
ROX-33766: Use UUIDv7 for VM scan, component, and CVE IDs #19757

Merged: dashrews78 merged 1 commit into master from dashrews/virtual-machine-uuid-33766 on Apr 2, 2026

@dashrews78 dashrews78 commented Apr 1, 2026

Description

Switch from UUIDv4 (random) to UUIDv7 (time-ordered, RFC 9562) for
virtual machine scan, component, and CVE ID generation. UUIDv7 embeds
a millisecond timestamp in the high bits, producing monotonically
increasing values that improve PostgreSQL B-tree index performance
(sequential inserts, better page fill, reduced WAL amplification).
This aligns the implementation with the existing proto comment on
VirtualMachineScanV2.id that specifies UUIDv7 intent.

Partially generated by AI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Existing unit tests are sufficient here, as APIs and datastores are not wired up to this yet.

@dashrews78

This change is part of the following stack:

Change managed by git-spice.

@rhacs-bot

Images are ready for the commit at 0ddadea.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-526-g0ddadeabe8.

@codecov

codecov bot commented Apr 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.59%. Comparing base (c3cccf6) to head (0ddadea).
⚠️ Report is 13 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #19757      +/-   ##
==========================================
- Coverage   49.59%   49.59%   -0.01%     
==========================================
  Files        2756     2756              
  Lines      208036   208040       +4     
==========================================
- Hits       103183   103179       -4     
- Misses      97192    97199       +7     
- Partials     7661     7662       +1     
| Flag | Coverage Δ |
|---|---|
| go-unit-tests | 49.59% <100.00%> (-0.01%) ⬇️ |


@coderabbitai

coderabbitai bot commented Apr 1, 2026

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Upgraded UUID generation to use RFC 9562 Version 7 format, providing time-ordered identifiers with monotonic properties for scan data conversion.
  • Tests

    • Added test suite validating UUID generation, uniqueness, and ordering behavior.

Walkthrough

Added a new V7 UUID constructor to the UUID package and updated scan conversion logic to use V7 UUIDs instead of V4. The new NewV7() function generates time-ordered, millisecond-precision UUIDs per RFC 9562, with comprehensive test coverage validating uniqueness, version marking, and monotonic ordering.

Changes

| Cohort / File(s) | Summary |
|---|---|
| UUID Package Enhancement: pkg/uuid/uuid.go, pkg/uuid/uuid_test.go | Added new exported NewV7() constructor function that wraps uuid.Must(uuid.NewV7()) for time-ordered UUID generation. Included comprehensive test suite validating successful parsing, version nibble, uniqueness across 100 generations, and strict monotonic lexicographic ordering of successive UUIDs. |
| VM Scan Conversion Update: central/convert/v1tov2storage/vm_scan_parts.go | Updated UUID generation for v2 scan entities during conversion to use uuid.NewV7().String() instead of uuid.NewV4().String() for scan ID, component IDs, and CVE IDs. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 42.86% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and specifically describes the main change—switching from UUIDv4 to UUIDv7 for VM scan, component, and CVE ID generation—which is the core purpose of the PR. |
| Description check | ✅ Passed | The PR description includes a detailed explanation of the change, rationale, and testing approach. While some checklist items remain unchecked, the author provides clear justification for why existing tests are sufficient. |



@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
pkg/uuid/uuid_test.go (1)

86-93: Monotonic test relies on implementation-specific behavior.

The lexicographic string comparison works because google/uuid's NewV7() uses an internal counter for sub-millisecond ordering. However, this isn't guaranteed by RFC 9562 itself—it only mandates millisecond-precision timestamps. If the underlying library changes its sub-millisecond strategy, this test could become flaky.

Consider adding a brief comment noting this relies on google/uuid's counter-based implementation, or relax to testing non-decreasing order (allowing equality within the same millisecond).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/uuid/uuid_test.go` around lines 86 - 93, The test "monotonically
increasing" relies on google/uuid's sub-millisecond counter behavior (NewV7())
which is implementation-specific; either add a clarifying comment above the
t.Run noting this dependency on google/uuid's counter-based ordering, or change
the assertion to allow non-decreasing order (assert.GreaterOrEqual or
assert.NotLess) so equality within the same millisecond is permitted while still
checking ordering semantics of NewV7().


📥 Commits

Reviewing files that changed from the base of the PR and between c3cccf6 and 0ddadea.

📒 Files selected for processing (3)
  • central/convert/v1tov2storage/vm_scan_parts.go
  • pkg/uuid/uuid.go
  • pkg/uuid/uuid_test.go
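
Added example, not code from this PR or from google/uuid: a stand-alone Go sketch of the RFC 9562 UUIDv7 layout the description relies on, showing that string order is guaranteed across milliseconds but not within one when the generator has no sub-millisecond counter, which is the point of the review nitpick above. `newV7At`, `canonical`, `timestampMs` and `sameMsInversions` are hypothetical names, and the timestamp is a constructed value.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// newV7At is a hypothetical helper (not google/uuid's NewV7): it builds an
// RFC 9562 UUIDv7 for a given Unix-millisecond time, with no sub-ms counter.
func newV7At(ms uint64) [16]byte {
	var u [16]byte
	binary.BigEndian.PutUint64(u[:8], ms<<16) // 48-bit timestamp lands in u[0:6]
	if _, err := rand.Read(u[6:]); err != nil {
		panic(err)
	}
	u[6] = 0x70 | u[6]&0x0f // version nibble = 7
	u[8] = 0x80 | u[8]&0x3f // variant bits = 10
	return u
}

// canonical renders the 8-4-4-4-12 hex form that would be stored as the ID.
func canonical(u [16]byte) string {
	h := hex.EncodeToString(u[:])
	return h[:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}

// timestampMs recovers the creation time embedded in the first 48 bits.
func timestampMs(u [16]byte) uint64 {
	return binary.BigEndian.Uint64(u[:8]) >> 16
}

// sameMsInversions counts adjacent IDs, all in one millisecond, whose string order is reversed.
func sameMsInversions(ms uint64, n int) (inv int) {
	prev := canonical(newV7At(ms))
	for i := 1; i < n; i++ {
		cur := canonical(newV7At(ms))
		if cur < prev {
			inv++
		}
		prev = cur
	}
	return inv
}

func main() {
	const ms = 1775000000000 // constructed timestamp, not taken from the PR
	fmt.Println(canonical(newV7At(ms)) < canonical(newV7At(ms+1)), sameMsInversions(ms, 1000))
}
```

Because the first 48 bits decode back to the creation time, anyone who can read one of these IDs also learns when the record was created.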

@dashrews78 dashrews78 merged commit 1d15c62 into master Apr 2, 2026
126 of 127 checks passed
@dashrews78 dashrews78 deleted the dashrews/virtual-machine-uuid-33766 branch April 2, 2026 11:05
c-du pushed a commit that referenced this pull request Apr 2, 2026
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>