Merged
2 changes: 1 addition & 1 deletion central/image/datastore/datastore_impl.go
@@ -298,7 +298,7 @@ func (ds *datastoreImpl) DeleteImages(ctx context.Context, ids ...string) error
return err
}
}
// removing component risk handled by pruning
// Component risks are not stored in the risk datastore (only embedded in components).
return errorList.ToError()
}

2 changes: 1 addition & 1 deletion central/imagev2/datastore/datastore_impl.go
@@ -322,7 +322,7 @@ func (ds *datastoreImpl) DeleteImages(ctx context.Context, ids ...string) error
return err
}
}
// removing component risk handled by pruning
// Component risks are not stored in the risk datastore (only embedded in components).
return errorList.ToError()
}

118 changes: 48 additions & 70 deletions central/pruning/pruning.go
@@ -15,7 +15,7 @@ import (
deploymentDatastore "github.com/stackrox/rox/central/deployment/datastore"
"github.com/stackrox/rox/central/globaldb"
imageDatastore "github.com/stackrox/rox/central/image/datastore"
imageComponentV2Datastore "github.com/stackrox/rox/central/imagecomponent/v2/datastore"

imageV2Datastore "github.com/stackrox/rox/central/imagev2/datastore"
logimbueDataStore "github.com/stackrox/rox/central/logimbue/store"
"github.com/stackrox/rox/central/metrics"
@@ -116,7 +116,6 @@ func newGarbageCollector(alerts alertDatastore.DataStore,
processbaseline processBaselineDatastore.DataStore,
networkflows networkFlowDatastore.ClusterDataStore,
config configDatastore.DataStore,
imageComponentsV2 imageComponentV2Datastore.DataStore,
risks riskDataStore.DataStore,
vulnReqs vulnReqDataStore.DataStore,
serviceAccts serviceAccountDataStore.DataStore,
@@ -130,61 +129,59 @@ func newGarbageCollector(alerts alertDatastore.DataStore,
roleStore roleDataStore.DataStore,
) GarbageCollector {
return &garbageCollectorImpl{
alerts: alerts,
clusters: clusters,
nodes: nodes,
images: images,
imagesV2: imagesV2,
imageComponentsV2: imageComponentsV2,
deployments: deployments,
pods: pods,
processes: processes,
processbaseline: processbaseline,
networkflows: networkflows,
config: config,
risks: risks,
vulnReqs: vulnReqs,
serviceAccts: serviceAccts,
k8sRoles: k8sRoles,
k8sRoleBindings: k8sRoleBindings,
logimbueStore: logimbueStore,
stopper: concurrency.NewStopper(),
postgres: globaldb.GetPostgres(),
reportSnapshot: reportSnapshotDS,
plops: plops,
blobStore: blobStore,
nodeCVEStore: nodeCVEStore,
roleStore: roleStore,
alerts: alerts,
clusters: clusters,
nodes: nodes,
images: images,
imagesV2: imagesV2,
deployments: deployments,
pods: pods,
processes: processes,
processbaseline: processbaseline,
networkflows: networkflows,
config: config,
risks: risks,
vulnReqs: vulnReqs,
serviceAccts: serviceAccts,
k8sRoles: k8sRoles,
k8sRoleBindings: k8sRoleBindings,
logimbueStore: logimbueStore,
stopper: concurrency.NewStopper(),
postgres: globaldb.GetPostgres(),
reportSnapshot: reportSnapshotDS,
plops: plops,
blobStore: blobStore,
nodeCVEStore: nodeCVEStore,
roleStore: roleStore,
}
}

type garbageCollectorImpl struct {
postgres pgPkg.DB

alerts alertDatastore.DataStore
clusters clusterDatastore.DataStore
nodes nodeDatastore.DataStore
images imageDatastore.DataStore
imagesV2 imageV2Datastore.DataStore
imageComponentsV2 imageComponentV2Datastore.DataStore
deployments deploymentDatastore.DataStore
pods podDatastore.DataStore
processes processDatastore.DataStore
processbaseline processBaselineDatastore.DataStore
networkflows networkFlowDatastore.ClusterDataStore
config configDatastore.DataStore
risks riskDataStore.DataStore
vulnReqs vulnReqDataStore.DataStore
serviceAccts serviceAccountDataStore.DataStore
k8sRoles k8sRoleDataStore.DataStore
k8sRoleBindings roleBindingDataStore.DataStore
logimbueStore logimbueDataStore.Store
stopper concurrency.Stopper
reportSnapshot snapshotDS.DataStore
plops plopDataStore.DataStore
blobStore blobDatastore.Datastore
nodeCVEStore nodeCVEDS.DataStore
roleStore roleDataStore.DataStore
alerts alertDatastore.DataStore
clusters clusterDatastore.DataStore
nodes nodeDatastore.DataStore
images imageDatastore.DataStore
imagesV2 imageV2Datastore.DataStore
deployments deploymentDatastore.DataStore
pods podDatastore.DataStore
processes processDatastore.DataStore
processbaseline processBaselineDatastore.DataStore
networkflows networkFlowDatastore.ClusterDataStore
config configDatastore.DataStore
risks riskDataStore.DataStore
vulnReqs vulnReqDataStore.DataStore
serviceAccts serviceAccountDataStore.DataStore
k8sRoles k8sRoleDataStore.DataStore
k8sRoleBindings roleBindingDataStore.DataStore
logimbueStore logimbueDataStore.Store
stopper concurrency.Stopper
reportSnapshot snapshotDS.DataStore
plops plopDataStore.DataStore
blobStore blobDatastore.Datastore
nodeCVEStore nodeCVEDS.DataStore
roleStore roleDataStore.DataStore
}

func (g *garbageCollectorImpl) Start() {
@@ -1031,7 +1028,6 @@ func (g *garbageCollectorImpl) getAlertsToPrune(query *v1.Query) ([]string, erro
func (g *garbageCollectorImpl) removeOrphanedRisks() {
g.removeOrphanedDeploymentRisks()
g.removeOrphanedImageRisks()
g.removeOrphanedImageComponentRisks()
g.removeOrphanedNodeRisks()
}

@@ -1069,24 +1065,6 @@ func (g *garbageCollectorImpl) removeOrphanedImageRisks() {
g.removeRisks(storage.RiskSubjectType_IMAGE, prunable...)
}

func (g *garbageCollectorImpl) removeOrphanedImageComponentRisks() {
defer metrics.SetPruningDuration(time.Now(), "ImageCompositionRisks")
var prunable []string
var results []search.Result
var err error
componentsWithRisk := g.getRisks(storage.RiskSubjectType_IMAGE_COMPONENT)

results, err = g.imageComponentsV2.Search(pruningCtx, search.EmptyQuery())
if err != nil {
log.Errorf("[Risk pruning] Searching image components: %v", err)
return
}

prunable = componentsWithRisk.Difference(search.ResultsToIDSet(results)).AsSlice()
log.Infof("[Risk pruning] Removing %d image component risks", len(prunable))
g.removeRisks(storage.RiskSubjectType_IMAGE_COMPONENT, prunable...)
}

func (g *garbageCollectorImpl) removeOrphanedNodeRisks() {
defer metrics.SetPruningDuration(time.Now(), "NodeRisks")
nodesWithRisk := g.getRisks(storage.RiskSubjectType_NODE)
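Review bot: With `g.removeOrphanedImageComponentRisks()` dropped from `removeOrphanedRisks` and the function deleted, nothing visible here removes `RiskSubjectType_IMAGE_COMPONENT` rows that may already sit in the risk datastore. If earlier releases ever wrote such rows (the deleted code looked for them, which suggests they could exist), they would now outlive their images and components and remain as stale risk data. Either point to the migration that clears them or keep a one-time sweep such as `g.removeRisks(storage.RiskSubjectType_IMAGE_COMPONENT, g.getRisks(storage.RiskSubjectType_IMAGE_COMPONENT).AsSlice()...)`. I would also add a comment above the calls in `removeOrphanedRisks`, for example `// Image component risks are embedded in components and are not pruned here.` The neighbouring pruning functions continue outside the visible hunks, so this is based only on what the page shows.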
8 changes: 4 additions & 4 deletions central/pruning/pruning_test.go
@@ -573,7 +573,7 @@ func (s *PruningTestSuite) TestImagePruning() {
nodes := s.generateNodeDataStructures()

gc := newGarbageCollector(alerts, nodes, images, imagesV2, nil, deployments, pods,
nil, nil, nil, config, nil, nil,
nil, nil, nil, config, nil,
nil, nil, nil, nil, nil, nil, nil,
nil, nil, nil).(*garbageCollectorImpl)

@@ -866,7 +866,7 @@ func (s *PruningTestSuite) TestClusterPruning() {
}

gc := newGarbageCollector(nil, nil, nil, nil, clusterDS, deploymentsDS, nil,
nil, nil, nil, nil, nil, nil,
nil, nil, nil, nil, nil,
nil, nil, nil, nil, nil, nil,
nil, nil, nil, nil).(*garbageCollectorImpl)
gc.collectClusters(c.config)
@@ -993,7 +993,7 @@ func (s *PruningTestSuite) TestClusterPruningCentralCheck() {
lastClusterPruneTime = time.Now().Add(-24 * time.Hour)

gc := newGarbageCollector(nil, nil, nil, nil, clusterDS, deploymentsDS, nil,
nil, nil, nil, nil, nil, nil,
nil, nil, nil, nil, nil,
nil, nil, nil, nil, nil, nil,
nil, nil, nil, nil).(*garbageCollectorImpl)
gc.collectClusters(getCluserRetentionConfig(60, 90, 72))
@@ -1171,7 +1171,7 @@ func (s *PruningTestSuite) TestAlertPruning() {
nodes := s.generateNodeDataStructures()

gc := newGarbageCollector(alerts, nodes, images, imagesV2, nil, deployments, nil,
nil, nil, nil, config, nil, nil,
nil, nil, nil, config, nil,
nil, nil, nil, nil, nil, nil,
nil, nil, nil, nil).(*garbageCollectorImpl)

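Review bot: The `newGarbageCollector` calls in these four tests pass 22 positional arguments, most of them untyped `nil`, so removing a `nil` at the wrong position still compiles and silently changes which datastore is left unset. The edit here looks consistent (in `TestImagePruning` and `TestAlertPruning`, `config` keeps its place and one `nil` after it is dropped), but in the two cluster tests the changed line is all `nil`, so the compiler cannot confirm the right slot was removed. Consider building the collector in tests with named fields, e.g. `gc := &garbageCollectorImpl{clusters: clusterDS, deployments: deploymentsDS}`, provided the tests do not rely on the constructor's `stopper` and `postgres` setup. The test bodies continue outside these hunks.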
3 changes: 1 addition & 2 deletions central/pruning/singleton.go
@@ -8,7 +8,7 @@ import (
nodeCVEDS "github.com/stackrox/rox/central/cve/node/datastore"
deploymentDatastore "github.com/stackrox/rox/central/deployment/datastore"
imagesDatastore "github.com/stackrox/rox/central/image/datastore"
imageComponentV2Datastore "github.com/stackrox/rox/central/imagecomponent/v2/datastore"

imageV2Datastore "github.com/stackrox/rox/central/imagev2/datastore"
logimbueStore "github.com/stackrox/rox/central/logimbue/store"
networkFlowsDataStore "github.com/stackrox/rox/central/networkgraph/flow/datastore"
@@ -46,7 +46,6 @@ func Singleton() GarbageCollector {
processBaselineDatastore.Singleton(),
networkFlowsDataStore.Singleton(),
configDatastore.Singleton(),
imageComponentV2Datastore.Singleton(),
riskDataStore.Singleton(),
vulnReqDataStore.Singleton(),
serviceAccountDataStore.Singleton(),
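Review bot: Removing the `imageComponentV2Datastore` import appears to have left an empty line in its place, so the import block is now split between `imagesDatastore` and `imageV2Datastore`. The same gap shows in central/pruning/pruning.go between `imageDatastore` and `imageV2Datastore`. gofmt preserves a blank line inside an import block and sorts each group on its own, so the split will persist and later imports can end up in either half. Delete the blank line in both files so the project imports stay one sorted group.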