docs: ADR for re-processing of documents

[ctron]

Preview: https://github.com/ctron/trustify/blob/feature/adr_rescan_1/docs/adrs/00011-re-process-documents.md

---

Summary by Sourcery

Add an architecture decision record outlining strategies for re-processing ingested documents after schema changes.

Documentation:

• Introduce ADR 00008 describing the context and assumptions for re-processing documents stored in the system
• Evaluate three migration options (in-place re-processing during DB migration, separate processor module, and full re-ingestion) with pros and cons
• List open items, alternative approaches, and consequences for the chosen strategy

Summary by Sourcery

Enable re-processing of stored documents during schema upgrades by introducing an ADR, a data migration framework, new migrations for SBOM properties and advisory scores, CLI commands for data migrations, and enhancements to storage and migrator modules.

New Features:

• Add ADR documenting strategies for re-processing ingested documents after schema changes
• Implement data migration framework to re-process stored documents as part of database migrations
• Introduce CLI commands and options to run individual data migrations (db data)

Enhancements:

• Extend migrator to support combined schema and data migrations with configurable storage backends and partitioned concurrency
• Add SBOM properties and advisory vulnerability scores to the data model and ingest pipelines
• Refactor storage configuration to unify filesystem and S3 backends with async support

Documentation:

• Add ADR 00008/00009 describing context, assumptions, and alternatives for document re-processing

Tests:

• Add integration tests for running data migrations and verifying SBOM and advisory score migrations

[sourcery-ai]

Reviewer's Guide

This PR introduces an architecture decision record for document re-processing and implements a full data migration subsystem that allows re-processing stored SBOM and advisory documents during schema changes. It adds concrete migrations for extracting SBOM properties and advisory vulnerability scores, refactors migration orchestration and storage initialization, integrates new CLI commands for data migrations, centralizes storage backend setup and enforces async trait requirements, and updates dependencies across multiple crates.

ER diagram for new and updated tables: SBOM properties and advisory vulnerability scores

erDiagram
    SBOM {
        UUID sbom_id PK
        JSON properties
    }
    ADVISORY_VULNERABILITY_SCORE {
        UUID id PK
        UUID advisory_id FK
        STRING vulnerability_id FK
        ENUM type
        STRING vector
        FLOAT score
        ENUM severity
    }
    ADVISORY_VULNERABILITY {
        UUID advisory_id PK
        STRING vulnerability_id PK
    }
    ADVISORY_VULNERABILITY_SCORE ||--|{ ADVISORY_VULNERABILITY : "advisory_id, vulnerability_id"
    ADVISORY_VULNERABILITY_SCORE }o--|| SBOM : "(none, but SBOM now has properties)"
    ADVISORY_VULNERABILITY_SCORE }o--|| ADVISORY : "advisory_id"
    ADVISORY_VULNERABILITY_SCORE }o--|| VULNERABILITY : "vulnerability_id"

Loading

Class diagram for the new data migration subsystem and document handlers

classDiagram
    class Runner {
        +String database_url
        +Option<String> database_schema
        +DispatchBackend storage
        +Direction direction
        +Vec<String> migrations
        +Options options
        +run<M: MigratorWithData>()
    }
    class MigratorWithData {
        +data_migrations() Vec<Box<MigrationTraitWithData>>
    }
    class MigrationTraitWithData {
        +up(manager: SchemaDataManager)
        +down(manager: SchemaDataManager)
    }
    class SchemaDataManager {
        +SchemaManager manager
        +DispatchBackend storage
        +Options options
        +process<D, N>(name, f)
    }
    class Handler~D~ {
        +call(document: D, model: D::Model, tx)
    }
    class Document {
        +all(tx)
        +source(model, storage, tx)
    }
    class Sbom {
        +CycloneDx
        +Spdx
        +Other
    }
    class Advisory {
        +Cve
        +Csaf
        +Osv
        +Other
    }
    Runner --> MigratorWithData
    MigratorWithData --> MigrationTraitWithData
    MigrationTraitWithData --> SchemaDataManager
    SchemaDataManager --> Handler
    Handler --> Document
    Document <|-- Sbom
    Document <|-- Advisory

Loading

Class diagram for the new advisory vulnerability score entity

classDiagram
    class AdvisoryVulnerabilityScore {
        +UUID id
        +UUID advisory_id
        +String vulnerability_id
        +ScoreType type
        +String vector
        +f64 score
        +Severity severity
    }
    class ScoreType {
        +V2_0
        +V3_0
        +V3_1
        +V4_0
    }
    class Severity {
        +None
        +Low
        +Medium
        +High
        +Critical
    }
    AdvisoryVulnerabilityScore --> ScoreType
    AdvisoryVulnerabilityScore --> Severity

