Remove cve_alias_alias_fkey to support GHSA aliases without CVE rows#272
Open
Remove cve_alias_alias_fkey to support GHSA aliases without CVE rows#272
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the Postgres schema to allow cve_alias.alias values (e.g., GHSA IDs) to exist without requiring a corresponding row in cve, by removing the cve_alias_alias_fkey foreign key constraint.
Changes:
- Add migration to drop the
cve_alias_alias_fkeyconstraint fromcve_aliasin the Up direction. - Add Down migration to re-create the dropped foreign key constraint.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The cve_alias_alias_fkey constraint required every alias (e.g. GHSA IDs) to exist as a row in the cve table. This was incorrect — GHSA IDs are aliases, not canonical CVEs, and should not require their own cve rows. With the companion fix in nais/dependencytrack (fix/promote-github-cve-canonical), GITHUB findings now set Cve.Id to the CVE canonical. This means: - cve row is upserted for the CVE canonical (satisfies canonical_fkey) - cve_alias row is inserted with alias=GHSA-xxx (no longer needs alias_fkey) Keeping cve_alias_canonical_fkey intact — canonicals must still be valid cve rows, which the promotion guarantees.
…ding FK The Down migration re-adds cve_alias_alias_fkey which requires every alias to exist in cve(cve_id). After the Up migration, GHSA aliases can exist without a cve row. Without the DELETE, a rollback would fail with a FK violation on any such rows.
…inding promotion - TestBatchUpdateVulnerabilityData_GithubFindingPromotion: verifies full pipeline for a GITHUB finding after ParseFinding promotion — cve row upserted for CVE canonical, cve_alias row inserted without FK error, vulnerabilities row references CVE canonical, GetCanonicalCveIdByAlias returns correct canonical for the GHSA alias - TestCveAliasCanonicalFkeyStillEnforced: verifies cve_alias_canonical_fkey remains active after migration 0027 — inserting an alias with a non-existent canonical is still rejected - Improve Down migration comment to make the intentional data loss explicit
…atch Replace assert.Contains(err.Error(), constraintName) with errors.As to a *pgconn.PgError and check Code == ForeignKeyViolation and ConstraintName directly — avoids false negatives across driver/PG versions.
ybelMekk
force-pushed
the
fix/drop-cve-alias-alias-fkey
branch
from
a83a11e to
ba7b5d7
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request updates the database schema to remove a foreign key constraint from the
cve_aliastable. The change allows aliases (such as GHSA IDs) to exist without requiring a corresponding row in thecvetable, making the schema more flexible for non-CVE aliases.Database schema change:
cve_alias_alias_fkeyforeign key constraint from thecve_aliastable, so aliases are no longer required to reference an existingcverow. This supports cases where aliases (like GHSA IDs) do not have a direct CVE entry.