admin: add pre v4.8.0 admin command to delete OVAL vulns

The migration to delete OVAL vulnerabilities can take a while (10 mins plus depending on resources). This patch adds a command to pre-delete the vulnerabilities after adding the migration version entry. Signed-off-by: crozzy <joseph.crosland@gmail.com>
quay · Sep 9, 2024 · 86185ab · 86185ab
1 parent 93fa883
commit 86185ab
Showing 1 changed file with 68 additions and 0 deletions.
diff --git a/cmd/clairctl/admin.go b/cmd/clairctl/admin.go
@@ -47,6 +47,14 @@ var AdminCmd = &cli.Command{
 					Usage:  "create `idx_manifest_layer_layer_id` index in the `indexer` database",
 					Action: adminPre473,
 				},
+				{
+					Name:    "v4.8.0",
+					Aliases: []string{"4.8.0"},
+					Description: "This task deletes RHEL OVALv2 vulnerabilities from the database after setting the matcher migration version.\n" +
+						"This could take a while so this command allows an operator to pre-delete the vulnerabilities.\n",
+					Usage:  "delete RHEL OVALv2 vulnerabilities",
+					Action: adminPre480,
+				},
 			},
 			Before: otherVersion,
 		},
@@ -476,3 +484,63 @@ func fromSemver(v *semver.Version) (out claircore.Version) {
 	out.V[3] = int32(v.Patch())
 	return out
 }
+
+// Attempt to remove RHEL OVALv2 vulnerabilities before v4.8.0 (where vulnerabilities come from VEX).
+func adminPre480(c *cli.Context) error {
+	ctx := c.Context
+	fi, err := os.Stat(c.Path("config"))
+	switch {
+	case !errors.Is(err, nil):
+		return fmt.Errorf("bad config: %w", err)
+	case fi.IsDir():
+		return fmt.Errorf("bad config: is a directory")
+	}
+	cfg, err := loadConfig(c.Path("config"))
+	if err != nil {
+		return fmt.Errorf("error loading config: %w", err)
+	}
+	dsn := cfg.Matcher.ConnString
+
+	pgcfg, err := pgxpool.ParseConfig(dsn)
+	if err != nil {
+		return fmt.Errorf("error parsing dsn: %w", err)
+	}
+	zlog.Info(ctx).
+		Str("host", pgcfg.ConnConfig.Host).
+		Str("database", pgcfg.ConnConfig.Database).
+		Str("user", pgcfg.ConnConfig.User).
+		Uint16("port", pgcfg.ConnConfig.Port).
+		Msg("using discovered connection params")
+
+	zlog.Debug(ctx).
+		Msg("resizing pool to 2 connections")
+	pgcfg.MaxConns = 2
+	pool, err := pgxpool.ConnectConfig(ctx, pgcfg)
+	if err != nil {
+		return fmt.Errorf("error creating pool: %w", err)
+	}
+	defer pool.Close()
+	if err := pool.Ping(ctx); err != nil {
+		return fmt.Errorf("error connecting to database: %w", err)
+	}
+
+	return pool.AcquireFunc(ctx, func(conn *pgxpool.Conn) error {
+		const (
+			setMatcherMigration = `INSERT INTO libvuln_migrations ("version") VALUES (13) ON CONFLICT DO NOTHING;`
+			deleteOVALUO        = `DELETE FROM update_operation WHERE updater ~ 'RHEL[5-9]-*';`
+			deleteOVALVulns     = `DELETE FROM vuln where updater ~ 'RHEL[5-9]-*';`
+		)
+		if _, err := conn.Exec(ctx, setMatcherMigration); err != nil {
+			return fmt.Errorf("error setting matcher migration: %w", err)
+		}
+		if _, err := conn.Exec(ctx, deleteOVALUO); err != nil {
+			return fmt.Errorf("error deleting OVAL update_operations: %w", err)
+		}
+		if _, err := conn.Exec(ctx, deleteOVALVulns); err != nil {
+			return fmt.Errorf("error deleting OVAL vulns: %w", err)
+		}
+
+		zlog.Info(ctx).Msg("pre v4.8.0 admin done")
+		return nil
+	})
+}