Loading

File-Level Changes

Change	Details	Files
Implement data migration subsystem for document re-processing	Define MigrationTraitWithData, MigratorExt, MigratorWithData and Runner Implement document partitioning, handlers and sbom/advisory macros Add migration/src/data module and CLI in migration/src/bin/data.rs Integrate db data subcommand in trustd and common/db data_migrate	migration/src/lib.rs migration/src/data/* migration/src/bin/data.rs trustd/src/db.rs common/db/src/lib.rs
Add advisory vulnerability scoring pipeline	Implement ScoreCreator and ScoreInformation types Extract scores in osv, cve and csaf modules Update loaders to create and persist scores Add advisory_vulnerability_score entity and migration	modules/ingestor/src/service/advisory/osv/mod.rs modules/ingestor/src/service/advisory/cve/mod.rs modules/ingestor/src/service/advisory/csaf/mod.rs modules/ingestor/src/graph/cvss.rs entity/src/advisory_vulnerability_score.rs migration/src/m0002010_add_advisory_scores.rs
Introduce SBOM properties extraction and storage	Add JSON properties column to SBOM entity Implement extract_properties_json in common Extend SBOM Graph models to include properties Create data migration for SBOM properties	entity/src/sbom.rs common/src/advisory/cyclonedx.rs modules/ingestor/src/graph/sbom/* migration/src/m0002000_add_sbom_properties.rs
Centralize storage backend initialization and enforce Send on async storage traits	Implement StorageConfig.into_storage(initializer) Replace inline FS/S3 init in server and importer Add Send bounds to StorageBackend methods Remove duplicated storage setup code	modules/storage/src/config.rs modules/storage/src/service/mod.rs modules/storage/src/service/dispatch.rs modules/storage/src/service/s3.rs modules/storage/src/service/fs.rs server/src/profile/api.rs server/src/profile/importer.rs trustd/src/db.rs
Refactor migration registration and orchestration	Introduce build_migrations and into_migrations builder pattern Combine schema and data migrations in MigratorExt Simplify MigratorTrait::migrations implementation	migration/src/lib.rs
Add ADR for re-processing of documents	Document the context, options and consequences for re-processing during migrations	docs/adrs/00009-re-process-documents.md

Possibly linked issues

• #Unify how document re-ingestion behaves for all document types: The PR provides a unified framework for re-processing documents during database migrations, directly addressing the issue's goal of unifying re-ingestion behavior for all document types to add new data.
• #TC-2731: The PR adds a framework for re-processing ingested documents during database schema migrations, addressing the issue's need to refresh database information.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[codecov]

Codecov Report

❌ Patch coverage is 69.53883% with 251 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.69%. Comparing base (693278b) to head (2a3574d).
⚠️ Report is 49 commits behind head on main.

Files with missing lines	Patch %	Lines
entity/src/advisory_vulnerability_score.rs	0.00%	57 Missing ⚠️
migration/src/bin/data.rs	0.00%	37 Missing ⚠️
migration/src/data/mod.rs	75.86%	22 Missing and 6 partials ⚠️
modules/ingestor/src/graph/cvss.rs	78.81%	23 Missing and 2 partials ⚠️
trustd/src/db.rs	0.00%	22 Missing ⚠️
migration/src/data/run.rs	58.82%	12 Missing and 2 partials ⚠️
modules/ingestor/src/service/advisory/osv/mod.rs	65.85%	14 Missing ⚠️
migration/src/data/partition.rs	64.00%	9 Missing ⚠️
common/src/advisory/cyclonedx.rs	57.89%	6 Missing and 2 partials ⚠️
migration/src/data/document/mod.rs	76.00%	1 Missing and 5 partials ⚠️
... and 11 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1913      +/-   ##
==========================================
+ Coverage   68.66%   68.69%   +0.03%     
==========================================
  Files         379      395      +16     
  Lines       21449    22203     +754     
  Branches    21449    22203     +754     
==========================================
+ Hits        14727    15252     +525     
- Misses       5855     6056     +201     
- Partials      867      895      +28     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ctron]

@sourcery-ai review

[sourcery-ai]

Hey @ctron - I've reviewed your changes and found some issues that need to be addressed.

Blocking issues:

• Invalid trait bound + use<> in return type. (link)
• Invalid trait bound + use<> in return type. (link)

General comments:

• The example migration currently hardcodes FileSystemBackend::for_test, so make the storage backend configurable (e.g., allow S3) to support real‐world migrations instead of only test scenarios.
• The retrieve method signature was updated with a use<Self> bound, which looks like a typo—verify that you intended a lifetime bound (for example + 'a + Send) and correct the signature accordingly.
• In DocumentProcessor::process, wrapping all errors as DbErr::Migration(format!(…)) loses structured error context; consider using a custom error type or propagating the original error to make debugging easier.

