fix: exclude archived repos from vulnerability data in Tinybird pipes (IN-1186) #4268
Open
joanagmaia wants to merge 4 commits into
… (IN-1186) Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Pull request overview
This PR updates Tinybird vulnerability-related pipes to stop surfacing CVE/vulnerability data (and derived scan status) for repositories marked as archived, so Insights Security views don’t report misleading vulnerability posture for inactive repos.
Changes:
- Added an "exclude archived repositories" filter to all four vulnerability endpoint pipes (`vulnerabilities_list`, `vulnerabilities_summary`, `vulnerabilities_by_severity`, `vulnerabilities_by_ecosystem`).
- Updated two COPY aggregation pipes to exclude archived repos when deriving vulnerability-related rollups (`lastVulnerabilityScanStatus` and per-project vulnerability counts).
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| services/libs/tinybird/pipes/vulnerabilities_summary.pipe | Excludes archived repo URLs from the vulnerability summary query scope. |
| services/libs/tinybird/pipes/vulnerabilities_list.pipe | Excludes archived repo URLs in both count and list branches. |
| services/libs/tinybird/pipes/vulnerabilities_by_severity.pipe | Excludes archived repo URLs from severity aggregation. |
| services/libs/tinybird/pipes/vulnerabilities_by_ecosystem.pipe | Excludes archived repo URLs from ecosystem aggregation. |
| services/libs/tinybird/pipes/insights_projects_populated_copy.pipe | Excludes archived repos when computing lastVulnerabilityScanStatus rollup per project. |
| services/libs/tinybird/pipes/agentic_ai_projects_list_copy.pipe | Excludes archived repos from vulnerability counts while keeping other metrics unaffected. |
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
ab16277 to 1245d2d
Summary
- `archived = false` / `archived != true` filters to the 4 vulnerability endpoint pipes and the 2 COPY pipes that aggregate vulnerability data
- `segments_filtered.pipe` is intentionally untouched — the filter is applied surgically only to vulnerability queries so other metrics (commits, stars, contributors, etc.) still include archived repos

Pipes changed
- `vulnerabilities_list.pipe`
- `vulnerabilities_by_ecosystem.pipe`
- `vulnerabilities_by_severity.pipe`
- `vulnerabilities_summary.pipe`
- `insights_projects_populated_copy.pipe`: `last_vulnerability_scan_status` node excludes archived repos (drives `lastVulnerabilityScanStatus` on the project card)
- `agentic_ai_projects_list_copy.pipe`: `vulnerability_counts` node filters `r.archived = false` on the existing `repositories` join

References
Note: Medium Risk
Changes only read-side SQL filters on security-facing metrics, but they alter reported vulnerability counts and scan status for projects with archived repos, which could surprise users until COPY/API data refreshes.
Overview
Stops Insights Security and related dashboards from counting CVEs tied to archived repositories by filtering those repos out of vulnerability queries only.

The four API pipes (`vulnerabilities_list`, `vulnerabilities_by_ecosystem`, `vulnerabilities_by_severity`, `vulnerabilities_summary`) now add `v.repoUrl NOT IN (SELECT url FROM repositories FINAL WHERE archived = true)` alongside the existing segment/repo filters; the list pipe applies this in both the count and listing branches. COPY jobs are updated in parallel: `insights_projects_populated_copy` excludes archived repos when deriving `lastVulnerabilityScanStatus`, and `agentic_ai_projects_list_copy` requires `r.archived = false` on the repositories join in `vulnerability_counts`. `segments_filtered` is unchanged so commits, stars, contributors, and other non-security metrics still include archived repos.

Reviewed by Cursor Bugbot for commit b394829.
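The `NOT IN (SELECT url FROM repositories WHERE archived = true)` filter quoted in the review, modelled in sqlite with constructed sample data as an added example (this is not code from the PR or the Tinybird pipes); the project slug, column names and the dropped ClickHouse `FINAL` keyword are assumptions, and the example shows how the by-severity and summary counts change once the archived repo's CVEs are excluded.

```python
import sqlite3

# Constructed sample data: one project whose archived repo still carries
# two CVEs, plus two active repos with one CVE between them.
REPOSITORIES = [  # (url, archived, projectSlug)
    ("https://github.com/example/old-lib", 1, "example"),
    ("https://github.com/example/api", 0, "example"),
    ("https://github.com/example/web", 0, "example"),
]
VULNERABILITIES = [  # (repoUrl, severity, ecosystem)
    ("https://github.com/example/old-lib", "CRITICAL", "npm"),
    ("https://github.com/example/old-lib", "HIGH", "npm"),
    ("https://github.com/example/api", "MEDIUM", "go"),
]

# Filter from the PR description; ClickHouse's FINAL is omitted for sqlite
# and `true` becomes 1 (assumed schema: archived stored as 0/1).
ARCHIVED_FILTER = "AND v.repoUrl NOT IN (SELECT url FROM repositories WHERE archived = 1)"


def load_db():
    """Build an in-memory database holding the constructed tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE repositories (url TEXT, archived INTEGER, projectSlug TEXT);
        CREATE TABLE vulnerabilities (repoUrl TEXT, severity TEXT, ecosystem TEXT);
    """)
    db.executemany("INSERT INTO repositories VALUES (?, ?, ?)", REPOSITORIES)
    db.executemany("INSERT INTO vulnerabilities VALUES (?, ?, ?)", VULNERABILITIES)
    return db


def by_severity(db, exclude_archived):
    """Counts per severity for the project, mirroring vulnerabilities_by_severity.
    The archived filter sits next to the existing repo/project join, as in the PR."""
    sql = f"""
        SELECT v.severity, COUNT(*) FROM vulnerabilities v
        JOIN repositories r ON r.url = v.repoUrl
        WHERE r.projectSlug = 'example'
        {ARCHIVED_FILTER if exclude_archived else ''}
        GROUP BY v.severity"""
    return dict(db.execute(sql).fetchall())


def summary_total(db, exclude_archived):
    """Total CVE count for the project, mirroring vulnerabilities_summary."""
    return sum(by_severity(db, exclude_archived).values())
```

Running `by_severity` with and without the filter makes the "surprise" the review flags concrete: the archived repo's CRITICAL and HIGH findings disappear from the project's posture after the change.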