataStore "github.com/stackrox/rox/central/namespace/datastore/mocks" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/cve" @@ -133,9 +134,10 @@ func TestReconcileIstioCVEsInPostgres(t *testing.T) { mockClusters := mockClusterDataStore.NewMockDataStore(ctrl) mockNamespaces := mockNSDataStore.NewMockDataStore(ctrl) mockImages := mockImageDataStore.NewMockDataStore(ctrl) + mockImagesV2 := mockImageV2DataStore.NewMockDataStore(ctrl) mockCVEs := mockCVEDataStore.NewMockDataStore(ctrl) - cveMatcher, err := matcher.NewCVEMatcher(mockClusters, mockNamespaces, mockImages) + cveMatcher, err := matcher.NewCVEMatcher(mockClusters, mockNamespaces, mockImages, mockImagesV2) require.NoError(t, err) cveManager := &orchestratorIstioCVEManagerImpl{ @@ -404,9 +406,10 @@ func TestReconcileCVEsInPostgres(t *testing.T) { mockClusters := mockClusterDataStore.NewMockDataStore(ctrl) mockNamespaces := mockNSDataStore.NewMockDataStore(ctrl) mockImages := mockImageDataStore.NewMockDataStore(ctrl) + mockImagesV2 := mockImageV2DataStore.NewMockDataStore(ctrl) mockCVEs := mockCVEDataStore.NewMockDataStore(ctrl) - cveMatcher, err := matcher.NewCVEMatcher(mockClusters, mockNamespaces, mockImages) + cveMatcher, err := matcher.NewCVEMatcher(mockClusters, mockNamespaces, mockImages, mockImagesV2) require.NoError(t, err) cveManager := &orchestratorIstioCVEManagerImpl{ @@ -436,6 +439,7 @@ type TestClusterCVEOpsInPostgresTestSuite struct { clusterCVEDatastore clusterCVEDataStore.DataStore mockNamespaces *mockNSDataStore.MockDataStore mockImages *mockImageDataStore.MockDataStore + mockImagesV2 *mockImageV2DataStore.MockDataStore cveManager *orchestratorCVEManager } 
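Review bot: `mockImagesV2` is created and passed to `matcher.NewCVEMatcher` in TestReconcileIstioCVEsInPostgres, but no expectation on it is visible in this hunk. If the test reaches the matcher's image search while `features.FlattenImageData` is enabled, gomock would reject the unexpected `SearchRawImages` call on the V2 mock, so the outcome would depend on the flag default. An expectation mirroring the one in matcher_test.go, `mockImagesV2.EXPECT().SearchRawImages(gomock.Any(), gomock.Any()).Return(nil, nil).AnyTimes()`, guarded by the flag, would make it deterministic. The same applies to the hunks at `@@ -404,9 +406,10 @@`, `@@ -458,7 +463,7 @@` and `@@ -71,7 +72,8 @@`; the test bodies continue outside the hunks.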
@@ -447,6 +451,7 @@ func (s *TestClusterCVEOpsInPostgresTestSuite) SetupSuite() { // Create cluster datastore s.mockNamespaces = mockNSDataStore.NewMockDataStore(s.mockCtrl) s.mockImages = mockImageDataStore.NewMockDataStore(s.mockCtrl) + s.mockImagesV2 = mockImageV2DataStore.NewMockDataStore(s.mockCtrl) // Create cluster cve datastore clusterCVEDatastore, err := clusterCVEDataStore.GetTestPostgresDataStore(s.T(), s.testPostgres.DB) @@ -458,7 +463,7 @@ func (s *TestClusterCVEOpsInPostgresTestSuite) SetupSuite() { s.clusterDataStore = clusterDataStore // Create cve manager - cveMatcher, err := matcher.NewCVEMatcher(clusterDataStore, s.mockNamespaces, s.mockImages) + cveMatcher, err := matcher.NewCVEMatcher(clusterDataStore, s.mockNamespaces, s.mockImages, s.mockImagesV2) s.NoError(err) s.cveManager = &orchestratorCVEManager{ diff --git a/central/graphql/resolvers/vulnerabilities_v1_test.go b/central/graphql/resolvers/vulnerabilities_v1_test.go index 2f0be883eeaed..60d7f92e625e1 100644 --- a/central/graphql/resolvers/vulnerabilities_v1_test.go +++ b/central/graphql/resolvers/vulnerabilities_v1_test.go @@ -9,6 +9,7 @@ import ( "github.com/stackrox/rox/central/cve/converter/utils" "github.com/stackrox/rox/central/cve/matcher" imageMocks "github.com/stackrox/rox/central/image/datastore/mocks" + imageV2Mocks "github.com/stackrox/rox/central/imagev2/datastore/mocks" nsMocks "github.com/stackrox/rox/central/namespace/datastore/mocks" "github.com/stackrox/rox/generated/storage" "github.com/stretchr/testify/assert" 
@@ -71,7 +72,8 @@ func TestK8sCVEEnvImpact(t *testing.T) { clusterDataStore := clusterMocks.NewMockDataStore(ctrl) nsDataStore := nsMocks.NewMockDataStore(ctrl) imageDataStore := imageMocks.NewMockDataStore(ctrl) - cveMatcher, err := matcher.NewCVEMatcher(clusterDataStore, nsDataStore, imageDataStore) + imageV2DataStore := imageV2Mocks.NewMockDataStore(ctrl) + cveMatcher, err := matcher.NewCVEMatcher(clusterDataStore, nsDataStore, imageDataStore, imageV2DataStore) require.NoError(t, err) clusterDataStore.EXPECT().GetClusters(gomock.Any()).Return(clusters, nil).AnyTimes()