Prompt for AI Agents

Please address the comments from this code review:
## Overall Comments
- The example migration currently hardcodes `FileSystemBackend::for_test`, so make the storage backend configurable (e.g., allow S3) to support real‐world migrations instead of only test scenarios.
- The `retrieve` method signature was updated with a `use<Self>` bound, which looks like a typo—verify that you intended a lifetime bound (for example `+ 'a + Send`) and correct the signature accordingly.
- In `DocumentProcessor::process`, wrapping all errors as `DbErr::Migration(format!(…))` loses structured error context; consider using a custom error type or propagating the original error to make debugging easier.

## Individual Comments

### Comment 1
<location> `modules/storage/src/service/s3.rs` </location>
<code_context>
-    async fn retrieve<'a>(
+    async fn retrieve(
         &self,
         StorageKey(key): StorageKey,
-    ) -> Result<Option<impl Stream<Item = Result<Bytes, Self::Error>> + 'a>, Self::Error> {
</code_context>

<issue_to_address>
Invalid trait bound `+ use<>` in return type.

`+ use<>` is invalid Rust syntax and will not compile. Please correct this trait bound.
</issue_to_address>

### Comment 2
<location> `modules/storage/src/service/fs.rs` </location>
<code_context>
-    async fn retrieve<'a>(
+    async fn retrieve(
         &self,
         key: StorageKey,
-    ) -> Result<Option<impl Stream<Item = Result<Bytes, Self::Error>> + 'a>, Self::Error> {
</code_context>

<issue_to_address>
Invalid trait bound `+ use<>` in return type.

This trait bound will cause a compilation error; please update it to valid Rust syntax.
</issue_to_address>

### Comment 3
<location> `docs/adrs/00008-re-process-documents.md:17` </location>
<code_context>
+When making changes to the database structure, we also have a migration process, which takes care of upgrading the
+database structures during an upgrade.
+
+However, in some cases, changing the database structure actually means to extract more information from documents and is
+currently stored in the database. Or information is extracted in a different way. This requires a re-processing of
+all documents affected by this change.
+
</code_context>

<issue_to_address>
Grammatical error: 'means to extract more information from documents and is currently stored' should be 'means extracting more information from documents than is currently stored'.

It should be: 'changing the database structure actually means extracting more information from documents than is currently stored in the database.'
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
However, in some cases, changing the database structure actually means to extract more information from documents and is
currently stored in the database. Or information is extracted in a different way. This requires a re-processing of
all documents affected by this change.
=======
However, in some cases, changing the database structure actually means extracting more information from documents than is
currently stored in the database. Or information is extracted in a different way. This requires a re-processing of
all documents affected by this change.
>>>>>>> REPLACE

</suggested_fix>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[carlosthe19916]

Just some thoughts:

• Would it be possible to trigger the "re-processing" in parallel? E.g. multiple pods. What would be the technical challenges?
• Would it be helpful to mark the documents (e.g. SBOMs) with a version number to indicate which is his current "re-ingest" version? similar to database migration controls
• Just like the importers I wonder if it would be worth sharing "how many documents were processed, how long should we wait for the process to finish, etc (estimations)"

[JimFuller-RedHat]

There maybe a third way eg. only using default_transaction_read_only which will switch the db to read only mode ... note this is session based so maybe this is just a matter of keeping original conn for normal operations and generating a new conn (without setting default_transaction_read_only) to do any mutations. I think I would also use default_transaction_read_only for blue/green as well, but thought I would mention this.

[ctron]

I think working with read-only transactions makes sense in general. Some operations just being read-only by nature.

We could ask the user to re-configure the trustify for read-only transactions. And then run the migrations. But that wouldn't be much of a difference to the blue/green approach? We'd just need to ensure we can enable the user to do so.

[JimFuller-RedHat]

failure during these kind of migrations will need extra testing ... and maybe specific TX handling (transactional DDL is your friend).

[ctron]

Yes, that's why I started adding tests for migrations (with data) as well.

[JimFuller-RedHat]

there maybe other options - there are a lot of pg ext for this sort of thing - ex. https://github.com/xataio/pgroll

[ctron]

Definitely worth checking out. However, it seems to add a lot of complexity which needs to be handles by us then. And I'm not sure it is worth the effort.

[JimFuller-RedHat]

worth mentioning that amazon has blue/green pg deployments as part of their service though I do not have much experience with them

[ctron]

Yes, that was my though here. I'd expect other PG services to have similar setups available. However, it's up to the user to provide a database. We'd just try to ensure we can work with a model like this.

