ROX-33339: Return ScanReused when enrichment uses existing scan #19827

Merged: clickboo merged 1 commit into master from boo-reprocessor-targeted-invalidation on Apr 7, 2026

clickboo (Contributor) commented Apr 4, 2026

Description

The image enricher returns ScanSucceeded when reusing an existing scan from the database, making ImageUpdated always true even when no image data changed. This prevents downstream consumers from distinguishing genuinely updated images from unchanged ones, and results in a significant volume of unnecessary UpdateImage messages to secured clusters, and subsequent storage.Image proto deserialization in Sensor.

This PR introduces a ScanReused enum value in ScanResult, returned when the enricher reuses an existing DB scan unchanged. ImageUpdated now correctly evaluates to false for these images, enabling the rest of the targeted admission controller cache invalidation stack to optimize message flow in the short-circuit reprocessor path. Given the image proto can be large, with scan data for a large number of CVEs, metadata and image signatures, and multiple secured clusters, this constitutes significant savings.

A HasScanData() helper has been added to ScanResult to avoid regressions in API paths (roxctl image scan, SBOM export, WatchImage) that validate scan presence - these paths now accept both ScanSucceeded and ScanReused as valid.

Note:
Future PRs will use imageUpdated to decide between UpdatedImage messages (for each changed image) vs. a batched RefreshImageCacheTTL message (for unchanged images) in the short-circuit reprocessor path. Without this fix, the absence of an accurate ImageUpdated flag makes future optimizations impossible.

User-facing documentation

  • CHANGELOG.md is updated OR update is not needed
  • documentation PR is created and is linked above OR is not needed

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

  • Unit tests verify ScanReused is returned when useExistingScan is true, and ImageUpdated is false in that case
  • TestHasScanData covers all ScanResult enum values
  • SBOM export tests cover ScanReused returning HTTP 200 (regression check)
  • Traced all ScanResult consumers to confirm no regressions: periodic reprocessor uses ForceRefetchCachedValuesOnly (never hits ScanReused); WatchImage uses IgnoreExistingImages (never hits ScanReused); ScanImage and SBOM export use UseCachesIfPossible (can hit ScanReused, covered by HasScanData())
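
A minimal Go model of the behavior the description above lays out, added here as an illustration and not taken from the PR or the project's code base. ScanNotDone, the enrichment struct, its MetadataUpdated field and plan are assumptions made for this sketch; ScanResult, ScanSucceeded, ScanReused, HasScanData, ImageUpdated, UpdateImage and RefreshImageCacheTTL are the names used in the text.

```go
package main

import "fmt"

// ScanResult mirrors the enum named in the PR text. ScanNotDone is an
// assumed placeholder for "no scan data"; the text names only the other two.
type ScanResult int

const (
	ScanNotDone   ScanResult = iota // assumed name
	ScanSucceeded                   // a fresh scan was produced
	ScanReused                      // an existing DB scan was reused unchanged
)

// HasScanData is what scan-presence checks in API paths should call:
// a reused scan is still valid scan data.
func (r ScanResult) HasScanData() bool { return r == ScanSucceeded || r == ScanReused }

// enrichment is a hypothetical per-image enrichment outcome.
type enrichment struct {
	ImageID         string
	MetadataUpdated bool // assumed: some non-scan part of the image changed
	Scan            ScanResult
}

// ImageUpdated is true only when image data really changed, so a reused
// scan on its own does not count as an update.
func (e enrichment) ImageUpdated() bool { return e.MetadataUpdated || e.Scan == ScanSucceeded }

// plan separates images that need their own UpdateImage message from
// unchanged ones that can share one batched RefreshImageCacheTTL message.
func plan(results []enrichment) (updates, refreshTTL []string) {
	for _, e := range results {
		if e.ImageUpdated() {
			updates = append(updates, e.ImageID)
		} else {
			refreshTTL = append(refreshTTL, e.ImageID)
		}
	}
	return updates, refreshTTL
}

func main() {
	// Constructed sample results, not real image digests.
	results := []enrichment{
		{"img-a", false, ScanSucceeded},
		{"img-b", false, ScanReused},
		{"img-c", true, ScanReused},
	}
	u, r := plan(results)
	fmt.Println("UpdateImage:", u, "RefreshImageCacheTTL:", r)
}
```

A presence check written as `result == ScanSucceeded` would start rejecting reused scans once the new value exists, which is the regression HasScanData() guards against.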

openshift-ci bot commented Apr 4, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

github-actions bot commented Apr 4, 2026

🚀 Build Images Ready

Images are ready for commit 7f56c20. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-575-g7f56c20e93

clickboo force-pushed the boo-reprocessor-targeted-invalidation branch 4 times, most recently from a85dbb2 to a1cf896 (April 4, 2026 11:17)

codecov bot commented Apr 4, 2026

Codecov Report

❌ Patch coverage is 54.54545% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.60%. Comparing base (7678bbc) to head (8e833aa).
⚠️ Report is 3 commits behind head on master.

Files with missing lines                 Patch %   Lines
central/image/service/service_impl.go    0.00%     2 Missing ⚠️
pkg/images/enricher/util.go              0.00%     2 Missing ⚠️
central/image/service/http_handler.go    0.00%     0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #19827      +/-   ##
==========================================
- Coverage   49.60%   49.60%   -0.01%     
==========================================
  Files        2763     2763              
  Lines      208339   208331       -8     
==========================================
- Hits       103342   103337       -5     
+ Misses      97332    97328       -4     
- Partials     7665     7666       +1     
Flag            Coverage Δ
go-unit-tests   49.60% <54.54%> (-0.01%) ⬇️

clickboo force-pushed the boo-reprocessor-targeted-invalidation branch from a1cf896 to 81241af (April 4, 2026 13:43)
clickboo changed the title from "ROX-33339: Avoid adm cntrl full cache purge during reprocessing" to "ROX-33339: Foundational: Avoid adm cntrl full cache purge during reprocessing" (Apr 4, 2026)
clickboo force-pushed the boo-reprocessor-targeted-invalidation branch from 81241af to e516610 (April 4, 2026 13:50)
clickboo changed the title from "ROX-33339: Foundational: Avoid adm cntrl full cache purge during reprocessing" to "ROX-33339: Return ScanReused when useExistingScan is true during enrichment" (Apr 4, 2026)
clickboo changed the title from "ROX-33339: Return ScanReused when useExistingScan is true during enrichment" to "ROX-33339: Return ScanReused when useExistingScan=true during enrichment" (Apr 4, 2026)
clickboo changed the title from "ROX-33339: Return ScanReused when useExistingScan=true during enrichment" to "ROX-33339: Return ScanReused when enrichment uses existing scan" (Apr 4, 2026)
clickboo force-pushed the boo-reprocessor-targeted-invalidation branch from e516610 to a753bc4 (April 5, 2026 05:17)

clickboo commented Apr 5, 2026

/test all

clickboo commented Apr 6, 2026

/test ocp-4-21-qa-e2e-tests

clickboo force-pushed the boo-reprocessor-targeted-invalidation branch from 6211fa0 to 8e833aa (April 7, 2026 05:52)

clickboo commented Apr 7, 2026

/test gke-upgrade-tests

clickboo enabled auto-merge (squash) (April 7, 2026 09:22)
clickboo merged commit 7f56c20 into master (Apr 7, 2026)
112 of 113 checks passed
clickboo deleted the boo-reprocessor-targeted-invalidation branch (April 7, 2026 09:27)