refactor(server): change custom advisory and vulnerability data types fr… #8923
Conversation
…om structpb.Value to bytes for improved serialization
tonaim
changed the title
pkg/rpc/convert.go
Outdated
| @@ -595,6 +598,18 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne | |||
| publishedDate = lo.ToPtr(vuln.PublishedDate.AsTime()) | |||
| } | |||
|
|
|||
| var cVData, cAData any | |||
| if len(vuln.CustomVulnData) > 0 { | |||
| if err := json.Unmarshal(vuln.CustomVulnData, &cVData); err != nil { | |||
There was a problem hiding this comment.
do we need this additional unmarshal? cannt we directly assign customAdvisoryData to proto attribute.
There was a problem hiding this comment.
@deven0t , handled it now.
There was a problem hiding this comment.
Pull Request Overview
Refactor serialization of custom advisory and vulnerability data to use raw bytes instead of structpb.Value, updating protobuf definitions, generated code, and conversion logic.
- Changed
custom_advisory_dataandcustom_vuln_datafields in theVulnerabilitymessage fromgoogle.protobuf.Valuetobytes. - Regenerated
service.pb.goto reflect byte-slice fields, updated getters, raw descriptors, and dependency indexes. - Updated
ConvertToRPCVulns/ConvertFromRPCVulnsto marshal custom data as JSON bytes and assign raw bytes on the return path.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| rpc/common/service.proto | Updated custom data fields in Vulnerability to bytes |
| rpc/common/service.pb.go | Regenerated code for byte-slice fields, getters, and descriptors |
| pkg/rpc/convert.go | Switched to JSON marshalling and adapted conversion functions |
Comments suppressed due to low confidence (1)
pkg/rpc/convert.go:303
- There are no unit tests covering the new JSON serialization logic for custom advisory and vulnerability data. Add tests to verify that data round-trips correctly through ConvertToRPCVulns and ConvertFromRPCVulns.
jsonBytes, _ := json.Marshal(vuln.Custom) // nolint: errcheck
pkg/rpc/convert.go
Outdated
| vulnCustom = any(vuln.CustomVulnData) | ||
| } | ||
| var advisoryCustom any | ||
| if len(vuln.CustomAdvisoryData) > 0 { | ||
| advisoryCustom = any(vuln.CustomAdvisoryData) |
There was a problem hiding this comment.
ConvertFromRPCVulns assigns raw JSON bytes to the Custom field instead of unmarshalling back into a structured object, so callers will receive []byte rather than the original data. Consider using json.Unmarshal to decode vuln.CustomVulnData into an interface{} before assignment.
| vulnCustom = any(vuln.CustomVulnData) | |
| } | |
| var advisoryCustom any | |
| if len(vuln.CustomAdvisoryData) > 0 { | |
| advisoryCustom = any(vuln.CustomAdvisoryData) | |
| if err := json.Unmarshal(vuln.CustomVulnData, &vulnCustom); err != nil { | |
| log.Logger.Warnf("Failed to unmarshal CustomVulnData: %v", err) | |
| } | |
| } | |
| var advisoryCustom any | |
| if len(vuln.CustomAdvisoryData) > 0 { | |
| if err := json.Unmarshal(vuln.CustomAdvisoryData, &advisoryCustom); err != nil { | |
| log.Logger.Warnf("Failed to unmarshal CustomAdvisoryData: %v", err) | |
| } |
Copilot uses AI. Check for mistakes.
| google.protobuf.Timestamp last_modified_date = 16; | ||
| google.protobuf.Value custom_advisory_data = 17; | ||
| google.protobuf.Value custom_vuln_data = 18; | ||
| bytes custom_advisory_data = 17; |
There was a problem hiding this comment.
[nitpick] Consider adding a comment above these fields to clarify that they now carry JSON-encoded data as raw bytes, and clients must JSON-decode them to retrieve the original structure.
Copilot uses AI. Check for mistakes.
Updated the description details. |
Remove redundant type conversions where values are already of the correct type, simplifying the code and improving readability.
Are you sure it's language agnostic? We use protobuf anyway.
This PR is just migrating to json.Marshal. It should explain why it improves performance. |
To support that having []byte is advantageous, I wrote small benchmarking program. |
We still need a protobuf library to parse the HTTP response. Could you please explain in more detail what this means?
If this is what you mean, the above explanatin doesn't seem accurate. |
You’re absolutely right that the outer envelope remains a normal protobuf Vulnerability message, so any client that speaks gRPC will keep using its protobuf runtime to read the response. The generated stub contains a plain bytes field, which every language’s core protobuf runtime already knows how to handle. No Struct/Value helpers required. I am rephrasing the description |
Updated all getters, raw descriptors, dependency indexes, and field types to use []byte instead of *structpb.Value.
Encoding (ConvertToRPCVulns): JSON-marshal both vuln.Custom and vuln.Vulnerability.Custom into the new byte fields.
Decoding (ConvertFromRPCVulns): JSON-unmarshal incoming byte slices back into interface{}, falling back to nil on unmarshal errors.
Updated existing tests to expect raw byte slices for non-empty custom data and nil interfaces for empty data.
Added new round-trip tests to verify that custom fields serialize → deserialize correctly.
Why This Matters
Performance & Dependency Reduction
Removing structpb.Value avoids heavy reflection and descriptor overhead, streamlining serialization on both server and client.
Data Fidelity
Callers now get the exact original structure (maps, arrays, strings) without needing to re-interpret a generic Protobuf Value wrapper.
more cross-language-friendly
The generated stub contains a plain bytes field, which every language’s core protobuf runtime already knows how to handle. No Struct/Value helpers required.
Test Consistency
Ensures empty custom data fields yield a true Go nil interface, matching existing test expectations.
Checklist