ROX-34163: Prevent showing all profiles in UI when no scans are configured by guzalv · Pull Request #20044 · stackrox/stackrox

guzalv · 2026-04-16T09:41:16Z

Description

Before this PR, a filter matching 0 scan configurations (or no scan configurations existing at all) resulted in querying the profiles database without a WHERE clause, so the API returned every profile in the database instead of none. Meanwhile totalCount was computed correctly as 0, contradicting the returned data.

GetProfilesNames queries the compliance_operator_scan_configuration_v2 table for distinct profile names. When no rows match, it returns nil. The caller was passing nil into AddExactMatches — a no-op — producing a query with no WHERE clause.

Fix: early-return (nil, 0, nil) in getProfiles before building the second query when the name list is empty.

Affected endpoints:

GET /v2/compliance/scan/configurations/profiles/collection (ListComplianceScanConfigProfiles)
GET /v2/compliance/scan/configurations/clusters/{cluster_id}/profiles/collection (ListComplianceScanConfigClusterProfiles)

See also: companion fix for /v2/compliance/profiles/summary (#20048).

User-facing documentation

CHANGELOG.md is updated OR update is not needed

Testing and quality

the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
CI results are inspected

Automated testing

added unit tests

How I validated my change

By running in a live cluster and querying with an empty query against the profiles collection endpoint (no scan configurations defined):

# Before this PR (master)
$ curl -sku admin:admin "https://central-stackrox.apps.rox-26032-cluster-1.ocp.infra.rox.systems/v2/compliance/scan/configurations/profiles/collection?query=" | jq '.profiles[].name' | wc -l
52

# After
$ curl -sku admin:admin "https://central-stackrox.apps.rox-26032-cluster-1.ocp.infra.rox.systems/v2/compliance/scan/configurations/profiles/collection?query=" | jq '.profiles[].name' | wc -l
0

openshift-ci · 2026-04-16T09:41:21Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

guzalv · 2026-04-16T09:41:24Z

/test ocp-4-21-compliance-e2e-tests

codecov · 2026-04-16T09:46:56Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.64%. Comparing base (c1f1ddc) to head (42bfc54).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #20044      +/-   ##
==========================================
+ Coverage   49.61%   49.64%   +0.02%     
==========================================
  Files        2765     2765              
  Lines      208640   208820     +180     
==========================================
+ Hits       103517   103663     +146     
- Misses      97467    97493      +26     
- Partials     7656     7664       +8

Flag	Coverage Δ
go-unit-tests	`49.64% <100.00%> (+0.02%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-actions · 2026-04-16T09:55:06Z

🚀 Build Images Ready

Images are ready for commit 42bfc54. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-664-g42bfc54eb2

…an configs When GetProfilesNames returns nil (filter matches no scan configurations, or no scan configurations exist), the caller was passing nil into AddExactMatches which is a no-op, producing a query with no WHERE clause — causing SearchProfiles to return every profile in the database instead of none. Meanwhile totalCount came from a separate countQuery and was correctly 0, contradicting the returned data. Fix: early-return (nil, 0, nil) in getProfiles before building the second query when the name list is empty. Covers both ListComplianceScanConfigProfiles and ListComplianceScanConfigClusterProfiles. Also fixes pre-existing style issues in touched files: replace deprecated k8s.io/utils/strings/slices with stdlib slices, and deduplicate the generated/api/v2 import alias in the test file. AI-assisted change.

…an configs When GetProfilesNames returns nil (filter matches no scan configurations, or no scan configurations exist), the caller was passing nil into AddExactMatches which is a no-op, producing a query with no WHERE clause — causing SearchProfiles to return every profile in the database instead of none. Meanwhile totalCount came from a separate countQuery and was correctly 0, contradicting the returned data. Fix: early-return (nil, 0, nil) in getProfiles before building the second query when the name list is empty. Covers both ListComplianceScanConfigProfiles and ListComplianceScanConfigClusterProfiles. AI-assisted change.

guzalv added the ai-assisted label Apr 16, 2026

openshift-ci bot added the do-not-merge/work-in-progress label Apr 16, 2026

github-actions bot added the area/central label Apr 16, 2026

guzalv changed the title ~~ROX-34153: return empty list when profile name filter matches nothing~~ ROX-34153, ROX-34163: Return 0 profiles when filter matches nothing Apr 16, 2026

guzalv force-pushed the ROX-34153-profile-summary-empty-filter branch from f5c7e5a to 44fcb2b Compare April 16, 2026 12:23

guzalv changed the title ~~ROX-34153, ROX-34163: Return 0 profiles when filter matches nothing~~ ROX-34153, ROX-34163: Avoid incorrectly listing all profiles in compliance v2 Apr 16, 2026

guzalv force-pushed the ROX-34153-profile-summary-empty-filter branch from 44fcb2b to 668b647 Compare April 16, 2026 13:04

guzalv changed the title ~~ROX-34153, ROX-34163: Avoid incorrectly listing all profiles in compliance v2~~ ROX-34163: Prevent showing all profiles in UI when no scans are configured Apr 16, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ROX-34163: Prevent showing all profiles in UI when no scans are configured#20044

ROX-34163: Prevent showing all profiles in UI when no scans are configured#20044
guzalv wants to merge 2 commits intomasterfrom
ROX-34153-profile-summary-empty-filter

guzalv commented Apr 16, 2026 •

edited

Loading

Uh oh!

openshift-ci bot commented Apr 16, 2026

Uh oh!

guzalv commented Apr 16, 2026

Uh oh!

codecov bot commented Apr 16, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Apr 16, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

guzalv commented Apr 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

User-facing documentation

Testing and quality

Automated testing

How I validated my change

Uh oh!

openshift-ci bot commented Apr 16, 2026

Uh oh!

guzalv commented Apr 16, 2026

Uh oh!

codecov bot commented Apr 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

github-actions bot commented Apr 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🚀 Build Images Ready

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

guzalv commented Apr 16, 2026 •

edited

Loading

codecov bot commented Apr 16, 2026 •

edited

Loading

github-actions bot commented Apr 16, 2026 •

edited

Loading