Description
Describe the bug
Starting with a just-created-and-freshly-migrated Pg database (using the ent backend), I ingest this SBOM by running go run ./cmd/guacone collect files --add-license-on-ingest --add-vuln-on-ingest ~/dev/kusari-sbom-bucket/good-files/sboms/sbom_benchmark/bom-v0.4.1_owncloud-10.spdx.json. I try this multiple times (with a new DB each time) and the query select count(*) from vulnerability_ids; returns a different number between runs (not every run is different, but I tend to see a count in the range of 1209 to 1243). This is not, I am pretty sure, new vuln data being discovered; instead it is an instance of this osv-scanner bug I filed last week (that turned out to be a pagination handling bug in the osv-scanner v1 module) occurring within guac.
I am using guac from a source repo; I have tag v0.13.2 (current latest release) checked out.
To Reproduce
Steps to reproduce the behavior:
1. Create an empty guac DB.
2. Run go run ./cmd/guacgql --gql-debug --gql-backend=ent '--db-address=postgres://guac:guac@localhost:5432/guac?sslmode=disable' in one tab.
3. Run go run ./cmd/guacone collect files --add-license-on-ingest --add-vuln-on-ingest ~/dev/kusari-sbom-bucket/good-files/sboms/sbom_benchmark/bom-v0.4.1_owncloud-10.spdx.json in another tab. Wait for it to complete.
4. After (3) is done, open a Pg client and query the guac DB with select count(*) from vulnerability_ids;. Record the count.
5. Repeat the entire process a few times and compare the counts. They should be the same, but they will change, going up and down.
Expected behavior
Barring data changes at OSV, the counts and the vulns should be the same between runs.
GUAC version
Running from source tag v0.13.2.