[ctron]

Just some thoughts:

• Would it be possible to trigger the "re-processing" in parallel? E.g. multiple pods. What would be the technical challenges?

I don't think there would be a way of doing this automatically. Assuming the Sea ORM migrations drive this, it would be sequential. As part of the data migration most likely there would also be a schema migration.

However, if we allow the data migrations to be run up-front, we could bundle such processing. What definitely would work is to run multiple processors (in a single process/pod) in parallel.

We could improve on that, but it would add much more complexity. And I'd like to avoid that in the beginning.

• Would it be helpful to mark the documents (e.g. SBOMs) with a version number to indicate which is his current "re-ingest" version? similar to database migration controls

Very good idea. However, that also conflicts with the idea of running multiple steps/migrations in parallel. So each document must be upgraded sequentially. However that process could run in parallel.

• Just like the importers I wonder if it would be worth sharing "how many documents were processed, how long should we wait for the process to finish, etc (estimations)"

I though about that too. However, I believe, that the current preferred idea of having A/B (green/blue) deployments would but that information not on the UI, but on some other process, detached from the UI.

Assuming a user is running blue/green. The upgrade would run on blue, but the UI would serve (read-only) from green. So it would not see the state of blue until it's finished.

[jcrossley3]

Just to be clear: users would be unable to ingest new data while an update/migration is in progress? And that could potentially take more than a day? I think that's a bad look.

I believe it's worth the effort to design a system that allows the re-processing of docs ingested during migration. We should aim for "zero downtime".

[ctron]

Maybe you can add another option to the document describing your idea.

[jcrossley3]

Once the code and db schema have been updated, why can't new docs (post update) be ingested while old docs (pre update) are being re-ingested?

[ctron]

Assuming you're adding a new, mandatory field. How would that be populated during schema migration? How would new code, relying on that data, work when that data is not present? Why should docs be re-ingested, and not just missing data be amended?

[jcrossley3]

I'm not suggesting we add a new field. I'm asking why new docs can't be ingested into the new schema with the new code while the old docs are being re-ingested into the new schema with the new code. "Old" docs could be identified by their ingestion date.

[ctron]

That is a use case we need to cover. Adding a new field.

[sourcery-ai]

New security issues found

[dejanb]

I think this PR is good go now. It provides the functionality for reprocessing documents and a use case of reparsing cvss data is working.

It is pretty big, so keeping it in this state requires a lot of work. All further improvements and more testing will be done in next phases. For example, I'll start working next on querying these new score tables, and we can fix and refine all things related to this functionality in this work.

@JimFuller-RedHat @jcrossley3

[jcrossley3]

It's 47 commits and ~3K lines so it's a lot to expect anyone to review it productively.

I mostly worry that this PR will result in updates that take too long from the perspective of the user. Our goal should be minutes, not hours, and certainly not days. We have people using TPA now, and some have lots of data. Do we have any sense how they'll react to the impact[s] of this PR?

Are we sure that this PR is better than just adopting a policy that new code will have to be robust enough to account for "missing data" while re-ingestion is occurring?

[dejanb]

@jcrossley3 I understand you completely and sorry for putting you in this position. The idea was that someone else beside @ctron and me would take a peak and see if something stands out.
As for the feature in general, I'd encourage @ctron to add his thoughts as well. I think we can make this work properly even for larger datasets. That's exactly the next step I would like to do, test and see how it behaves and what we need to do in order to work properly for large deployments (we have enough time as it will be released only with the next major release, so it won't impact folks immediately). That's why we also have this first migration as a use case. I think every migration with re-processing will need to be evaluated for performance impact individually.
What I would like to avoid is to keep adding more stuff to this pr as it's already a nightmare to maintain and review.

[ctron]

We are talking about breaking changes of the data model here. Changes which require data that we did not have before. We could avoid this in some situations. In others we can't. If we can avoid them, we should. A case like this should be an exception rather than the norm.

Writing code that works with both worlds at the same time (old data model and new data model) on a "per document" basis will be hell. And adds code that we need to maintain for a while. It will result in unexpected results for the user. Results that will change when reloading, as time (and migration) progress. That will make it even harder to understand and test.

On the other side, this approach does allow one to pre-run migrations on a cloned data set. See the impact, and plan a migration. Rather than working on actual production data. Once the migration is tested, the migrated result can also be used as a new clone for the production system again. We provide tools now to prevent changes, setting the database to read-only mode during that time. And to my understanding, this is what users actually prefer.

So I think it makes sense in moving forward with this. Getting some user feedback.

[dejanb]

This phase looks done to me. We need plan for the steps:

• More integaration and performance tests with large deployments
• Plan for upgrading production environments
• Implementing querying side of new CVSS table