Conversation

@charmik-redhat (Contributor)

Description

There are two scenarios that can cause flappy FixAvailableTimestamps in a CVE:

  1. If the same (CVE + package + datasource) combination is present multiple times in an image with different fix timestamps, then the one processed last will take precedence because the ImageCVEInfo lookup table can only have one (CVE + package + datasource) combination. So the last processed vuln will overwrite earlier info. Instead, we should preserve the earliest timestamp across multiple occurrences.

  2. The implementation did not preserve the datasource from the scanner when writing CVEs to the database. This can also cause the CVE FixAvailableTimestamp to change. The image enricher does not rescan the image each time. Sometimes it just fetches the stored image from the database and populates the scan. If datasources are not stored in the database, the scan populated from an existing image will not have any datasources. When such an image gets rewritten to the database, the logic used to find the FixAvailableTimestamp from the ImageCVEInfos lookup table will not be able to find it without the right datasource. Preserving the datasource in the database would fix this problem.

This PR addresses both the above issues.

User-facing documentation

  • CHANGELOG update is not needed
  • documentation is not needed

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Unit tests
Manual tests
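
The two failure modes in the description, shown in working code. This is an added example and not code from the PR or from the StackRox repository: the `Key`, `Finding` and `BuildLookup*` names, the rule that a zero timestamp means "no fix known", the datasource name and the placeholder CVE ids are all assumptions of this example. `BuildLookupLastWins` reproduces the overwrite behaviour (last occurrence of a key wins), `BuildLookupEarliest` keeps the earliest fix timestamp per (CVE + package + datasource), and the lookup at the end of `main` shows why a finding that lost its datasource on the way through the database cannot be matched against the table.

```go
package main

import (
	"fmt"
	"time"
)

// Key is the identity of a row in the lookup table: the (CVE + package + datasource)
// combination named in the PR description. Field names are this example's own.
type Key struct {
	CVE        string
	Package    string
	Datasource string
}

// Finding is a constructed stand-in for one vulnerability occurrence reported by
// the scanner. A zero FixAvailable means "no fix known" (an assumption made here).
type Finding struct {
	CVE, Package, Datasource string
	FixAvailable             time.Time
}

// Constructed fix timestamps used by SampleFindings and main.
var (
	EarlyFix = time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)
	LateFix  = time.Date(2024, 6, 15, 0, 0, 0, 0, time.UTC)
)

// SampleFindings returns constructed scanner output in which the same
// (CVE + package + datasource) appears twice with different fix timestamps,
// the later one listed last: the case that makes the stored timestamp flap.
// The CVE ids and datasource name are placeholders, not real identifiers.
func SampleFindings() []Finding {
	return []Finding{
		{CVE: "CVE-0000-00001", Package: "libexample", Datasource: "example-os-db", FixAvailable: EarlyFix},
		{CVE: "CVE-0000-00002", Package: "libother", Datasource: "example-os-db"}, // no fix known
		{CVE: "CVE-0000-00001", Package: "libexample", Datasource: "example-os-db", FixAvailable: LateFix},
	}
}

// BuildLookupLastWins is the pre-fix behaviour: every occurrence overwrites the
// row for its key, so whichever finding the scanner listed last wins.
func BuildLookupLastWins(findings []Finding) map[Key]time.Time {
	table := make(map[Key]time.Time, len(findings))
	for _, f := range findings {
		table[Key{f.CVE, f.Package, f.Datasource}] = f.FixAvailable
	}
	return table
}

// BuildLookupEarliest keeps the earliest known fix timestamp for each key.
// An unknown (zero) timestamp never displaces a known one.
func BuildLookupEarliest(findings []Finding) map[Key]time.Time {
	table := make(map[Key]time.Time, len(findings))
	for _, f := range findings {
		k := Key{f.CVE, f.Package, f.Datasource}
		current, seen := table[k]
		switch {
		case !seen:
			table[k] = f.FixAvailable
		case current.IsZero():
			table[k] = f.FixAvailable // a known timestamp beats "unknown"
		case !f.FixAvailable.IsZero() && f.FixAvailable.Before(current):
			table[k] = f.FixAvailable
		}
	}
	return table
}

// Lookup resolves a finding against the table. A finding whose datasource was
// not persisted (empty string) cannot match a row keyed with the scanner's datasource.
func Lookup(table map[Key]time.Time, f Finding) (time.Time, bool) {
	ts, ok := table[Key{f.CVE, f.Package, f.Datasource}]
	return ts, ok
}

func main() {
	findings := SampleFindings()
	target := findings[0]

	tsLast, _ := Lookup(BuildLookupLastWins(findings), target)
	tsEarly, _ := Lookup(BuildLookupEarliest(findings), target)
	fmt.Println("last-wins:", tsLast.Format("2006-01-02"), " earliest:", tsEarly.Format("2006-01-02"))

	// The stored-image path: same CVE and package, but the datasource was dropped.
	fromDB := Finding{CVE: target.CVE, Package: target.Package}
	_, found := Lookup(BuildLookupEarliest(findings), fromDB)
	fmt.Println("found without datasource:", found)
}
```

Running it prints the later date for the last-wins table and the earlier one for the earliest-wins table, and `false` for the datasource-less lookup, which is the miss the description attributes to not persisting the datasource.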

@rhacs-bot (Contributor)

Images are ready for the commit at 4b12d1d.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-2-g4b12d1df49.

@codecov bot commented Jan 31, 2026

Codecov Report

❌ Patch coverage is 75.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.36%. Comparing base (e80a7e3) to head (4b12d1d).
⚠️ Report is 7 commits behind head on master.

Files with missing lines                       Patch %   Lines
central/imagev2/datastore/datastore_impl.go    0.00%     4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #18789      +/-   ##
==========================================
+ Coverage   49.35%   49.36%   +0.01%     
==========================================
  Files        2659     2659              
  Lines      200572   200679     +107     
==========================================
+ Hits        99000    99075      +75     
- Misses      94137    94164      +27     
- Partials     7435     7440       +5     
Flag             Coverage Δ
go-unit-tests    49.36% <75.00%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
@openshift-ci bot commented Jan 31, 2026

@charmik-redhat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ocp-4-20-nongroovy-e2e-tests 4b12d1d link false /test ocp-4-20-nongroovy-e2e-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
