Skip to content

fix: security results update (IN-1093)#4029

Merged
joanagmaia merged 2 commits intomainfrom
fix/security-results-update-in-1093
Apr 17, 2026
Merged

fix: security results update (IN-1093)#4029
joanagmaia merged 2 commits intomainfrom
fix/security-results-update-in-1093

Conversation

@joanagmaia
Copy link
Copy Markdown
Contributor

@joanagmaia joanagmaia commented Apr 16, 2026
edited by cursor bot
Loading

This pull request updates several database upsert operations in the security_insights data access layer to include two new fields: insightsProjectId and insightsProjectSlug. These fields are now handled consistently across the relevant insert/update functions.

Database schema and data consistency improvements:

  • Added insightsProjectId and insightsProjectSlug to the upsert statement in addEvaluationSuite, ensuring these fields are updated when conflicts occur.
  • Updated the upsert logic in addSuiteControlEvaluation to include insightsProjectId and insightsProjectSlug in conflict resolution.
  • Modified the upsert statement in addControlEvaluationAssessment to handle insightsProjectId and insightsProjectSlug as part of the conflict update.

Note

Medium Risk
Changes persistence behavior for security insights results by updating insightsProjectId/insightsProjectSlug on conflict, which could overwrite existing values for the same (repo, catalog/control/requirement) keys if upstream data is wrong.

Overview
Ensures security insights result upserts keep project metadata in sync by updating insightsProjectId and insightsProjectSlug during conflict resolution.

This applies to suite (securityInsightsEvaluationSuites), control evaluation (securityInsightsEvaluations), and assessment (securityInsightsEvaluationAssessments) inserts so re-runs no longer leave stale project identifiers when rows already exist.

Reviewed by Cursor Bugbot for commit 11dde9f. Bugbot is set up for automated code reviews on this repo. Configure here.

@joanagmaia
fix: security results update
8ba1883 
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
@joanagmaia joanagmaia requested a review from epipav April 16, 2026 14:31
@joanagmaia joanagmaia self-assigned this Apr 16, 2026
@joanagmaia joanagmaia added the Bug Created by Linear-GitHub Sync label Apr 16, 2026
Copilot AI review requested due to automatic review settings April 16, 2026 14:31
Copilot AI reviewed Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates security insights DAL upsert behavior so insightsProjectId and insightsProjectSlug are also updated during ON CONFLICT DO UPDATE, keeping these fields consistent when re-processing results for an existing suite/evaluation/assessment.

Changes:

  • Extend addEvaluationSuite upsert conflict-update to include insightsProjectId and insightsProjectSlug.
  • Extend addSuiteControlEvaluation upsert conflict-update to include insightsProjectId and insightsProjectSlug.
  • Extend addControlEvaluationAssessment upsert conflict-update to include insightsProjectId and insightsProjectSlug.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread services/libs/data-access-layer/src/security_insights/index.ts
Comment on lines +81 to +86
set "updatedAt" = EXCLUDED."updatedAt",
"name" = EXCLUDED."name",
"result" = EXCLUDED."result",
"corruptedState" = EXCLUDED."corruptedState",
"insightsProjectId" = EXCLUDED."insightsProjectId",
"insightsProjectSlug" = EXCLUDED."insightsProjectSlug"
Copy link

Copilot AI Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

insightsProjectSlug has a FK to insightsProjects.slug with ON UPDATE CASCADE (see backend/src/database/migrations/V1753457861__add_unique_contraint_on_insights_slug.sql). Updating the slug from EXCLUDED during the conflict update can cause the upsert to fail if the caller provides a stale slug (e.g., slug changed between read and write); previously the row would keep the cascaded/current slug. Consider not updating insightsProjectSlug on conflict, or deriving it from insightsProjectId/insightsProjects inside the update so it always remains valid/current.

Suggested change
set "updatedAt" = EXCLUDED."updatedAt",
"name" = EXCLUDED."name",
"result" = EXCLUDED."result",
"corruptedState" = EXCLUDED."corruptedState",
"insightsProjectId" = EXCLUDED."insightsProjectId",
"insightsProjectSlug" = EXCLUDED."insightsProjectSlug"
set "updatedAt" = EXCLUDED."updatedAt",
"name" = EXCLUDED."name",
"result" = EXCLUDED."result",
"corruptedState" = EXCLUDED."corruptedState",
"insightsProjectId" = EXCLUDED."insightsProjectId"

Copilot uses AI. Check for mistakes.
Comment thread services/libs/data-access-layer/src/security_insights/index.ts
"corruptedState" = EXCLUDED."corruptedState",
"remediationGuide" = EXCLUDED."remediationGuide",
"insightsProjectId" = EXCLUDED."insightsProjectId",
"insightsProjectSlug" = EXCLUDED."insightsProjectSlug"
Copy link

Copilot AI Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

insightsProjectSlug is enforced via FK to insightsProjects.slug (ON UPDATE CASCADE). Setting it to EXCLUDED.insightsProjectSlug on conflict makes this upsert sensitive to stale slug inputs (race with slug rename) and can cause FK violations at update time. Safer options are to avoid updating the slug on conflict, or compute the slug from insightsProjectId/insightsProjects in the update.

Suggested change
"insightsProjectSlug" = EXCLUDED."insightsProjectSlug"
"insightsProjectSlug" = (
select "slug"
from "insightsProjects"
where "id" = EXCLUDED."insightsProjectId"
)

Copilot uses AI. Check for mistakes.
Comment thread services/libs/data-access-layer/src/security_insights/index.ts
Comment on lines +253 to +254
"insightsProjectId" = EXCLUDED."insightsProjectId",
"insightsProjectSlug" = EXCLUDED."insightsProjectSlug"
Copy link

Copilot AI Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like the other security insights tables, insightsProjectSlug has an FK to insightsProjects.slug with ON UPDATE CASCADE. Updating it from EXCLUDED during the upsert can fail if the caller’s slug is stale (after a rename) and may undo the cascaded value. Consider leaving insightsProjectSlug untouched on conflict, or deriving it from insightsProjectId/insightsProjects within the update clause to guarantee consistency.

Suggested change
"insightsProjectId" = EXCLUDED."insightsProjectId",
"insightsProjectSlug" = EXCLUDED."insightsProjectSlug"
"insightsProjectId" = EXCLUDED."insightsProjectId"

Copilot uses AI. Check for mistakes.
@joanagmaia joanagmaia merged commit bff105f into main Apr 17, 2026
15 checks passed
@joanagmaia joanagmaia deleted the fix/security-results-update-in-1093 branch April 17, 2026 08:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@epipav epipav epipav approved these changes

Assignees

@joanagmaia joanagmaia

Labels

Bug Created by Linear-GitHub Sync

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@joanagmaia @epipav