Conversation

mrizzi
Collaborator

@mrizzi mrizzi commented Sep 5, 2025

https://issues.redhat.com/browse/TC-2805

Summary by Sourcery

Enhance SBOM advisory correlation to support cases where SBOMs have no CPE references or contain multiple CPE entries, by updating the raw SQL filter and adding corresponding tests with new SBOM fixtures.

Enhancements:

  • Extend CONTEXT_CPE_FILTER_SQL to include related packages lacking direct CPE references in advisory correlation.

Tests:

  • Add tests to verify advisory matching for SBOMs without CPEs and ensure SBOMs with multiple CPE entries do not break correlation.

Chores:

  • Include new test data fixtures for CSAF and CycloneDX SBOM samples.

@mrizzi mrizzi requested a review from dejanb September 5, 2025 13:31

codecov bot commented Sep 5, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.01%. Comparing base (f80e4b7) to head (8b745c2).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1958      +/-   ##
==========================================
+ Coverage   67.75%   68.01%   +0.26%     
==========================================
  Files         355      355              
  Lines       19816    19816              
  Branches    19816    19816              
==========================================
+ Hits        13426    13478      +52     
+ Misses       5613     5557      -56     
- Partials      777      781       +4     


@dejanb
Contributor

dejanb commented Sep 8, 2025

/scale-test


github-actions bot commented Sep 8, 2025

🛠️ Scale test has started! Follow the progress here: Workflow Run


github-actions bot commented Sep 8, 2025

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 25-09-08 08:38:21 25-09-08 08:38:26 00:00:05 0 → 5
Maintaining 25-09-08 08:38:26 25-09-08 08:43:26 00:05:00 5
Decreasing 25-09-08 08:43:26 25-09-08 08:43:35 00:00:09 0 ← 5

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
GET get_advisory_by_doc_id 70 (-60) 0 15.61 (+4.25) 3 (0) 61 (-14) 0.23 (-0.20) 0.00 (+0.00)
GET get_analysis_latest_cpe 70 (-65) 0 134.37 (+32.56) 32 (-3) 310 (-121) 0.23 (-0.22) 0.00 (+0.00)
GET get_analysis_status 70 (-65) 0 5.59 (-1.04) 1 (0) 50 (-5) 0.23 (-0.22) 0.00 (+0.00)
GET get_sbom[sha256:720e4451…a939656247164447] 70 (-65) 0 572.13 (-65.97) 143 (-17) 1250 (-570) 0.23 (-0.22) 0.00 (+0.00)
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 70 (-63) 0 883.27 (+55.91) 452 (+91) 1184 (-99) 0.23 (-0.21) 0.00 (+0.00)
GET list_advisory 70 (-60) 0 545.87 (+74.95) 290 (+140) 1114 (+86) 0.23 (-0.20) 0.00 (+0.00)
GET list_advisory_paginated 70 (-60) 0 457.61 (+58.71) 307 (+128) 674 (-78) 0.23 (-0.20) 0.00 (+0.00)
GET list_importer 70 (-60) 0 3.94 (+1.04) 1 (0) 45 (-2) 0.23 (-0.20) 0.00 (+0.00)
GET list_organizations 70 (-60) 0 4.40 (-2.67) 1 (0) 19 (-25) 0.23 (-0.20) 0.00 (+0.00)
GET list_packages 70 (-60) 0 490.46 (+91.38) 306 (+213) 987 (+28) 0.23 (-0.20) 0.00 (+0.00)
GET list_packages_paginated 70 (-60) 0 350.57 (+17.15) 88 (-17) 544 (-49) 0.23 (-0.20) 0.00 (+0.00)
GET list_products 70 (-65) 0 6.89 (+0.25) 4 (0) 15 (-60) 0.23 (-0.22) 0.00 (+0.00)
GET list_sboms 70 (-65) 0 1083.51 (+108.23) 478 (+9) 1465 (+133) 0.23 (-0.22) 0.00 (+0.00)
GET list_sboms_paginated 70 (-65) 0 1288.91 (+60.58) 476 (+92) 2187 (-689) 0.23 (-0.22) 0.00 (+0.00)
GET list_vulnerabilities 70 (-60) 0 229.39 (-38.86) 128 (+71) 388 (-182) 0.23 (-0.20) 0.00 (+0.00)
GET list_vulnerabilities_paginated 70 (-60) 0 198.96 (+19.88) 104 (+76) 406 (+101) 0.23 (-0.20) 0.00 (+0.00)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 70 (-63) 0 67.20 (+20.88) 11 (+2) 215 (+49) 0.23 (-0.21) 0.00 (+0.00)
GET search_advisory 70 (-60) 0 1225.97 (+289.40) 326 (+190) 2008 (-106) 0.23 (-0.20) 0.00 (+0.00)
GET search_exact_purl 70 (-65) 0 7.14 (+3.13) 5 (+3) 11 (+2) 0.23 (-0.22) 0.00 (+0.00)
GET search_purls 75 (-60) 0 13301.13 (+9363.42) 8978 (+8370) 16270 (+10474) 0.25 (-0.20) 0.00 (+0.00)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 70 (-60) 0 422.27 (-125.38) 280 (+27) 880 (-43) 0.23 (-0.20) 0.00 (+0.00)
Aggregated 1475 (-1301) 0 1055.71 (+511.88) 1 (0) 16270 (+10474) 4.92 (-4.34) 0.00 (+0.00)

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
GET get_advisory_by_doc_id 7 (+1) 9 (+2) 12 (+4) 17 (+6) 51 (+23) 57 (+5) 60 (-5) 61 (-14)
GET get_analysis_latest_cpe 130 (+40) 160 (+63) 170 (+60) 190 (+70) 200 (+30) 200 (+20) 210 (0) 310 (-120)
GET get_analysis_status 3 (+1) 3 (+1) 4 (+1) 5 (+1) 7 (-2) 41 (-6) 49 (-4) 50 (-5)
GET get_sbom[sha256:720e4451…a939656247164447] 450 (+40) 500 (+10) 600 (-100) 900 (-100) 1,000 (0) 1,000 (-820) 1,000 (-820) 1,000 (-820)
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 900 (+100) 900 (0) 1,000 (+100) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0)
GET list_advisory 500 (+40) 500 (+30) 600 (+110) 600 (+100) 800 (+200) 800 (0) 900 (-100) 1,000 (0)
GET list_advisory_paginated 460 (+70) 480 (+70) 490 (+60) 500 (+20) 600 (+100) 600 (0) 674 (+74) 674 (-78)
GET list_importer 2 (0) 3 (+1) 4 (+2) 6 (+3) 8 (+3) 9 (+3) 10 (-31) 45 (-2)
GET list_organizations 3 (0) 3 (0) 4 (0) 7 (0) 9 (-14) 14 (-25) 17 (-27) 19 (-25)
GET list_packages 470 (+50) 480 (+40) 490 (+20) 500 (+20) 800 (+300) 800 (+200) 900 (+100) 987 (+28)
GET list_packages_paginated 390 (+20) 400 (+10) 420 (+20) 440 (+20) 480 (+10) 500 (+10) 500 (0) 500 (-93)
GET list_products 6 (+1) 7 (+1) 8 (+2) 8 (+1) 9 (+1) 13 (+4) 14 (-54) 15 (-60)
GET list_sboms 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0)
GET list_sboms_paginated 1,000 (0) 1,000 (0) 1,000 (0) 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (-876) 2,000 (-876)
GET list_vulnerabilities 230 (-50) 240 (-60) 240 (-80) 270 (-100) 280 (-130) 310 (-140) 310 (-190) 388 (-182)
GET list_vulnerabilities_paginated 190 (0) 200 (0) 210 (0) 220 (0) 260 (0) 290 (+20) 300 (+20) 406 (+101)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 54 (+30) 72 (+14) 87 (+23) 110 (+38) 160 (+79) 170 (+60) 170 (+10) 215 (+49)
GET search_advisory 1,000 (+200) 1,000 (+100) 2,000 (+1,000) 2,000 (+1,000) 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (0)
GET search_exact_purl 7 (+3) 7 (+3) 8 (+4) 8 (+3) 9 (+4) 10 (+4) 10 (+2) 11 (+2)
GET search_purls 14,000 (+10,000) 14,000 (+10,000) 14,000 (+9,000) 14,000 (+9,000) 15,000 (+10,000) 16,000 (+11,000) 16,000 (+11,000) 16,000 (+10,204)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 410 (-90) 420 (-180) 440 (-160) 460 (-240) 490 (-310) 600 (-200) 600 (-300) 880 (-20)
Aggregated 310 (+10) 420 (+20) 500 (0) 900 (+100) 1,000 (0) 9,000 (+7,000) 14,000 (+9,000) 16,000 (+10,204)

Status Code Metrics

Method Name Status Codes
GET get_advisory_by_doc_id 70 [200]
GET get_analysis_latest_cpe 70 [200]
GET get_analysis_status 70 [200]
GET get_sbom[sha256:720e4451…a939656247164447] 70 [200]
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 70 [200]
GET list_advisory 70 [200]
GET list_advisory_paginated 70 [200]
GET list_importer 70 [200]
GET list_organizations 70 [200]
GET list_packages 70 [200]
GET list_packages_paginated 70 [200]
GET list_products 70 [200]
GET list_sboms 70 [200]
GET list_sboms_paginated 70 [200]
GET list_vulnerabilities 70 [200]
GET list_vulnerabilities_paginated 70 [200]
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 70 [200]
GET search_advisory 70 [200]
GET search_exact_purl 70 [200]
GET search_purls 75 [200]
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 70 [200]
Aggregated 1,475 [200]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
WebsiteUser
0.0 logon 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.1 website_index 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.2 website_openapi 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.3 website_sboms 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.4 website_packages 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.5 website_advisories 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.6 website_importers 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser
1.0 logon 70 (-60) 0 (0) 14.27 (-0.07) 10 (+3) 22 (-3) 0.23 (-0.20) 0.00 (+0.00)
1.1 list_organizations 70 (-60) 0 (0) 4.67 (-2.60) 1 (0) 19 (-25) 0.23 (-0.20) 0.00 (+0.00)
1.2 list_advisory 70 (-60) 0 (0) 545.99 (+74.99) 291 (+141) 1114 (+86) 0.23 (-0.20) 0.00 (+0.00)
1.3 list_advisory_paginated 70 (-60) 0 (0) 457.66 (+58.71) 307 (+128) 674 (-78) 0.23 (-0.20) 0.00 (+0.00)
1.4 get_advisory_by_doc_id 70 (-60) 0 (0) 15.66 (+4.22) 3 (0) 61 (-15) 0.23 (-0.20) 0.00 (+0.00)
1.5 search_advisory 70 (-60) 0 (0) 1226.00 (+289.35) 327 (+191) 2008 (-106) 0.23 (-0.20) 0.00 (+0.00)
1.6 list_vulnerabilities 70 (-60) 0 (0) 229.44 (-38.87) 129 (+72) 388 (-182) 0.23 (-0.20) 0.00 (+0.00)
1.7 list_vulnerabilities_paginated 70 (-60) 0 (0) 199.01 (+19.90) 104 (+76) 406 (+101) 0.23 (-0.20) 0.00 (+0.00)
1.8 list_importer 70 (-60) 0 (0) 3.97 (+1.04) 1 (0) 45 (-2) 0.23 (-0.20) 0.00 (+0.00)
1.9 list_packages 70 (-60) 0 (0) 490.51 (+91.38) 306 (+213) 987 (+27) 0.23 (-0.20) 0.00 (+0.00)
1.10 list_packages_paginated 70 (-60) 0 (0) 350.66 (+17.16) 88 (-17) 544 (-49) 0.23 (-0.20) 0.00 (+0.00)
1.11 search_purls 75 (-60) 0 (0) 13301.19 (+9363.42) 8978 (+8370) 16270 (+10474) 0.25 (-0.20) 0.00 (+0.00)
1.12 search_exact_purl 70 (-65) 0 (0) 7.17 (+3.12) 5 (+3) 11 (+2) 0.23 (-0.22) 0.00 (+0.00)
1.13 list_products 70 (-65) 0 (0) 6.90 (+0.20) 4 (0) 15 (-60) 0.23 (-0.22) 0.00 (+0.00)
1.14 list_sboms 70 (-65) 0 (0) 1083.59 (+108.25) 478 (+9) 1465 (+133) 0.23 (-0.22) 0.00 (+0.00)
1.15 list_sboms_paginated 70 (-65) 0 (0) 1288.97 (+60.60) 476 (+92) 2187 (-689) 0.23 (-0.22) 0.00 (+0.00)
1.16 get_analysis_status 70 (-65) 0 (0) 5.63 (-1.05) 1 (0) 50 (-5) 0.23 (-0.22) 0.00 (+0.00)
1.17 get_analysis_latest_cpe 70 (-65) 0 (0) 134.41 (+32.56) 32 (-3) 310 (-121) 0.23 (-0.22) 0.00 (+0.00)
1.18 get_sbom[sha256:720e4451…a939656247164447] 70 (-65) 0 (0) 572.19 (-66.01) 143 (-17) 1251 (-569) 0.23 (-0.22) 0.00 (+0.00)
1.19 sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 70 (-63) 0 (0) 67.33 (+20.96) 11 (+1) 215 (+49) 0.23 (-0.21) 0.00 (+0.00)
1.20 get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 70 (-63) 0 (0) 883.33 (+55.86) 452 (+91) 1184 (-99) 0.23 (-0.21) 0.00 (+0.00)
1.21 post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 70 (-60) 0 (0) 422.40 (-125.29) 280 (+27) 880 (-43) 0.23 (-0.20) 0.00 (+0.00)
Aggregated 1545 (-1361) 0 (0) 1007.88 (+488.37) 1 (0) 16270 (+10474) 5.15 (-4.54) 0.00 (+0.00)

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
WebsiteUser 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser 5 (0) 70 (-60) 21041.10 (+9726.27) 16295 (+9612) 23890 (+8695) 0.23 (-0.20) 14.00 (-12.00)
Aggregated 5 (0) 70 (-60) 21041.10 (+9726.27) 16295 (+9612) 23890 (+8695) 0.23 (-0.20) 14.00 (-12.00)

📄 Full Report (Go to "Artifacts" and download report)

@dejanb
Contributor

dejanb commented Sep 8, 2025

I tried it today against the load test and a large SBOM to see how performance is affected by this change. The subquery in this case causes

ERROR: more than one row returned by a subquery used as an expression

I think something like this

    OR NOT EXISTS (
        SELECT 1
        FROM sbom_package_cpe_ref
        WHERE sbom_id = $1
        AND node_id IN (
            SELECT DISTINCT right_node_id
            FROM package_relates_to_package
            WHERE sbom_id = $1
            AND relationship = 13
        )
    )

is what we want. It still needs to be properly tested for performance.
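
To see what the NOT EXISTS form above does on the two fixture shapes this PR adds tests for (an SBOM whose packages carry no CPE references, and one whose package carries several), here is an added example that is not part of the PR or of trustify: it runs the fragment, rewritten for SQLite's positional placeholders, against constructed in-memory tables that use only the column names quoted in this thread. The node ids, cpe ids and the non-13 relationship value are constructed placeholders, not trustify values.

```python
import sqlite3

# Constructed schema: only the columns named in this thread, nothing else.
SCHEMA = """
CREATE TABLE sbom_package_cpe_ref (sbom_id INTEGER, node_id TEXT, cpe_id INTEGER);
CREATE TABLE package_relates_to_package (
    sbom_id INTEGER, right_node_id TEXT, relationship INTEGER);
"""

# The NOT EXISTS fragment from the comment above, wrapped in a SELECT so it
# yields a boolean; PostgreSQL's $1 becomes SQLite's ? and is bound twice.
NO_CPE_FILTER_SQL = """
SELECT NOT EXISTS (
    SELECT 1
    FROM sbom_package_cpe_ref
    WHERE sbom_id = ?
    AND node_id IN (
        SELECT DISTINCT right_node_id
        FROM package_relates_to_package
        WHERE sbom_id = ?
        AND relationship = 13
    )
)
"""


def build_db():
    """Three constructed SBOMs covering the cases discussed in this PR."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO package_relates_to_package VALUES (?, ?, ?)",
        [
            (1, "pkg-a", 13),  # SBOM 1: relationship-13 target, no CPE ref at all
            (2, "pkg-b", 13),  # SBOM 2: relationship-13 target with two CPE refs
            (3, "pkg-c", 13),  # SBOM 3: relationship-13 target without a CPE ref,
            (3, "pkg-d", 0),   #   plus a CPE ref on a non-13 edge (0 is a placeholder)
        ],
    )
    conn.executemany(
        "INSERT INTO sbom_package_cpe_ref VALUES (?, ?, ?)",
        [(2, "pkg-b", 101), (2, "pkg-b", 102), (3, "pkg-d", 103)],  # constructed ids
    )
    return conn


def sbom_has_no_cpe(conn, sbom_id):
    """True when no relationship-13 target of the SBOM carries a CPE reference.

    EXISTS collapses any number of matching rows to one boolean, so the two
    refs on pkg-b cannot raise the 'more than one row' error a scalar subquery did.
    """
    (flag,) = conn.execute(NO_CPE_FILTER_SQL, (sbom_id, sbom_id)).fetchone()
    return bool(flag)
```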

@dejanb
Contributor

dejanb commented Sep 15, 2025

This looks good, no more errors on duplicate CPEs. I also manually tested the sbom/advisory endpoint and there are no regressions (we should really automate this, even if it's very slow).

@mrizzi mrizzi marked this pull request as ready for review September 16, 2025 13:12
Contributor

sourcery-ai bot commented Sep 16, 2025

Reviewer's Guide

Enhance SBOM-to-advisory correlation by extending the CPE filter logic to include SBOMs without any CPE entries, and validate this behavior through new integration tests and fixtures.

Entity Relationship diagram for enhanced SBOM-to-CPE correlation

erDiagram
    SBOM {
        int id
    }
    SBOM_PACKAGE_CPE_REF {
        int sbom_id
        int node_id
        int cpe_id
    }
    PACKAGE_RELATES_TO_PACKAGE {
        int sbom_id
        int right_node_id
        int relationship
    }
    SBOM ||--o{ SBOM_PACKAGE_CPE_REF : contains
    SBOM ||--o{ PACKAGE_RELATES_TO_PACKAGE : relates
    SBOM_PACKAGE_CPE_REF }o--|| SBOM : references
    PACKAGE_RELATES_TO_PACKAGE }o--|| SBOM : references
    SBOM_PACKAGE_CPE_REF }o--|| PACKAGE_RELATES_TO_PACKAGE : node_id

Class diagram for raw SQL filter logic update

classDiagram
    class RawSql {
        +CONTEXT_CPE_FILTER_SQL: &str
    }
    RawSql : +CONTEXT_CPE_FILTER_SQL includes logic for SBOMs without CPE

File-Level Changes

Change Details Files
Extend CPE filter SQL to include SBOMs without any referenced CPE packages
  • Added OR clause in CONTEXT_CPE_FILTER_SQL to check for absence of sbom_package_cpe_ref entries
  • Joined sbom_package_cpe_ref and package_relates_to_package to detect CPE relationships
  • Ensured filter returns true when no matching CPE reference is found
modules/fundamental/src/sbom/model/raw_sql.rs
Add integration tests for SBOM correlation without CPE and with multiple CPEs
  • Created sbom_without_cpe_matching test to verify advisories correlate for CPE-less SBOMs
  • Created sbom_with_multiple_cpes_not_breaking test to ensure multiple CPEs don’t break filtering
  • Assert expected advisory counts and package metadata in both scenarios
modules/fundamental/src/vulnerability/service/test.rs
Introduce test fixtures for CSAF and CycloneDX SBOM samples
  • Added rhsa-2025_10698.json as a CSAF vulnerability document with CPEs
  • Added mtr-rhel8-operator_1.2.7.json as a CycloneDX SBOM lacking CPEs
etc/test-data/csaf/rhsa-2025_10698.json
etc/test-data/cyclonedx/mtr-rhel8-operator_1.2.7.json


Contributor

@sourcery-ai sourcery-ai bot left a comment


Hey there - I've reviewed your changes and they look great!



@mrizzi
Collaborator Author

mrizzi commented Sep 26, 2025

@dejanb how do we want to proceed with this PR? Do you feel like this is ready for approval? Just let me know 😃

Signed-off-by: mrizzi <mrizzi@redhat.com>
Contributor

@dejanb dejanb left a comment


Looks good. I did a manual scale test for the endpoint. No regressions. The issue to improve this for the future is guacsec/trustify-scale-test-runs#17

@dejanb dejanb added this pull request to the merge queue Sep 30, 2025
@dejanb dejanb added the backport release/0.4.z Backport (0.4.z) label Sep 30, 2025
Merged via the queue into guacsec:main with commit b9dc8ca Sep 30, 2025
6 checks passed
@trustify-ci-bot

Successfully created backport PR for release/0.4.z:
