Skip to content

fix: exclude archived repos from vulnerability data in Tinybird pipes (IN-1186)#4268

Merged
joanagmaia merged 5 commits into
mainfrom
fix/archived-repos-vulnerabilities
Jun 29, 2026
Merged

fix: exclude archived repos from vulnerability data in Tinybird pipes (IN-1186)#4268
joanagmaia merged 5 commits into
mainfrom
fix/archived-repos-vulnerabilities

Conversation

@joanagmaia

@joanagmaia joanagmaia commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Vulnerabilities from archived repositories were being surfaced on the Insights Security page, leading to misleading CVE reports for repos that are no longer actively maintained
  • Adds archived = false / archived != true filters to the 4 vulnerability endpoint pipes and the 2 COPY pipes that aggregate vulnerability data
  • segments_filtered.pipe is intentionally untouched — the filter is applied surgically only to vulnerability queries so other metrics (commits, stars, contributors, etc.) still include archived repos

Pipes changed

Pipe Change
vulnerabilities_list.pipe Filter added to both the count and listing branches
vulnerabilities_by_ecosystem.pipe Filter added
vulnerabilities_by_severity.pipe Filter added
vulnerabilities_summary.pipe Filter added
insights_projects_populated_copy.pipe last_vulnerability_scan_status node excludes archived repos (drives lastVulnerabilityScanStatus on the project card)
agentic_ai_projects_list_copy.pipe vulnerability_counts node filters r.archived = false on the existing repositories join

References


Note

Low Risk
Scoped SQL WHERE clauses on read/analytics pipes with no auth or write-path changes; main effect is corrected security reporting numbers.

Overview
Vulnerability-facing Tinybird pipes no longer count or list CVEs tied to archived repositories, so Insights Security and related aggregates stop surfacing stale findings from unmaintained repos.

The filter is applied only on vulnerability queries: vulnerabilities_list, vulnerabilities_summary, vulnerabilities_by_ecosystem, and vulnerabilities_by_severity add repoUrl NOT IN (SELECT url FROM repositories FINAL WHERE archived = true) (including both count and list branches in vulnerabilities_list). COPY pipes insights_projects_populated_copy (last_vulnerability_scan_status) and agentic_ai_projects_list_copy (vulnerability_counts via r.archived = false) get the same behavior for project cards and Agentic AI lists. segments_filtered is unchanged, so non-security metrics (commits, stars, etc.) still include archived repos.

Reviewed by Cursor Bugbot for commit 973db79. Bugbot is set up for automated code reviews on this repo. Configure here.

… (IN-1186)

Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Copilot AI review requested due to automatic review settings June 25, 2026 14:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates Tinybird vulnerability-related pipes to stop surfacing CVE/vulnerability data (and derived scan status) for repositories marked as archived, so Insights Security views don’t report misleading vulnerability posture for inactive repos.

Changes:

  • Added an “exclude archived repositories” filter to all four vulnerability endpoint pipes (vulnerabilities_list, vulnerabilities_summary, vulnerabilities_by_severity, vulnerabilities_by_ecosystem).
  • Updated two COPY aggregation pipes to exclude archived repos when deriving vulnerability-related rollups (lastVulnerabilityScanStatus and per-project vulnerability counts).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
services/libs/tinybird/pipes/vulnerabilities_summary.pipe Excludes archived repo URLs from the vulnerability summary query scope.
services/libs/tinybird/pipes/vulnerabilities_list.pipe Excludes archived repo URLs in both count and list branches.
services/libs/tinybird/pipes/vulnerabilities_by_severity.pipe Excludes archived repo URLs from severity aggregation.
services/libs/tinybird/pipes/vulnerabilities_by_ecosystem.pipe Excludes archived repo URLs from ecosystem aggregation.
services/libs/tinybird/pipes/insights_projects_populated_copy.pipe Excludes archived repos when computing lastVulnerabilityScanStatus rollup per project.
services/libs/tinybird/pipes/agentic_ai_projects_list_copy.pipe Excludes archived repos from vulnerability counts while keeping other metrics unaffected.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot AI review requested due to automatic review settings June 25, 2026 14:53
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Comment thread services/libs/tinybird/pipes/vulnerabilities_list.pipe
Comment thread services/libs/tinybird/pipes/vulnerabilities_list.pipe
Comment thread services/libs/tinybird/pipes/vulnerabilities_summary.pipe
Comment thread services/libs/tinybird/pipes/vulnerabilities_by_severity.pipe
Comment thread services/libs/tinybird/pipes/vulnerabilities_by_ecosystem.pipe
@joanagmaia joanagmaia force-pushed the fix/archived-repos-vulnerabilities branch from ab16277 to 1245d2d Compare June 25, 2026 14:58
Copilot AI review requested due to automatic review settings June 25, 2026 15:58

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comment thread services/libs/tinybird/pipes/insights_projects_populated_copy.pipe
@joanagmaia joanagmaia requested a review from gaspergrom June 26, 2026 08:47
@gaspergrom

Copy link
Copy Markdown
Contributor

LGTM

@joanagmaia joanagmaia merged commit e534bb0 into main Jun 29, 2026
16 checks passed
@joanagmaia joanagmaia deleted the fix/archived-repos-vulnerabilities branch June 29, 2026 08:39
skwowet pushed a commit that referenced this pull request Jul 3, 2026
… (IN-1186) (#4268)

Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Signed-off-by: Yeganathan S <63534555+skwowet@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants